Given the US recently made a bid to fast-track multiple censorship bills, KOSA included, and is also trying to kill Section 230 now, which will pose an existential threat to Fediverse instances hosted over the clearnet, how feasible would it be to host said instances over Tor/I2P?
Coming from someone who is in fact hosting fediverse instances over Tor, I can tell you right off the bat that it is challenging. Most fediverse software is not created with privacy in my mind — including Matrix which features E2EE for certain rooms and DMs. Here is a breakdown of my experience with individual tools:
Matrix: While Matrix can technically work over Tor, you will have significant challenges with using desktop clients to connect to the server and getting federation working properly. Even if you have both a clearnet domain and hidden service, desktop clients like Element, Fluffy, and Cinny are unable to resolve hidden services. Despite the connection technically working via the utilization of torsocks, the DNS resolution is a problem. For this reason, the primary way of accessing a Matrix server hosted as a hidden service is via a web client. If you do choose to use a web client via the Tor Browser, you must enable dom.ServiceWorkers.enabled for media to play on instances with authenticated media enabled and javascript.options.wasm for E2EE. The latter is enabled by default since one of the latest releases of the Tor Browser. I also suggest enabling SVG support in about:config by setting svg.disabled to false.
Similar to the DNS resolution issue with desktop clients, there is a similar problem with federation. However, one way you can attempt to get both working, is by installing iptables and using nat rules to route all traffic through Tor and use the tor DNS resolver. You can use an existing set of iptables rules published on the Arch Linux wiki: https://wiki.archlinux.org/title/Tor#Transparent_Torification
You also won’t be able to federate with clearnet instances, if your instance uses a hidden service as its primary domain (i.e. @user:kxnsyyr[…].onion]. I remember someone who got it working to a certain extend, but fundamentally you are on your own, if you wish to get federation working with both clearnet and hidden service instances. I also urge you to verify whether there are any IP leaks. Last year I discovered Matrix Synapse was making direct connections to other instances completely bypassing Cloudflare and reverse proxies. I noticed this as after attempting to whitelist a specific instance that was behind Cloudflare. After whitelisting Cloudflare’s IP ranges, it simply would not work. When I was checking my logs, I noticed not connections. After that, I went into my Element Web client and typed in the designated instance. Once I did, I noticed an IP address in the logs that wasn’t a Cloudflare IP address. After whitelisting it, the connection worked. I haven’t tested this is in a while, but this was certainly the case last year when I was playing around with Matrix Synapse.
Lemmy: My instance is hosted on the clearnet with a separate hidden service front-end. While I haven’t upgraded Lemmy in a while, the hidden service client nonetheless pulls external images, such as avatars, via the clearnet. Running on version 0.19.5, not all images are yet being proxied and — as a result — you will make some connections over Tor to the clearnet. This is a common issue. In the case of Matrix, if your instance is hosted on a clearnet instance, but features a separate hidden service proxy, some elements may still be pulled in via the clearnet over the hidden service client.
Mitra: This is the only client that I know of, which is built for the darknet. It is a project developed by silverpill and features integrated Tor and i2p support. It enables you to federate with both clearnet and darknet instances rather than just one or the other. It is relatively minimal compared to Mastodon or Pleroma, however it does have some significant privacy benefits. Meanwhile, I have experienced issues with the likes of Pleroma and Akkoma. For example, my main instance was hosted on the clearnet, but featured a hidden service version. Unfortunately, by default, all images were still being loaded through external calls to other instances on the client side. So while you are accessing an onion address, you will still make clearnet connections to fetch media content from other instances and thereby leak the exit node to them. An alternative is use the media proxy and proxy all content through the server. However, you are only able to define one media proxy address. So if you would like to have both a clearnet and darknet front-end, you will have to select a clearnet domain for the media proxy. A workaround requires manual editing of the front-end to change the media proxy from clearnet to darknet when a user is accessing the darknet front-end.
Long story short, you will have a steep uphill climb ahead of you, if you would like to operate fediverse instances on the darknet. There are many pitfalls and issues since almost none of these instances are built explicitly for the darknet.
For my own platform, I’m developing a custom community forum that is made for the darknet that will integrate with Mitra to pull in the Mitra feed through the back-end. This will effectively show the Mitra feed in a javascript–free web application and make the fediverse accessible to darknet users. For chat, we are working on configuring an XMPP server with prosody, since prosody has a module enabling federation over Tor. At this time, XMPP is a much more viable option for the darknet than Matrix, which is especially the case as you can run it via a desktop client over Tor. While I do host a SimpleX relay, I’m not fond of SimpleX due to the glitchy UI, the VC funding, and the direction of the project as a whole. It also lacks significant moderation features, which are paramount for running a stable community. For now, we have both a SimpleX relay and a Matrix instance, but will switch to XMPP soon until something better comes along.
The only issue I have with XMPP relates to the registration. You can enable or disable registration. Technically, prosody does have mod_invites_register, which generates invitation tokens that are similar to Matrix Synapse’s registration token. Unfortunately, not a single client has implemented XEP-0379 to my knowledge rendering this feature effectively useless. If you would like to have a separate invitation form, I suggest creating a simple web application with a dedicated form and a simple database that allows you to approve / reject applicants.
Lastly, I also want to emphasize that open–source does not automatically mean free and open–source — that is free as in freedom as in libre. There is a rise in open–source software, yet little of it feels actually free. As for hosting anything on the darknet, compared to the clearnet, anything on the darknet takes 10 times the time, requires 10 times the resources, costs 10 times as much, and gives 10 times the headaches.
Best of luck!
While it isn’t easy for Matrix, running an quivalent XMPP server on Tor, I2P or similar is fairly well documented, and there are multiple such servers accessible both on the clearnet and Tor.
Many XMPP clients also have built in Tor proxy settings.
NGL I tried setting up an xmpp server with i2p once and it confused the fk out of me.
It would work just fine within TOR. Reaching out would be a massive pain as the software is not ready.
I’ve set up the “old” UI - no javascript - on TOR on lemmy.cafe. It works well, but that’s not a real hidden service, as such.
Yes, it is feasible and such instances already exist.
For example, you can run a Mitra instance on Tor, I2P or Yggdrasil. It is a lightweight micro-blogging server similar to Mastodon:
https://codeberg.org/silverpill/mitra
Tor / I2P docs:
- https://codeberg.org/silverpill/mitra/src/branch/main/docs/onion.md
- https://codeberg.org/silverpill/mitra/src/branch/main/docs/i2p.mdFrom a technical pov nothing is stopping it. Tor addresses are valid domains names and you can run your own fediverse in those networks. The problem becomes when you want clearnet instances to send you content. As they aren’t running in tor or i2p they can’t send you stuff.
The other problem is exit nodes are fairly well known for being the source of bad shit and many instances will block them as part of their anti spam/bot setup
As they aren’t running in tor or i2p they can’t send you stuff.
A server can run on both the clearnet and darknet simultaneously, but indeed I don’t think that works that well if the server name is the identifier for an instance — since it would be different between the networks.
If you detach the origin from the host it’d work, aka HTTP Alternative Services. Firefox used to (maybe still does? idk) use it to silently switch from using the base hostname to a hidden service when running under Tor, when the site provided the mapping.
Clearnet stuff would work without it, but any I2P/Tor support needs server integration, which would be non-existent at the moment I’d bet.
Not feasible.
Just use an instance that is outside USA and not using a USA hosting company? Half the fediverse uses Hetzner, for example. OVH (French) is another popular provider.
I’d probably choose somewhere outside of France. Hetzner probably a better bet.
Of course it’s feasible. Easy? Maybe not.
Good recommendations though.
I took the question to be “could you currently host fedi servers on the dark web, without any big changes to their code” but yeah I’m sure it’s possible to make it happen, if people wanted to put in the work.
Javascript will be an issue
That’s just a frontend issue. You can have clients that don’t try to do regular polling.
Having reliable activitypub federation is going to be a much harder challenge. The server to server protocol has a bunch of assumptions that are not true for tor and i2p.
And unless you want the entire network to become a CSAM and Nazi cespool, you would also need a reliable way of identifying servers, which defeats the purpose.
The server to server protocol has a bunch of assumptions that are not true for tor and i2p.
Could you please elaborate just a bit? I’m a web dev, but haven’t looked into fediverse protocols yet.
One example is HTTP signatures. Servers sign their payloads and receiving servers should validate not just the hash but ensure the payload is not too old. Mastodon allows for a twelve hour difference (https://docs.joinmastodon.org/spec/security/#http-signatures) but other software might be stricter for security reasons. The a bunch of things like webfinger were designed around public dns and public key chains A mastodon server running on the open internet and/or expecting public keychain HTTPs will not be able to federate with something running in tor.
You could cut enough corners to make something that federates inside tor, but at that point it’s better to design something around tor’s features.
One example is HTTP signatures.
Why is it the first time I hear of this?
Ah, because it’s apparently a fresh proposal, perhaps from Mastodon themselves.
https://www.w3.org/wiki/ActivityPub/Primer/Authentication_Authorization mentions HTTP signatures since the very first version of the document in 2017. The current efforts seem more in the direction of describing standardizing the existing usage.
APIs should work, though. So unless the instance needs some kinda captcha or other client-side challenge, e.g. for registration, people could presumably use apps with it.
Plus, if the aim is just to reach and use the instances, and not to be anonymous, then one could probably use a regular browser with a Tor proxy (Firefox can do it per site with both proxy-switching extensions and containers). Assuming that domain resolution would work.
However, in my experience, not many social-media-adjacent apps support setting a custom proxy, even though modern network libraries should make it a no-brainer. E.g. few Matrix clients support that, and ones that do aren’t much of an eye candy (and have problems with the initial setup of the encryption, which seems to be a pervasive issue with Matrix).
I’ve heard of TOR, not of I2P. Are they both programs to anonymise other programs? I didn’t know it was possible to anonymise an entire instance! Would be cool if that were possible.
I2P is like Tor but peer-to-peer and as a result more decentralized, IIRC.
I believe I2P is more for things like torrents.
I’ve been meaning to test it out (I seem to remember that it’s possible to run it side by side), but haven’t got a chance yet.
I didn’t know it was possible to anonymise an entire instance
I mean, that works pretty much like any server on the web, now that most communication is done via http. However, websockets, http/2 and /3 might break, I guess, when they expect a continuous connection.
(Dunno which underlying protocols Lemmy uses, so can’t guarantee that it’s really that easy.)
I don’t know what any of those terms mean. If it were easy, wouldn’t it have been done already?
Wouldnt that mean that users would also have to use tor? Thats not going to happen…
It might if they’re censored off the clearnet.
i feel like you may not really understand how basic the average user is.
for example, most have never even been near people who know what tor is. and as the technical-info proxy for an absurd number of humans the number of people asking me how to be ‘uncensored’ on the internet is zero. its fucking zero.
Who cares about them? Even if it was easier to use, they still wouldn’t use it because they want to be monitored.
https://github.com/agabani/tor-operator I’ve keep wanting to add something like this to a cluster and hosting those services behind a Tor proxy
