Re: [Freedombox-discuss] Privoxy via Tor, and APT via Privoxy?
On Wed, 2014-04-16 at 18:37 +0200, Petter Reinholdtsen wrote:
> Yeah. I asked for SOCKS support today in
> <http://bugs.debian.org/744934>. If someone got time to provide
> the C++ patch needed, I am sure it would be well received.

SOCKS support is fairly difficult. However, it turns out to be quite easy to add a new apt transport - I can create a package 'apt-transport-tor' that can handle URLs like "tor://http.debian.net/debian". I've got some very very rough but working code here:

https://github.com/diocles/apt-transport-tor

One advantage of this is that the package can be backported. A patch to apt proper will take some time to get into "real" apt, and then Debian wheezy users can't benefit.

Also, it's probably harder to mess up this way - it's very obvious when looking at the URLs fly past that they're coming via tor.

-- 
Tim Retout

___
Freedombox-discuss mailing list
Freedombox-discuss@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
Re: [Freedombox-discuss] Privoxy via Tor, and APT via Privoxy?
On Wed, 2014-04-16 at 18:37 +0200, Petter Reinholdtsen wrote:
> > I'm surprised that apt doesn't support SOCKS proxies directly -
> > random people on the internet seem to think that it does, but
> > there's no mention in apt's source code.
>
> Yeah. I asked for SOCKS support today in
> <http://bugs.debian.org/744934>. If someone got time to provide
> the C++ patch needed, I am sure it would be well received.

It looks complicated. :) The HTTP, FTP and HTTPS transports are implemented almost completely separately - I'm just looking at whether it can be patched into the bit that makes the connection. It's important to get the DNS requests to also go over the SOCKS proxy, to prevent DNS leaks (and make cdn.debian.net work properly). And also, apt doesn't depend on any high-level networking library at the moment.

> An alternative which Nick mentioned on IRC today, is
> <https://code.google.com/p/badvpn/wiki/tun2socks>. The idea is
> to not configure apt and privoxy, but instead change the IP setup on
> the machine to send everything via tor. Perhaps a better option? But
> that package is not in Debian, as far as I know.

Personally I am not quite convinced that all traffic should go over Tor. Apart from anything else, there will be no UDP support, so it would be more difficult to get e.g. VoIP working, I think.

A third idea: if we could guarantee that apt was always called via plinth, then we could always call it via torify or something. Ugly. :)

-- 
Tim Retout
Re: [Freedombox-discuss] Privoxy via Tor, and APT via Privoxy?
[Tim Retout]
> I think this idea is worth trying - even if secure apt prevents
> someone putting fake packages onto your machine, this will stop
> people seeing which software they need to find zero-day
> vulnerabilities in. :)

Yeah. :)

> What's the best apt mirror to use with tor? Maybe http.debian.net?
> It's probably important to preserve anonymity that everyone uses the
> same mirror.

Either cdn.debian.net or http.debian.net I believe. I've had some problems using both from time to time, but I do not believe we have any better option.

> I'm surprised that apt doesn't support SOCKS proxies directly -
> random people on the internet seem to think that it does, but
> there's no mention in apt's source code.

Yeah. I asked for SOCKS support today in <http://bugs.debian.org/744934>. If someone got time to provide the C++ patch needed, I am sure it would be well received.

> s/provixy/privoxy/

Thanks

> Privoxy cannot proxy ftp traffic, according to its FAQ. You might
> want to add https, but I don't think anyone uses that?

Aha. On second thought, I believe it is better to put this functionality in plinth, behind an option, instead of in freedombox-setup. The option should probably be enabled by default. The options for apt can be to use privoxy, and for privoxy to use tor. I would prefer to have one option for apt to use tor, but without SOCKS support, that is not trivial.

An alternative which Nick mentioned on IRC today, is <https://code.google.com/p/badvpn/wiki/tun2socks>. The idea is to not configure apt and privoxy, but instead change the IP setup on the machine to send everything via tor. Perhaps a better option? But that package is not in Debian, as far as I know.

-- 
Happy hacking
Petter Reinholdtsen
Re: [Freedombox-discuss] Privoxy via Tor, and APT via Privoxy?
On Wed, 2014-04-16 at 14:14 +0200, Petter Reinholdtsen wrote:
> One thing mentioned by Jacob Appelbaum in his talk the other day, was
> the advantages of upgrading packages via Tor, to make it harder to
> target a given machine with fake packages.
>
> I suggest we implement this in the Freedombox, by asking Provixy to
> send all requests via Tor, and ask APT to fetch data via Privoxy.
> What do the rest of you think about doing this?

I think this idea is worth trying - even if secure apt prevents someone putting fake packages onto your machine, this will stop people seeing which software they need to find zero-day vulnerabilities in. :)

What's the best apt mirror to use with tor? Maybe http.debian.net? It's probably important to preserve anonymity that everyone uses the same mirror.

I'm surprised that apt doesn't support SOCKS proxies directly - random people on the internet seem to think that it does, but there's no mention in apt's source code.

Comments below:

> The following untested patch for freedombox-setup should implement the
> feature, redirecting APT via privoxy through Tor. I've tested the
> configuration, but not a freedombox-setup package with these scripts
> in place to set up this change. We could also include the
> /etc/apt/apt.conf.d/10freedombox-setup-privoxy file as part of the
> package, but then APT on machines with the package installed but no
> configured provixy running will stop working. The privoxy setup does
> not handle IPv6. Not quite sure how to fix that.
>
> diff --git a/setup.d/91_privoxy b/setup.d/91_privoxy > index d975a42..9fbfd5a 100755 > --- a/setup.d/91_privoxy > +++ b/setup.d/91_privoxy
> @@ -4,3 +4,15 @@ apt-get install -y privoxy > > # Listen on all interfaces > sed -i 's/listen-address localhost:8118/listen-address *:8118/' > /etc/privoxy/config > + > +# Send outgoing connections via Tor > +if grep -q ^forward-socks5 ; then > +: > +else > +cat >> /etc/privoxy/config < +forward-socks5 / 127.0.0.1:9050 . > +forward 192.168.*.*/ . > +forward10.*.*.*/ . > +forward 127.*.*.*/ . > +EOF > +fi > diff --git a/setup.d/92_privoxy_apt b/setup.d/92_privoxy_apt > new file mode 100755 > index 000..818965d > --- /dev/null > +++ b/setup.d/92_privoxy_apt > @@ -0,0 +1,12 @@ > +#!/bin/sh > +# > +# Tell APT to use provixy. s/provixy/privoxy/ > +# > +# The pipeline change is to avoid https://bugs.debian.org/56 >. > +# Not sure if it affect privoxy. > + > +cat > /etc/apt/apt.conf.d/10freedombox-setup-privoxy < +Acquire::http::Proxy "http://localhost:8118/";; > +Acquire::ftp::Proxy "http://localhost:8118/";; Privoxy cannot proxy ftp traffic, according to its FAQ. You might want to add https, but I don't think anyone uses that? > +Acquire::http::Pipeline-Depth 0; > +EOF > -- Tim Retout
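Review bot: the idempotence check `if grep -q ^forward-socks5 ; then` in the 91_privoxy hunk names no file, so grep reads standard input rather than /etc/privoxy/config; it should be `grep -q '^forward-socks5' /etc/privoxy/config`. In the appended block, `+forward10.*.*.*/ .` lacks the space after `forward`, so privoxy will not read it as a forward exception for 10/8, and the heredoc opener appears as `cat >> /etc/privoxy/config <` with no `<<EOF` delimiter to match the closing `+EOF` (confirm whether that is an extraction artefact or the script as committed). The exceptions also cover only IPv4 private ranges, consistent with the IPv6 caveat in the cover text, and since the unchanged context line switches privoxy to `listen-address *:8118`, adding the Tor forward turns it into a Tor-backed proxy reachable from every attached network; a `permit-access` restriction to the local subnet would be worth adding alongside it.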
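Review bot: in the 92_privoxy_apt hunk, `Acquire::ftp::Proxy` points FTP at an HTTP proxy that, as the reply notes, cannot carry FTP, while there is no `Acquire::https::Proxy` line, so any https:// entry in sources.list would be fetched directly and bypass the Tor path; either add the https proxy line or document that only http:// mirrors are supported. The comment reference `https://bugs.debian.org/56 >` is incomplete and needs the full bug number, `Tell APT to use provixy` carries the typo already flagged, and both Proxy lines end in `;;` where apt.conf expects a single `;` (check that this is not an extraction artefact before merging). The same missing `<<EOF` delimiter as in the first hunk appears at `cat > /etc/apt/apt.conf.d/10freedombox-setup-privoxy <`.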
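Added here as an example, not code from the thread or from freedombox-setup: a small POSIX shell audit that reads a flat apt.conf fragment like the one in the patch together with a sources.list and reports which URL schemes in use have no `Acquire::<scheme>::Proxy` entry, i.e. would be fetched directly and bypass the privoxy/Tor path (the https gap raised in the reply). Both input files are constructed inline with example hosts; the nested `Acquire { http { Proxy ... } }` syntax is not handled.

```shell
#!/bin/sh
# Added example, not from the thread: check that every URL scheme used in
# sources.list has an Acquire::<scheme>::Proxy entry in an apt.conf fragment.
# A scheme without one is fetched directly by apt and bypasses privoxy/Tor.
# Only the flat "Acquire::http::Proxy" form is parsed, not nested blocks.

APT_CONF="$(mktemp)"
SOURCES="$(mktemp)"
trap 'rm -f "$APT_CONF" "$SOURCES"' EXIT

# Constructed sample: the proxy lines from the patch, with no https entry.
cat > "$APT_CONF" <<'EOF'
Acquire::http::Proxy "http://localhost:8118/";
Acquire::ftp::Proxy "http://localhost:8118/";
Acquire::http::Pipeline-Depth 0;
EOF

# Constructed sample sources.list (example.org hosts are placeholders).
cat > "$SOURCES" <<'EOF'
deb http://http.debian.net/debian wheezy main
deb-src http://http.debian.net/debian wheezy main
deb https://mirror.example.org/debian wheezy main
deb ftp://ftp.example.org/debian wheezy main
# deb http://commented.example.org/debian wheezy main
EOF

# proxied_schemes FILE: schemes that have Acquire::<scheme>::Proxy configured.
proxied_schemes() {
    sed -n 's/^Acquire::\([a-z]*\)::Proxy[[:space:]].*/\1/p' "$1" | sort -u
}

# source_schemes FILE: schemes used by active deb/deb-src lines.
source_schemes() {
    awk '$1 ~ /^deb(-src)?$/ { split($2, u, "://"); print u[1] }' "$1" | sort -u
}

# unproxied_schemes APT_CONF SOURCES: schemes in use with no proxy entry.
unproxied_schemes() {
    source_schemes "$2" | while read -r s; do
        proxied_schemes "$1" | grep -qx "$s" || echo "$s"
    done
}

# Report anything that would be fetched outside the proxy.
leaks="$(unproxied_schemes "$APT_CONF" "$SOURCES")"
if [ -n "$leaks" ]; then
    echo "schemes fetched without a proxy: $leaks" >&2
fi
```

Note that ftp passes this check even though privoxy cannot proxy it, so an FTP source would still fail rather than leak; the check only finds schemes apt would fetch directly.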