[Whonix-devel] [qubes-devel] Re: Circuit isolating proxy?
Patrick Schleizer
patrick-mailinglists at whonix.org
Mon Dec 12 21:02:00 CET 2016
William Budington:
> Since the browser is such a large attack surface, for whonix-ws VMs
> which only use Tor Browser, I wonder if access to the control port
> could be fully denied? It seems so. Since the Tor Launcher isn't
> actually bootstrapping tor, the control port is only used for the
> "New Identity" functionality, so you'll lose that. But if you kill
> the `socat` process forwarding 9151, the browser seems to work fine.
[Btw to kill all socat for testing one can use: "sudo service
anon-ws-disable-stacked-tor stop"]
> It seems like the "New Identity" functionality could be implemented
> on the whonix-gw side:
> https://blog.torproject.org/category/tags/new-identity
>
> Looks like the Tor Browser use of the control port isn't going away,
> though. And in fact may be increasing in the future:
> https://trac.torproject.org/projects/tor/ticket/9675
Yes. That's why we have the filter.
Btw the full rationale can be found here:
https://www.whonix.org/wiki/Dev/Control_Port_Filter_Proxy
Best regards,
Patrick
More information about the Whonix-devel
mailing list