Set up XMPP client to use onion hidden service

If you connect to Creep.im via Tor due to security concerns regarding your location or identity, you may want to use Creep.im's own hidden service address: creep7nissfumwyx.onion. This is the preferable way to use XMPP over Tor, because your traffic will not pass through exit nodes, which may be run by malicious third parties.

Here is a guide to setting up a new account with the popular client Pidgin, using Tor and the Creep.im hidden service. It is assumed that Tor and Pidgin are already installed and tested to be working.

Start Pidgin. Open the Add Account dialog (Accounts > Manage Accounts > Add...).

On the first tab, Basic, pick a username and enter it in the corresponding field, enter creep.im as the domain, and enter your new password.

On the second tab, Advanced, enter Creep.im's hidden service address creep7nissfumwyx.onion in the Connect server field.

On the third tab, Proxy, select Tor/Privacy (SOCKS 5) from the Proxy type list and enter the host and port where your Tor listens. In the vast majority of cases these will be 127.0.0.1 and 9050.

Don't forget to check Create this new account on the server at the bottom of this window, then push the Add button.

After a couple of seconds the SSL Certificate Verification dialog will pop up:

This warning is completely normal. For now, certificates for the .onion zone are only available to organizations, so Creep.im uses a single certificate for all its XMPP connections. Do not accept it blindly; push View Certificate... to check whether it is legitimate. The Certificate Information window will appear:

Here you can check whether the provided certificate is really issued to creep.im. The screenshot above is only for your reference and doesn't show the actual data of the current certificate.

The current certificate's fingerprint (SHA-1) is 88:a5:b6:e1:29:a7:84:3a:02:22:aa:4c:b7:b9:23:19:78:af:20:58. Compare it to the one your client displays. If it is different, then something or someone is tampering with your connection. Close the window and push Reject. If the fingerprint matches, the certificate is legitimate, and you may push the Accept button.
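The fingerprint comparison described above can also be done mechanically rather than by eye. The following is an added example, not part of the original guide or Creep.im's own tooling; it assumes the presented certificate has been saved as PEM text, and the sample certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

# Fingerprint published on this page (SHA-1, in the form Pidgin displays it).
PUBLISHED_SHA1 = "88:a5:b6:e1:29:a7:84:3a:02:22:aa:4c:b7:b9:23:19:78:af:20:58"

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

# Constructed sample input: placeholder bytes, NOT the real creep.im certificate.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(b"constructed bytes, not a real cert").decode()
              + "-----END CERTIFICATE-----\n")


def normalize(fp: str) -> str:
    """Reduce a fingerprint to 40 lowercase hex digits.

    Accepts colon-separated, spaced, upper-case and
    "SHA1 Fingerprint=..." (openssl-style) forms. Anything that is not
    exactly a SHA-1 length value is rejected, so a truncated paste or a
    SHA-256 value can never compare equal by accident.
    """
    bare = re.sub(r"[\s:]", "", fp.rsplit("=", 1)[-1]).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", bare):
        raise ValueError("not a SHA-1 fingerprint: %r" % fp)
    return bare


def cert_sha1(pem: str) -> str:
    """SHA-1 over the DER bytes of the first certificate in a PEM text."""
    m = _PEM_RE.search(pem)
    if m is None:
        raise ValueError("no PEM certificate found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    digest = hashlib.sha1(der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 40, 2))


def matches_published(observed: str, published: str = PUBLISHED_SHA1) -> bool:
    """True only if the observed fingerprint equals the published one."""
    return hmac.compare_digest(normalize(observed), normalize(published))


if __name__ == "__main__":
    fp = cert_sha1(SAMPLE_PEM)
    print(fp, "-> Accept" if matches_published(fp) else "-> Reject")
```

Run as a script, it prints Reject for the constructed sample, since those bytes are not the real certificate.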

If you accepted the certificate in the previous step, you are almost done. An additional window will appear, where you should provide the username and password once more and solve a captcha challenge. Be aware that the captcha is served on a clearnet webpage, so you might want to use Tor Browser or similar to access it.

You're done!

If you have any questions, feel free to contact us by XMPP or email.