On Sun, Nov 26, 2017 at 03:07:38AM -0800, Yuraeitha wrote:
> On Friday, November 24, 2017 at 6:48:13 PM UTC, entr0py wrote:
> > Yuraeitha:
> > > On Friday, November 24, 2017 at 9:01:24 AM UTC, Bernhard wrote:
> > >> Hello,
> > >>
> > >> one of the most useful features of tor-browser is Ctrl-Shift-L to change
> > >> the tor-path (and so, with high proba, the exit node IP) : this way,
> > >> websites that block a specific exit node for a certain time can be still
> > >> loaded (of course some fascist websites block all tor-exits and so that
> > >> this measure does not help) .
> > >>
> > >> I feel that the same feature would be useful in other applications (in
> > >> particular in thunderbird). How can this be done? Maybe a "forced
> > >> reconnect" of IMAP connections suffices, but apart totally restarting
> > >> thunderbird I don't see how this can be done. Any hints? Or is there
> > >> good reason not to torify mail-fetching? Or never via IMAP?
> > >>
> > >> thank you, Bernhard
> > 
> > Each request to your Tor client (in sys-whonix) via SocksPort is 
> > accompanied by a SOCKS username and password. By clicking "New Tor Circuit 
> > for this Site" in Tor Browser, you are changing the password component, 
> > which causes the Tor client to generate a new circuit for the same 
> > first-person domain when a request is received.
> > 
> > Thunderbird is torified by an extension called TorBirdy. Your requested 
> > feature has been tracked for quite some time (5 years) but appears nearing 
> > implementation now that Thunderbird-related roadblocks have been cleared. 
> > (https://trac.torproject.org/projects/tor/ticket/6359) Also, the main 
> > reason for that ticket is not circuit swapping but stream isolation. At 
> > present (Whonix bonus), each different email server you connect to is given 
> > a different circuit. With #6359, multiple accounts at the same email 
> > provider can also be isolated by circuit.
> > 
> > Currently, you can generate new circuits for all future Tor requests by 
> > using the "New Identity" feature via one of the following equivalent 
> > options:
> > 1. From anon-whonix, use "New Identity" in Tor Browser. (applies to all Tor 
> > connections, not just the browser.)
> > 2. From sys-whonix, use arm/nyx (monitoring tool) to send New Identity 
> > request
> > 3. From sys-whonix, send SIGNAL NEWNYM via telnet to 127.0.0.1:9051
> > 
> > 
> > > More specially towards the question at hand, I think it's tricky to do 
> > > something like that in Thunderbird, but I'm not a programmer, so I 
> > > wouldn't know for sure. However, if you think about how it works in 
> > > Qubes/Whonix/Tor, then the Tor browser appears to be tunneling 
> > > Tor-Browser within Tor(Sys-whonix), basically doubling the onion layers 
> > > compared to a regular Tor browser. I'm not entirely sure if this is the 
> > > case, it's just something I figured must be the case. 
> > 
> > This is not correct. Tor-over-Tor is discouraged[1] and unlikely to work in 
> > the future[2]. Whonix prevents Tor-over-Tor.[3][4]
> > 
> > [1] https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO#ToroverTor
> > [2] https://trac.torproject.org/projects/tor/ticket/2667
> > [3] https://www.whonix.org/wiki/DoNot#Prevent_Tor_over_Tor_Scenarios
> > [4] https://www.whonix.org/wiki/Dev/anon-ws-disable-stacked-tor
> 
> ah, good I made a disclaimer :') 
> Though, it does seem rather unsafe to run multiple of qubes over the same 
> exit nodes in the Tor network. 
> 
> The most dangerous security issue out there, imho at least, is the assumption 
> you are safe, when you are not. If what you're saying is true, and I'm 
> confident it is given your background, then this might cause some dangerous 
> user habits on Qubes in particular, beyond that what is a concern by using 
> just Whonix/Tor? Similar issue probably exists between Whonix and Tor, but to 
> a lesser extent as Qubes does not have any warnings about this, which is 
> particular a concern when it's easier to mess up in Qubes, and run the same 
> applications over the same exit nodes, at the same time. 
> 
> I did hear the warning of not running Tor over Tor before, though it was so 
> long back that only the Tor browser was around back then. I had assumed it'd 
> been fixed by now on Whonix and in particular Qubes. Especially considering 
> the dangerous trap Whonix and in particular Qubes creates when running more 
> on the same exit node. 
> 

You misunderstand.
It's not that qubes run over the same EXIT NODES, as you say.
Because of stream isolation they may run over the same entry node, but have
different circuits, so will probably exit Tor over different exit nodes. 

There is nothing to "fix" in Tor over Tor - you can do this if you wish,
(except in Whonix), but the behaviour carries risks.

If you are concerned about running qubes over the same ENTRY node then
you can use different TorVMs or Whonix-gws as proxies for different sets
of qubes, so ensuring complete isolation of the Tor circuits between the
qubes you wish to keep separate. Qubes and Whonix make this simple.

unman
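As an added illustration of the SOCKS-credential mechanism entr0py describes above (example code written for this page, not from the thread, TorBirdy or Tor): Tor keys circuits on the SOCKS5 username/password pair, so a mail client that sends a distinct pair per account gets a distinct circuit, and sending a fresh password for the same username is the same lever Tor Browser pulls for "New Tor Circuit for this Site". The helper names, the use of the account name as the SOCKS username, and the 127.0.0.1:9050 SocksPort are this example's assumptions.

```python
import secrets
import socket
import struct

def isolation_credentials(account, nonce=None):
    """Username = isolation group (one mail account); password = random nonce.
    Tor keys circuits on the (user, pass) pair, so a fresh nonce for the same
    account yields a fresh circuit. Names and 127.0.0.1:9050 are assumptions."""
    nonce = secrets.token_bytes(8) if nonce is None else nonce
    return account, nonce.hex()

def socks5_greeting():
    return b"\x05\x01\x02"  # VER 5, one method offered: 0x02 username/password

def socks5_userpass(username, password):
    u, p = username.encode(), password.encode()
    if len(u) > 255 or len(p) > 255:
        raise ValueError("RFC 1929 limits username and password to 255 bytes")
    return b"\x01" + bytes([len(u)]) + u + bytes([len(p)]) + p

def socks5_connect(host, port):
    h = host.encode("idna")  # ATYP 0x03: let Tor resolve the name, never local DNS
    return b"\x05\x01\x00\x03" + bytes([len(h)]) + h + struct.pack("!H", port)

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("SOCKS peer closed the connection")
        buf += chunk
    return buf

def tor_socks_connect(host, port, username, password, socks=("127.0.0.1", 9050)):
    """TCP stream to host:port via Tor's SocksPort, isolated by the credentials."""
    s = socket.create_connection(socks)
    s.sendall(socks5_greeting())
    if _recv_exact(s, 2) != b"\x05\x02":
        raise ConnectionError("SocksPort did not accept username/password auth")
    s.sendall(socks5_userpass(username, password))
    if _recv_exact(s, 2)[1] != 0:
        raise ConnectionError("SOCKS credentials rejected")
    s.sendall(socks5_connect(host, port))
    _, rep, _, atyp = _recv_exact(s, 4)
    if rep != 0:
        raise ConnectionError(f"SOCKS CONNECT failed, REP={rep:#x}")
    bound = {1: 4, 4: 16}.get(atyp) or _recv_exact(s, 1)[0]  # skip BND.ADDR
    _recv_exact(s, bound + 2)                                 # ... and BND.PORT
    return s
```

Calling `tor_socks_connect("imap.example", 993, *isolation_credentials("alice@mail.example"))` twice with two different nonces gives two sockets on two circuits, which is what the TorBirdy ticket above is after.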

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20171126134917.3fztphb2guihjeck%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.