Hi,
Some number of years ago, a paper was written about how to cause
leakage outside of VPNs and it included Tails as an example target:
https://www.usenix.org/system/files/conference/foci12/foci12-final8.pdf
I've waited a while for folks to read it and I think at this point,
we're at year two or so of waiting. It seems like the easy thing is to
simply give up and advocate for a fix with a simple patch.
I have a local branch called 'vpwns' and it contains a single fix:
diff --git a/config/chroot_local-includes/etc/ferm/ferm.conf
b/config/chroot_local-includes/etc/ferm/ferm.conf
index 54ab253..56bb20a 100644
--- a/config/chroot_local-includes/etc/ferm/ferm.conf
+++ b/config/chroot_local-includes/etc/ferm/ferm.conf
@@ -103,15 +103,6 @@ domain ip {
proto udp dport domain ACCEPT;
}
- # Local network connections should not go through Tor but
DNS shall be
- # rejected.
- # (Note that we exclude the VirtualAddrNetwork used for
.onion:s here.)
- daddr (10.0.0.0/8 172.16.0.0/12 192.168.0.0/16) @subchain "lan" {
- proto tcp dport domain REJECT;
- proto udp dport domain REJECT;
- ACCEPT;
- }
-
# Tor is allowed to do anything it wants to.
mod owner uid-owner debian-tor ACCEPT;
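Review bot: deleting the whole `lan` subchain removes not only the `ACCEPT;` for RFC1918 destinations but also the two DNS rules `proto tcp dport domain REJECT;` and `proto udp dport domain REJECT;`, so LAN-bound traffic from any uid other than `debian-tor` now falls through to whatever follows `mod owner uid-owner debian-tor ACCEPT;`; please state in the commit message what verdict that traffic gets there (ideally still a reject, not a silent drop or a later accept). The removed comment also recorded that the `VirtualAddrNetwork` used for `.onion:s` was deliberately kept out of these ranges; with the subchain gone that note has no home, so a one-line comment near the `debian-tor` rule saying that local-network access is now intentionally not permitted for non-Tor uids would keep that design decision visible.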
The code running as uid-owner {clearnet, debian-tor, i2psvc} will
still contain the issues outlined in the paper. This change may
require some UI changes for enabling access to the local network. I
suggest that such access is disabled by default.
I think this is a critical security bug in the firewall configuration.
We may have users who wish to enable this leak but generally, I
suspect most users don't realize that they're vulnerable by default.
Nor do I think that most users realize that they're vulnerable even if
they want to talk to the local network for some reason.
All the best,
Jacob
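To make concrete what the patch changes, here is an added example (written for this archive page; it is not Jacob's patch and not Tails' own tooling). It simulates the netfilter `OUTPUT` chain over two `iptables-save`-style dumps: one constructed to mirror the structure of the quoted ferm hunk (private destinations jump to a `lan` subchain that rejects DNS and accepts everything else), and one with the subchain removed as the patch does. The dumps, the uid `1000` standing in for an ordinary desktop user, and the interface name `eth0` are all assumptions of this example, and the dump spells the Tor uid as `debian-tor` rather than the numeric id a real `iptables-save` would print.

```python
"""Simulate the iptables OUTPUT chain to check whether a non-Tor process
can reach the local network directly (example code added for this page,
not Tails' own tooling).  Both rule dumps are constructed to mirror the
structure of the quoted ferm hunk, not captured from a real Tails system."""
import ipaddress
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

# Constructed: ruleset as ferm's "lan" subchain would render it, before the patch.
BEFORE = """\
*filter
:OUTPUT DROP [0:0]
:lan - [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 10.0.0.0/8 -j lan
-A OUTPUT -d 172.16.0.0/12 -j lan
-A OUTPUT -d 192.168.0.0/16 -j lan
-A OUTPUT -m owner --uid-owner debian-tor -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
-A lan -p tcp -m tcp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A lan -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A lan -j ACCEPT
COMMIT
"""

# Constructed: the same ruleset with the "lan" subchain removed, as in the patch.
AFTER = """\
*filter
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --uid-owner debian-tor -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""


def parse_dump(dump):
    """Parse iptables-save text into ({chain: [(matches, target)]}, {chain: policy})."""
    chains, policies = {}, {}
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith(":"):                 # ":OUTPUT DROP [0:0]" / ":lan - [0:0]"
            name, policy = line[1:].split()[:2]
            chains.setdefault(name, [])
            if policy != "-":
                policies[name] = policy
        elif line.startswith("-A "):
            toks = shlex.split(line)
            matches, target, i = {}, None, 2
            while i < len(toks):
                t = toks[i]
                arg = toks[i + 1] if i + 1 < len(toks) else None
                if t == "-j":
                    target = arg
                elif t == "-d":
                    matches["dst"] = ipaddress.ip_network(arg, strict=False)
                elif t == "-p":
                    matches["proto"] = arg
                elif t == "--dport":
                    matches["dport"] = int(arg)
                elif t == "--uid-owner":
                    matches["uid"] = arg
                elif t == "-o":
                    matches["oif"] = arg
                elif t not in ("-m", "--reject-with"):
                    i += 1                       # unknown flag with no argument
                    continue
                i += 2                           # every handled option takes one argument
            chains.setdefault(toks[1], []).append((matches, target))
    return chains, policies


def rule_matches(m, pkt):
    """True if every criterion the rule carries agrees with the packet."""
    if "dst" in m and ipaddress.ip_address(pkt["dst"]) not in m["dst"]:
        return False
    for key in ("proto", "dport", "uid", "oif"):
        if key in m and m[key] != pkt[key]:
            return False
    return True


def walk(chains, chain, pkt):
    """Walk a chain like netfilter: first terminating match wins; None = fell off the end."""
    for m, target in chains.get(chain, []):
        if not rule_matches(m, pkt):
            continue
        if target in TERMINAL:
            return target
        if target == "RETURN":
            return None
        if target in chains:                     # user-defined chain: recurse, then carry on
            v = walk(chains, target, pkt)
            if v is not None:
                return v
    return None


def verdict(dump, dst, uid, proto="tcp", dport=80, oif="eth0"):
    """Final verdict for one outbound packet, falling back to the OUTPUT policy."""
    chains, policies = parse_dump(dump)
    pkt = {"dst": dst, "uid": uid, "proto": proto, "dport": dport, "oif": oif}
    return walk(chains, "OUTPUT", pkt) or policies.get("OUTPUT", "ACCEPT")


def lan_leak(dump, uid="1000"):
    """Map one probe address per RFC1918 range to the verdict an unprivileged uid gets."""
    return {ip: verdict(dump, ip, uid) for ip in ("10.0.0.1", "172.16.0.1", "192.168.1.1")}


if __name__ == "__main__":
    for label, dump in (("before patch", BEFORE), ("after patch", AFTER)):
        print(label, lan_leak(dump), "| tor uid:", verdict(dump, "192.168.1.1", "debian-tor"))
```

Run against the "before" dump, every private-range probe from the unprivileged uid comes back `ACCEPT`, which is the path a VPN-bypass style leak rides on: the packet never passes through a Tor-owned socket. Against the "after" dump the same probes hit the final `REJECT`, while traffic from `debian-tor` is still accepted by the owner rule. Feeding the script a real `iptables-save` dump instead of the constructed ones is a quick way to confirm the firewall on a given image actually behaves the way the ferm source suggests.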