[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Tor as a sort of "library/dependancy" for third party software

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Tor as a sort of "library/dependancy" for third party software
From: Jacob Appelbaum <jacob@xxxxxxxxxxxxx>
Date: Wed, 28 Sep 2011 12:41:13 -0700
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 28 Sep 2011 17:44:50 -0400
In-reply-to: <4E832288.3030707@xxxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "This mailing list is for all discussion about theory, design, and development of Onion Routing." <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
Openpgp: id=42DDE84F; url=http://www.appelbaum.net/gpg.asc
References: <4E832288.3030707@xxxxxxxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx
User-agent: mutt

On 09/28/2011 06:35 AM, Fabio Pietrosanti (naif) wrote:
> Hi all,
> 
> at GlobaLeaks (http://globaleaks.org) we are discussing whenever to plan
> for a GlobaLeaks Desktop application that would allow secure and
> anonymous whistleblowing submission without using a 'web interface'.
> 
> In such context we would like to provide something *really easy* and
> that means bundling everything into a single, portable, digitally signed
> .exe .
> 

Makes sense. Thanks for driving the field forward!

> To do that we would need to bundle Tor binaries/configuration along with
> GlobaLeaks application.
> 
> Are there other third party application bundling Tor together that we
> can look at?
> 

torsocks has some basic c functions that safely wrap sockets - it uses a
Tor proxy but your C program can simply use the torsocks C API rather
than doing anything with socks. If you look in torsocks.c you'll see the
following:

/*
  API for users linking against libtorsocks. Expands to function
definitions for:

    torsocks_connect()
    torsocks_close()
    torsocks_poll()
    torsocks_sendmsg
    torsocks_sendto
    torsocks_res_query()
    torsocks_res_search()
    torsocks_res_send()
    torsocks_res_querydomain()
    torsocks_gethostbyname()
    torsocks_gethostbyaddr()
    torsocks_getaddrinfo()
    torsocks_getipnodebyname()

  See also torsocks.h
*/

You should be able to safely link against torsocks and then use
torsocks_connect() rather than connect() or similar calls. If you
additionally bake in some .onions, I think you'll be in good shape.

> Which would the best/right way to do it?

There are a few designs - I think that using the torsocks socket API is
a reasonable way. Alternatively, it might make sense to use the above
API and then change the backend in torsocks to use something like a unix
socket rather than a TCP connection for SOCKS.

> -naif
> 
> p.s. The alternative to provide the same degree of security/usability is
> to use a Java Applet with file upload+file encryption+silvertunnel as a
> Tor Client layer.

I don't think silvertunnel is a good idea - the code is based on
OnionCoffee which has major problems. I would suggest JTor but only
after a careful audit and some serious work ensuring that it's safe.

All the best,
Jake
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] Tor as a sort of "library/dependancy" for third party software
  - From: Nick Mathewson

References:
- [tor-talk] Tor as a sort of "library/dependancy" for third party software
  - From: Fabio Pietrosanti (naif)

Prev by Author: Re: [tor-talk] Bitcoin client - Tor safe?
Next by Author: [tor-talk] Using `msmtp` and etc. with post servers under hidden services
Previous by thread: [tor-talk] Tor as a sort of "library/dependancy" for third party software
Next by thread: Re: [tor-talk] Tor as a sort of "library/dependancy" for third party software
Index(es):
- Author
- Thread