[Tails-dev] What to do about I2P in Tails?

Nachricht löschen

Nachricht beantworten
Autor: intrigeri
Datum:  
To: tails-dev, zzz, Kill Your TV
Betreff: [Tails-dev] What to do about I2P in Tails?
Hi,

Note: what follows is *not* about finding a solution to the last
de-anonymization vulnerability found in I2P 0.9.13. I trust the I2P
team will do a proper job at it.

I2P is software, software has bugs, and some bugs have security
implications. In the last few days, those of us who were lucky enough
to read Exodus Intelligence's report have learned that there are quite
a few such bugs in I2P. I can't say much publicly right now, and I'm
no Java programmer, but given how these bugs look like, I would not be
surprised if there were quite a few other similar security issues
lurking somewhere in the I2P codebase. Shit happens, and oh well,
we're shipping Pidgin and a Firefox-based browser, too.

On the long-term, I'd like us to be able to go on shipping I2P in
Tails, without fearing too much about it.

So, the main goals I have in mind are:

 1. making it harder, for an attacker who compromises I2P running in
    Tails, to upgrade their attack to anything non-I2P;


 2. making it harder, for someone attacking a Tails user's web
    browsing over Tor, to take advantage of bugs in the I2P router
    console;


 3. protecting the Tails users who don't intend to use I2P at all,
    from vulnerabilities in I2P, by making it harder, for an attacker,
    to start I2P in Tails, or to trick a user into doing it.


Regarding #1:

 a) On the filesystem and privilege escalation side, I think we should
    sandbox I2P better. We're working on integrating AppArmor in
    Debian and Tails, and I think I2P would be a good candidate for
    confinement. @I2P folks: do you already have anything in the works
    in this area? Anyone else?


 b) On the network side (mostly de-anonymization), the solution that
    springs to mind would be to torify I2P. I'm told it would not work
    well and be ugly, but it's completely unclear to me what it means
    in practice, and I'd like to hear well-documented experience
    reports. Note that Liberte Linux did torify I2P back when they
    shipped it, so it must somehow work, I guess. Anyone?


    And, if this doesn't work, any alternative solution, other than
    crossing fingers?


Regarding #2, I think we should get rid of the Tor/I2P/LAN mix-up in
the Tor Browser we ship. The LAN part still needs some more thought
and discussion, but IMO the I2P part of the FoxyProxy configuration
should simply go away. The solution I have in mind would be to create
another browser dedicated to the I2P, running under a dedicated UID,
and that can only talk to the I2P proxy and router console. Note that
this would also help in addressing #1, possibly.

Technically speaking, I guess it could be easily implemented with the
same tricks we use for the Unsafe Browser. The only problem I expect
is a usability one: how to share files between the `amnesia' user and
this I2P browser. The good news is that we'll have to tackle the very
same problem if we ever sandbox applications using Linux namespaces,
and if we move the LAN browsing out of the Tor Browser. Both seem to
be due to happen at some point.

Regarding #3, I think we should replace the sudo credentials that
allow the `amnesia' user to start I2P, with an I2P option in Tails
Greeter. I assume the new Greeter that's currently worked on would
allow this.

So, these are plenty of ideas, of potential solutions that could be
worth discussing. I'm not *that* interested in the technical details
of these solutions right now. What I'd like to happen now is to decide
about a strategy and a time-line; and, I'd like to get a clearer view
of the commitments and responsibility boundaries regarding I2P in
Tails. In other words:

* What threat, among the aforementioned ones (and those I forgot),
do we want to address *now* to go on shipping I2P?

* If we keep I2P without adding any protection immediately, when do
we expect *which* protections to be ready? (reality check: we won't
have AppArmor before October; I guess the Greeter won't be ready
earlier either)

* On the Tails side, basically everyone skilled enough to work on
this have enough commitments until the end of the year, so if we
decide "we want $this to happen to keep I2P", then someone else
will have to step up. So: would I2P folks (I'm mainly thinking of
KillYourTV here), or anyone else, want to take responsibility for
part, or all, of the improvements we may decide are needed?
Of course, anyone volunteering will be involved in the
decision-making process :)

* Worst case, for how long would it be acceptable (even if sad) to
drop I2P from Tails until the protections we want are ready for
prime-time?

Cheers,
--
intrigeri