Re: [Tails-dev] please look at Comparison of Whonix, Tails a…

Author: intrigeri
Date:  
To: adrelanos
CC: The Tails public development discussion list
Subject: Re: [Tails-dev] please look at Comparison of Whonix, Tails and TBB

Hi,

adrelanos wrote (27 Sep 2012 04:27:33 GMT) :
> I created a Comparison of Whonix, Tails and TBB


Thanks a lot for doing that work!

I must say I'm very happy to see someone explore the gateway /
workstation design both practically and theoretically -- we still have
not made up our mind on that one within Tails, and current hardware is
probably not ready for it yet in a Live system setting, but I do
believe that the work that happens on this topic in Whonix today will
benefit Tails in the future.

> If there is anything wrong, I'll correct it right away.


Generally, I found this comparison just fine, but perhaps a tiny bit
too simplistic, and unfortunately it looks like those simplifications
always happen in the same way: e.g. for "Protection against root
exploits", Whonix gets a Yes, Tails gets a No... and one has to read
the footnote to understand this is about root exploits in
Whonix-Workstation only. See what I mean? I acknowledge it's probably
much harder to root the Whonix-Gateway than Tails, but still...

Another similar occurrence is the "Amnesic" security property
comparison. I find it misleading to state that it is an "Optional
Feature" (via VM snapshots, pointing to a barely documented process)
in Whonix, and a Yes in Tails, as if it was the same kind of amnesia.
For the former, it's "let's hope the host OS won't write my secrets to
disk", right? While for the latter, it's a basic design principle,
that I think is pretty well enforced. Feel free to tell me I should
read the Whonix design doc, if I'm totally wrong on that one :)

About "IP/DNS protocol leak protection" and "Icedove (Thunderbird)
leaks the real IP address": I do acknowledge the Whonix way (the
workstation apps don't know the IP address at all) gives additional
by-design protection, but please make it clear that such leaks are
made now waaay less likely in Tails since we dropped
transparent torification.

More generally, I suggest that you define the compared security
properties next to the comparison tables, else I already imagine less
technical users, reading that Tails gets a No for "Hides hardware
serials", conclude that Tails sends hardware serials over the Internet
by default, and go crazy on our web forum. I'd rather avoid that.

> ^2^ In case Tails gets rooted, the adversary can simply run ifconfig
> and see the user's IP. Or he could tamper with firewall rules and
> bypass them.


I'm not sure how useful it is to mention the ifconfig trick, given
1. it's a bit misleading to put it like that, as in most cases, it
will provide a mostly useless RFC-1918 address
2. the second attack (breaking the firewall) is easy and always works.

About "pidgin leaks the real IP": it would be very nice of you to
mention that this bug only existed in Git, and no released version of
amnesia was affected. Second, I've not studied all of Whonix design
doc yet, so I beg your pardon if my question is naive: in case the
Whonix gateway's firewall was not started / erroneously configured due
to some tiny stupid mistake (like the one that amnesia bug was about),
what prevents Whonix workstation from connecting "in the clear" to the
Internet (without going through Tor)?

OT, but on the same giant page: the "Squeeze only contains Tor
0.2.2 while Wheezy contains Tor 0.2.3" argument in favor of using
Debian testing is a bit feeble, considering weasel maintains backports
of 0.2.3 in TTP's APT repository.

OT too: I've got a feeling that you will soon join my efforts to
improve AppArmor support in Debian :)

Cheers!