Re: [tor-talk] [Tails-dev] Please review Tails stream isolation plans
> On Sep 3, 2012 2:21 PM, "adrelanos" <adrelanos@xxxxxxxxxx> wrote:
>>> Nick Mathewson wrote (30 Aug 2012 15:10:52 GMT) :
>>>> or using some kind of iptables trickery?
>>> I'm not sure how doable it is to use iptables to convert HTTP proxying
>>> to SOCKS, but I'd be happy to learn :)
>> Iptables can not translate from one protocol to another.
> But it can forward connections to a transparent proxy -- like, say, Tor's
> TransPort feature. The tricky part here would be coming up with a way to
> forward only the correct connections.
I'd certainly help with rule creation; I have already experimented with it.
The safest thing would probably be to start each application under its
own user account, or to use other iptables owner-match features, perhaps in
conjunction with a per-destination port. But as said before, I don't
think this is a good solution.
> Failing that, torsocks is indeed a way pretty good option.
I don't think so. It's only a hack. It doesn't work on Windows. It can be
sufficient for distributions such as Tails or aos. For end users it's
much too hard to use torsocks for stream isolation. A clean solution is
much more desirable. Reasons:
It has an IPv6 leak bug.
A patch for the bug where it floods all console output (and therefore breaks
applications built on console applications) is still not merged upstream.
Fortunately intrigeri merged it into Debian.
Torsocks / usewithtor does not support choosing which Tor SocksPort
you want to redirect to. We need this to utilize stream isolation. I wrote
It's far from perfect. It still requires a wrapper. How else could people
transparently use apt-get with stream isolation, without issuing
torsocks themselves? I mean, without a wrapper they would have to use 'torsocks
apt-get' instead of a simple 'apt-get'.
For more reasons please refer to my last mail on Tails-dev about this
relevant part begins with "Unfortunately, not all applications support
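The iptables approach Nick and adrelanos discuss above, as an added example (this is not code from the thread, from Tails, or from adrelanos's wrapper): each application is started under its own user account, and an owner match redirects that account's TCP traffic to a dedicated Tor TransPort and its DNS to a DNSPort, with everything else from that account rejected so nothing can bypass Tor. Tor's documented default is that streams arriving on different TransPort/SocksPort listeners never share circuits, which is what makes one listener per account a form of stream isolation. The account names (web-tor, irc-tor), the ports (9041, 9042, 5300) and the two-entry APPS table are assumptions made up for this example.

```shell
#!/bin/sh
# Added example (not from the tor-talk thread, Tails or adrelanos): per-application
# stream isolation with iptables owner matching and one Tor TransPort per account.
# Hypothetical assumptions: accounts web-tor and irc-tor, TransPorts 9041/9042,
# DNSPort 5300. Streams on different Tor listeners never share circuits by
# default, so a dedicated listener per account gives each application its own.

APPS="web-tor:9041 irc-tor:9042"   # "user:transport" pairs, constructed for the example
DNS_PORT=5300

# torrc fragment: a DNSPort for name lookups plus one TransPort per account.
gen_torrc() {
    echo "DNSPort 127.0.0.1:$DNS_PORT"
    for pair in $APPS; do
        echo "TransPort 127.0.0.1:${pair#*:}"
    done
}

# Rules for one account. nat/OUTPUT rewrites the destination first; filter/OUTPUT
# then sees the rewritten packet (now routed via lo) and only lets traffic to
# Tor's own listeners through. Anything else from that uid is rejected, so a
# protocol torsocks would miss cannot leak. IPv6 is rejected outright because
# only the IPv4 side is redirected here (compare the IPv6 leak noted above).
gen_rules_for() {
    user=$1; port=$2
    echo "iptables -t nat -A OUTPUT -m owner --uid-owner $user -p udp --dport 53 -j REDIRECT --to-ports $DNS_PORT"
    echo "iptables -t nat -A OUTPUT -m owner --uid-owner $user -p tcp --syn -j REDIRECT --to-ports $port"
    echo "iptables -A OUTPUT -m owner --uid-owner $user -o lo -p tcp --dport $port -j ACCEPT"
    echo "iptables -A OUTPUT -m owner --uid-owner $user -o lo -p udp --dport $DNS_PORT -j ACCEPT"
    echo "iptables -A OUTPUT -m owner --uid-owner $user -j REJECT"
    echo "ip6tables -A OUTPUT -m owner --uid-owner $user -j REJECT"
}

# All rules for every account in APPS, in the order they must be appended.
gen_all() {
    for pair in $APPS; do
        gen_rules_for "${pair%%:*}" "${pair#*:}"
    done
}

# Print the torrc fragment and the rules by default; "apply" executes the rules
# (needs root and the accounts to exist, e.g. created with adduser --system).
if [ "${1:-}" = "apply" ]; then
    gen_all | sh -e
else
    gen_torrc
    gen_all
fi
```

The owner match only applies when the application really runs under that account (for instance started with `sudo -u web-tor`), which is exactly the usability problem raised above: it works for a distribution that sets the accounts up, but not for a program that has to run as root, and an end user still has to know which account to use.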