Re: [Tails-dev] Please test feature/unsafe-browser

Author: intrigeri
Date:
To: The Tails public development discussion list
Subject: Re: [Tails-dev] Please test feature/unsafe-browser
Hi,

another concern I have with the current state of
feature/unsafe-browser is that the clearnet user is allowed to connect
to Tor, Polipo, pdnsd and ttdnsd, which may make possible some classes
of new deanonymization attacks against Tails users.

I guess it would be relatively easy to implement stricter permissions,
similar to Liberté's policy on the loopback network interface (see
src/usr/local/sbin/fw-reload in their source tree).

IIRC it was also suggested to simply shut down Tor altogether while the
unsafe-browser is running, which might be simpler than
an iptables-based solution to this problem (independently from that,
I think a stricter iptables policy would be a welcome hardening
improvement anyway).

What do you think?

(I can't find any summary of our previous thinking on this topic, so
if we already dismissed it for good reasons, at least it should be
made explicit in the design notes.)

Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
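
The stricter loopback policy suggested in this message can be expressed with the iptables owner match and then checked against a saved ruleset. The following is an added example, not part of the original post and not Tails or Liberté code; it assumes the unsafe browser runs as a dedicated clearnet user (uid 1001 in the constructed sample), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Tails or Liberté code. Assumes the Unsafe Browser runs as
# a dedicated "clearnet" user and that Tor, Polipo, pdnsd and ttdnsd are
# reached over the loopback interface.

# Rule denying one user all loopback traffic. It must sit above any broad
# "-o lo -j ACCEPT" rule in the filter table's OUTPUT chain.
clearnet_lo_rule() {
    printf '%s\n' "-A OUTPUT -o lo -m owner --uid-owner $1 -j REJECT"
}

# Read an iptables-save dump on stdin; print "blocked" or "allowed" for new
# loopback connections made by the given uid (numeric, as iptables-save prints
# it). Conservative: any ACCEPT that may match counts as allowed; a narrowed
# or negated REJECT/DROP is ignored; user-defined chains are not followed.
audit_lo_policy() {
    awk -v uid="$1" '
        $1 ~ /^\*/ { table = $1 }
        table != "*filter" { next }
        $1 == ":OUTPUT" { policy = $2 }
        $1 != "-A" || $2 != "OUTPUT" || verdict != "" { next }
        {
            out = ""; owner = ""; target = ""; narrow = 0; newconn = 1
            for (i = 3; i <= NF; i++) {
                if ($i == "-o") out = $(i + 1)
                else if ($i == "--uid-owner") owner = $(i + 1)
                else if ($i == "-j") target = $(i + 1)
                else if ($i ~ /^(!|-p|-d|--dport)$/) narrow = 1
                else if ($i ~ /^--(ct)?state$/) newconn = ($(i + 1) ~ /(^|,)NEW(,|$)/)
            }
            if ((out != "" && out != "lo") || (owner != "" && owner != uid)) next
            if (!newconn) next
            if (target == "ACCEPT") verdict = "allowed"
            else if ((target == "REJECT" || target == "DROP") && !narrow) verdict = "blocked"
        }
        END {
            if (verdict == "") verdict = (policy == "DROP") ? "blocked" : "allowed"
            print verdict
        }'
}

# Constructed sample ruleset (uid 1001 stands in for the clearnet user).
sample="*filter
:OUTPUT DROP [0:0]
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
$(clearnet_lo_rule 1001)
-A OUTPUT -o lo -j ACCEPT
COMMIT"
printf '%s\n' "$sample" | audit_lo_policy 1001
```

On a live system the audit would read `iptables-save` output instead of the constructed sample.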