Re: [Tails-dev] [tor-talk] Please review Tails stream isolat…

Author: intrigeri
Date:  
To: tor-talk
CC: tails-dev
Subject: Re: [Tails-dev] [tor-talk] Please review Tails stream isolation plans
Hi,

Nick Mathewson wrote (30 Aug 2012 15:10:52 GMT) :
>> * Pidgin


> Not too scary, I think. You'd typically wind up with one destination
> per chat, or one per chat protocol?


Typically, per chat account.

>> * Liferea RSS feed reader


> This one is a little scary. Do I understand correctly that an RSS
> reader will make a separate connection for every RSS feed that you
> subscribe to? If so that might make some pretty serious load.


Yes, it will. I've personally been using per-destination separate
streams for >70 feeds in my own reader for a while. Shame on me for
loading the Tor network, maybe, but at least I can confirm it
works well.

Anyhow, I don't expect many Tails users to make such intensive use
of the feed reader: RSS in itself is unlikely to grow in popularity,
and like it or not, "modern" uses involve a web-based RSS reader
rather than a desktop one...

>> Then you have a few command-line ones such as wget. Also, some
>> software that is not SOCKS aware, such as APT, goes through Polipo
>> (to be replaced with Privoxy, some day).


> Oh wow. Instead of shunting these applications' traffic through
> Polipo or privoxy, have you considered relinking against torsocks to
> *make* applications understand SOCKS,


We have not considered adding SOCKS support to APT and wget,
and given our limited resources, I doubt we'll do it.
We could probably run them using torsocks, though.

> or using some kind of iptables trickery?


I'm not sure how doable it is to use iptables to convert HTTP proxying
to SOCKS, but I'd be happy to learn :)

> When we stopped using those proxies, we weren't really thrilled with
> their security or their performance. It makes me uncomfortable to
> see "and here goes an HTTP proxy" in any Tor design these days.


Sure. Instead of investing time to move to Privoxy, we might as well
want to simply drop Polipo. I've updated our ticket on this topic
accordingly:
https://tails.boum.org/todo/replace_polipo_with_privoxy__63__/

Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc