Re: [Tails-dev] [tor-talk] Please review Tails stream isolation plans
On 9/3/12, adrelanos wrote:
> Nick Mathewson:
>> Failing that, torsocks is indeed a pretty good option.
> I don't think so. It's only a hack. Doesn't work on Windows.

APT doesn't work on Windows either.

Robert Ransom
___
tails-dev mailing list
tails-dev@boum.org
https://mailman.boum.org/listinfo/tails-dev
Re: [Tails-dev] [tor-talk] Please review Tails stream isolation plans
Nick Mathewson:
> On Sep 3, 2012 2:21 PM, "adrelanos" wrote:
>>
>> intrigeri:
>>> Hi,
>>>
>>> Nick Mathewson wrote (30 Aug 2012 15:10:52 GMT) :
>>>> or using some kind of iptables trickery?
>>>
>>> I'm not sure how doable it is to use iptables to convert HTTP proxying
>>> to SOCKS, but I'd be happy to learn :)
>>
>> Iptables can not translate from one protocol to another.
>
> But it can forward connections to a transparent proxy -- like, say, Tor's
> TransPort feature. The tricky part here would be coming up with a way to
> forward only the correct connections.

I'd certainly help with rule creation, I experimented already with it. The safest thing would probably be to start each application under its own user account, or using other iptables -owner features, perhaps in conjunction with a per destination port. But like said before, I don't think this is a good solution.

> Failing that, torsocks is indeed a pretty good option.

I don't think so. It's only a hack. Doesn't work on Windows.

It can be sufficient for distributions such as Tails or aos. For end users it's much too hard to use torsocks for stream isolation. A clean solution is much desirable.

Reasons:

It has an IPv6 leak bug.
https://trac.torproject.org/projects/tor/wiki/doc/torsocks#WorkaroundforIPv6leakbug

A patch flooding all console output (and therefore breaking applications based on console applications) is still not merged upstream.
https://code.google.com/p/torsocks/issues/detail?id=3
Fortunately intrigeri merged it into Debian.

Torsocks / usewithtor does not support choosing to which Tor SocksPort you want to redirect. We need this to utilize stream isolation. I wrote a hack.
https://trac.torproject.org/projects/tor/wiki/doc/torsocks
It's far from perfect. Still requires a wrapper. How else could people transparently use apt-get with stream isolation, without issuing torsocks themselves? I mean, without a wrapper they'd have to use 'torsocks apt-get' instead of a simple 'apt-get'.

For more reasons please refer to my last mail on Tails-dev about this topic.
https://mailman.boum.org/pipermail/tails-dev/2012-August/001422.html
The relevant part begins with "Unfortunately, not all applications support socks settings...".
Re: [Tails-dev] [tor-talk] Please review Tails stream isolation plans
intrigeri:
> Hi,
>
> Nick Mathewson wrote (30 Aug 2012 15:10:52 GMT) :
>> or using some kind of iptables trickery?
>
> I'm not sure how doable it is to use iptables to convert HTTP proxying
> to SOCKS, but I'd be happy to learn :)

Iptables can not translate from one protocol to another. The closest thing you could do is using something like redsocks. [1] With iptables you can redirect packets based on their destination IP, destination port, Linux user account, and/or process/session id. Redsocks accepts them and can forward them to another http or socks proxy. But what's the point? It's a real hack.

A clean solution would be to add http proxy support to Tor [2] or to add socks support to the applications. Torsocks can be used as a hack.

[1] http://darkk.net.ru/redsocks/
[2] https://trac.torproject.org/projects/tor/ticket/6060
Re: [Tails-dev] [tor-talk] Please review Tails stream isolation plans
Hi,

Nick Mathewson wrote (30 Aug 2012 15:10:52 GMT) :
>> * Pidgin
> Not too scary, I think. You'd typically wind up with one destination
> per chat, or one per chat protocol?

Typically, per chat account.

>> * Liferea RSS feed reader
> This one is a little scary. Do I understand correctly that an RSS
> reader will make a separate connection for every RSS feed that you
> subscribe to? If so that might make some pretty serious load.

Yes, it will.

I've personally been using per-destination separate streams for >70 feeds in my own reader for a while. Shame on me for loading the Tor network, maybe, but at least I can confirm it works well.

Anyhow, I don't expect many Tails users to make such an intensive use of the feed reader: RSS in itself is unlikely to grow in popularity, and like it or not, "modern" uses involve a web-based RSS reader rather than a desktop one...

>> Then you have a few command-line ones such as wget. Also, some
>> software that is not SOCKS aware, such as APT, goes through Polipo
>> (to be replaced with Privoxy, some day).
> Oh wow. Instead of shunting these applications' traffic through
> Polipo or privoxy, have you considered relinking against torsocks to
> *make* applications understand SOCKS,

We have not considered adding SOCKS support to APT and wget, and given our limited resources, I doubt we'll do it. We could probably run them using torsocks, though.

> or using some kind of iptables trickery?

I'm not sure how doable it is to use iptables to convert HTTP proxying to SOCKS, but I'd be happy to learn :)

> When we stopped using those proxies, we weren't really thrilled with
> their security or their performance. It makes me uncomfortable to
> see "and here goes an HTTP proxy" in any Tor design these days.

Sure. Instead of investing time to move to Privoxy, we might as well want to simply drop Polipo.

I've updated our ticket on this topic accordingly:
https://tails.boum.org/todo/replace_polipo_with_privoxy__63__/

Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
Re: [Tails-dev] [tor-talk] Please review Tails stream isolation plans
Hi,

Nick Mathewson wrote (29 Aug 2012 13:22:36 GMT) :
> I'd need an actual list of applications to think about
> IsolateDestAddr. Which ones did you have in mind?

Thank you for having a look.

The main network applications shipped in Tails, that would get IsolateDestAddr according to our plan, are:

* Claws Mail (replaced with icedove / Thunderbird, some day)
* Pidgin
* Liferea RSS feed reader
* Gobby

Then you have a few command-line ones such as wget. Also, some software that is not SOCKS aware, such as APT, goes through Polipo (to be replaced with Privoxy, some day).

Basically, that's it.

Note, however, that Tails users may choose to install whatever they want from the Debian archive, or hand-compile whatever they feel like, but I doubt the ones who will do so, and unfortunately pick applications that don't play well with IsolateDestAddr, will be so many as to make a measurable difference.
Re: [Tails-dev] [tor-talk] Please review Tails stream isolation plans
On Mon, Aug 27, 2012 at 6:33 AM, intrigeri wrote:
> While I'm at it, we wanted to ask whether it is reasonable for Tails
> to ship with IsolateDestAddr enabled by default (but for the web
> browser) as described in our plans, or if it is doomed to put too high
> a load on the Tor network. (Not that there are that many Tails
> users, and I guess these options were not added in order not to be
> used, but still.)

I'd need an actual list of applications to think about IsolateDestAddr. Which ones did you have in mind?
Re: [Tails-dev] [tor-talk] Please review Tails stream isolation plans
Hi,

Thank you for having had a look.

adrelanos wrote (28 Aug 2012 23:53:01 GMT) :
>> Consider Pidgin with several accounts configured for different
>> identities. If you connect with all of the accounts at the same
>> time, they'll all get the same circuit, so the identities can be
>> correlated. While Tails does not formally support using multiple
>> contextual identities at the same time, Pidgin generally opens very
>> few network connections, so the performance impact of using
>> IsolateDestAddr should be small. Given how cheap it is, it looks
>> like it is worth having Pidgin use a (not necessarily dedicated)
>> SocksPort that has IsolateDestAddr and IsolateDestPort enabled.
> True. Difficult to document.

I don't think we want to document that at all: documenting it would look like we support using multiple contextual identities at the same time, while we don't.

> I initially proposed the feature for Tails

Well, I think Jacob did (in 2011).

> and now I am considering your improvements for aos.

Nice! I'm glad this may be useful for aos :)

Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
Re: [Tails-dev] [tor-talk] Please review Tails stream isolation plans
Thus spake Robert Ransom (rransom.8...@gmail.com):

> On 8/28/12, adrelanos wrote:
>
>> I really think before you activate IsolateDestAddr/Port for web, Nick's
>> or Roger's option is required.
>
> Nick or Roger would say no. But they are planning to specifically
> leave those options disabled for the web browser. (That's what
> "enabled by default (but for the web browser)" meant.)

Here's the ticket for implementing Tor Browser's use of the circuit isolation feature:
https://trac.torproject.org/projects/tor/ticket/3455

Summary: we plan on using some variation of the "url bar isolation" property from https://www.torproject.org/projects/torbrowser/design/#privacy to guide our circuit reuse implementation. So long as the url bar stays the same, we'll use the same circuit for sure. This shouldn't be *too* tricky to do using mozIThirdPartyUtil.

I'm still debating if we should *also* try to track user click-navigation, and use the same circuit so long as the user is clicking on links (as opposed to entering a fresh new value in the URL bar). This could be modeled by tracking the referer, or the last url bar domain to be entered. This will be trickier to implement, but will reduce client circuit creation.

Either route will require a patch to Firefox, since it is not possible to set SOCKS usernames+passwords from a .xpi right now.

Roger also wants to turn this into a research project of some kind to determine the optimal circuit isolation mechanism network-wide, but that seems like a waste of time to me, since what I'm proposing doesn't strike me as very resource-intensive in the common case. I'm open to suggestions on how to make it less painful, though.

--
Mike Perry
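The "SOCKS usernames+passwords" Mike refers to are the hook Tor gives SOCKS-aware clients for tagging a stream: Tor's IsolateSOCKSAuth option (on by default) keeps streams with different credentials on different circuits, and the credentials themselves are never checked against anything. The following is an added illustration, not code from Tor, Tor Browser or Tails: it models both sides of the SOCKS5 method negotiation and the RFC 1929 username/password sub-negotiation in memory, with the proxy side returning the credential pair that a Tor-like proxy would key isolation on. The CONNECT request builder uses a domain-name address type so the proxy, not the application, resolves the hostname. Credential strings and hostnames below are constructed for the example.

```python
"""Added example: SOCKS5 (RFC 1928) method negotiation plus the RFC 1929
username/password sub-negotiation, as used to tag streams for Tor's
IsolateSOCKSAuth. Both peers are modelled with plain byte handling; no
network I/O. Not code from Tor, Tor Browser or Tails."""
import struct

SOCKS_VERSION = 5
METHOD_NO_AUTH = 0x00
METHOD_USERPASS = 0x02
METHOD_UNACCEPTABLE = 0xFF
AUTH_VERSION = 1          # RFC 1929 sub-negotiation version byte


def client_greeting(offer_userpass=True):
    """VER, NMETHODS, METHODS... (the client lists what it supports)."""
    methods = [METHOD_NO_AUTH] + ([METHOD_USERPASS] if offer_userpass else [])
    return bytes([SOCKS_VERSION, len(methods)] + methods)


def server_select_method(greeting, require_userpass=True):
    """Proxy side: pick username/password when offered; if the proxy insists on
    it (so that every stream carries an isolation tag) and the client did not
    offer it, answer 0xFF and the client must close the connection."""
    if len(greeting) < 2 or greeting[0] != SOCKS_VERSION:
        return bytes([SOCKS_VERSION, METHOD_UNACCEPTABLE])
    nmethods = greeting[1]
    methods = greeting[2:2 + nmethods]
    if len(methods) != nmethods:
        return bytes([SOCKS_VERSION, METHOD_UNACCEPTABLE])
    if METHOD_USERPASS in methods:
        return bytes([SOCKS_VERSION, METHOD_USERPASS])
    if not require_userpass and METHOD_NO_AUTH in methods:
        return bytes([SOCKS_VERSION, METHOD_NO_AUTH])
    return bytes([SOCKS_VERSION, METHOD_UNACCEPTABLE])


def client_userpass(username, password):
    """RFC 1929 request: VER=1, ULEN, UNAME, PLEN, PASSWD (each field 1..255 bytes)."""
    u, p = username.encode("latin-1"), password.encode("latin-1")
    if not 1 <= len(u) <= 255 or not 1 <= len(p) <= 255:
        raise ValueError("RFC 1929 fields must be 1..255 bytes")
    return bytes([AUTH_VERSION, len(u)]) + u + bytes([len(p)]) + p


def server_parse_userpass(msg):
    """Proxy side: parse the RFC 1929 request strictly. Returns the
    (username, password) pair, or None for a wrong version, a zero-length
    field, a truncated message or trailing bytes."""
    if len(msg) < 2 or msg[0] != AUTH_VERSION:
        return None
    ulen = msg[1]
    if ulen == 0 or len(msg) < 2 + ulen + 1:
        return None
    uname = msg[2:2 + ulen]
    plen = msg[2 + ulen]
    passwd = msg[3 + ulen:3 + ulen + plen]
    if plen == 0 or len(passwd) != plen or len(msg) != 3 + ulen + plen:
        return None
    return uname.decode("latin-1"), passwd.decode("latin-1")


def server_userpass_reply(creds):
    """RFC 1929 response: VER=1, STATUS (0 = success, anything else = failure)."""
    return bytes([AUTH_VERSION, 0x00 if creds is not None else 0x01])


def client_connect_request(host, port):
    """CONNECT with ATYP=3 (domain name): the proxy resolves the name, so the
    application never performs a local DNS lookup for it."""
    h = host.encode("idna")
    return bytes([SOCKS_VERSION, 0x01, 0x00, 0x03, len(h)]) + h + struct.pack("!H", port)


def run_exchange(username, password, proxy_requires_userpass=True):
    """Drive one client/proxy handshake in memory. Returns (ok, tag) where
    tag is the credential pair a Tor-like proxy would use as the isolation
    key for every stream opened on this SOCKS connection."""
    reply = server_select_method(client_greeting(), proxy_requires_userpass)
    if reply[1] != METHOD_USERPASS:
        return False, None
    creds = server_parse_userpass(client_userpass(username, password))
    if server_userpass_reply(creds)[1] != 0x00:
        return False, None
    return True, creds


if __name__ == "__main__":
    # Two chat accounts with distinct constructed usernames get distinct tags,
    # so a proxy honouring IsolateSOCKSAuth would not put them on one circuit.
    print(run_exchange("pidgin", "acct-a"), run_exchange("pidgin", "acct-b"))
    print(client_connect_request("example.org", 443).hex())
```

The strict parser matters on the proxy side: RFC 1929 length bytes bound each field, so a message with trailing or missing bytes is rejected rather than silently accepted as a partial credential, which would otherwise let two differently tagged streams collapse onto the same isolation key.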
Re: [Tails-dev] [tor-talk] Please review Tails stream isolation plans
On 8/28/12, adrelanos wrote:
> I really think before you activate IsolateDestAddr/Port for web, Nick's
> or Roger's option is required.

Nick or Roger would say no. But they are planning to specifically leave those options disabled for the web browser. (That's what "enabled by default (but for the web browser)" meant.)

Robert Ransom
Re: [Tails-dev] [tor-talk] Please review Tails stream isolation plans
intrigeri:
> Hi,
>
> we are told that Tor 0.2.3.x is good enough for Tails,
> so a bunch of Tails developers have eventually spent some time
> thinking what could be the initial step towards basic usage of Tor
> stream isolation within Tails.
>
> The resulting plans are waiting to be reviewed there:
>
> https://tails.boum.org/todo/separate_Tor_streams/
>
> While I'm at it, we wanted to ask whether it is reasonable for Tails
> to ship with IsolateDestAddr enabled by default (but for the web
> browser) as described in our plans, or if it is doomed to put too high
> a load on the Tor network. (Not that there are that many Tails
> users, and I guess these options were not added in order not to be
> used, but still.)
>
> Cheers,
>

My review:

I really think before you activate IsolateDestAddr/Port for web, Nick's or Roger's option is required.

Overall looks pretty good for "basic" stream isolation. For "full" stream isolation, also ssh, apt-get and any other (preinstalled) application with network traffic should be stream separated.

> For performance reasons, we will start with not using IsolateDestAddr/IsolateDestPort for iceweasel we ship: nowadays, loading a mere web page often requires fetching resources from a dozen or more remote sources.

Yes.

> (Also, it looks like the use of IsolateDestAddr in a modern web browser may create very uncommon HTTP behaviour patterns, that could ease fingerprinting.)

Safe to assume.

> Consider Pidgin with several accounts configured for different identities. If you connect with all of the accounts at the same time, they'll all get the same circuit, so the identities can be correlated. While Tails does not formally support using multiple contextual identities at the same time, Pidgin generally opens very few network connections, so the performance impact of using IsolateDestAddr should be small. Given how cheap it is, it looks like it is worth having Pidgin use a (not necessarily dedicated) SocksPort that has IsolateDestAddr and IsolateDestPort enabled.

True. Difficult to document.

"Multiple accounts are separated, if they are on different server IPs (not DNS entries). They can get correlated if they share the same jabber server IP. If your internet connection gets lost for any reason, your system crashes for any reason, or you disconnect all accounts at once (close Pidgin), all accounts will go offline at the same time. Therefore if an adversary controls several IPs he can still guess they are all owned by the same pseudonym."

Good thoughts on that page.

And to make the fingerprinting issues a bit more complicated... Someone using stream isolation can probably be fingerprinted from someone not using stream isolation. Example: view sourceforge.org with a torified webbrowser, look at the ssh documentation site. Ssh to sf.net over another stream. Now it's clear, someone is using aos (or similar project, or stream isolation,) or Tails with "full" stream isolation. But I think that's fine. You already trust sourceforge.org by connecting to it with a webbrowser and ssh while giving the exit node less information. Very theoretical, right now there are more urgent fingerprinting issues with the web browser.

If you link your implementation, I'll review it as well.

I initially proposed the feature for Tails and now I am considering your improvements for aos. Nice!
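The plan under review (one SocksPort per application class, IsolateDestAddr/IsolateDestPort on everything but the browser, and separate streams for ssh and apt-get in the "full" variant) and the Pidgin caveat quoted above both come down to which fields of a stream Tor includes in its isolation key (proposal 171). The following is an added model, not code from Tails or Tor: it parses SocksPort lines from a constructed torrc, applies Tor's documented defaults (IsolateClientAddr and IsolateSOCKSAuth are on unless negated with a No- prefix, and streams on different ports never share a circuit), and groups constructed sample streams by the resulting key. The sample shows why the browser port stays cheap, why >70 feeds mean >70 circuits, and why two Pidgin accounts on the same server IP and port still land on one circuit unless the wrapper tags them with distinct SOCKS credentials. The torrc, port numbers, addresses and account names are constructed for the example.

```python
"""Added example: model how Tor's per-SocksPort isolation flags (proposal 171)
group application streams into circuits. Not code from Tails or Tor; the
torrc text and stream list are constructed for illustration."""
from collections import defaultdict

# Constructed torrc modelled on the plan discussed in the thread.
TORRC = """\
## browser: no per-destination isolation (one page pulls from many hosts)
SocksPort 9050
## Pidgin, Liferea, Claws Mail, Gobby: per-destination isolation
SocksPort 9051 IsolateDestAddr IsolateDestPort
## ssh / apt-get through a wrapper that also sets per-task SOCKS credentials
SocksPort 127.0.0.1:9052 IsolateDestAddr IsolateDestPort IsolateSOCKSAuth
"""

ISOLATION_FLAGS = {"IsolateClientAddr", "IsolateSOCKSAuth", "IsolateClientProtocol",
                   "IsolateDestPort", "IsolateDestAddr"}
# Tor turns these on for every SocksPort unless the No- form is given.
DEFAULT_ON = {"IsolateClientAddr", "IsolateSOCKSAuth"}


def parse_socksports(torrc):
    """Return {port: set of effective isolation flags} from SocksPort lines.
    Comments are stripped, 'auto' ports are skipped, unknown tokens ignored."""
    ports = {}
    for raw in torrc.splitlines():
        line = raw.split("#", 1)[0].strip()
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "SocksPort":
            continue
        port_str = tokens[1].rsplit(":", 1)[-1]      # accept addr:port or port
        if not port_str.isdigit():
            continue
        flags = set(DEFAULT_ON)
        for tok in tokens[2:]:
            if tok.startswith("No") and tok[2:] in ISOLATION_FLAGS:
                flags.discard(tok[2:])
            elif tok in ISOLATION_FLAGS:
                flags.add(tok)
        ports[int(port_str)] = flags
    return ports


def isolation_key(flags, stream):
    """The tuple two streams must share to be allowed on one circuit. Fields
    not selected by a flag are left out, so they cannot separate streams."""
    key = [stream["socks_port"]]            # different ports never share
    if "IsolateClientAddr" in flags:
        key.append(stream["client_addr"])
    if "IsolateSOCKSAuth" in flags:
        key.append(stream["socks_auth"])
    if "IsolateDestAddr" in flags:
        key.append(stream["dest_addr"])
    if "IsolateDestPort" in flags:
        key.append(stream["dest_port"])
    return tuple(key)


def group_streams(ports, streams):
    """Map isolation key -> streams that would share a circuit."""
    groups = defaultdict(list)
    for s in streams:
        groups[isolation_key(ports[s["socks_port"]], s)].append(s)
    return groups


def constructed_streams():
    def mk(sp, dest, dport, auth=""):
        return {"socks_port": sp, "client_addr": "127.0.0.1", "socks_auth": auth,
                "dest_addr": dest, "dest_port": dport}
    return [
        # browser on 9050: one page, three hosts -> expected to share one circuit
        mk(9050, "198.51.100.10", 443), mk(9050, "198.51.100.20", 443),
        mk(9050, "198.51.100.30", 443),
        # Liferea on 9051: three feeds -> three circuits
        mk(9051, "203.0.113.1", 443), mk(9051, "203.0.113.2", 443),
        mk(9051, "203.0.113.3", 80),
        # two Pidgin accounts, same XMPP server IP and port, on 9051 -> one circuit
        mk(9051, "203.0.113.9", 5222), mk(9051, "203.0.113.9", 5222),
        # same two accounts on 9052 with per-account SOCKS usernames -> two circuits
        mk(9052, "203.0.113.9", 5222, auth="acct-a"),
        mk(9052, "203.0.113.9", 5222, auth="acct-b"),
    ]


def circuits_per_port(torrc=TORRC, streams=None):
    """Number of distinct circuits each SocksPort would need for the streams."""
    streams = constructed_streams() if streams is None else streams
    counts = defaultdict(int)
    for key in group_streams(parse_socksports(torrc), streams):
        counts[key[0]] += 1
    return dict(counts)


if __name__ == "__main__":
    for port, flags in sorted(parse_socksports(TORRC).items()):
        print(port, sorted(flags))
    print(circuits_per_port())
```

Running it prints the effective flag set per port and the circuit count per port for the constructed streams; the interesting line is port 9051, where the two Pidgin streams collapse into a single key because IsolateDestAddr and IsolateDestPort see the same server, exactly the correlation the quoted Tails page describes.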
Re: [Tails-dev] [tor-talk] Please review Tails stream isolation plans
intrigeri:
> While I'm at it, we wanted to ask whether it is reasonable for Tails
> to ship with IsolateDestAddr enabled by default (but for the web
> browser) as described in our plans, or if it is doomed to put too high
> a load on the Tor network. (Not that there are that many Tails
> users, and I guess these options were not added in order not to be
> used, but still.)

Without comments. Just related information:

https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/171-separate-streams.txt
https://lists.torproject.org/pipermail/tor-talk/2012-May/024401.html
https://lists.torproject.org/pipermail/tor-talk/2012-May/024403.html