Use Stealth Hidden Services

[ioerror]

As I mentioned in issue #4, I suggest using Stealth Hidden Services. This is not necessarily a replacement for the CA/x509 authentication related configuration - though I would probably just the Stealth Hidden Services keys and be done with it.

[dolanjs]

Since the CA/x509 certs for the journalist interface doesn't require user interaction past the initial browser import, would rather leave that in place. I have not played with stealth hidden services but know what I'm doing this weekend now.

[ioerror]

Are the connections that use the x509 certificates using Tor as their
network transport? If so, I'd add stealth hidden service support. If
not, I'd also add it but I'd reconsider the point of using x509 at all.

[dolanjs]

No currently access to the journalist interface is restricted to the admin's and journalist's internal vpn address and is just using server/client ssl certificates. To remove the vpn we would also have to provide admin access to the environment through tor also.

[ioerror]

At the very least, I would have this go via Tor - I would drop the VPN connection and replace it with stealth hidden services.