[Tails-dev] separate Tor streams

Supprimer ce message

Répondre à ce message
Auteur: adrelanos
Date:  
À: tails-dev
Sujet: [Tails-dev] separate Tor streams
I don't know your policy who is permitted to edit Tails's TODO items, so
I share my comments regarding separate Tor streams [1] here. For readers
who never heard about stream isolation please see the Tor manual.
(Isolate...) [7]

Thanks for considering separate Tor streams. Since I already added [5]
separate Tor streams to aos [2] I made a summary aos's implementation.

It is preferred to add one SocksPorts per application to /etc/torrc. Of
course only for applications which are expected to issue network
activity. Configure all applications, which support socks settings, to
point to their designated SocksPort.

Alternatively you could also re-use one SocksPort multiple times and use
different socks passwords. I preferred not to do that, because not all
applications do support socks passwords and because I trust applications
more to have a bug free socks port implementation than socks password
implementation. (Because much more users do use socks ports than socks
passwords.) Also for simplicity it was easier to use separate SocksPorts
for everything.

By the way, you may ask yourself, using ten or more SocksPorts does not
result in opening more circuits than usual, at least not that I ever
observed.

Unfortunately, not all applications support socks settings. Somehow they
have to be pointed to their own SocksPort anyway.

Tor does not include (multiple) HttpPort(s) [8] and it's not on the
horizon. I requested a similar feature for privoxy [9] but chances are
very low. There is another discussion about this on tor-talk [10] but
the suggested solution [11] is imho unfeasible and error prone.

torsocks's usewithtor unfortunately doesn't support choosing different
SocksPorts by using parameters. The torsocks configuration file has to
be changed. Also if the user types wget in console it should be
torified. Therefore I made a fork of torsocks's usewithtor, which I call
uwt. [13] [14] Wrappers are used (hint given by interigi) to let wget
etc. when issued in console or by other applications to use uwt, thus
getting separate SocksPorts.

(Adding that feature upstream is unlikely. torsocks is practically
unmaintained, no progress with torsocks's issues for a long time [15]
and other issues. [12] torsocks could need a new (co-)maintainer.)

A hack how to force non-socks (and non-proxy) aware applications to use
separate SocksPorts is documented. (uwt) [13]

Cheers,
adrelanos

[1] https://tails.boum.org/todo/separate_Tor_streams/
[2] https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/
[3] https://trac.torproject.org/projects/tor/wiki/torbirdy#Privoxy
[4] https://lists.torproject.org/pipermail/tor-talk/2012-July/024782.html
[5]
https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/ApplicationWarningsAndNotes#Identitycorrelationthroughcircuitsharing
[6]
https://github.com/adrelanos/aos/blob/devel/aos_shared/usr/local/bin/torcheck
[7] https://www.torproject.org/docs/tor-manual-dev.html.en
[8] https://trac.torproject.org/projects/tor/ticket/6060
[9]
http://sourceforge.net/tracker/?func=detail&aid=3541363&group_id=11118&atid=361118
[10] https://lists.torproject.org/pipermail/tor-talk/2012-June/024497.html
[11] https://lists.torproject.org/pipermail/tor-talk/2012-June/024498.html
[12] https://trac.torproject.org/projects/tor/ticket/6155
[13] https://trac.torproject.org/projects/tor/wiki/doc/torsocks
[14]
https://github.com/adrelanos/aos/blob/devel/aos_shared/usr/local/bin/uwt
[15] https://code.google.com/p/torsocks/
[16]
TorBrowser (socks proxy settings), XChat (socks proxy settings),
Thunderbird with TorBirdy (socks proxy settings to socks port, http
proxy to privoxy [3] [4] and privoxy also gets a separate SocksPort,
Instant Messenger (socks proxy settings), apt-get (uwt wrapper), gpg
(uwt wrapper), ssh (uwt wrapper), git (uwt wrapper), htpdate (uwt
wrapper), wget (uwt wrapper), torcheck [6] (uwt wrapper), BitCoin (socks
proxy settings), privoxy (socks proxy settings), polipo (socks proxy
settings)