[GH-ISSUE #231] cobalt as a Tor .onion service #7482

Closed
opened 2026-04-21 19:24:50 -05:00 by GiteaMirror · 7 comments

Originally created by @suprstarrd on GitHub (Oct 28, 2023).
Original GitHub issue: https://github.com/imputnet/cobalt/issues/231

I think it'd be really nice if cobalt was available as a .onion service for Tor users. I probably don't have to explain to you who Tor is used by, but you do also mention cobalt is used by journalists and that it respects your privacy. I can see having a .onion service being helpful in serving both these interests.

regular Tor does circumvent censorship, but the exit relay could still snoop on traffic if they really wanted to. .onion services anonymize both sides of communication (client/server) so there's no metadata communicated between them - it's entirely end-to-end.

as someone who's pretty paranoid about privacy, censorship, and cares a lot about internet archival and preservation, I personally would use it over the regular cobalt.tools. I'm probably the only person who accesses it over Tor lmfao, but if I'm not then go figure I guess

however, I also know that this is not exactly all sunshine and rainbows to set up lmfao - so I wanted to bring up some other things to consider:

* existing websites do have .onion services!
  * Twitter [offers a Tor .onion service](https://www.theverge.com/2022/3/8/22967843/twitter-tor-onion-service-version-launch), but current management has let the three certificates expire. I've downloaded and reuploaded them [here](https://github.com/jbmagination/dump/releases/tag/twt), but if you don't trust me you can go through the Tor Browser and [visit the links yourself](https://help.twitter.com/en/using-x/x-supported-browsers).
  * Reddit offers a Tor .onion service
  * Facebook support was mentioned in #54 - they offer a Tor .onion service too
* your .onion service link can actually be called cobalt. [v2 .onion services are deprecated](https://blog.torproject.org/v2-deprecation-timeline), but [mkp224o](https://github.com/cathugger/mkp224o) still lets you make these addresses for the latest v3.
* you don't need HTTPS for .onion sites (you can probably put together why), but generally people do still see HTTPS as necessary and HTTP as scary - because it is! ...except in Tor. [there is some guidance on it](https://community.torproject.org/onion-services/advanced/https/), but don't worry about it too much - if you want it then go for it but it's absolutely not necessary.

I know you're sponsored by Royale Hosting, so if you do want to do this **chat with them first**! feel free to check out [Tor's website](https://community.torproject.org/onion-services/) and [this list](https://community.torproject.org/relay/community-resources/good-bad-isps/).
GiteaMirror added the feature request label 2026-04-21 19:24:50 -05:00

@ghost commented on GitHub (Oct 29, 2023):

I think that wouldn't work because, as far as I know, cobalt saves a hashed version of your IP address temporarily (20 seconds) to identify you, then send you the requested video.

(Source: it was mentioned on the website a little while ago, until it was rewritten to a simpler sentence. I'm not sure if wukko has changed the system to be more privacy friendly.)


@suprstarrd commented on GitHub (Oct 29, 2023):

oh yeah I didn't even think about that tbh. I think that wouldn't be much of an issue though as like 99% of traffic won't be through Tor anyway, and any hashed IP that comes through would just be a Tor exit node. and while that would be anyone who collectively exits through that node, there's like more than 1,000 so that's almost guaranteed to not affect anyone


@wukko commented on GitHub (Oct 29, 2023):

> cobalt saves a hashed version of your IP address temporarily (20 seconds) to identify you, then send you the requested video

this was removed from privacy policy because cobalt no longer keeps any personal information about you that isn’t necessary to perform the download (aka download links and its metadata)


@wukko commented on GitHub (Oct 29, 2023):

> any hashed IP that comes through would just be a Tor exit node. and while that would be anyone who collectively exits through that node, there's like more than 1,000 so that's almost guaranteed to not affect anyone

the sha256 hash was impossible to recreate because it was salted with a rotating key, so it could not possibly affect anyone even if it was to somehow ever leak.


@suprstarrd commented on GitHub (Oct 29, 2023):

> the sha256 hash was impossible to recreate because it was salted with a rotating key, so it could not possibly affect anyone even if it was to somehow ever leak.

didn't know it was rotating; I thought that was being collected for rate limiting purposes


@wukko commented on GitHub (Oct 29, 2023):

slight update: rate limiting is still done with hashed ip, but it isn't effective as salt rotates, i will either fix or remove it in a future update.
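
The effect described in the comment above, shown as an added example that is not part of the thread and is not cobalt's code: a rate limiter keyed on a salted SHA-256 of the client IP loses its counters every time the salt rotates. The class name, the limit of 5 per 60 s, the salt lifetimes and the sample IP are assumptions made for the illustration.

```javascript
// Added example, not cobalt's code. All names and numbers are assumptions.
const { createHash, randomBytes } = require('node:crypto');

class HashedIpLimiter {
  constructor({ limit, windowMs, saltLifetimeMs }) {
    Object.assign(this, { limit, windowMs, saltLifetimeMs });
    this.saltBorn = -Infinity;   // forces a fresh salt on first use
    this.hits = new Map();       // salted hash -> { count, windowStart }
  }

  // Salted SHA-256 of the client IP; the raw IP is never stored.
  key(ip, now) {
    if (now - this.saltBorn >= this.saltLifetimeMs) {
      this.salt = randomBytes(32);
      this.saltBorn = now;
      this.hits.clear();         // old counters can never be matched again
    }
    return createHash('sha256').update(this.salt).update(ip).digest('hex');
  }

  // Fixed-window counter per hashed key.
  allow(ip, now) {
    const k = this.key(ip, now);
    const entry = this.hits.get(k);
    if (!entry || now - entry.windowStart >= this.windowMs) {
      this.hits.set(k, { count: 1, windowStart: now });
      return true;
    }
    entry.count += 1;
    return entry.count <= this.limit;
  }
}

// Replays `n` requests from one IP, `stepMs` apart, and counts how many pass.
function countAllowed(limiter, ip, n, stepMs) {
  let allowed = 0;
  for (let i = 0; i < n; i++) if (limiter.allow(ip, i * stepMs)) allowed++;
  return allowed;
}

const policy = { limit: 5, windowMs: 60_000 };
// Six different salts are used inside one 60 s window: 6 x 5 requests pass.
const rotating = new HashedIpLimiter({ ...policy, saltLifetimeMs: 10_000 });
// The salt outlives the window: the limit of 5 holds.
const stable = new HashedIpLimiter({ ...policy, saltLifetimeMs: 60_000 });

console.log(countAllowed(rotating, '203.0.113.7', 60, 1000)); // constructed IP
console.log(countAllowed(stable, '203.0.113.7', 60, 1000));
```

Even with a longer-lived salt, a rotation still cuts short whichever window it lands in, so the salt lifetime needs to be well above the rate-limit window for the limit to hold in practice.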


@suprstarrd commented on GitHub (Oct 30, 2023):

oh wait no it won't close the issue i may be a slight dumbass
