
Re: [tor-talk] [Tails-dev] Please review Tails stream isolation plans



On Wed, Aug 29, 2012 at 10:04 AM, intrigeri <intrigeri@xxxxxxxx> wrote:
> Hi,
>
> Nick Mathewson wrote (29 Aug 2012 13:22:36 GMT) :
>> I'd need an actual list of applications to think about
>> IsolateDestAddr.  Which ones did you have in mind?
>
> Thank you for having a look.

You're welcome!

Now here's the email where I show how little I actually know about
protocols not called "Tor".  ;)

> The main network applications shipped in Tails, that would get
> IsolateDestAddr according to our plan, are:
>
>   * Claws Mails (replaced with icedove / Thunderbird, some day)

Not too scary.  A typical mail program will make connections to,
like, one SMTP server and a small handful of POP/IMAP servers, right?
So this isn't a lot of circuits; seems like a fine idea.  You could
probably get a little better by allowing the SMTP and POP stuff for
each email account to share a circuit, if you can figure out a way to
make that work.

>   * Pidgin

Not too scary, I think.  You'd typically wind up with one destination
per chat, or one per chat protocol?

>   * Liferea RSS feed reader

This one is a little scary.  Do I understand correctly that an RSS
reader will make a separate connection for every RSS feed that you
subscribe to?  If so that might make some pretty serious load.

>   * Gobby

This has one destination per open session?  Seems fine.

> Then you have a few command-line ones such as wget. Also, some
> software that is not SOCKS aware, such as APT, goes through Polipo (to
> be replaced with Privoxy, some day).

Oh wow.  Instead of shunting these applications' traffic through
Polipo or privoxy, have you considered relinking against torsocks to
*make* applications understand SOCKS, or using some kind of iptables
trickery?  When we stopped using those proxies, we weren't really
thrilled with their security or their performance.  It makes me
uncomfortable to see "and here goes an HTTP proxy" in any Tor design
these days.

> Basically, that's it.

Cool.

> Note, however, that Tails users may choose to install whatever they
> want from the Debian archive, or hand-compile whatever they feel like,
> but I doubt the ones who will do so, and unfortunately pick
> applications that don't play well with IsolateDestAddr, will be that
> many to make a measurable difference.
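To make the circuit-count concerns above concrete, here is a small model of how Tor decides which SOCKS streams may share a circuit under the SocksPort isolation flags. This is an added example, not code from this thread and not Tor's own implementation: the flag names are the ones tor(1) accepts, but the grouping logic is a simplification (IsolateClientProtocol, SessionGroup and circuit lifetime are not modelled), and every hostname, port and SOCKS username below is a constructed placeholder. The per-account SOCKS username used in the last workload is one assumed way to let one account's SMTP and IMAP streams share a circuit while keeping accounts apart; it is offered as an illustration, not as the approach the thread settled on.

```python
"""Model of Tor SocksPort stream isolation (simplified, for illustration).

Constructed example: the stream lists are made up, not captured traffic.
"""

from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Flag names as accepted on a tor(1) SocksPort line.
ISOLATE_CLIENT_ADDR = "IsolateClientAddr"
ISOLATE_SOCKS_AUTH = "IsolateSOCKSAuth"
ISOLATE_DEST_ADDR = "IsolateDestAddr"
ISOLATE_DEST_PORT = "IsolateDestPort"
# Tor enables these two unless a SocksPort line turns them off.
DEFAULT_FLAGS: FrozenSet[str] = frozenset({ISOLATE_CLIENT_ADDR, ISOLATE_SOCKS_AUTH})


@dataclass(frozen=True)
class Stream:
    """One SOCKS connection request as the Tor client sees it."""
    listener: int      # SocksPort the request arrived on
    client_addr: str   # source address of the SOCKS client
    socks_user: str    # SOCKS username; "" when the application sends none
    dest_host: str
    dest_port: int


def isolation_key(s: Stream, flags: FrozenSet[str]) -> Tuple:
    """Two streams may share a circuit only if their keys are equal.

    The listener is always part of the key: streams arriving on different
    SocksPorts are isolated from each other by default.
    """
    key: List = [s.listener]
    if ISOLATE_CLIENT_ADDR in flags:
        key.append(s.client_addr)
    if ISOLATE_SOCKS_AUTH in flags:
        key.append(s.socks_user)
    if ISOLATE_DEST_ADDR in flags:
        key.append(s.dest_host)
    if ISOLATE_DEST_PORT in flags:
        key.append(s.dest_port)
    return tuple(key)


def group_streams(streams: List[Stream], flags: FrozenSet[str]) -> Dict[Tuple, List[Stream]]:
    """Bucket streams by isolation key; each bucket is one circuit's worth."""
    groups: Dict[Tuple, List[Stream]] = {}
    for s in streams:
        groups.setdefault(isolation_key(s, flags), []).append(s)
    return groups


def circuits_needed(streams: List[Stream], flags: FrozenSet[str]) -> int:
    """Minimum number of distinct circuits the flags force for this workload."""
    return len(group_streams(streams, flags))


# --- constructed sample workloads (all names and ports are placeholders) ---

# A feed reader on its own SocksPort 9061 polling six feeds on six hosts.
RSS_STREAMS = [
    Stream(9061, "127.0.0.1", "", f"feed{i}.example", 443) for i in range(6)
]

# A mail client on SocksPort 9062 with two accounts, each using its own
# SMTP host and IMAP host.  No SOCKS username is sent.
MAIL_STREAMS_NO_AUTH = [
    Stream(9062, "127.0.0.1", "", "smtp.alice.example", 587),
    Stream(9062, "127.0.0.1", "", "imap.alice.example", 993),
    Stream(9062, "127.0.0.1", "", "smtp.bob.example", 587),
    Stream(9062, "127.0.0.1", "", "imap.bob.example", 993),
]

# Same client, but it sends a distinct SOCKS username per account
# (assumed mechanism, see lead-in).
MAIL_STREAMS_PER_ACCOUNT_AUTH = [
    Stream(9062, "127.0.0.1", "acct-alice", "smtp.alice.example", 587),
    Stream(9062, "127.0.0.1", "acct-alice", "imap.alice.example", 993),
    Stream(9062, "127.0.0.1", "acct-bob", "smtp.bob.example", 587),
    Stream(9062, "127.0.0.1", "acct-bob", "imap.bob.example", 993),
]

if __name__ == "__main__":
    with_dest = DEFAULT_FLAGS | {ISOLATE_DEST_ADDR}
    print("RSS, defaults:                 ", circuits_needed(RSS_STREAMS, DEFAULT_FLAGS))
    print("RSS, +IsolateDestAddr:         ", circuits_needed(RSS_STREAMS, with_dest))
    print("Mail, defaults (accounts mixed):", circuits_needed(MAIL_STREAMS_NO_AUTH, DEFAULT_FLAGS))
    print("Mail, +IsolateDestAddr:        ", circuits_needed(MAIL_STREAMS_NO_AUTH, with_dest))
    print("Mail, per-account SOCKS user:  ", circuits_needed(MAIL_STREAMS_PER_ACCOUNT_AUTH, DEFAULT_FLAGS))
```

Running it shows the trade-off in numbers: the feed reader goes from one circuit to one per feed host once IsolateDestAddr is set, which is the load concern raised above, while the mail client with IsolateDestAddr spends four circuits on two accounts but, with a per-account SOCKS username and only the default IsolateSOCKSAuth, needs two circuits and still never puts both accounts on the same one.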
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk