Title: Tor part 2: hidden service
       Author: Solène
       Date: 11 October 2018
       Tags: openbsd unix tor security
       Description: 
       
       In this second Tor article, I will present an interesting Tor feature
       named **hidden service**. The principle of a hidden service is to make
       a network service reachable from anywhere, with the only prerequisites
       being that the computer is powered on, has network access and can
       reach the Tor network. 
       
       This service will be available through an address that discloses
       nothing about the server's internet provider or its IP; instead, a
       hostname ending in **.onion** is generated by tor for connecting.
       The hidden service is only reachable through Tor.
       
       There are a few advantages of using hidden services:
       
       - privacy: the hostname doesn't contain any hint about the server
       - security: the connection is encrypted end to end inside Tor and the
         .onion address authenticates the service, so a service that does
         not use SSL/TLS is still reached securely
       - no need for running some kind of dynamic dns updater
       
       The drawbacks are that it is quite slow and that it only works for
       TCP services.
       
       From here, we assume that Tor is installed and working.
       
       Running a hidden service requires modifying the Tor daemon
       configuration file, located at **/etc/tor/torrc** on OpenBSD.
       
       Add the following lines in the configuration file to enable a hidden
       service for SSH:
       
           HiddenServiceDir /var/tor/ssh_service
           HiddenServicePort 22 127.0.0.1:22
       
       The directory **/var/tor/ssh_service** will be created. The
       directory **/var/tor** is owned by user **_tor** and not readable by
       other users. The hidden service directory can be named as you want,
       but it must be owned by user **_tor** with restricted permissions:
       tor refuses to use a directory that other users can read. The Tor
       daemon takes care of creating the directory with the correct
       permissions once you reload it.
       
       Now you can reload the tor daemon to make the hidden service
       available.
       
           $ doas rcctl reload tor
       
       In the **/var/tor/ssh_service** directory, two files are created: the
       service's private key, which must stay secret since whoever holds it
       can impersonate the service, and **hostname**. What we want is the
       content of the file **hostname**, which contains the hostname to
       reach our hidden service.
       
           $ doas cat /var/tor/ssh_service/hostname
           piosdnzecmbijclc.onion
       
       Now, we can use the following command to connect to the hidden service
       from anywhere. As with any first ssh connection, verify the host key
       fingerprint out of band before accepting it.
       
           $ torsocks ssh piosdnzecmbijclc.onion
       
       On the Tor network, this feature doesn't use an exit node: the traffic
       stays inside Tor from the client to the hidden service. Hidden
       services can be used for various services like http, imap, ssh,
       gopher etc.
       
       Using a hidden service isn't illegal, nor does it make the computer a
       relay of the tor network; as previously, just check that you are
       allowed to use Tor on your network.
       
       Note: it is possible to use a version 3 .onion address, which makes
       address collisions and impersonation impractical (a version 2 address
       is only a truncated hash of the service key), at the cost of a much
       longer hostname. Version 2 addresses have since been deprecated and
       are no longer supported by current Tor releases, so new services
       should use version 3. This is done as in the following example:
       
           HiddenServiceDir /var/tor/ssh_service
           HiddenServicePort 22 127.0.0.1:22
           HiddenServiceVersion 3
       
       This will produce a really long hostname (56 characters) like
       tgoyfyp023zikceql5njds65ryzvwei5xvzyeubu2i6am5r5uzxfscad.onion
       
       If you want both the short and the long hostname, you need to declare
       the hidden service twice, with different directories.
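       The whole procedure above (writing the torrc stanza, reloading tor,
       reading the hostname and choosing between a version 2 and a version 3
       address) as one script, added here as an example; it is not code from
       the original article or from the Tor project. Paths follow the
       article. The helper names are mine, hs_apply assumes the doas rights
       used in the article and defaults to a version 3 service pointing at
       the local sshd, and onion_version checks that a hostname has the
       length and base32 alphabet (a-z, 2-7) of a real .onion address.

```shell
#!/bin/sh
# Added example, not code from the original article: script the hidden
# service setup on OpenBSD and sanity-check the result. Paths follow the
# article; hs_stanza and onion_version run anywhere, hs_apply needs doas.

TORRC=/etc/tor/torrc

# Print the torrc stanza for one hidden service.
# $1 directory name under /var/tor, $2 virtual port, $3 local target host:port,
# $4 address version (3 is current; 2 is the short, deprecated format)
hs_stanza() {
    printf 'HiddenServiceDir /var/tor/%s\nHiddenServicePort %s %s\nHiddenServiceVersion %s\n' \
        "$1" "$2" "$3" "$4"
}

# Classify the content of HiddenServiceDir/hostname: prints v2 for a
# 16-character address, v3 for a 56-character one, invalid otherwise
# (return status 1). Onion addresses use the base32 alphabet a-z and 2-7 only.
onion_version() {
    name=$1
    case $name in
        *.onion) ;;
        *) echo invalid; return 1 ;;
    esac
    label=${name%.onion}
    case $label in
        ''|*[!a-z2-7]*) echo invalid; return 1 ;;
    esac
    case ${#label} in
        16) echo v2 ;;
        56) echo v3 ;;
        *)  echo invalid; return 1 ;;
    esac
}

# Server side: append the stanza once, reload tor, wait for the hostname file
# and show that tor created the directory as _tor with mode 0700.
hs_apply() {
    dir=$1
    if ! doas grep -q "^HiddenServiceDir /var/tor/$dir\$" "$TORRC"; then
        hs_stanza "$dir" 22 127.0.0.1:22 3 | doas tee -a "$TORRC" >/dev/null
    fi
    doas rcctl reload tor
    i=0
    while [ "$i" -lt 15 ] && ! doas test -s "/var/tor/$dir/hostname"; do
        sleep 1
        i=$((i + 1))
    done
    doas ls -ld "/var/tor/$dir"     # expect: drwx------ ... _tor _tor ...
    host=$(doas cat "/var/tor/$dir/hostname")
    echo "$host ($(onion_version "$host"))"
}

# Usage on the server: sh hs.sh apply ssh_service
if [ "${1:-}" = apply ]; then
    hs_apply "${2:-ssh_service}"
fi
```

       The grep guard keeps the script idempotent, so running it twice does
       not add a second stanza for the same directory; a second service with
       its own directory is just another hs_stanza call.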
       
       Take care: if you run an ssh service on your public IP and use the
       same ssh daemon for the hidden service, the host keys will be the
       same, implying that someone could theoretically associate both and
       know that **this** public IP runs **this** hidden service, breaking
       anonymity. The fix is to run a separate sshd instance, with its own
       host keys, that listens on localhost only and is the target of
       HiddenServicePort.
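       One way to separate the two, added here as an example that is not code
       from the original article: a second sshd instance with its own ed25519
       host key on a loopback port, plus a check run from a client that
       fetches the host key of the public host and of the onion with
       ssh-keyscan and reports whether they are the same. The config path,
       key path and port 2222 are assumptions for illustration; with them the
       torrc line becomes HiddenServicePort 22 127.0.0.1:2222, and the
       helper names are mine.

```shell
#!/bin/sh
# Added example, not code from the original article: give the hidden service
# its own sshd instance and host keys, and check from outside that the public
# host and the onion do not present the same key. ONION_CFG, ONION_KEY and
# ONION_PORT are assumed values; torrc must point at 127.0.0.1:$ONION_PORT.

ONION_CFG=/etc/ssh/sshd_config.onion
ONION_KEY=/etc/ssh/ssh_host_ed25519_key.onion
ONION_PORT=2222

# Config for the onion-only sshd: its own key, loopback only, own pid file
# so it does not clash with the regular instance.
onion_sshd_config() {
    cat <<EOF
Port $ONION_PORT
ListenAddress 127.0.0.1
HostKey $ONION_KEY
PidFile /var/run/sshd.onion.pid
PasswordAuthentication no
EOF
}

# Server side: generate the separate key, install the config, test it and
# start the instance (put the last sshd command in /etc/rc.local for boot).
onion_sshd_setup() {
    doas ssh-keygen -t ed25519 -N '' -f "$ONION_KEY"
    onion_sshd_config | doas tee "$ONION_CFG" >/dev/null
    doas /usr/sbin/sshd -t -f "$ONION_CFG" && doas /usr/sbin/sshd -f "$ONION_CFG"
}

# Given two ssh-keyscan outputs ("host keytype base64key" lines), return 0 if
# any key type/blob pair appears in both, 1 otherwise.
shared_hostkey() {
    { printf '%s\n' "$1"; echo '--'; printf '%s\n' "$2"; } | awk '
        /^--$/              { second = 1; next }
        /^#/ || NF < 3      { next }
        !second             { seen[$2 " " $3] = 1; next }
        ($2 " " $3) in seen { found = 1; exit }
        END                 { exit !found }'
}

# Client side (needs a running tor): fetch both keys and compare them.
# $1 public hostname or IP, $2 the .onion hostname
check_linkability() {
    pub=$(ssh-keyscan -p 22 "$1" 2>/dev/null)
    onion=$(torsocks ssh-keyscan -p 22 "$2" 2>/dev/null)
    if shared_hostkey "$pub" "$onion"; then
        echo "WARNING: $1 and $2 present the same host key and can be linked"
        return 1
    fi
    echo "OK: $1 and $2 use different host keys"
}

# Usage: sh onion_sshd.sh setup                                   (server)
#        sh onion_sshd.sh check host.example piosdnzecmbijclc.onion (client)
case ${1:-} in
    setup) onion_sshd_setup ;;
    check) check_linkability "$2" "$3" ;;
esac
```

       The check compares the key type and the key blob, not the fingerprint
       text, so it is independent of the hashing format ssh-keygen prints;
       running it from a machine outside your network mirrors what an
       observer trying to link the two addresses would do.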