[Tails-dev] Tails control port filter proxy in Whonix?

Author: Patrick Schleizer
Date:  
To: The Tails public development discussion list
CC: Michael Carbone, Patrick Schleizer
Subject: [Tails-dev] Tails control port filter proxy in Whonix?
Hi,

as discussed elsewhere, yes, it would be great if we could share code bases!

Does it support simultaneous connections? (Such as two applications
using ephemeral Tor hidden services plus Tor Browser at once.)

Does Tails control port filter proxy support events? I mean, can a
client application ask for something and Tor will maybe answer a long
time later?

Whonix control-port-filter-python TODO, also stuff we need before we can
use it:

>> - https://phabricator.whonix.org/T561


Is something we must use in Whonix. Not a cpfpy missing feature but a
general issue. In essence, for example the onionshare localhost server
listener will not be reachable. We somehow must force it to listen on all
interfaces so Tor running on the gateway can access it.

>> - https://phabricator.whonix.org/T562


This is about parsing add_onion and whitelisting sane commands rather
than letting through everything.

add_onion is not a whitelist/not whitelist.

Buggy applications, or users by mistake, could choose the add_onion
flag nonanonymous, which would be a disaster. We also don't know what
Tor control protocol upgrades are coming in the years to come. So I
strongly suggest only letting through whitelisted syntaxes.

Malicious applications could make the Tor HS listener bind on the wrong
interface. In Whonix-Gateway, maliciously listen on Whonix-Gateway.
Which could be fatal if we had also a real Tor ControlPort open there.
Does that make sense? I am not sure it applies to Tails, that depends on
your design and threat model, but it is nevertheless an interesting thought
that can inspire finding more security issues with it.

Also it may be worth making sure it can only bind to specified (and
configurable) local ports?

For connectivity, we need to remove 127.0.0.1 and replace it with
Whonix-Workstation IP. That is currently done with the following code
block that I was going to merge with T562.

https://github.com/Whonix/control-port-filter-python/blob/6a131266a8dc8f98ff22a3b83fae9d43e38b3127/usr/sbin/cpfpd#L345-L375

>> - https://phabricator.whonix.org/T564


Protecting cpfpy from DDOS from client applications. Not sure that
matters for Tails?

>> - https://phabricator.whonix.org/T565


Similar to above.

>> - https://phabricator.whonix.org/T566


The unit test for T562.

Other required features:

- Configurable by dropping .d-style[7] configuration snippets. (ex:
/etc/cpfpy.d)
- Debian packaging.

Less important features:

- Supports logging.
- Honors signals sigterm, sigint, keyboard interrupt.
- systemd support
- When request is 'getinfo net/listeners/socks' answer with a lie
'250-net/listeners/socks="127.0.0.1:9150"'.

Cheers,
Patrick
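
The following sketch is an added example, not part of the original message and not code from cpfpy or Tails. It shows the ADD_ONION handling the message asks for: only whitelisted syntax passes, the NonAnonymous flag is refused, and a localhost target is rewritten to the workstation address on an allowed port. The address, port set, allowed flags and function name are assumptions made for illustration.

```python
import re

# Assumptions for this sketch (constructed values, not Whonix or Tails settings):
WORKSTATION_IP = "10.152.152.11"
ALLOWED_TARGET_PORTS = {17600, 17650}
ALLOWED_FLAGS = {"discardpk", "detach"}  # NonAnonymous is deliberately absent

KEY_RE = re.compile(
    r"(NEW:(BEST|RSA1024|ED25519-V3)|(RSA1024|ED25519-V3):[A-Za-z0-9+/=]+)\Z")
# VIRTPORT, optionally followed by a target that is a bare port or localhost:port.
PORT_RE = re.compile(r"(\d{1,5})(?:,(?:(?:127\.0\.0\.1|localhost):)?(\d{1,5}))?\Z")


def filter_add_onion(line, ws_ip=WORKSTATION_IP, ports=ALLOWED_TARGET_PORTS):
    """Return the rewritten ADD_ONION command, or None if it must be dropped."""
    words = line.strip().split(" ")
    if len(words) < 3 or words[0].upper() != "ADD_ONION":
        return None
    if not KEY_RE.match(words[1]):
        return None
    out, seen_port = ["ADD_ONION", words[1]], False
    for arg in words[2:]:
        key, sep, value = arg.partition("=")
        if not sep:
            return None
        key = key.lower()
        if key == "flags":
            if any(f.lower() not in ALLOWED_FLAGS for f in value.split(",")):
                return None
            out.append("Flags=" + value)
        elif key == "port":
            m = PORT_RE.match(value)
            if not m:
                return None  # unix: sockets and non-local addresses end up here
            virt = int(m.group(1))
            target = int(m.group(2) or virt)  # Tor defaults the target to VIRTPORT
            if not 0 < virt < 65536 or target not in ports:
                return None
            # Always pin the target address, so the client cannot choose the interface.
            out.append(f"Port={virt},{ws_ip}:{target}")
            seen_port = True
        else:
            return None  # MaxStreams, ClientAuth, future keywords: not whitelisted
    return " ".join(out) if seen_port else None
```
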