Re: [Tails-dev] please look at Comparison of Whonix, Tails …

Delete this message

Reply to this message
Author: adrelanos
Date:  
To: tails-dev
New-Topics: Re: [Tails-dev] please look at Comparison of Whonix, Tails and TBB #2
Subject: Re: [Tails-dev] please look at Comparison of Whonix, Tails and TBB #2
intrigeri:
> Hi,
>
> adrelanos wrote (04 Feb 2013 20:19:24 GMT) :
>> I just updated the Whonix comparison of Whonix, Tails and Tor Browser
>> Bundle page. [1] Hopefully it's this time much more precise and correct
>> from the beginning.
>
>> If there is anything wrong, I'll correct it right away.
>
> I've seen nothing terribly wrong, but a few unclear, outdated or
> misleading statements.


> On the Whonix fingerprint page, "Whonix is exclusively generating Tor
> activity on the network" might perhaps benefit from a clarification:
> doesn't Whonix send DHCP requests?


In case of virtual machine images: no. (Well, DHCP is used against the
Virtual Box virtual DHCP server.) The host most likely used DHCP.

In case of physical isolation: whatever the Gateway has been set up to.

I added a line to clarify it.

> "Includes Tor Browser" in the general security comparison should be
> updated for Tails.


Not sure about this one. I have read:
- https://tails.boum.org/support/known_issues/index.en.html#index10h2
- https://tails.boum.org/todo/evaluate_web_fingerprint/
- https://tails.boum.org/todo/replace_iceweasel_with_Torbrowser/ (noting
the todo item does not get updated after the todo is done)
- https://tails.boum.org/contribute/design/#index39h3
- dead link: config/chroot local-includes/etc/iceweasel/

Tor Browser
- Based on Mozilla Firefox ESR
- + Tor Browser patches
- + Tor Button
- + https everywhere + noscript
- shipped by torproject.org
- prefs.js

- Tails Browser
- Based on Debian Iceweasel source package (Iceweasel is a Firefox
fork), ESR? squeeze? wheezy?
- + (almost all?) Tor Browser patches
- + Tor Button
- + https everywhere + noscript
- + Cookie Monster + Adblock plus + FoxyProxy
- own prefs.js?

It would be nice if you could expand the design a bit or explain it here.

> "Network fingerprint: ISP can guess which anonymity software is being
> used because of tordate": how about adding a few lines that explain
> why to this web page?


Done. Added a footnote.

> In "Circumventing Proxy Obedience Design", it's not obvious to me why
> "Tails in a VM" fails against "Protocol IP leak"


I don't know what I thought when I wrote that. It was already the case
when I last time asked for review. I think it's a mistake and has been
corrected. Same goes for TBB inside VM. At the moment, I think the VM
obscures the internal IP and proxy bypass is prevented by the firewall.
So I split that up into Proxy Bypass IP leak and Protocol IP leak.

> and "vm exploit".


If Tails/Whonix run in a VM and someone manages to send a VM exploit for
example though the browser, the attacker gets access to the host. Does
that make sense?

> Also, maybe I'm nitpicking, but IMHO "vm exploit + exploit against
> physically isolated Whonix-Gateway" should be marked an "non
> applicable" for "Tails in a VM", rather a fail.


The idea was, the vm exploit is already enough and the second exploit
isn't required anymore. Does that make sense? Extra footnote perhaps?

And actually, Tails can run (as any Debian / OS) behind a physically
isolated Whonix-Gateway. After running do_not_ever_run_me, configuring
the network to use the gateway, un-configuring misc proxy settings
(browser), it should work. I made a short test but didn't fully document
it yet.

> This has quite some amount of outdated information:
> http://sourceforge.net/p/whonix/wiki/FAQ/#why-dont-you-merge-with-tails-and-join-efforts
> (at first glance: Using Tor Browser, Multi language support,
> obfsproxy...)


What's the Tails requirement for multi language support?

I hope I updated everything.

> Please make it clear what versions you are comparing, because it's
> quite clear it will lag behind sometimes, and I'm sure you absolutely
> don't want to spread wrong information forever about Tails :)


Yes, this is good. Done.

> Also, the "Hidden service support" section implicitly suggests one
> cannot use HS in Tails, which is wrong.


I updated that.

Tails: Can be used using ordinary mechanisms with torrc.; Todo:
[persistence preset -
tor](https://tails.boum.org/todo/persistence_preset_-_tor/)

And added.

* Hidden Server configuration GUI:
    * Whonix: No.
    * Tails Todo: [Tails server: Self-hosted services behind
Tails-powered Tor hidden
services](https://tails.boum.org/todo/server_edition/)


> Also, please update all places that link to our "Pidgin ctcp
> replies" ticket. It's been closed for a while.


Done.

> Thanks for you work!


Thanks for reviewing!