
Re: [tor-talk] [Tails-dev] Please review Tails stream isolation plans

Nick Mathewson:
> On Sep 3, 2012 2:21 PM, "adrelanos" <adrelanos@xxxxxxxxxx> wrote:
>> intrigeri:
>>> Hi,
>>> Nick Mathewson wrote (30 Aug 2012 15:10:52 GMT) :
>>>> or using some kind of iptables trickery?
>>> I'm not sure how doable it is to use iptables to convert HTTP proxying
>>> to SOCKS, but I'd be happy to learn :)
>> Iptables can not translate from one protocol to another.
> But it can forward connections to a transparent proxy -- like, say, Tor's
> TransPort feature.  The tricky part here would be coming up with a way to
> forward only the correct connections.

I'd certainly help with rule creation; I have already experimented with it.
The safest thing would probably be to start each application under its
own user account, or to use other iptables -owner features, perhaps in
conjunction with a per-destination port. But as I said before, I don't
think this is a good solution.

> Failing that, torsocks is indeed a pretty good option.

I don't think so. It's only a hack. It doesn't work on Windows. It can be
sufficient for distributions such as Tails or aos. For end users it's
much too hard to use torsocks for stream isolation. A clean solution is
highly desirable. Reasons:

It has an IPv6 leak bug.

A patch flooding all console output (and therefore breaking applications
based on console applications) is still not merged upstream.

Fortunately intrigeri merged it into Debian.

Torsocks / usewithtor does not support choosing which Tor SocksPort you
want to redirect to. We need this to utilize stream isolation. I wrote
a hack.

It's far from perfect. It still requires a wrapper. How else could people
transparently use apt-get with stream isolation, without issuing
torsocks themselves? I mean, without a wrapper they would have to use
'torsocks apt-get' instead of a simple 'apt-get'.

For more reasons please refer to my last mail on Tails-dev about this:
https://mailman.boum.org/pipermail/tails-dev/2012-August/001422.html The
relevant part begins with "Unfortunately, not all applications support
socks settings...".
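As an added example that is not part of this thread, here is the per-user iptables approach Nick and adrelanos mention above, written as a POSIX shell script that generates the torrc listeners and the iptables-restore tables: every application runs as its own unix user and the owner match sends only that user's traffic to a TransPort/DNSPort reserved for it. The user names, ports and the mapping table are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: per-user stream isolation via the
# iptables owner match. The nat OUTPUT chain redirects one user's TCP and DNS
# traffic to a TransPort/DNSPort reserved for it, so applications never share
# circuits. User names and port numbers are constructed for illustration.
# Constructed mapping: <unix user> <Tor TransPort> <Tor DNSPort>
APP_TABLE="
apt-user 9041 5301
browser-user 9042 5302
"
each_app() {  # run "$1 user tport dport" for every row of APP_TABLE
    echo "$APP_TABLE" | while read -r user tport dport; do
        [ -n "$user" ] || continue
        "$1" "$user" "$tport" "$dport"
    done
}
# torrc lines: a TransPort/DNSPort pair per user. Each listener is in its own
# session group by default, so streams from different users never share circuits.
torrc_row() { echo "TransPort 127.0.0.1:$2"; echo "DNSPort 127.0.0.1:$3"; }
torrc_lines() { each_app torrc_row; }

# nat table (iptables-restore syntax). Only listed users are matched; their
# loopback traffic is left alone so the redirected connection is not redirected again.
nat_row() {
    echo "-A OUTPUT -m owner --uid-owner $1 -p udp --dport 53 -j REDIRECT --to-ports $3"
    echo "-A OUTPUT -m owner --uid-owner $1 -p tcp --syn -j REDIRECT --to-ports $2"
}
nat_rules() {
    echo "*nat"
    echo "-A OUTPUT -o lo -j RETURN"
    each_app nat_row
    echo "COMMIT"
}

# filter table: whatever those users send that was not redirected (other
# protocols, stray non-SYN packets) is rejected instead of leaving the box around Tor.
filter_row() { echo "-A OUTPUT -m owner --uid-owner $1 ! -o lo -j REJECT"; }
filter_rules() {
    echo "*filter"
    each_app filter_row
    echo "COMMIT"
}

# Load both tables without flushing unrelated rules; needs root and existing users.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: run as root" >&2; return 1; }
    { nat_rules; filter_rules; } | iptables-restore --noflush
}
```

The owner match only exists in the OUTPUT chain, so this covers connections originating on the host itself, and it is Linux-only, which is the same portability limit the mail raises against torsocks.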