1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
//! Security Features Example for hypertor
//!
//! This example demonstrates ALL security hardening features available in hypertor.
//! These features are fully integrated with arti's security APIs.
//!
//! Run with: cargo run --example security_features
//!
//! Use cases demonstrated:
//! 1. Client in censored network (China scenario)
//! 2. Maximum security onion service (Free Press scenario)
//! 3. Private service with client authorization
//! 4. Defense in depth with all features combined
use hypertor::{
Result, TorClientBuilder, VanguardMode,
onion_service::{ClientAuthMode, OnionServiceConfig},
security::{ClientSecurityConfig, ServiceSecurityConfig},
};
use std::time::Duration;
#[tokio::main]
async fn main() -> Result<()> {
tracing_subscriber::fmt::init();
// ===========================================================================
// SCENARIO 1: Client in Censored Network (China, Iran, Russia)
// ===========================================================================
// When operating in a censored network:
// - Direct Tor connections are BLOCKED
// - You MUST use bridges (unlisted relays)
// - You MUST use pluggable transports (obfs4, meek, snowflake)
// - Full vanguards recommended for maximum anonymity
println!("=== Scenario 1: Censored Network Client ===\n");
let _client_builder = TorClientBuilder::new()
// Multiple bridges for reliability (if one is blocked, others work)
// These are example bridges - get real ones from bridges.torproject.org
.bridge("obfs4 192.0.2.1:443 FINGERPRINT cert=base64cert iat-mode=0")
.bridge("obfs4 192.0.2.2:443 FINGERPRINT cert=base64cert iat-mode=0")
.bridge("obfs4 192.0.2.3:443 FINGERPRINT cert=base64cert iat-mode=0")
// Pluggable transport binary (must be installed on system)
// Common transports: obfs4proxy, snowflake-client, meek-client
.transport("obfs4", "/usr/bin/obfs4proxy")
// Full vanguards protect against traffic analysis
// This is CRITICAL in hostile networks where adversary controls ISPs
.vanguards(VanguardMode::Full)
// Longer timeouts for high-latency censored connections
.timeout(Duration::from_secs(120))
// Limit connections to reduce fingerprint
.max_connections(5);
println!("China scenario client configured:");
println!(" - 3 obfs4 bridges for redundancy");
println!(" - obfs4proxy transport for traffic obfuscation");
println!(" - Full vanguards for guard discovery protection");
println!(" - 120s timeout for high-latency connections");
// To actually connect:
// let client = client_builder.build().await?;
// let resp = client.get("http://example.onion")?.send().await?;
// ===========================================================================
// SCENARIO 2: Maximum Security Onion Service (Free Press / Whistleblower)
// ===========================================================================
// When hosting a service that may be targeted:
// - DoS attacks from state actors
// - Deanonymization attempts
// - Need high availability under attack
println!("\n=== Scenario 2: Maximum Security Onion Service ===\n");
let _service_config = OnionServiceConfig::new("free-press-server")
// ---- DoS Protection ----
// Proof-of-Work (Equi-X) - Clients must solve puzzle to connect
// This makes large-scale DoS attacks computationally expensive
.with_pow()
// PoW queue depth - How many pending connections to allow
// 16000 * 4KB ≈ 64MB memory
.pow_queue_depth(16000)
// Rate limiting at introduction points
// rate: 10 requests per second, burst: 20 requests
// Prevents intro point flooding
.rate_limit_at_intro(10.0, 20)
// Stream limit per circuit - Prevents stream flooding attacks
// Attacker can't open thousands of streams on one circuit
.max_streams_per_circuit(100)
// ---- Anonymity Protection ----
// Full vanguards - Protects against guard discovery attacks
// Essential for high-value targets
.vanguards_full()
// More introduction points - Higher availability
// Service remains reachable even if some intros are attacked
.num_intro_points(5);
println!("Free Press server configured:");
println!(" - Proof-of-Work enabled (Equi-X algorithm)");
println!(" - PoW queue: 16000 pending connections (~64MB)");
println!(" - Rate limit: 10 req/s at intro points, burst 20");
println!(" - Stream limit: 100 per circuit");
println!(" - Full vanguards for deanonymization protection");
println!(" - 5 intro points for high availability");
// To start the service:
// let mut service = OnionService::new(service_config);
// let address = service.start().await?;
// println!("Service running at: {}", address);
// ===========================================================================
// SCENARIO 3: Private Service with Client Authorization
// ===========================================================================
// When you need a service accessible only to specific clients:
// - Private organizational service
// - Restricted access journalism portal
// - Invite-only communication platform
println!("\n=== Scenario 3: Private Service (Restricted Discovery) ===\n");
let _private_config = OnionServiceConfig::new("private-portal")
// Stealth mode: Service hidden from unauthorized clients
// Unauthorized users get no response at all (not even "access denied")
// Note: Use authorize_client() to add actual keys in production
// Still use PoW for authorized clients (defense in depth)
.with_pow()
// Full vanguards even for private service
.vanguards_full();
println!("Private service configured:");
println!(" - Use authorize_client() to add authorized keys");
println!(
" - ClientAuthMode: {:?} (None by default)",
ClientAuthMode::None
);
println!(" - PoW still enabled for defense in depth");
// ===========================================================================
// SCENARIO 4: Using Security Presets
// ===========================================================================
// hypertor provides security presets for common configurations
println!("\n=== Scenario 4: Security Presets ===\n");
// Standard: Balanced security
let standard = ServiceSecurityConfig::standard();
println!("Standard Security:");
println!(" - PoW: {}", standard.enable_pow);
println!(" - Rate limit: {:?}", standard.rate_limit);
println!(" - Max streams: {}", standard.max_streams);
println!(" - Intro points: {}", standard.num_intro_points);
// Enhanced: For services expecting some attacks
let enhanced = ServiceSecurityConfig::enhanced();
println!("\nEnhanced Security:");
println!(" - PoW: {}", enhanced.enable_pow);
println!(" - Rate limit: {:?}", enhanced.rate_limit);
println!(" - Max streams: {}", enhanced.max_streams);
println!(" - Intro points: {}", enhanced.num_intro_points);
// Maximum: For high-value targets
let maximum = ServiceSecurityConfig::maximum();
println!("\nMaximum Security:");
println!(" - PoW: {}", maximum.enable_pow);
println!(" - Rate limit: {:?}", maximum.rate_limit);
println!(" - Max streams: {}", maximum.max_streams);
println!(" - Intro points: {}", maximum.num_intro_points);
// ===========================================================================
// SCENARIO 5: Security Levels for Client Configuration
// ===========================================================================
println!("\n=== Scenario 5: Client Security Levels ===\n");
let configs = [
("Standard", ClientSecurityConfig::standard()),
("Enhanced", ClientSecurityConfig::enhanced()),
("Maximum", ClientSecurityConfig::maximum()),
];
for (name, config) in configs {
println!("{} Security:", name);
println!(" - Vanguard mode: {:?}", config.vanguard_mode);
println!(" - Strict isolation: {}", config.strict_isolation);
println!();
}
// ===========================================================================
// Summary
// ===========================================================================
println!("=== Summary ===\n");
println!("All security features in hypertor are FULLY INTEGRATED with arti:");
println!();
println!("✓ Vanguards → arti VanguardConfigBuilder::mode()");
println!("✓ PoW (Equi-X) → arti OnionServiceConfigBuilder::enable_pow()");
println!("✓ Rate Limiting → arti OnionServiceConfigBuilder::rate_limit_at_intro()");
println!(
"✓ Stream Limits → arti OnionServiceConfigBuilder::max_concurrent_streams_per_circuit()"
);
println!("✓ Client Auth → arti RestrictedDiscoveryConfigBuilder");
println!("✓ Bridges → arti TorClientConfigBuilder::bridges()");
println!("✓ Transports → arti TransportConfigBuilder");
println!();
println!("NO SCAFFOLDING. NO FAKE SECURITY. ALL REAL.");
Ok(())
}