@mroystonward
Last active December 16, 2020 02:16
Bandcamp Onion

This file is mirrored on Tor at bctorowb7blvvryo.onion

The whole of Bandcamp has been mirrored/proxied over Tor using Alec Muffett's EOTK (https://github.com/alecmuffett/eotk).

The Bandcamp mirror can be found at bandc2v6rbqrn6vx.onion

As EOTK uses self-signed certificates, this solution isn't ideal and generates several security warnings. I would hope that Bandcamp would consider implementing this themselves and using a proper SSL certificate.

HTTPS/SSL isn't necessary when browsing .onion addresses, as they are already cryptographically secured. However, it is not recommended to downgrade from HTTPS to HTTP, and Bandcamp (rightly) uses HTTPS as standard. If they implemented a .onion mirror, their certificate would provide additional proof of ownership but not additional security.

I recommend reading more about this rather than just taking my word for it (there's more in the EOTK pages; https://www.digicert.com/blog/anonymous-facebook-via-tor/; https://blog.torproject.org/facebook-hidden-services-and-https-certs).

Back to EOTK: the result of using HTTPS as described above is a game of certificate 'whack-a-mole', where we need to add security exceptions for mirrored domains.

Bandcamp uses several subdomains and CDN domains in addition to artist/account subdomains.

Below is a list of the basic underlying domains which will need exceptions to get the best browsing experience.

I recommend opening each of the links in a new tab, accepting the security exception and then moving on to the main Bandcamp domain.

As you browse around different artist pages you will need to keep adding certificate exceptions, but the underlying images, CSS and JS should work now, so things will display.

Streaming/downloads/purchases do work, but any data transmitted outside of Bandcamp's domains will not be onionised.

If you are trying to remain anonymous I wouldn't log in either (though this should be reasonably well supported should you want to).
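To see which resources on a saved page would leave the mirror, and so not be onionised, the following added example (not part of the original gist or of EOTK) lists every host referenced by the page's static attributes that is not the mirror or one of its subdomains. The function name, the sample HTML and every hostname other than the two given on this page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

MIRROR = "bandc2v6rbqrn6vx.onion"  # mirror address given on this page

# Constructed sample page: paths and all hostnames except the two on this
# page are made up for illustration.
SAMPLE_HTML = """
<link rel="stylesheet" href="/css/site.css">
<img src="https://img.bandc2v6rbqrn6vx.onion/art/1.jpg">
<a href="https://mroystonward.bandc2v6rbqrn6vx.onion/">artist</a>
<script src="//stats.example.net/t.js"></script>
<form action="https://pay.example.com/checkout"></form>
<img src="https://notbandc2v6rbqrn6vx.onion/x.png">
"""


class _Refs(HTMLParser):
    """Collect (tag, url) for every URL-bearing attribute in the markup."""
    URL_ATTRS = {"src", "href", "action", "poster", "data"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in self.URL_ATTRS and value:
                self.urls.append((tag, value.strip()))


def off_mirror_hosts(html, mirror=MIRROR):
    """Return {host: [tags]} for absolute URLs that leave the onion mirror."""
    parser = _Refs()
    parser.feed(html)
    leaks = {}
    for tag, url in parser.urls:
        host = urlsplit(url).hostname  # None for relative URLs, mailto:, etc.
        if host is None:
            continue
        host = host.lower().rstrip(".")
        # Match the mirror itself or a true subdomain; a bare suffix match
        # would wrongly accept look-alikes such as "not<mirror>".
        if host == mirror or host.endswith("." + mirror):
            continue
        leaks.setdefault(host, []).append(tag)
    return leaks


if __name__ == "__main__":
    for host, tags in off_mirror_hosts(SAMPLE_HTML).items():
        print(f"{host}: referenced by {', '.join(tags)}")
```

Only static attributes are inspected; requests issued by scripts or stylesheets at run time are not seen by this check.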

Add security exceptions for these domains:

Bandcamp front page:

bandc2v6rbqrn6vx.onion

Artist pages, e.g.:

mroystonward.bandc2v6rbqrn6vx.onion

Performance may vary, and the current implementation isn't set up 'yet' for scale. If things are flaky, sorry; let me know in the comments and I'll try to grow this as needed.
