Re: [tor-talk] corridor, a Tor traffic whitelisting gateway

I think the topic Bridge Firewall is also related here:

(The topic didn't move there yet, but it's all very similar ideas
we're discussing here.)

>> What's the threat model here? As I understand, it's ensuring
>> stream isolation for one workstation while another workstation
>> is compromised.
> The goal is to make each workstation (or even each user on a
> shared workstation) responsible for building their own circuits and
> for using whatever policy they like when it comes to stream
> isolation. Consequently, streams from different workstations can
> never share a circuit.

>> The problem is, anyone, including adversaries can run Tor
>> relays.
> Interesting consideration. I'd prefer limiting the tor_routers
> ipset to relays with a Guard flag, which would make an attack more
> difficult to pull off.

Getting the guard flag isn't really difficult. It's a documented and
automated process.

> But a freshly installed Tor client will not necessarily fetch its
> first consensus through a Guard, right?

When using the public Tor network:
If TunnelDirConns is set to 1 (which is the default), quoting the Tor manual:
"...when a directory server we contact supports it, we will build a
one-hop circuit and make an encrypted connection via its ORPort..."

Some guards and directory mirrors are hardcoded in Tor.

See also:
-
-

When using bridges:
You'll get the consensus from the bridge.

(Please someone correct me here, if it is wrong.)

>> I am wondering if the advantages of corridor and Whonix can be 
>> combined. Without running Tor over Tor, which is recommended
>> against.
> Maybe we misunderstand each other?
> You put a physical corridor box between your
> TBB/Tails/Whonix/Qubes workstation(s) and your router: That's not
> Tor over Tor, because corridor is not a proxy, it's a filter.
> A corridor gateway should never increase the chance of clearnet
> leaks, because you can always just treat it as untrusted, like you
> should probably treat your DSL router and definitely your ISP's
> network. But if the corridor box is in fact in a trustworthy state,
> it acts as the leak stopper of last resort.

Yes, a misunderstanding.

Corridor's advantages:
- streams from different workstations can never share a circuit

Whonix's advantage:
- malicious software on the workstation cannot find out its real
external IP address

I am wondering, can we get both advantages using just one gateway?

Whonix-Gateway could be modified to only allow connections to Tor
relays [guard flag, bridges, etc.]. But all the Tor clients running on
the various workstations would themselves be tunneled through Tor by
Whonix-Gateway. That would be a combination of corridor's and
Whonix's advantages. But it would also be Tor over Tor, thus
recommended against [reference in my last mail].

Another idea would be to leverage Tor's IsolateClientAddr option.
Quote Tor manual:
"Don’t share circuits with streams from a different client address.
(On by default and strongly recommended;..."
Whonix-Gateway profits from this. The problem is, any
Whonix-Workstation behind Whonix-Gateway - once compromised - can
claim to be another Whonix-Workstation, thus not being stream isolated.

This could be solved if there were a defense that prevented
impersonating other workstations. VPN and/or static ARP entries and/or
OpenSSH could be used for that purpose.

I wrote quite a lot about this topic already:
-
- https://www.whonix.org/wiki/Multiple_Whonix-Workstations

I documented some workarounds (multiple Whonix-Gateways or using
additional (isolated) network interfaces). These are inconvenient and
probably only used by very few people.

Considering Whonix-Gateway would authenticate Whonix-Workstations and
thus better enforce stream isolation, would this be a substitute for
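As an added example of the tor_routers whitelist idea discussed in this thread (this is not code from corridor, Whonix or any of the posters), the Python script below parses a consensus excerpt, keeps only the ORPorts of relays carrying the Guard and Running flags, and emits the ipset(8) commands that would fill the whitelist. The consensus excerpt, relay names and addresses are constructed for the example (TEST-NET and documentation ranges only); the set name tor_routers is taken from the thread, while tor_routers6, the Relay class and the function names are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed consensus excerpt for this example (not real relays; TEST-NET
# and documentation addresses only).  It mixes the ns-flavour "r" line
# (8 fields after "r") with the microdescriptor flavour (7 fields, no digest).
SAMPLE_CONSENSUS = """\
r alpha AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2014-01-01 00:00:00 192.0.2.10 9001 9030
a [2001:db8::1]:9001
s Fast Guard Running Stable V2Dir Valid
w Bandwidth=5000
r bravo CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2014-01-01 00:00:00 198.51.100.20 443 80
s Fast Running Valid
w Bandwidth=300
r charlie EEEEEEEEEEEEEEEEEEEEEEEEEEE 2014-01-01 00:00:00 203.0.113.30 9001 0
s Guard Stable Valid
w Bandwidth=2000
"""


@dataclass
class Relay:
    nickname: str
    ip: str
    or_port: int
    flags: frozenset = frozenset()
    # additional ORPort addresses from "a" lines (IPv6), as (ip, port)
    extra_or: list = field(default_factory=list)


def parse_consensus(text):
    """Return the relays listed in a consensus document, with their flags."""
    relays = []
    cur = None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r":
            # Both flavours end with "<IP> <ORPort> <DirPort>"; the
            # publication timestamp before them is two tokens.
            if len(parts) < 8:
                raise ValueError("malformed r line: %r" % line)
            cur = Relay(parts[1], parts[-3], int(parts[-2]))
            relays.append(cur)
        elif parts[0] == "a" and cur is not None and len(parts) > 1:
            m = re.fullmatch(r"\[([0-9A-Fa-f:.]+)\]:(\d+)", parts[1])
            if m:
                cur.extra_or.append((m.group(1), int(m.group(2))))
        elif parts[0] == "s" and cur is not None:
            cur.flags = frozenset(parts[1:])
    return relays


def allowed_endpoints(relays, required=("Guard", "Running")):
    """(ip, port) pairs a workstation may talk to: the ORPorts of relays
    carrying every flag in `required`.  Dropping "Guard" gives the broader
    all-relays whitelist; as the thread notes, requiring Guard only raises
    the bar for an adversary, it does not stop them obtaining the flag."""
    out = set()
    for r in relays:
        if not set(required) <= r.flags:
            continue
        out.add((r.ip, r.or_port))
        out.update(r.extra_or)
    return out


def ipset_script(endpoints, name="tor_routers"):
    """ipset(8) commands filling an IPv4 and an IPv6 hash:ip,port set.
    The IPv6 set name (name + "6") is this example's choice, not corridor's."""
    v4 = sorted(e for e in endpoints if ":" not in e[0])
    v6 = sorted(e for e in endpoints if ":" in e[0])
    lines = [
        "ipset create %s hash:ip,port family inet -exist" % name,
        "ipset create %s6 hash:ip,port family inet6 -exist" % name,
    ]
    lines += ["ipset add %s %s,tcp:%d -exist" % (name, ip, port) for ip, port in v4]
    lines += ["ipset add %s6 %s,tcp:%d -exist" % (name, ip, port) for ip, port in v6]
    return lines


if __name__ == "__main__":
    eps = allowed_endpoints(parse_consensus(SAMPLE_CONSENSUS))
    print("\n".join(ipset_script(eps)))
```

On the gateway, the resulting set is what a FORWARD rule such as `iptables -A FORWARD -m set --match-set tor_routers dst,dst -j ACCEPT`, followed by a default DROP, would match against. Two caveats follow directly from the thread: only ORPorts are whitelisted, so a workstation client that fetched its first consensus over a plain DirPort instead of a tunneled directory connection would be blocked; and bridges never appear in the consensus, so a bridge user has to add the bridge's address to the set by hand.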


