[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] torsocks is broken and unmaintained



Matthew Finkel:
> On 12/01/2012 06:14 PM, John Case wrote:
>>
>> On Fri, 2 Nov 2012, grarpamp wrote:
>>
>>>>> I don't agree. torsocks is still useful to prevent identity correlation
>>>>> through circuit sharing. Pushing all traffic through Trans- and DnsPort
>>>>> is not the answer.
>>>>
>>>> Also, I don't want all of my applications using Tor -- just some of
>>>> them. Using Tails or TransPort wouldn't allow me to do this.
>>>
>>> Some people do run multiple Tor's, jails, packet
>>> filters, and apps. Largely to get around current
>>> Tor limitations. Those people don't have this
>>> singularity problem/position that you assume.
>>> Torsocks is not required in that instance.
>>
>>
>> There has to be a better way to simply "make an ssh connection over ToR".
>>
>> I don't want to run all of tails just to make a single ssh connection (2
>> minutes to properly fire up vmware, massive cpu use, laptop gets hot,
>> fans running, everything else comes to a crawl).
>>
>> I don't want to run a full-blown tor relay installation with all the
>> bells and whistles and then maintain that full blown environment, watch
>> advisories, run periodic tests, test for dns leakage, blah blah.
>>
>> I want this:
>>
>> cd /usr/ports/net/torssh
>> make install
>> torssh user@xxxxxxxx
>>
>> Am I the only person that wants/needs this ?
>>
>> I understand that you can't go down the road of "make a custom tor app
>> for everry possible client app that people want to run", but come on ...
>> ssh ? If there was just a single app to do this for, it would be that,
>> right ?
> 
> The real issue is that once they start providing torified-forks of
> certain projects where do they draw the line? torFirefox for TBB, sure
> (which may be coming down the pipe anyway)! torssh, why not? Tor Project
> is already stretched thin which means third party devs would have to
> implement most of the work and who would be able to audit all of them?
> 
> "Torification" integrated into these projects would be a usability
> god-send for most people. But that would ultimately be its undoing. At
> this point many users don't understand that anonymity is not as simple
> as flipping a switch, it's so much more complex than that. One possible
> advantage of Tor being a little complex is that it makes people realize
> that ensuring ones safety/privacy online is *not* easy and it's possible
> that increasing the usability too much could put more people at risk.
> 
> In addition to this, if different projects have tor integrated then that
> would mean each one would have to keep state separately and each would
> most likely have different guard nodes and such. The result, again,
> would be putting the users more at risk.
> 
> I understand the appeal of such packages, but if you think about this
> then you'll see that running a single daemon and channeling connections
> through it probably is the best and most resource efficient way. Just
> think, if "x number of" programs you wanted to run were torified than
> you would essentially being running x instances of tor, not ideal.
> 
> For now, using built-in proxy support for an application, or torsocks if
> it doesn't have it, is the best option we have and we still need to be
> careful when we use any built-in proxy option.

Hi!

Many developers failed to add proper Tor socks proxy support. (DNS leaks
etc.)

See ticket:
https://trac.torproject.org/projects/tor/ticket/5553

In comparison many instant messenger developers messed up implementing
their own encryption which is incompatible with others. OTR was a great
invention to establish an respected, proven, cross compatible encryption
library.

Let alone the neglected torsocks which is affected by so many serious
leak and other kinds of bugs. This goes for many other outdated and
buggy proxifiers as well.

And all the people messing up correct torification and using leaking
applications and endless discussions and uncertainty if there are leaks
or not...

Compare this with the i2p network and applications designed for the i2p
network. The i2p network has arguably a different threat model and
security features but one thing you will (not) be missing in the i2p
community: discussions whether applications do leak or do actually
correctly use i2p.

I think instead of inventing torsocks it would have been much better if
there was a Tor connection library and applications could easily use it.

Cheers,
adrelanos
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk