How can I set up a .onion HSP (Hidden Service Protocol) on an Azure Host?

Question

A client wants to support anonymous users using Azure.  How can I integrate TOR HSP Server into Azure so my host can respond to a .onion address? 

Answer 1

Hi,

I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay.

Appreciate your patience.

Best Regards,

Ming Xu.

---

Please mark the replies as answers if they help or unmark if not.
If you have any feedback about my replies, please contact msdnmg@microsoft.com.
Microsoft One Code Framework

Answer 2

Hi,

I just read some documents about the Tor network like below:

https://www.torproject.org/docs/hidden-services.html.en

My understanding is you expect a VM on Windows Azure act as the "Bob" in the chart in above article, am I right?

The problem is it seems Tor doesn't naturally work well in NAT environment. According to:

https://trac.torproject.org/projects/tor/wiki/doc/TorFAQ#HowcanImakemyrelayaccessibletopeoplestuckbehindrestrictivefirewalls

You need to manually configure port forwarder. (Seem you need to know external IP beforehand). I doubt it could simply work in Azure environment that is behind a load balancer.

Other problems I would ask:

1. Is any long connection required between "Bob" and others? Azure has 1 min idle timeout that may break the protocol. (Not sure, need to check out the Tor implementation but haven't found detailed one)

2. The Tor installation&Configuration on Windows seems is UI based. So I think you need to use VM role. Even you use VM role, probably further configuration is required after moving to Azure. You have to RDP to VM and manually configure. Not a good way to me. Is there any command that can configure Tor? (Haven't found doc regarding this)

My last question is, is Tor must be used in your requirement? It looks to me a decent solution is there with the help of Service Bus if the requriement is Server should not know the IP of client.

http://msdn.microsoft.com/en-us/library/windowsazure/ee732537.aspx

If you relay all requests via Service Bus the web server will not know the client IP address.

---

Allen Chen [MSFT]
MSDN Community Support | Feedback to us
Get or Request Code Sample from Microsoft
Please remember to mark the replies as answers if they help and unmark them if they provide no help.

Allen Chen [MSFT]
MSDN Community Support | Feedback to us
Get or Request Code Sample from Microsoft
Please remember to mark the replies as answers if they help and unmark them if they provide no help.

Answer 3

I think there is a difference between a relay and a HSP.  The HSP accepts a *.onion address (similar to duckduckgo.com at 3g2upl4pq6kufc4m.onion )  and doesn't necessarily relay traffic.  The issue of a NAT in that specific context might not matter.

Info on the exit node: http://www.gabrielweinberg.com/blog/2010/08/duckduckgo-now-operates-a-tor-exit-enclave.html 

Yes, like the service bus, the sender and receiver should be anonymous.  Can anyone at MSFT tell me how a comparable ServiceBus configuration would compare to a HSP-based TOR connection?  For example, a .onion address doesn't require DNS at all.. however as far as I know, the ServiceBus requires this.

Some links I'm looking at while I compare TOR against the Service Bus 

• Does TOR Hidden Service Protocol (HSP) provide more security than HTTPS
• Does the Service Bus require DNS?  If so, is DNSSec/IPSec required?
• Does any protocol feature of the ServiceBus (WCF) send the client IP address to the server?

Question

Can anyone from MSFT assist in comparing the relative security of a TOR Exit Enclave (HSP) vs the Service Bus facilities?  Keep in mind that a HSP is quite different than a plain relayed connection, which is often decrypted/sniffed/and hacked.  (Attend any Defcon conference and you'll see that being used as test data)

Answer 4

Hi,

Correct me if I'm wrong, as I only read little documents about Tor after I see your question:

>For example, a .onion address doesn't require DNS at all..

This is because Tor software installed on your machine act as a resolver, a proxy. It maps the .onion address to the IP of the entry node in the Tor circus that can finally reach hidden server. The key is in the Tor network each node knows nothing about the client and server IP (except the entry node who knows the IP of client and the exit node who knows the IP of hidden server). While as to Service Bus, logically there is only 1 node (Azure Service Bus) in the middle in the app layer. As a result this node knows both the client and server IP.

As to client/server, they don't know each other's IP in both Tor and Service Bus scenarios(assume you don't enable direct connection). From security's perspective, it's harder to trace the message in Tor as no individual node knows the complete path and knows both the hidden service and client IP address.

>Can anyone at MSFT tell me how a comparable ServiceBus configuration would compare to a HSP-based TOR connection?

As they are naturally different there is no a counterpart in Service bus. However, if your requirement is to hide client IP to the server then I think you can use Service Bus to relay the data for you.

>Keep in mind that a HSP is quite different than a plain relayed connection, which is often decrypted/sniffed/and hacked.

If you're talking about end-to-end security it's also possible in Service Bus. You can use message level security to protect your data. In Service Bus as there is only 1 node in the middle some security methods used in Tor may not required.

---

Allen Chen [MSFT]
MSDN Community Support | Feedback to us
Get or Request Code Sample from Microsoft
Please remember to mark the replies as answers if they help and unmark them if they provide no help.