[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] torsocks is broken and unmaintained



grarpamp:
>> I think instead of inventing torsocks it would have been much
>> better if there was a Tor connection library and applications
>> could easily use it.
> 
> Preload (as in torsocks) was invented to hook the network system
> calls for apps where there was no socks5 support. Expecting an app
> developer to code-in a secondary Tor lib when they haven't thought
> or bothered to implement the simple standard SOCK5... is a pretty
> far stretch.

Arguments sound good... But compare with i2p. They have less users,
less developers, zero paid full time developers, much less founding,
network is newer(?)... And? There are actually more applications
designed for i2p than designed for Tor.

> Besides, socks5 in a client has more uses than Tor in a client
> would. I would much rather see socks5 support in wget, elinks,
> mutt, fetchmail, etc than be limited by having to link them against
> Tor.

For other apps with socks5 support... If you ask the developers if
it's Tor-safe, they say: "use socks5". Designing a Tor safe
application is more than proper socks5 support.

Look into the TorifyHOWTO.
https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO

It's a real mess. Read the disclaimers in TorifyHOWTO. They seem to be
generally accepted. Who dares to say an application is Tor-safe? Only
TBB, TorBirdy and TorChat?

https://tails.boum.org/security/index.es.html
> Probable holes"

> Until an audit of the bundled network applications is done,
information leakages at the protocol level should be considered as â
at the very least â possible.

Who ever audited applications and protocols for Tor safety? TBB,
TorBirdy and TorChat... Any others? And even if they did, further
updates of the application would require new audits. I think it's
better to have applications designed for Tor from scratch and by purpose.

I think if a Tor library and instructions how to design a protocol
and/or application Tor-safe from scratch would have been created in
past, we wouldn't have this "protocol review" mess now.

> And as a bonus those apps would then use the socks option when
> compiled statically, as it is built in. Right now you're forced to
> stay dyn so preload works. Socks5 is thought a simple Tor
> connection library, it just doesn't do any native Tor things that
> linking to an actual Tor lib might do.
> 
>> Compare this with the i2p network and applications designed for
>> the i2p
> 
> I don't really like the idea of limiting myself to just the apps
> provided with a given network system.

Me neither. On the other hand the "protocol audit" mess is even worse.
So...

> I2P is a bit hard to use with your app of choice, even Tor is that
> way in some cases.

I suspect being based on Java is a major show stopper. It's hard to
explain to install a runtime environment first. It also feels like
Java applications are always slow and slow done the whole system.
Maybe there is a representative study proofing Java is disliked by
most/many people?

> That's why I generally advocate looking closer at Phantom, it works
> with any modern app (yes, that means IPv6).

Link?
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk