[Whonix-devel] [qubes-devel] Re: Circuit isolating proxy?

William Budington bill at eff.org
Mon Dec 12 09:02:42 CET 2016


I wasn't aware of the IsolateClientAddr option within tor.  With the assurance that each source ip will be stream isolated, no `tun2socks` proxy or equivalent is necessary, given that whonix-ws is transparently torified.  For applications that do not require direct tor port access, separating them into their own VM and modifying iptables rules on sys-whonix so that these VMs have no access to the tor ports should work for my intended purpose.

Since the browser is such a large attack surface, for whonix-ws VMs which only use Tor Browser, I wonder if access to the control port could be fully denied?  It seems so.  Since the Tor Launcher isn't actually bootstrapping tor, the control port is only used for the "New Identity" functionality, so you'll lose that.  But if you kill the `socat` process forwarding 9151, the browser seems to work fine.  It seems like the "New Identity" functionality could be implemented on the whonix-gw side: https://blog.torproject.org/category/tags/new-identity

Looks like the Tor Browser use of the control port isn't going away, though.  And in fact may be increasing in the future: https://trac.torproject.org/projects/tor/ticket/9675

On Mon, 12 Dec 2016 00:42:02 +0100, Marek Marczykowski-Górecki wrote:
> On Sun, Dec 11, 2016 at 11:13:00PM +0000, Patrick Schleizer wrote:
> > > Possible solution: a piece of software intended to be used on
> > > whonix-gw which opens one network interface per circuit,
> > 
> > It's an interesting idea.
> > 
> > So the application talks to a virtual network interface directly rather
> > than directly to a Tor SocksPort?
> > 
> > - Then this virtual network interface would eventually talk to a Tor
> > SocksPort?
> > - Okay, if I got that right, the application couldn't try to exploit a
> > bug in Tor's socks implementation. So the tun2socks application would
> > have to be more resistant against exploitation than Tor's socks code?
> 
> I think it is a *REALLY BAD* idea to add additional, hand-crafted IP
> packet parser (tun2socks). Pretty much the same data will reach tor
> socks anyway, but you'll add another attack surface of tun2socks.
> Socks protocol isn't that complex to be worth hiding behind such a complex
> thing like tun2socks. Socks is just a request packet ("where connect
> to") followed by unmodified TCP stream. Tor needs to parse only that
> initial request packet.
> 
> What is worth guarding is the tor control socket, and it isn't directly
> exposed. There is "control-port-filter-python" (or something else in new
> Whonix version?) to filter it. IMO it would be much better if control
> port wouldn't be exposed at all, but unfortunately some applications do
> require it.
> 
> -- 
> Best Regards,
> Marek Marczykowski-Górecki
> Invisible Things Lab
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
> 

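The thread's conclusion is that the SOCKS port needs little guarding while the control port does, and that VMs running only Tor Browser could have control-port access denied on the gateway with iptables. Below is an added example of such a gateway-side policy; it is not code from the thread, from Whonix or from Qubes. The internal interface name, the workstation addresses and the port list (Tor's default SocksPort 9050, default ControlPort 9051, and the 9151 forward mentioned above) are assumptions, so adjust them to the real gateway layout. By default the script only prints the rules; set `IPT=iptables` (or `IPT="sudo iptables"`) to apply them.

```shell
#!/bin/sh
# Added example (not from the thread, Whonix or Qubes): gateway-side filter that
# lets workstation VMs reach Tor's SOCKS port but denies SOCKS-only VMs the
# control port(s). Everything below the comment block is an assumption:
#   IPT        command used to install rules; default is a dry run that prints them
#   GW_IF      gateway interface facing the workstation VMs
#   WS_ALLOW   VM(s) that may still reach the control port (apps that need it)
#   WS_DENY    VM(s) that get SOCKS only (e.g. a Tor Browser-only workstation)
IPT="${IPT:-echo iptables}"
GW_IF="${GW_IF:-eth1}"
WS_ALLOW="${WS_ALLOW:-10.0.0.2/32}"
WS_DENY="${WS_DENY:-10.0.0.3/32}"
SOCKS_PORT=9050              # Tor default SocksPort (assumed)
CONTROL_PORTS="9051 9151"    # Tor default ControlPort and the 9151 forward (assumed)

# emit_rules SUBNET yes|no : allow SOCKS from SUBNET; allow or drop the control ports.
emit_rules() {
    subnet="$1"
    allow_control="$2"
    # SOCKS carries only the small connect request plus the raw TCP stream,
    # so it is allowed for every workstation.
    $IPT -A INPUT -i "$GW_IF" -s "$subnet" -p tcp --dport "$SOCKS_PORT" -j ACCEPT
    for port in $CONTROL_PORTS; do
        if [ "$allow_control" = yes ]; then
            $IPT -A INPUT -i "$GW_IF" -s "$subnet" -p tcp --dport "$port" -j ACCEPT
        else
            $IPT -A INPUT -i "$GW_IF" -s "$subnet" -p tcp --dport "$port" -j DROP
        fi
    done
}

# apply_policy : full access for WS_ALLOW, SOCKS-only for WS_DENY, then drop
# anything else arriving on the internal interface.
apply_policy() {
    emit_rules "$WS_ALLOW" yes
    emit_rules "$WS_DENY" no
    $IPT -A INPUT -i "$GW_IF" -j DROP
}

# count_rules VERDICT PORT : dry-run check helper that counts how many rules the
# policy would install for PORT with the given verdict (ACCEPT or DROP).
count_rules() {
    ( IPT="echo iptables"; apply_policy ) | grep -c -- "--dport $2 -j $1"
}

apply_policy
```

With the defaults the dry run shows one ACCEPT for port 9050 per workstation, an ACCEPT on 9051 and 9151 only for the `WS_ALLOW` address, a DROP on both control ports for the `WS_DENY` address, and a final catch-all DROP on the internal interface. Keeping the control-port rules per source address is what lets a single gateway serve both kinds of workstation at once.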
