A release candidate for next Tuesday's stable Tor Browser 9.5 has been announced on tor-qa. Some excerpts from the changelog:
(Depends on tor 0.4.3.x and needs an ExtendedErrors flag in torrc for the 9150 Socks ports)
(Might be impossible to make this work with onion-grater while still isolating VMs)
Thanks!
Update Tor to 0.4.3.5
Done
Bug 19251: Show improved error pages for onion service errors
SocksPort option ExtendedErrors
This is now implemented:
Bug 30237: Control port module improvements for v3 client authentication
onion_client_auth_add
Now implemented too.
( https://www.whonix.org/wiki/Dev/Control_Port_Filter_Proxy )
This is now in Whonix developers repository.
Should this really be whitelisted by default? If you log into an onion service with Tor Browser on a particular VM, you're now suddenly logged into it on all other VMs too!
Good point!
Will undo, comment this out now.
//cc @HulaHoop
Maybe this is bound per connection similar to ephemeral Tor onion services? In that case, other VMs couldn't re-use it.
Maybe this is bound per connection similar to ephemeral Tor onion services?
I'm not familiar with how connections are bound for ephemeral services, but no - you can definitely login across VMs.
onion_client_auth_add Flags=Permanent fails with 553 Unable to store creds for
onion-grater-add onion_authentication
onion-grater-remove onion_authentication
...but that is incomplete.
onion_client_auth_add part is "contributor required".
Making that work would require extensive modifications. Started here but unlikely to finish anytime soon:
https://www.whonix.org/wiki/Dev/Control_Port_Filter_Proxy#onion_client_auth_add
Tor Browser currently gets confused by onion-grater. When providing the onion service authentication key, Tor Browser does not even ask Tor ControlPort. (Does not show up in onion-grater.) It works with onion-grater --complain (pasthrough without filtering) mode.
We'd need to make Tor Circuit View visible inside Whonix-Workstation but filter the actual relay fingerprints / IPs. All Tor Browser control protocol commands should be processed but relayed back to the workstation redacted.
Requires RegEx knowledge which isn't a strong skill of mine.
RegEx contributor required:
https://www.whonix.org/wiki/Contribute#Regular_Expression_RegEx
Tor Browser onion authentication prompt:
https://blog.torproject.org/sites/default/files/inline-images/onion-auth%402x.png
Perhaps ricochet, not that it matters currently.
https://lists.torproject.org/pipermail/tor-dev/2020-June/014353.html
553 Unable to store creds for
Did you set ClientOnionAuthDir in torrc (to a directory with "private
enough" permissions)?Rusty
https://github.com/Whonix/anon-gw-anonymizer-config/commit/47cf0e376ab4af6a2b9f2165b6e449c2176a3afd