
Stream Isolation


Introduction[edit]

If you install custom applications and do not explicitly take precautions against identity correlation through Tor circuit sharing, you risk that different activities, say web browsing (Chromium or similar) and IRC (mIRC or similar), go through the same Tor circuit and exit relay. Even though you would still be anonymous, i.e. the Tor exit relay would still not know your real IP/location, it can easily correlate those activities issued by different applications to the same pseudonym.

The following graphic illustrates the difference between using Tor SocksPorts and using Tor's TransPort. Using a dedicated Tor SocksPort per application results in a different route through the Tor network per application. Not necessarily all nodes (first, second, third) are replaced by Tor: sometimes only the first, sometimes only the second, sometimes only the third, and sometimes several nodes change.

Stream Isolation Graphic

Whonix implements protection against identity correlation through Tor circuit sharing for preinstalled applications; however, for better privacy you are still advised to understand a bit of the technical background. Since Tor version 0.2.3, different SocksPorts, DnsPorts or TransPorts go through different Tor circuits, thereby preventing identity correlation. Whonix configures most applications that come preinstalled with Whonix to use a different SocksPort each, so no identity correlation is at risk. Whonix uses either socks proxy settings to direct various applications to different SocksPorts, or uwt (more information below).

Any other traffic (i.e. custom installed applications and miscellaneous applications such as nslookup) goes through Tor's DnsPort and/or TransPort (which can optionally be disabled, see below).

List[edit]

Applications in Whonix that are either prepared or fully pre-configured to prevent identity correlation through Tor circuit sharing:

By Settings[edit]

application | pre-installed | pre-configured | stream isolation by method | port | comments
Tor Browser | yes | yes | socks proxy settings | 9150 [1] | -
HexChat (see Chat) | yes | yes | socks proxy settings | 9101 | -
Mozilla Thunderbird with TorBirdy | no | yes | socks proxy settings | - | -
Instant Messenger (see Chat) | no | no (TODO) | socks proxy settings | port prepared, IP 10.152.152.10, port 9103 | -
sdwdate | yes | yes | socks proxy settings [2] | - | -
whonixcheck | yes | yes | socks proxy settings | 9110 | -
BitCoin (see Money) | no | no | socks proxy settings | port prepared, IP 10.152.152.10, port 9111 | -
privoxy | no | no | socks proxy settings | port prepared, IP 10.152.152.10, port 9112 | -
polipo | no | no | socks proxy settings | port prepared, IP 10.152.152.10, port 9113 | -
Tor Browser Downloader by Whonix | yes | yes | socks proxy settings | - | -
Chat#Ricochet IM | no | yes | socks proxy settings | - | connects only to hidden services
Mixmaster | yes | yes | settings [3] | - | connects only to hidden services
KDE application wide proxy settings | no | yes | socks proxy settings | 9122 | no KDE applications with network activity pre-installed

By uwt wrapper[edit]

application | pre-installed | pre-configured | stream isolation by method | port | comments
apt-get (see Update) | yes | yes | uwt wrapper | - | -
aptitude | yes | yes | uwt wrapper | - | -
gpg | yes | yes | uwt wrapper | - | -
ssh | yes | yes | uwt wrapper | - | -
git | no | yes | uwt wrapper | - | -
wget | yes | yes | uwt wrapper | - | -
curl | yes | yes | uwt wrapper | - | -
mixmaster-update (see Mixmaster) | yes | yes | uwt wrapper | - | -

none[edit]

application | pre-installed | pre-configured | stream isolation by method | port | instructions
GNOME application wide proxy settings | no | no | none | - | no GNOME applications with network activity pre-installed

Details[edit]

The required socks proxy settings are set up by various Whonix configuration packages or by uwt wrappers, which are installed on Whonix-Gateway and on Whonix-Workstation. uwt is a wrapper around torsocks and is installed at /usr/bin/uwt.

  • Example: each time you run a uwt wrapped application, e.g. you simply type apt-get in a console, the uwt wrapper /usr/bin/apt-get runs. It prepends uwt to apt-get. Out of curiosity, check nano /usr/bin/apt-get. Essentially, the uwt wrapper then runs /usr/bin/uwt /usr/bin/apt-get.anondist-orig. The same applies to all other uwt wrapped applications.
  • If you ever want or must run a uwt wrapped application without uwt, do not run for example apt-get in the console; run apt-get.anondist-orig instead. A use case is connecting to localhost. If you know what you are doing, you can also deactivate any uwt wrappers you dislike, see #Deactivate_uwt_Stream_Isolation_Wrapper.
  • When running /usr/bin/apt-get.anondist-orig, traffic goes directly through Tor's DnsPort and TransPort and not through the application's own SocksPort.
  • uwt checks whether the command line contains the words localhost or 127.0.0.1; if so, uwt is not used and the command runs without it. Thus, if a localhost connection is falsely detected, the traffic will leak, but only through Tor's DnsPort and TransPort, which should be acceptable.
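To make the wrapper's decision rules above tangible, here is an added Python model (not the uwt code itself, and not part of this wiki page) of how a uwt wrapper decides between torsocks and passthrough. It re-implements the rules described here and in the "Deactivate uwt Stream Isolation Wrapper" section further down: the localhost / 127.0.0.1 detection, the UWT_DEV_PASSTHROUGH environment variable and the uwtwrapper_global setting. The config parser, the sample 50_user.conf content and the route summary are assumptions made for this example; the interesting case it shows is a false positive, where a URL merely containing the word "localhost" bypasses torsocks and the traffic falls back to TransPort/DnsPort (or is blocked if those are disabled).

```python
"""Model of how a uwt wrapper decides whether a command goes through
torsocks (its own SocksPort) or runs unwrapped.

Added example; this is not the uwt code itself. It re-implements the rules
the page describes: the localhost / 127.0.0.1 detection, the
UWT_DEV_PASSTHROUGH environment variable and the uwtwrapper_global setting
from /etc/uwt.d/50_user.conf. The config parser and the route summary are
assumptions made for this example.
"""
import re

# uwt skips torsocks when these words appear anywhere on the command line.
_LOCAL_RE = re.compile(r"localhost|127\.0\.0\.1")

# Constructed sample of a /etc/uwt.d/50_user.conf that disables all wrappers.
SAMPLE_USER_CONF = 'uwtwrapper_global="0"\n'


def read_uwt_config(config_text):
    """Parse shell-style key="value" lines into a dict (comments ignored).
    Assumed format, modelled on uwtwrapper_global="0" from the page."""
    settings = {}
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r'^(\w+)=(?:"([^"]*)"|(\S*))$', line)
        if m:
            settings[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return settings


def uwt_decision(argv, env, config):
    """Return ("torsocks" | "passthrough", reason) for a wrapped command.

    argv is the full command line (e.g. ["curl", "38.229.72.22"]),
    env a mapping like os.environ, config the parsed uwt settings.
    """
    if env.get("UWT_DEV_PASSTHROUGH") == "1":
        return "passthrough", "UWT_DEV_PASSTHROUGH=1 set in the environment"
    if config.get("uwtwrapper_global") == "0":
        return "passthrough", 'uwtwrapper_global="0" in /etc/uwt.d'
    if _LOCAL_RE.search(" ".join(argv)):
        # Heuristic: any mention of localhost/127.0.0.1 bypasses torsocks,
        # including false positives such as a URL path containing "localhost".
        return "passthrough", "localhost or 127.0.0.1 found on the command line"
    return "torsocks", "no exception matched, run via /usr/bin/uwt"


def resulting_route(decision, transparent_enabled):
    """Where the traffic ends up, given whether TransPort/DnsPort are still on."""
    if decision == "torsocks":
        return "application's own SocksPort (stream isolated)"
    return "TransPort/DnsPort (shared circuit)" if transparent_enabled else "blocked"


if __name__ == "__main__":
    conf = read_uwt_config(SAMPLE_USER_CONF)
    for argv in (["curl", "38.229.72.22"],
                 ["curl", "http://127.0.0.1:8080/"],
                 ["curl", "http://example.com/localhost-howto"]):
        decision, why = uwt_decision(argv, {}, {})
        print(" ".join(argv), "->", decision, "(", why, ")",
              "->", resulting_route(decision, transparent_enabled=True))
    print("with uwtwrapper_global=0:", uwt_decision(["apt-get", "update"], {}, conf))
```

Running the block prints the decision for a plain IP target (torsocks), a genuine localhost target (passthrough) and the false-positive URL (passthrough as well); the last line shows that a global uwtwrapper_global="0" sends everything to passthrough regardless of the command line.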

Isolate by destination address: Let's assume SSH goes over port 22 and you want to connect to different SSH servers without an observer being able to correlate that activity to the same pseudonym. If the SSH servers run on different IPs, isolating by destination address might help.

Isolate by destination port: This doesn't seem useful for anything in Whonix; applications using different protocols (and therefore different ports) are already isolated by using different SocksPorts.

Isolating by destination port doesn't really achieve anything for web browsing either; see the tor-talk thread "Tor's stream isolation features defaults".

For more information about stream isolation refer to the Tor manual.

Different tabs and websites in Tor Browser are isolated by socks user name since Tor Browser version 4.5-alpha-1. [4]

Different Tor Hidden Services are automatically stream isolated. [5]

Footnotes[edit]

  1. Whonix-Workstation 127.0.0.1:9150 gets redirected to 10.152.152.10:9150 by rinetd. See the file /etc/rinetd on Whonix-Workstation and the package anon-ws-disable-stacked-tor. Changing proxy settings in Tor Browser has proven to be unreliable: at some point Tor Button may change its internals and break something again. Keeping the default settings and not requiring any changes in Tor Browser seems like the best way to maintain compatibility in the long run, and is also simplest in case update-torbrowser breaks and manually updating Tor Browser is required again in future.
  2. https://github.com/Whonix/sdwdate-plugin-anon-shared-streamiso/blob/master/etc/sdwdate.d/31_anon_dist_stream_isolation_plugin
  3. (see also Dev/Mixmaster)
  4. https://trac.torproject.org/projects/tor/ticket/3455
  5. https://lists.torproject.org/pipermail/tor-talk/2012-September/025432.html

How to mitigate identity correlation[edit]

Basic Protection[edit]

If you install custom software that uses the internet on Whonix-Workstation and want to prevent identity correlation through Tor circuit sharing (which you should), you have to configure it manually. This is not a Whonix specific problem. [1] Read also Software installation on Whonix-Workstation.

The #list of applications which come pre-installed with Whonix shows which are pre-configured to prevent identity correlation through circuit sharing.

One thing that goes through the TransPort by default is whonixcheck when it tests the TransPort. If that concerns you, it can be disabled in whonixcheck, see Advanced Security Guide#Prevent polluting TransPort.

All custom installed applications' TCP traffic is routed through Tor's TransPort and all their DNS requests through Tor's DnsPort. This means different activities or "identities" in different applications (say browser, IRC, email) end up being routed through the same circuit, so identity correlation is at risk. [2]

To protect against this, you have to set up per-application SOCKS ports in Whonix-Gateway.

On Whonix-Gateway, /usr/share/tor/tor-service-defaults-torrc already has a lot of custom SocksPorts prepared for custom installed applications:

  • Without IsolateDestAddr and without IsolateDestPort: SocksPort 10.152.152.10:9153 to 9159
  • With IsolateDestAddr, but without IsolateDestPort: SocksPort 10.152.152.10:9160 to 9169
  • Without IsolateDestAddr, but with IsolateDestPort: SocksPort 10.152.152.10:9170 to 9179
  • With IsolateDestAddr and with IsolateDestPort: SocksPort 10.152.152.10:9180 to 9189
  • If those are not enough, you can add your own.

What are IsolateDestAddr and IsolateDestPort? You can learn about them in the Tor manual. See also tor-talk mailing list: Tor's stream isolation features defaults. Usually, unless you know better, you are better off not using IsolateDestAddr or IsolateDestPort.

You can point the applications for which you want to prevent identity correlation through circuit sharing to those SocksPorts. Each custom installed application has to be torified; for directions on how to do that, use the Torify HOWTO.

Additional comments regarding the Torify HOWTO:

  • Protocol related warnings must be honored. You are still better off with Whonix, as it offers the best possible Protocol-Leak-Protection and Fingerprinting-Protection.
  • Whonix's setup provides protection against IP leaks through protocol leaks.
  • If you do not torify correctly, either no connections will be possible or traffic will continue going through Tor's TransPort (unless you disable that, as explained below).
  • If you redirect more than one application to the same SocksPort, identity correlation is at risk.
  • DNS related warnings still apply, though to a lesser extent: an attacker could only make correlations but still couldn't figure out your IP. You can prevent that by commenting out (# in front of) DnsPort in /etc/tor/torrc on the Whonix-Gateway and by removing the DNS redirection firewall rule from /usr/bin/whonix_firewall.
    • Do not use a local DNS resolver, as all DNS requests would then go over the same circuit.
  • Other leaks, such as applications not honoring the proxy settings / wrapper, ICMP or UDP leaks, do not apply to Whonix.
  • The SafeSocks setting rejects unsafe variants of socks that might cause DNS leaks. The Whonix design mitigates DNS leaks by redirecting all requests to Tor's DnsPort. Enabling this setting would give marginal benefit in this situation but would complicate debugging.
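The prepared SocksPort ranges above and the warning about pointing two applications at the same SocksPort can be checked mechanically. The following is an added Python example (not Whonix's own tooling and not part of this page) that parses SocksPort lines in torrc syntax and validates a per-application port plan: it flags ports that are not configured at all, applications that share one SocksPort (circuit sharing), and ports carrying IsolateDestAddr/IsolateDestPort, which this page says you usually do not want. SAMPLE_TORRC is constructed to mirror the four isolation classes listed above; it is not a copy of /usr/share/tor/tor-service-defaults-torrc, and the application names in the plan are made up.

```python
"""Parse SocksPort lines from a torrc-style text and check a
per-application port assignment for circuit sharing.

Added example, not Whonix's own tooling. SAMPLE_TORRC is constructed to
mirror the four isolation classes of SocksPorts the page lists for
/usr/share/tor/tor-service-defaults-torrc; it is not a copy of that file.
The SocksPort syntax handled here ("SocksPort [addr:]port [flags...]")
follows the Tor manual; unix-socket SocksPorts are not handled.
"""
import re
from collections import defaultdict

SAMPLE_TORRC = """\
# constructed sample, one port per isolation class from the page
SocksPort 10.152.152.10:9153
SocksPort 10.152.152.10:9154
SocksPort 10.152.152.10:9160 IsolateDestAddr
SocksPort 10.152.152.10:9170 IsolateDestPort
SocksPort 10.152.152.10:9180 IsolateDestAddr IsolateDestPort
TransPort 10.152.152.10:9040   # not a SocksPort, ignored
"""

_SOCKS_RE = re.compile(r"^\s*SocksPort\s+(\S+)(.*)$")


def parse_socks_ports(torrc_text):
    """Return {(addr, port): set_of_flags} for every SocksPort line."""
    ports = {}
    for raw in torrc_text.splitlines():
        line = raw.split("#", 1)[0]          # strip trailing comments
        m = _SOCKS_RE.match(line)
        if not m:
            continue
        target, flags = m.group(1), set(m.group(2).split())
        if ":" in target:
            addr, port = target.rsplit(":", 1)
        else:
            addr, port = "127.0.0.1", target  # Tor's default bind address
        ports[(addr, int(port))] = flags
    return ports


def check_assignment(assignment, ports):
    """assignment: {app_name: (addr, port)}. Returns a list of problems:
    ports that are not configured SocksPorts, two or more applications on
    one SocksPort (circuit sharing), and a hint when the chosen port carries
    IsolateDestAddr/IsolateDestPort, which the page says you usually do not want."""
    problems = []
    users = defaultdict(list)
    for app, target in assignment.items():
        if target not in ports:
            problems.append(f"{app}: {target[0]}:{target[1]} is not a configured SocksPort")
            continue
        users[target].append(app)
        dest_flags = ports[target] & {"IsolateDestAddr", "IsolateDestPort"}
        if dest_flags:
            problems.append(f"{app}: port {target[1]} has {', '.join(sorted(dest_flags))}; "
                            "make sure you want per-destination isolation")
    for target, apps in sorted(users.items()):
        if len(apps) > 1:
            problems.append(f"circuit sharing: {', '.join(sorted(apps))} all use "
                            f"{target[0]}:{target[1]}")
    return problems


if __name__ == "__main__":
    ports = parse_socks_ports(SAMPLE_TORRC)
    plan = {  # constructed assignment for four custom applications
        "irc-client": ("10.152.152.10", 9153),
        "mail-client": ("10.152.152.10", 9153),   # mistake: shares a port with IRC
        "ssh-client": ("10.152.152.10", 9160),    # IsolateDestAddr, as in the SSH scenario
        "ftp-client": ("10.152.152.10", 9999),    # not configured on the gateway
    }
    for problem in check_assignment(plan, ports) or ["no problems found"]:
        print(problem)
```

In practice you would feed parse_socks_ports the real text of /usr/share/tor/tor-service-defaults-torrc plus your own /etc/tor/torrc additions, and check_assignment the ports you entered in each application's socks proxy settings; an empty result means every application has a SocksPort of its own.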

Better Protection[edit]

For best protection against identity correlation:

Read the advice above and on Whonix-Gateway:

Deactivate KDE / GNOME - application wide proxy settings...

  • Because those proxy settings are not application specific but force all KDE / GNOME applications through the same SocksPort (no KDE / GNOME applications which use the internet are preinstalled by default), deactivating those KDE / GNOME wide proxy settings gives better control over stream isolation.

To deactivate TransPort and DnsPort...

Modify Whonix User Firewall Settings.

Note: Initially, if you have not made any changes to Whonix Firewall Settings, then Whonix User Firewall Settings File /etc/whonix_firewall.d/50_user.conf appears empty, because it does not exist. This is expected.

If you are using Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Template: whonix-gw -> Whonix User Firewall Settings

If you are using a graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> Settings -> User Firewall Settings

If you are using a terminal-only Whonix-Gateway, complete the following steps:

sudo nano /etc/whonix_firewall.d/50_user.conf


Note: Whonix Global Firewall Settings File /etc/whonix_firewall.d/30_default.conf contains the default settings and explanatory comments on what these settings are for. It is opened read-only by default; you are not supposed to edit it directly. Below, we recommend opening the file without root rights. The file contains an explanatory comment on how to change firewall settings:

## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration,
## which will override the defaults found here. When Whonix is updated, this
## file may be overwritten.

See also Whonix modular flexible .d style configuration folders.

To view the file, complete the following steps.

If you are using Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Template: whonix-gw -> Whonix Global Firewall Settings

If you are using a graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> Settings -> Global Firewall Settings

If you are using a terminal-only Whonix-Gateway, complete the following steps:

nano /etc/whonix_firewall.d/30_default.conf

Add.

WORKSTATION_TRANSPARENT_TCP=0
WORKSTATION_TRANSPARENT_DNS=0

Save.

Reload Whonix-Gateway Firewall.

If you are using Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named sys-whonix) -> Reload Whonix Firewall

If you are using a graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> System -> Reload Whonix Firewall

If you are using a terminal-only Whonix-Gateway, run:

sudo whonix_firewall

[3]

This will disable transparent proxying. All applications that are neither configured to use a SocksPort via socks proxy settings nor forced to use one by a socksifier will not be able to establish connections. This is the only way to ensure that different SocksPorts are used and that DNS is also remotely resolved through that SocksPort.

Total protection is only possible if you honor the advice above, only use one application per session, and always revert to a fresh image or use Multiple Whonix-Workstations. [4]

Deactivate Stream Isolation[edit]

Easy[edit]

How to disable stream isolation. Only the easiest and most common methods are covered here; for more options, see below.

Deactivate uwt Stream Isolation Wrapper[edit]

OPTIONAL. Usually not required. Only for special setups and people who know what they are doing.

Temporary[edit]

anondist-orig Method[edit]

Append .anondist-orig to the command you want to run. For example, instead of using

curl 38.229.72.22

use

curl.anondist-orig 38.229.72.22

Environment Variable Method[edit]

Use the UWT_DEV_PASSTHROUGH environment variable. [5]

Example: set the UWT_DEV_PASSTHROUGH environment variable. This disables torsocks for all following invocations.

export UWT_DEV_PASSTHROUGH="1"
curl 38.229.72.22

When running as user and using sudo, do not forget sudo's -E parameter, which stands for preserve environment.

sudo -E apt-get update

Permanently[edit]

Introduction[edit]

You can enable/disable all uwt stream isolation wrappers globally or enable/disable specific wrappers; see the uwt configuration file /etc/uwt.d/30_uwt_default.

deactivate all uwt wrappers permanently[edit]

To deactivate all uwt wrappers permanently, i.e. to deactivate stream isolation for all uwt wrapped applications and make them use the system default networking again, follow the steps below.

(If you want more fine-grained control over uwt wrapper deactivation, see Stream_Isolation#Deactivate_uwt_Stream_Isolation_Wrapper.)

Open /etc/uwt.d/50_user.conf in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/uwt.d/50_user.conf

If you are using a terminal-only Whonix, run:

sudo nano /etc/uwt.d/50_user.conf

And add.

uwtwrapper_global="0"

Save.

Deactivate Misc Proxy Settings[edit]

On the Stream Isolation page, there is a list of applications that are pre-configured to use socks proxy settings via application configuration files. If you want to disable this, you must go to the application's settings and remove what Whonix has applied by default.

TODO: document, expand

For some applications this is impossible.

  • sdwdate
  • Ricochet IM

Those can only talk to Tor Hidden Services directly. You cannot configure them to use the system default networking; you can only deactivate sdwdate and/or not use Ricochet IM.

Tor Browser Remove Proxy Settings[edit]

If you would like to remove proxy settings from Tor Browser, see below.

Introduction
Applying this configuration would result in Tor Browser no longer using proxy settings, in other words setting it to no proxy. Tor Browser would then use the (VM) system's default networking, just like any other application inside the workstation that is not explicitly configured through socks proxy settings or a socksifier to use Tor. This is also called transparent torification. [6] It would break stream isolation for Tor Browser as well as Tor Browser's tab isolation by socks user name feature, thereby worsening your web fingerprint and making you pseudonymous rather than anonymous. (To limit the risks, consider using More than one Tor Browser in Whonix or, better, Multiple Whonix-Workstations.)

If you change these settings, it is expected that Tor Button shows a red sign and 'Tor Disabled' when you hover over it with the mouse.

If you want to set it to no proxy, you could set the TOR_TRANSPROXY=1 environment variable. There are various methods to do so; the #/etc/environment Method is the simplest one.

Other methods with more fine-grained settings follow below.

Command Line Method
Get into your Tor Browser folder.

cd ~/tor-browser_en-US

Every time you start Tor Browser, run the following command to set the TOR_TRANSPROXY=1 environment variable.

TOR_TRANSPROXY=1 ./start-tor-browser.desktop

start-tor-browser Method
This applies only to the one instance/folder of Tor Browser that you configure. This method might not persist when Tor Browser is updated.

Find and open start-tor-browser in the Tor Browser folder in an editor, most likely ~/tor-browser_en-US/Browser/start-tor-browser, and add the following line below #!/usr/bin/env bash.

export TOR_TRANSPROXY=1

/etc/environment Method
This applies to the whole environment, i.e. any possible custom locations of Tor Browser installation folders.[7]

Open /etc/environment in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/environment

If you are using a terminal-only Whonix, run:

sudo nano /etc/environment

Add the following content.

TOR_TRANSPROXY=1

Save.

Reboot.

Undo
Undoing this setting is undocumented. Simply no longer setting that environment variable will not do the trick, because of limitations of Tor Browser. The easiest way to undo these instructions would be to start over with a fresh installation of Tor Browser. Please contribute these instructions.

Forget about Tor Button's Open Network Settings
Forget about Tor Button -> Open Network Settings. See the footnote if you want to know why.[8]

Development[edit]

Tests[edit]

1. Applications which internally use curl.

sudo update-command-not-found
sudo update-flashplugin-nonfree --install --verbose

2. Applications which are uwt wrapped themselves and internally use ssh.

git push origin master

3. Enigmail.

Debugging / List of all uwt wrappers[edit]

sudo dpkg-divert --list
ls -la /usr/bin/ssh

Deactivating an uwt wrapper[edit]

Example:

sudo unlink /usr/bin/ssh
sudo dpkg-divert --rename --remove /usr/bin/ssh

Check if Transparent DNS is disabled[edit]

Test.

nslookup check.torproject.org ; echo $?

Should show.

;; connection timed out; no servers could be reached

1

If it shows something else, such as a resolved IP, Transparent DNS is enabled.

Check if Transparent TCP is disabled[edit]

Test.

UWT_DEV_PASSTHROUGH=1 curl 138.201.14.212 ; echo $?

Should show.

curl: (7) couldn't connect to host
7

If it shows something else, such as the html source code, then Transparent TCP is enabled.

Check if Transparent Proxying is disabled[edit]

Test.

UWT_DEV_PASSTHROUGH=1 curl https://check.torproject.org/ ; echo $?

Should show.

curl: (6) Couldn't resolve host 'check.torproject.org'
6

If it shows something else, such as the html source code, then Transparent Proxying is enabled.
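The three checks above can be run in one go and interpreted automatically. The following is an added Python example (not part of the Whonix documentation) that wraps the exact commands from the three check sections in subprocess calls, with UWT_DEV_PASSTHROUGH=1 set so the uwt wrappers for curl are bypassed as on this page, and classifies each result from the exit code: "disabled" when the command fails with the exit code shown above, "enabled" when it succeeds (a resolved name or fetched page), and "inconclusive" for anything else such as a missing binary or a timeout. The CHECKS table and the classification rules are assumptions derived from the expected outputs shown above; the targets 138.201.14.212 and check.torproject.org are the page's own.

```python
"""Run the page's three transparent-proxying checks and interpret them.

Added example, not part of the Whonix documentation. It wraps the commands
the page gives (nslookup, curl with UWT_DEV_PASSTHROUGH=1) in subprocess
calls and classifies the result from the exit code. The CHECKS table and
the classification rules are an assumption derived from the expected
outputs shown on the page.
"""
import os
import subprocess

# (check name, command line from the page, exit code the page shows when
#  that transparent path is disabled)
CHECKS = [
    ("transparent DNS", ["nslookup", "check.torproject.org"], 1),
    ("transparent TCP", ["curl", "138.201.14.212"], 7),
    ("transparent proxying", ["curl", "https://check.torproject.org/"], 6),
]


def classify(expected_code, returncode, output):
    """'disabled' when the command failed exactly as the page describes,
    'enabled' when it succeeded (nslookup resolved a name, curl got a page),
    otherwise 'inconclusive' (different error, e.g. a timeout)."""
    if returncode == 0 or "<html" in output.lower():
        return "enabled"
    if returncode == expected_code:
        return "disabled"
    return "inconclusive"


def run_check(name, argv, expected_code, timeout=60):
    """Run one check with the uwt wrapper bypassed and return
    (name, verdict, detail)."""
    env = dict(os.environ, UWT_DEV_PASSTHROUGH="1")  # as in the page's commands
    try:
        proc = subprocess.run(argv, capture_output=True, text=True,
                              timeout=timeout, env=env)
    except FileNotFoundError:
        return name, "inconclusive", f"{argv[0]} is not installed"
    except subprocess.TimeoutExpired:
        return name, "inconclusive", f"no result within {timeout}s"
    verdict = classify(expected_code, proc.returncode, proc.stdout + proc.stderr)
    return name, verdict, f"exit code {proc.returncode}"


def run_all():
    """Run every check in CHECKS; returns a list of (name, verdict, detail)."""
    return [run_check(name, argv, code) for name, argv, code in CHECKS]


if __name__ == "__main__":
    for name, verdict, detail in run_all():
        print(f"{name}: {verdict} ({detail})")
```

Run it on the Whonix-Workstation after reloading the gateway firewall; after the "Better Protection" steps, all three lines should read "disabled". Any "enabled" line means that transparent path is still open, and an "inconclusive" line means the command failed for a reason other than the one the page expects and should be repeated by hand.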

Sources[edit]

Stream Isolation Graphic has been contributed by: Cuan Knaggs – graphic and web design revlover print media – web design – web development – cms – e-commerce

References[edit]

  1. If you used to use only one SocksPort with the common torification methods, the same thing happened.
  2. What about UDP? See Tor#UDP.
  3. Although not strictly required, you could alternatively or additionally add the following to /etc/tor/torrc. Open /etc/tor/torrc.

    If you are using Qubes-Whonix, complete the following steps:

    Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named sys-whonix) -> Tor User Config (Torrc)
    

    If you are using a graphical Whonix-Gateway, complete the following steps:

    Start Menu -> Applications -> Settings -> /etc/tor/torrc
    

    If you are using a terminal-only Whonix-Gateway, complete the following steps:

    sudo nano /etc/tor/torrc

    Add.

    TransPort 0
    DnsPort 0

    Save.

    And then Reload Tor.

    After editing /etc/tor/torrc you must reload Tor so your changes take effect. (Note: if after completing all these steps you are not able to connect to Tor, you have most likely done something wrong. Go back, check your /etc/tor/torrc and redo the steps outlined in the sections above. If you are able to connect to Tor, then you have completed your changes correctly.)

    For Qubes-Whonix, complete the following steps:

    Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named 'sys-whonix') -> Reload Tor
    

    For graphical Whonix-Gateway, complete the following steps:

    Start Menu -> Applications -> Settings -> Reload Tor
    

    For terminal-only Whonix-Gateway, complete the following steps:

    Reload Tor.

    sudo service tor@default reload

    Check Tor's daemon status.

    sudo service tor@default status

    It should include a message saying:

    Active: active (running) since ...

    In case of issues, try the following debugging steps.

    Check Tor's config.

    sudo -u debian-tor tor --verify-config

    Should show something like the following.

    Sep 17 17:40:41.416 [notice] Read configuration file "/etc/tor/torrc".
    Configuration was valid

  4. Multiple Whonix-Workstations using different internal IPs are automatically separated by Tor (IsolateClientAddr is Tor's default).
  5. https://github.com/Whonix/uwt/blob/master/usr/bin/uwt#L49
  6. That term was coined in context of a Tor Transparent Proxy. A simple gateway that routes all connections through Tor and does not provide Stream Isolation.
  7. Unless you manually unset this environment variable before starting Tor Browser.
  8. When using the regular Tor Browser Bundle from The Tor Project without Whonix, that menu can be used to change network settings inside Tor. It has the same effects as editing Tor's config file torrc.

    Using this graphical user interface isn't possible in Whonix, because for security reasons there is only limited access to Tor's control port in Whonix. (See Dev/CPFP for more information.) You could change such settings manually in /etc/tor/torrc on Whonix-Gateway. (See also VPN/Tunnel support for more information.)

    We are setting the environment variable export TOR_NO_DISPLAY_NETWORK_SETTINGS=1 to disable the "TorButton" -> "Open Network Settings..." menu item. It is not useful, and confusing, to have on a workstation, because Tor must be configured on the gateway, which for security reasons cannot be done from the workstation.

Unless otherwise noted above, content of this page is copyrighted and licensed under the same Free (as in speech) license as Whonix itself.