Introducing Onion Containers - Docker Meets the Darknet
OnionContainers.com is a cloud hosting service with a difference. As the name suggests, you can spin up a Docker container that is only accessible via Tor.
At the moment you can only spin up free instances of NGINX, an SSH shell based on Alpine and a PostgreSQL container. These containers last for between 15 minutes and 1 hour. But when we move to Beta in Q3 2018, you will be able to specify any Docker image from any registry and OnionContainers will pull it down ready for you to configure.
We are also proud to report that we have secured an EV Certificate and will be serving it on our container656ovix.onion domain and, in what we believe to be a world first, on a NextGen Onion: hzwjmjimhr7bdmfv2doll4upibt5ojjmpo3pbp5ctwcg37n3hyk7qzid.onion/.
We don’t require any personal information from you to use our services, but we want to ensure that you know you’ve visited the right place, so an EV certificate seemed like a good idea!
The OnionContainers service was built to give people an easy way to host content via Tor Onion Services in a way that respects their privacy. What better way to do that than to require no personal information, accept Monero and use Onion Services ourselves!
Q3 Beta Features
- Specify any image for use with your container
- Specify up to 10 Tor Onion Service port mappings (e.g. map xxxxxxxxx.com:80 to container:8080)
- Specify environment variables for your container
- Pay with Bitcoin, Monero or ZCash to keep your container running for as long as you wish
- Write a custom docker file
- Use Docker Swarm to spin up multiple containers (e.g. WordPress & MySQL)
- Integration with OnionWatch.email for alerting if your service goes down
- A Docker registry running at OnionContainers.com:5000 and container656ovix.onion:5000 for users to store their own images
The Journey to .onion EV TLS
Securing an Extended Validation certificate can be a pain, but the folks at CertSimple make it much easier. There are still some hurdles to jump over, and we’ll cover them here.
1. Generate your onion address.
2. Generate an RSA public key from your private key (needed due to the concerns around SHA1):

   ```shell
   openssl rsa -in key.pem -pubout -out pubkey.pem
   ```
3. Register your Business Name somewhere such as HotFrog or Data.com.
   - Ensure your address matches that of Companies House / Domain / Certificate.
   - Ensure the phone number listed is one which can be transferred through to yourself.
4. Generate your CSR and key (unless you really trust CertSimple):

   ```shell
   openssl ecparam -genkey -name prime256v1 -out xxxxxxxx.onion.key
   openssl req -new -key xxxxxxxx.onion.key -out xxxxxxxx.onion.csr -subj '/C=GB/L=Town/O=Company Name/CN=xxxxxxxx.onion'
   ```
5. Ensure your website whois lists an email address you can check.
   - If you don’t receive the email sent to that address it will slow things down.
   - DNS TXT verification is an option; make sure you email the team.
6. Go to CertSimple.com and start the process.
   - Enter the business name *(it should autocomplete from Companies House)*.
   - Enter a display City/Town *(it should match all your other details)*.
   - Enter your .onion domain.
   - Choose to upload your own CSR.
   - Enter your contact details (used as part of the validation process, but they don’t feature in the certificate).
   - Choose 1 year, then fill in the payment details and you’re all sorted.
7. You will receive several emails:
   - An email asking you to confirm the Terms and Conditions of the CA, with the subject “Completing Your [CA] Order”.
   - An email asking you to confirm access to the domain(s) (step 5), with the subject “Please validate ownership of your domain”.
   - An email asking you to forward the URL of the profile you created in step 3 to the CA’s support team.
8. Reply to the email from CertSimple, attach the RSA public key you generated in step 2 and advise them if you’d like a wildcard record for your .onion.
9. You will shortly receive a phone call asking you to confirm the details and give permission to issue the certificate.
10. A few hours later you should receive your certificate.
11. Install it and you’re good to go.
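Before attaching the RSA public key in step 8, it is worth confirming that it really corresponds to the onion address you are certifying, since that key is what the CA uses to check the address. The following is an added example, not code from the original post or from OnionContainers: it derives the classic 16-character (v2) onion address from the `pubkey.pem` that `openssl rsa -pubout` writes (SHA1 over the DER-encoded RSAPublicKey, first 80 bits, base32), so it does not apply to the 56-character NextGen address; the sample key material is constructed inline and is not a real key.

```python
import base64
import hashlib

# AlgorithmIdentifier contents for rsaEncryption: OID 1.2.840.113549.1.1.1 followed by NULL
RSA_ENCRYPTION = bytes.fromhex("06092a864886f70d0101010500")

def _der_len(n):
    if n < 0x80:  # short form: a single length octet
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body  # long form: count octet, then the length

def _der_int(value):
    data = value.to_bytes((value.bit_length() + 8) // 8, "big")  # top bit clear => positive
    return b"\x02" + _der_len(len(data)) + data

def _der_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length  # (tag, contents, next offset)

def rsa_public_key_der(n, e):
    body = _der_int(n) + _der_int(e)
    return b"\x30" + _der_len(len(body)) + body  # PKCS#1 RSAPublicKey, what Tor hashes

def rsa_spki_pem(n, e):
    """Constructed SubjectPublicKeyInfo PEM in the shape `openssl rsa -pubout` writes; not a real key."""
    bit_string = b"\x00" + rsa_public_key_der(n, e)  # leading 0x00 = no unused bits
    body = b"\x30\x0d" + RSA_ENCRYPTION + b"\x03" + _der_len(len(bit_string)) + bit_string
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{wrapped}\n-----END PUBLIC KEY-----\n"

def onion_v2_address(rsa_der):  # base32 of the first 80 bits of SHA1(RSAPublicKey DER)
    return base64.b32encode(hashlib.sha1(rsa_der).digest()[:10]).decode().lower() + ".onion"

def onion_address_from_pem(pem):
    """Unwrap the RSAPublicKey from a PEM SubjectPublicKeyInfo and derive the v2 address."""
    b64 = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    _, spki, _ = _der_tlv(base64.b64decode(b64))  # outer SEQUENCE
    tag, alg, pos = _der_tlv(spki)                 # AlgorithmIdentifier
    if tag != 0x30 or alg != RSA_ENCRYPTION:
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    tag, bits, _ = _der_tlv(spki, pos)             # BIT STRING wrapping the RSAPublicKey
    if tag != 0x03 or bits[:1] != b"\x00":
        raise ValueError("malformed BIT STRING around RSAPublicKey")
    return onion_v2_address(bits[1:])
```

In practice you would pass the contents of your own `pubkey.pem` to `onion_address_from_pem` and compare the result with the address in your CSR; `rsa_spki_pem` only exists to build a constructed stand-in offline.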
> As far as I'm aware @OnionContainers is the first @torproject NextGen .onion to get an EV certificate which is pretty cool.
>
> — Gareth (@NetworkString), March 28, 2018

> These onions are running in SingleHop mode with an EV certificate that attributes it to a business - there's no "darknet" here - just privacy & anonymity! pic.twitter.com/raNUElyZbI