
Re: [tor-talk] corridor, a Tor traffic whitelisting gateway



Hi Patrick,

Patrick Schleizer:
> Do you know Whonix [0]?

I know the design, but haven't used it so far.

> What's the threat model here? As I understand, it's ensuring stream
> isolation for one workstation while another workstation is
> compromised.

The goal is to make each workstation (or even each user on a shared
workstation) responsible for building their own circuits and for using
whatever policy they like when it comes to stream isolation.
Consequently, streams from different workstations can never share a circuit.

> The problem is, anyone, including adversaries can run Tor relays.

Interesting consideration. I'd prefer limiting the tor_routers ipset to
relays with a Guard flag, which would make an attack more difficult to
pull off. But a freshly installed Tor client will not necessarily fetch
its first consensus through a Guard, right?

> I am wondering if the advantages of corridor and Whonix can be
> combined. Without running Tor over Tor, which is recommended against.

Maybe we misunderstand each other?

You put a physical corridor box between your TBB/Tails/Whonix/Qubes
workstation(s) and your router: That's not Tor over Tor, because
corridor is not a proxy, it's a filter.

A corridor gateway should never increase the chance of clearnet leaks,
because you can always just treat it as untrusted, like you should
probably treat your DSL router and definitely your ISP's network. But if
the corridor box is in fact in a trustworthy state, it acts as the leak
stopper of last resort.

Rusty

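The Guard-only variant of the tor_routers ipset discussed in the message above, as an added example (not part of the original post and not corridor's own code): it builds the set members from consensus "r"/"s" lines and shows which relays a Guard-only filter would drop. Assumptions: the set is of type hash:ip,port, the function names are hypothetical, and the consensus lines are constructed sample data.

```python
import ipaddress

# Constructed sample in the consensus "r"/"s" line format; addresses are
# documentation ranges, identities and digests are placeholders.
SAMPLE_CONSENSUS = """\
r relayA AAAA BBBB 2014-01-01 00:00:00 192.0.2.10 9001 9030
s Fast Guard Running Stable V2Dir Valid
r relayB CCCC DDDD 2014-01-01 00:00:00 198.51.100.20 443 0
s Exit Fast Running Valid
r relayC EEEE FFFF 2014-01-01 00:00:00 203.0.113.30 9001 80
s Fast Running Stable V2Dir Valid
r broken GGGG HHHH 2014-01-01 00:00:00 not-an-ip 9001 0
s Fast Guard Running Valid
"""

def parse_relays(text):
    """Yield (ip, or_port, dir_port, flags) per relay; skip malformed entries."""
    current = None
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 9 and fields[0] == "r":
            try:
                ip = str(ipaddress.IPv4Address(fields[6]))
                current = (ip, int(fields[7]), int(fields[8]))
            except ValueError:
                current = None  # never let garbage reach the firewall set
        elif fields and fields[0] == "s" and current:
            yield current + (frozenset(fields[1:]),)
            current = None

def ipset_entries(text, required_flag=None):
    """Return the ip,tcp:port members for relays carrying required_flag."""
    entries = set()
    for ip, or_port, dir_port, flags in parse_relays(text):
        if required_flag is None or required_flag in flags:
            # A port of 0 means "not offered" in the consensus.
            entries.update(f"{ip},tcp:{p}" for p in (or_port, dir_port) if 0 < p < 65536)
    return entries

def restore_lines(entries, set_name="tor_routers"):
    """Format members as input for `ipset restore` (hash:ip,port is an assumption)."""
    return [f"create {set_name} hash:ip,port"] + [f"add {set_name} {e}" for e in sorted(entries)]

if __name__ == "__main__":
    everything = ipset_entries(SAMPLE_CONSENSUS)
    guards = ipset_entries(SAMPLE_CONSENSUS, required_flag="Guard")
    print("\n".join(restore_lines(guards)))
    # Members a Guard-only set drops, e.g. non-Guard directory mirrors:
    print("dropped:", sorted(everything - guards))
```

The dropped list is the practical side of the question raised in the message: any client that needs one of those relays before it has picked a guard would be blocked by a Guard-only set.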