Support authenticated v3 Onion Services in Tor Browser
A dialog was added in Tor Browser v9.5 to allow the user to enter the authentication key when visiting an authenticated onion service for the first time, along with additions to Preferences to store and manage said keys. This does not appear when using Tor Browser under Tails. Instead, the connection fails - the browser returns: "Unable to connect - Firefox can’t establish a connection to the server at AddressHere." Also, in about:preferences#privacy, in the Onion Services Authentication section, saved keys can't be viewed, and a message "Command filtered" is displayed in the Onion Service Keys modal.
This functionality relies on onion_client_auth_add/remove/view control port commands from the browser to Tor, so the onion-grater config would probably have to be updated to allow them (FWIW, setting onion-grater into complain mode allowed the keys to be viewed in Preferences). The keys are stored in the onionauthdir defined in the system torrc, so this directory could ideally live in the Persistent Volume in order for keys to be managed from the browser and persist between sessions.
User research
- This feature would be really useful for users of authenticated onion services. For example, SecureDrop uses authenticated services for journalist/admin access, and adding them to the tor config involves running a custom hook on network changes. Using Tor Browser's built-in functionality and storing the keys in a consistent way in Tails would significantly simplify this.
- At Netzwerk Recherche, we also met journalists who collaborate online using authenticated onion services.
Tasks
- Re-enable authenticated v3 Onion Services in OnionShare by default - We disabled it in 99db6c38 so that this very issue is not a blocker for Tails 6.0.
How to test
OnionShare creates authenticated onion services, so that's a good way to test it yourself.
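The description above suggests letting the three onion_client_auth commands through the control port filter. The sketch below is an added example, not code or configuration from onion-grater, Tails or Tor Browser: it shows how narrowly such an allowance can be scoped, by accepting only these commands with well-formed arguments (syntax as in the Tor control protocol). The names `ALLOWED` and `is_allowed` and the sample values are hypothetical.

```python
import re

# v3 onion address without the ".onion" suffix: 56 base32 characters.
V3_ADDR = r"[a-z2-7]{56}"
# x25519 private key: 32 bytes, i.e. 43 base64 characters plus optional padding.
X25519_B64 = r"[A-Za-z0-9+/]{43}=?"

# Hypothetical allowlist: command name -> regex its argument string must fully match.
ALLOWED = {
    # ONION_CLIENT_AUTH_ADD HSAddress KeyType:PrivateKeyBlob [Flags=Permanent]
    "ONION_CLIENT_AUTH_ADD": re.compile(
        rf"{V3_ADDR} x25519:{X25519_B64}(?: Flags=Permanent)?"
    ),
    # ONION_CLIENT_AUTH_REMOVE HSAddress
    "ONION_CLIENT_AUTH_REMOVE": re.compile(V3_ADDR),
    # ONION_CLIENT_AUTH_VIEW [HSAddress]
    "ONION_CLIENT_AUTH_VIEW": re.compile(rf"(?:{V3_ADDR})?"),
}


def is_allowed(line: str) -> bool:
    """Return True only for one of the three commands with valid arguments."""
    # One command per line: reject embedded line breaks that would
    # smuggle a second, unfiltered command past the check.
    if "\r" in line or "\n" in line:
        return False
    name, _, args = line.partition(" ")
    pattern = ALLOWED.get(name.upper())  # command names are case-insensitive
    # fullmatch() rejects trailing or unexpected arguments.
    return pattern is not None and pattern.fullmatch(args) is not None


# Constructed sample values (syntactically valid only, not a real service or key).
SAMPLE_ADDR = "a" * 56
SAMPLE_KEY = "A" * 43 + "="

if __name__ == "__main__":
    for cmd in (
        f"ONION_CLIENT_AUTH_ADD {SAMPLE_ADDR} x25519:{SAMPLE_KEY} Flags=Permanent",
        "onion_client_auth_view",
        "SETCONF ClientOnionAuthDir=/tmp/elsewhere",
    ):
        print("allow " if is_allowed(cmd) else "filter", cmd)
```

Anything outside the three patterns stays filtered, so the rest of the control port surface is unchanged by the allowance.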