Dmytri Kleiner on how to set up a publicly accessible Tor-based forum

My criticism of Facebook and other sites is not they are not useful, it is rather that they are private, centralized, proprietary platforms. Also, simply abstaining from Facebook in the name of my own media purity is not something that I’m interested in, I don’t see capitalism as a consumer choice, I’m more interested in the condition of the masses, than my own consumer correctness. In the end it’s clear that criticizing platforms like Facebook today means using those platforms. Thus, I became a user and set up the Telekommunisten page. Unsurprisingly, it’s been quite successful for us, and reaches a lot more people than our other channels, such as our websites, mailing lists, etc. Hopefully it will also help us promote new decentralized channels as well, as they become viable.

Dmytri Kleiner

Dmytri Kleiner

I couldn’t agree more; using the master’s tools to help bring down a rapidly collapsing house is better than leaving those tools untouched. This certainly doesn’t stop us from finding or creating new tools to repurpose what remains. The shortcomings and profit-driven design imperatives of these platforms should be well understood by their users, and that is what we strive to do at the Foundation: educating users on the full spectrum of ideas related to Social Media.

Personal reflections aside, it’s good to see Kleiner and the gang at ThoughtWorks Werkstatt Berlin still leading the way in combining proprietary access with surveillance-conscious tools. Their latest creation in this burgeoning space is Werkstatt Groups, a web forum running on a Tor hidden service!

How have they achieved this? Kleiner explains it in the article below (originally published in his blog).

werkstatt

 

ThoughtWorks Werkstatt Berlin hosts many different working groups, including several Cryptoparties, The Kids’ Hacker Club, and the Marx-Engels Werkshau group. In order for the groups to plan and stay in touch with each other in between their meetings at Werkstatt, we have implemented Werkstatt Groups, an online discussion forum based on NodeBB.

Creating a discussion channel for Werkstatt is tricky, since working group participants range from Tor project contributors, who are very knowledgable and concerned about technology and privacy issues, to kids, to political activists, who have other interests and areas of focus, and may be still learning about technology and privacy issues. So the Werkstatt Groups platform needs to be something that is usable across the spectrum, to be a place where privacy experts and privacy novices can intereact online.

Looking at the options available, a simple web forum became the most reasonable choice. With the many working groups at Werkstatt, managing dozens of mailing lists seems unworkable. Usenet, alas, has become entombed behind paywalls, and is inaccessable to most people, except through untrusted interfaces like Google Groups. Platforms that offer groups functionality like Facebook obviously have privacy issues, among many others, and old favourites like IRC and Jabber are not particularly suitable for asynchronous group discussion.

So how to set up a web forum that respects privacy? Run it on a Tor hidden service!

Before I explain how this was done, I need to start with a disclaimer: Werkstatt Groups makes no guarantees of privacy or anonymity, Tor is designed to provide anonymity. However, identifying all the possible ways in which the software running the forum may leak information is not easy, so use caution and report any issues or potential issues to us.

There are two ways to access this site, the recommended way is Tor Browser. Downloading and installing Tor Browser Bundle takes seconds and ensures that all your browser traffic goes over Tor and that your browser doesn’t leak any information and is difficult to fingerprint.

Using Tor Browser, you can access Werkstatt Groups using this url: http://vgnx2fk2co55genc.onion. Note HTTPS is not used, this is because the connection is already encrypted by Tor.

The other way of accessing it is by way of the public URL, http://groups.werkstatt.tw, which links to HTTPS when you access the forum. This is a reverse proxy running on a different server than the one that hosts the hidden service, accessing the hidden service over the tor network, thus making the site publicly accessible outside of the Tor network by way of a public url, while at the same time not revealing the location of the hidden service.

The NodeBB platform itself is a very dynamic, responsive platform which makes heavy use of websockets by way of socket.io, this is very advantageous over Tor, as a request to a hidden service needs to traverse 6 different servers, making page loads very expensive. Minimizing page loads by way of websocket requests compensates for this.

However, NodeBB also has some drawbacks, the platform uses Gravatar and Google Fonts, and socket.io includes a Flash fallback option, so a small Flash object is loaded in the site. All these issues are fixable, and are on our isssues list, however the best way to defend against these kinds of issues is to use Tor Browser. This way, even requests to Gravatar and Google Fonts go over Tor, and potentially dangerous plugins like Flash are blocked. However, JavaScript running in the browser is always a security concern, as exploits are possible. Also, NodeBB is beta software in very active development, and we are running the bleeding-edge head-of-branch, so expect glitches and some downtime.

OK, OK, so with all that out of the way, here is how the setup works. If all you want to do is use the forum, just get started here: http://groups.werkstatt.tw, however if you want to know how the setup works, keep reading. This assumes a relatively expert knowledge of server setup, including node, tor, nginx and iptables.

Please visit Dmytri Kleiner’s blog for the full technical details

Leave A Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.