[Whonix-devel] [qubes-devel] Re: Circuit isolating proxy?

Marek Marczykowski-Górecki marmarek at invisiblethingslab.com
Mon Dec 12 00:42:02 CET 2016



On Sun, Dec 11, 2016 at 11:13:00PM +0000, Patrick Schleizer wrote:
> > Possible solution: a piece of software intended to be used on
> > whonix-gw which opens one network interface per circuit,
> 
> It's an interesting idea.
> 
> So the application talks to a virtual network interface directly rather
> than directly to a Tor SocksPort?
> 
> - Then this virtual network interface would eventually talk to a Tor
> SocksPort?
> - Okay, if I got that right, the application couldn't try to exploit a
> bug in Tor's socks implementation. So the tun2socks application would
> have to be more resistant against exploitation than Tor's socks code?

I think it is a *REALLY BAD* idea to add an additional, hand-crafted IP
packet parser (tun2socks). Pretty much the same data will reach tor
socks anyway, but you'll add another attack surface, that of tun2socks.
The socks protocol isn't complex enough to be worth hiding behind such a
complex thing as tun2socks. Socks is just a request packet ("where to
connect to") followed by an unmodified TCP stream. Tor needs to parse
only that initial request packet.

What is worth guarding is the tor control socket, and it isn't directly
exposed. There is "control-port-filter-python" (or something else in the
new Whonix version?) to filter it. IMO it would be much better if the
control port weren't exposed at all, but unfortunately some applications
do require it.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
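As an added example (not code from this thread, from Tor or from Whonix), here is everything a SOCKS5 proxy has to interpret before the connection turns into an opaque TCP stream: the method greeting and the CONNECT request, parsed with strict length checks so truncated input is reported as incomplete rather than guessed at. The sample byte strings used to exercise it are constructed.

```python
import ipaddress

# Added example (not Tor's or Whonix's code): the two SOCKS5 messages a proxy
# must interpret before the connection becomes an opaque TCP stream.
class SocksError(ValueError): pass  # any malformed or unsupported message

def parse_greeting(buf):
    """VER NMETHODS METHODS... -> bytes consumed, or 0 if more data is needed."""
    if len(buf) < 2:
        return 0
    ver, nmethods = buf[0], buf[1]
    if ver != 0x05 or nmethods == 0:
        raise SocksError("not a SOCKS5 greeting")
    if len(buf) < 2 + nmethods:
        return 0
    if 0x00 not in buf[2:2 + nmethods]:  # only 'no authentication' is accepted
        raise SocksError("no acceptable method")
    return 2 + nmethods

def parse_request(buf):
    """VER CMD RSV ATYP DST.ADDR DST.PORT -> (host, port, consumed), or None."""
    if len(buf) < 4:
        return None
    ver, cmd, rsv, atyp = buf[:4]
    if ver != 0x05 or rsv != 0x00:
        raise SocksError("bad request header")
    if cmd != 0x01:  # CONNECT only; BIND and UDP ASSOCIATE are rejected outright
        raise SocksError("unsupported command")
    if atyp == 0x01:        # IPv4, fixed 4 bytes
        alen, off = 4, 4
    elif atyp == 0x04:      # IPv6, fixed 16 bytes
        alen, off = 16, 4
    elif atyp == 0x03:      # hostname, one length byte then the name
        if len(buf) < 5:
            return None
        alen, off = buf[4], 5
        if alen == 0:
            raise SocksError("empty hostname")
    else:
        raise SocksError("unknown address type")
    end = off + alen + 2    # address followed by a 2-byte big-endian port
    if len(buf) < end:
        return None
    raw = buf[off:off + alen]
    try:
        host = raw.decode("ascii") if atyp == 0x03 else str(ipaddress.ip_address(raw))
    except UnicodeDecodeError as exc:
        raise SocksError("hostname is not ASCII") from exc
    port = int.from_bytes(buf[end - 2:end], "big")
    return host, port, end
```

After the reply to this request is written, the proxy copies bytes in both directions without looking at them, which is the whole of the parsing surface the message above is comparing against a full IP/TCP stack in tun2socks.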

