Hi Patrick,

Patrick Schleizer:
> Do you know Whonix [0]?

I know the design, but haven't used it so far.

> What's the threat model here? As I understand, it's ensuring stream
> isolation for one workstation while another workstation is
> compromised.

The goal is to make each workstation (or even each user on a shared workstation) responsible for building their own circuits and for using whatever policy they like when it comes to stream isolation. Consequently, streams from different workstations can never share a circuit.

> The problem is, anyone, including adversaries can run Tor relays.

Interesting consideration. I'd prefer limiting the tor_routers ipset to relays with a Guard flag, which would make an attack more difficult to pull off. But a freshly installed Tor client will not necessarily fetch its first consensus through a Guard, right?

> I am wondering if the advantages of corridor and Whonix can be
> combined. Without running Tor over Tor, which is recommended against.

Maybe we misunderstand each other? You put a physical corridor box between your TBB/Tails/Whonix/Qubes workstation(s) and your router: That's not Tor over Tor, because corridor is not a proxy, it's a filter.

A corridor gateway should never increase the chance of clearnet leaks, because you can always just treat it as untrusted, like you should probably treat your DSL router and definitely your ISP's network. But if the corridor box is in fact in a trustworthy state, it acts as the leak stopper of last resort.

Rusty
-- tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
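
The Guard-only ipset idea discussed in the message above, as an added example that is not part of the original email or of corridor's own code: it filters consensus router entries by flag and emits `ipset restore` lines. The function names, the `hash:ip,port` set type and the sample consensus are assumptions made for illustration; the sample relays are constructed.

```python
import ipaddress

# Constructed sample in the consensus "r"/"s" line layout; not real relays.
SAMPLE_CONSENSUS = """\
r relayA AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2014-03-01 12:00:00 192.0.2.10 9001 9030
s Fast Guard Running Stable V2Dir Valid
r relayB CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2014-03-01 12:00:00 198.51.100.7 443 0
s Exit Fast Running Valid
r authX EEEEEEEEEEEEEEEEEEEEEEEEEEE FFFFFFFFFFFFFFFFFFFFFFFFFFF 2014-03-01 12:00:00 203.0.113.5 9101 9131
s Authority Running Stable V2Dir Valid
r relayC GGGGGGGGGGGGGGGGGGGGGGGGGGG HHHHHHHHHHHHHHHHHHHHHHHHHHH 2014-03-01 12:00:00 192.0.2.44 9001 0
s Fast Guard Stable Valid
r broken IIIIIIIIIIIIIIIIIIIIIIIIIII JJJJJJJJJJJJJJJJJJJJJJJJJJJ 2014-03-01 12:00:00 999.1.1.1 9001 0
s Guard Running Valid
"""

def parse_relays(text):
    """Yield (ip, orport, flags) per r/s pair, skipping malformed entries."""
    current = None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r":
            current = None
            if len(parts) < 8:
                continue
            try:
                # Address, ORPort and DirPort are the last three fields.
                ip = ipaddress.IPv4Address(parts[-3])
                port = int(parts[-2])
            except ValueError:
                continue
            if 0 < port < 65536:
                current = (str(ip), port)
        elif parts[0] == "s" and current:
            yield current[0], current[1], set(parts[1:])
            current = None

def ipset_restore(text, any_of=("Guard",), setname="tor_routers"):
    """Build input for `ipset -exist restore` (set type is an assumption)."""
    lines = [f"create {setname} hash:ip,port"]
    for ip, port, flags in parse_relays(text):
        # Require Running and Valid, plus at least one of the wanted flags.
        if {"Running", "Valid"} <= flags and flags & set(any_of):
            lines.append(f"add {setname} {ip},tcp:{port}")
    return lines

if __name__ == "__main__":
    print("\n".join(ipset_restore(SAMPLE_CONSENSUS)))
```

With the default Guard-only policy the constructed `authX` entry is dropped, which is the bootstrapping concern raised in the message; passing `any_of=("Guard", "Authority")` keeps it.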