Use onion services for built-in Brave connections

[tildelowengrimm]

Once we have Tor working, we should consider using it whenever the browser would otherwise connect directly to a service run by Brave.

If Brave is connecting to on of our services we should probably configure that as an onion service on our end. Should we use a single onion service rather than a full hidden service? We should consider using something like Alec Muffett's Enterprise Onion Toolkit on the infrastructure side.

Tor — even a single onion service — is still probably slower than a regular connection. This may impact it s applicability for some services. But there are certainly background processes for which this is not a problem.

Some specific services which we should consider torifying:

• ledger services (Use Tor for ledger proxy instead of PIA #12923)
• update ping & downloads (Use Tor for update checks and downloads #12924)
• analytics (Use Tor for analytics and reporting #12925)
• sync (Use Tor for sync #12926)

This issue is a meta/tracker for those, and a reminder that there may be services other than those listed above for which this makes sense.

[riastradh-brave]

There are two related questions here:

1. Should the browser make these connections through Tor?

   • Pro: We bake fewer tracking beacons into the toys we hand out to hapless users.
   • Con: Slower.

2. If so, should the server be accessible (only) through an onion service?

   • Pro: Natural equivalent of certificate pinning. No DNS/vhost/certificate overhead.
   • Con: Key management issues. Onion management overhead, e.g. with eotk or what-have-you.

[tildelowengrimm]

I think that a lot of the features under this umbrella don't have to take user time, so they don't need to feel fast. For each feature that's worth implementing over Tor client-side, I think it's worth implementing as an onion service server-side. And for each onion that we stand up, I think it makes sense to retire the regular HTTPS access point after enough versions that we can reasonably expect users not to be running old-enough versions of Brave that they'll need to access the HTTPS versions.

[riastradh-brave]

For any built-in service that we route through Tor, there's another advantage to using a (single-hop) onion service over just using an ordinary https host: less load on the exit nodes in the network, which are bottlenecks and which we're (currently) not contributing back to.

(The tradeoff isn't as clear for standard three-hop onion services, but I can't imagine we have any reason to pay the cost in the Tor network commons of server anonymity here.)

[tildelowengrimm]

Definitely agree: this is exactly the right situation for single-hop onions.

[bsclifton]

@flamsmark did you want to create an issue for this in brave-core and then close this out?

[NumDeP]

I was wondering if update ping & downloads (#12924) also includes extensions as well and whether torifying Brave's new webstore or simply just the updates in about:preferences#extensions be overkill?

[tildelowengrimm]

This issue now lives at brave/brave-browser#804.