Onion services for APT are less reliable than a direct connection
Experienced today while working on #17510.
I got 2 errors in a row while fetching the onion service of deb.torproject.org:
Err:17 tor+http://apow7mjfryruh65chtdydfmqfpj5btws7nbocgtaovhvezgccyjazpqd.onion/torproject.org bookworm InRelease
Timed out while waiting to read 'first part of response' from proxy socks5h://127.0.0.1:9050 [IP: 127.0.0.1 9050]
W: Failed to fetch tor+http://apow7mjfryruh65chtdydfmqfpj5btws7nbocgtaovhvezgccyjazpqd.onion/torproject.org/dists/bookworm/InRelease Timed out while waiting to read 'first part of response' from proxy socks5h://127.0.0.1:9050 [IP: 127.0.0.1 9050]
Err:12 tor+http://apow7mjfryruh65chtdydfmqfpj5btws7nbocgtaovhvezgccyjazpqd.onion/torproject.org bookworm InRelease
Timed out while waiting to read 'first part of response' from proxy socks5h://127.0.0.1:9050 [IP: 127.0.0.1 9050]
W: Failed to fetch tor+http://apow7mjfryruh65chtdydfmqfpj5btws7nbocgtaovhvezgccyjazpqd.onion/torproject.org/dists/bookworm/InRelease Timed out while waiting to read 'first part of response' from proxy socks5h://127.0.0.1:9050 [IP: 127.0.0.1 9050]
I switched to using deb.torproject.org
directly and it worked straight away.
Then I tried to switch back to the onion service and this time it worked. Because I got a different circuit?
I guess that when such errors happen, the user would get an error updating Additional Software, right?
It seems like reliability was not taken into account in the tradeoff made when switching to onion services in #11556 (closed):
Pros:
- Strong authentication of the APT repository itself (not just of the contents), which protects against security flaws in APT; switching to Onion services was reprioritized as an alternative to #8143 (closed) when https://www.debian.org/security/2016/dsa-3733 came up
- Traffic stays within Tor, avoidance of metadata
- End-to-End encryption to the Onion Service
- (debatable) Fingerprinting of Tails users (what diffs were missing? when was the last package list update?) at the Tor Exit might become more difficult
Cons:
- Adds load to the Onion mirror
- Packages signed with GnuPG anyways
- Might be slower than non-Onion Service access
The list of pros seems rather thin to me if it comes to a cost in reliability.
Do we have more data on how frequently this happens?
Edited by intrigeri