On Sat, Aug 21, 2010 at 5:55 PM, Gregory Maxwell <gmaxw...@gmail.com> wrote:
> ...
> I think it's obvious that the best way of using tor is running your
> torrified apps in a VM which can only access the outside world via
> TOR. This provides the highest protection from network leaks and also
> partially thwarts fingerprinting. But I can only assume that the
> 'cost' (performance, complexity, etc) of using a VM for tor is too
> high for many people— otherwise we would insist that anyone who wants
> anonymity operate that way.

not a silver bullet, but tends to fail safer. the "costs" include:

- elevated privs for accelerated virtualization / para-virtualization. Tor by default does not require such.
- additional resource consumption. isolated os, network stacks, and applications require additional memory and CPU.
- only solves part of the problem; you still need Torbutton and other application level protections, even if direct proxy-bypass type disclosures of endpoint or identity are mitigated.

ideally this model would apply across the entire user experience, see qubes: http://qubes-os.org/Home.html

> Has anyone looked into using the SELINUX sandbox
> (http://danwalsh.livejournal.com/28545.html) to prevent leaks? The
> sandbox provides a high degree of application isolation. It looks
> like it would be pretty much trivial to add an option to the sandbox
> front end program to only allow accesses to the tor socks port from
> the isolated app.

developing and maintaining a robust RSBAC policy is non-trivial. that said, these are complementary techniques. a strong RSBAC model around and within virtual machine based isolation provides additional defense against application errors, vm break-outs, etc.

it doesn't help that a lot of the good SELinux policy development / management tools are closed source / proprietary. it's not the only game in town...

> With this users on supporting platforms wouldn't have to use
> wireshark to figure out if, say, pidgin, is leaking via DNS. They
> could simply run the app inside the sandbox and be sure of it.

there's RSBAC bypass just like vm break-out; anyone claiming infallibility is smoking something or selling you lies...

> Does this sound like a practice which should be refined and recommended?

absolutely! you could submit a series of policies for various Tor modes of operation and solicit feedback / commit to contrib.
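The "run wireshark to see whether pidgin leaks via DNS" check discussed above can be scripted, which is useful for verifying a sandbox or VM policy before trusting it. The following is an added example, not code from this thread or from the Tor project: a small Python checker over tcpdump-style text output (assumed captured with -n, so addresses and ports are numeric) that flags any packet from the isolated app whose destination is not the Tor SOCKS listener, classifying port 53 traffic separately since DNS is the classic leak. The sample capture lines are constructed. The set of allowed endpoints is a parameter, so the same check covers the VM model, where the only permitted egress is the host's Tor port; the 10.0.2.2:9050 value used for that case is an assumption.

```python
import re
import sys
from dataclasses import dataclass

# Shape of a tcpdump -n summary line: "<ts> IP <src>.<sport> > <dst>.<dport>: <rest>".
# Assumption: the capture was taken with -n, so hosts and ports are numeric.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)

# Endpoints the isolated app may legitimately reach. The local Tor SOCKS port for
# the sandbox model; for the VM model this is the host's Tor listener instead
# (10.0.2.2:9050 is an assumed value, adjust to your VM network).
LOCAL_SOCKS = {("127.0.0.1", 9050)}
VM_HOST_SOCKS = {("10.0.2.2", 9050)}


@dataclass(frozen=True)
class Finding:
    ts: str
    kind: str   # "dns" (port 53, the classic leak) or "bypass" (any other direct egress)
    dst: str
    dport: int
    detail: str


def check_capture(lines, allowed):
    """Return a Finding for every packet whose destination is not in `allowed`.

    Packets whose *source* is an allowed endpoint are Tor's replies and are skipped;
    lines that are not IPv4 packet summaries (ARP, IP6, truncated) are ignored.
    """
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, sport = m["src"], int(m["sport"])
        dst, dport = m["dst"], int(m["dport"])
        if (src, sport) in allowed or (dst, dport) in allowed:
            continue
        kind = "dns" if dport == 53 else "bypass"
        findings.append(Finding(m["ts"], kind, dst, dport, m["rest"]))
    return findings


# Constructed sample capture: one SOCKS handshake with Tor (clean), one DNS query to
# the LAN resolver and one direct XMPP connection (both leaks), plus a non-IP line.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 127.0.0.1.41234 > 127.0.0.1.9050: Flags [S], seq 1, win 65495, length 0
12:00:01.000200 IP 127.0.0.1.9050 > 127.0.0.1.41234: Flags [S.], seq 2, ack 2, win 65483, length 0
12:00:02.000001 IP 10.0.0.5.54321 > 10.0.0.1.53: 12345+ A? xmpp.example.org. (34)
12:00:02.100000 IP 10.0.0.5.54322 > 203.0.113.10.5222: Flags [S], seq 3, win 64240, length 0
12:00:03.000001 ARP, Request who-has 10.0.0.1 tell 10.0.0.5, length 28
"""


def main(argv):
    # Usage: tcpdump -n -l -i <iface> | python tor_leak_check.py
    #    or: python tor_leak_check.py capture.txt
    if len(argv) > 1:
        with open(argv[1]) as fh:
            lines = fh.readlines()
    else:
        lines = sys.stdin.readlines()
    findings = check_capture(lines, LOCAL_SOCKS)
    for f in findings:
        print(f"{f.ts} {f.kind.upper():6} {f.dst}:{f.dport}  {f.detail}")
    # Non-zero exit when anything bypassed Tor, so the check can gate a policy test.
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a capture taken on the interface the sandboxed app or VM actually uses; an empty report means every packet seen went to (or came back from) the Tor listener. Only IPv4 is parsed here, so a policy that blocks IPv6 separately, or a capture filter of `ip6`, is still needed to rule out leaks over v6.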
*********************************************************************** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talk in the body. http://archives.seul.org/or/talk/