Re: [tor-talk] Designing a secure "Tor box" for safe web browsing?

[Maxim Kammerer <mk@xxxxxx>]

On Wed, Apr 4, 2012 at 23:46, intrigeri <intrigeri@xxxxxxxx> wrote:
> Maybe your conclusions on VM speed are simply too tightly bound
> to QEMU?

That's probably the case — QEMU is much slower than VMware and
VirtualBox even when virtualization extensions are available. The
reason I only tested QEMU is because it seemed like the only
lightweight option (a few MiB overall added to the image, if I
remember right).

> In the scenario this thread is about, I don't think it's that hard to
> find a way of splitting the memory that allows the user to perform
> their task, without being all too wasteful:
> Obviously, this gets much harder for applications VM.

True, my use case was using a VM for running the unsafe browser, not
as a thin layer for the whole system.

> These abstractions are probably the only reason why I think this
> approach would somehow make sense for Tails needs (even if I don't
> know if we will go this way in the end).

But if such abstractions are the target, perhaps there are better
alternatives than running everything in a VM? E.g., making the user
who establishes network connections different from the main user, and
preventing the main user from accessing any network information.

> This is hardly a technical question. It's obvious to me how the way
> you ask it, and the way I am answering, say much about how Tails and
> Liberté Linux differ in their approach of non-technical matters, in
> the ways we think our relationship to users.

I actually view this as a technical question (Liberté Linux does not
assume technically knowledgeable users either). The user is expected
to keep private information on the system (remember that Liberté had
persistence from the beginning, but this is often true even without
persistence). If the system is exploited, finding out the computer's
MAC / IP addresses will most likely be the least of the user's
problems. The only case where using a VM is justified then, in my
opinion, is for running specific untrusted applications inside it
(application VM above). This is different from, e.g., setting up a
hidden service server, where you expect it to be eventually exploited,
and take care to not keep any private or identifying information on
it.

I should also mention here that I never got an answer on this list
about whether Tor is actually designed to withstand active attacks
from within the client. It could be that running everything inside a
VM doesn't even help against discovering the externally exposed IP of
an exploited VM guest by some kind of active network probing attack.

>  But I absolutely don't
>  think that "learning how to choose, install and configure
>  virtualization software, and how to setup a Tails or Liberté VM in
>  there" belongs to the kind of knowledge that empowers people to make
>  their own security decisions properly.

Well, Liberté is distributed as an .ova bundle as one of the download
options — setting it up is as simple as opening the file in VMware /
VirtualBox. I devoted substantial efforts to making the .ova “just
work” for most users (OVF standard vs. reality is somewhat of a mess
currently). Providing instructions for installing a “good” host OS
should be enough in this case, I think.

> Because, while people can run Tails in a VM by themselves already,
> doing this certainly does not give them the same benefits as an
> integrated, pre-configured "Live amnesic host OS + Tor routing VM +
> desktop VM" Tails would:

I don't disagree, I just don't think that this advantage is important
enough to trump the inefficiency inherent in running everything in a
VM for everyone.

-- 
Maxim Kammerer
Liberté Linux (discussion / support: http://dee.su/liberte-contribute)
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk