[Tails-dev] Switch to Privoxy?

Author: intrigeri
Date:  
To: tails-dev, Jacob Appelbaum
Subject: [Tails-dev] Switch to Privoxy?
Hi fellow Tails developers, hi Jacob!


Context
=======

We've been under repeated pressure to replace Polipo with Privoxy in
Tails. Most of the time, such attempts were made without much
knowledge of the Tails context, and were backed with plain wrong
reasons. Recently, Jacob advised us to remove Polipo; I assume it's
for good reasons, that are still to be explained in detail though.

Let's see what good reasons we may have to switch to Privoxy; there
are some. Let's look, with a fresh eye, at what the pros and cons of
these two pieces of software are, as far as Tails is concerned.

Preliminary note: in Tails 0.10, only APT, wget and applications that
obey the HTTP_PROXY / http_proxy environment variables will use
Polipo. Iceweasel _won't_.


Polipo is not supported by anyone for anonymity reasons
=======================================================

Correct.

Who does support Privoxy for anonymity reasons?


Polipo does not support downloading big files
=============================================

With our current configuration, "big" means bigger than 64MB:
https://tails.boum.org/bugs/impossible_to_download_files_bigger_than_64M_with_Iceweasel/

AFAIK, in Tails 0.10, only wget will be affected. This is an annoying
limitation for command-line users (especially when you learn about it
*after* having waited hours of stalled download), but not *that*
critical now that Iceweasel is not affected by it anymore.

Time to ship curl (that supports SOCKS5) instead of wget? It was
suggested to ship curl, plus a simplistic wrapper script called
"wget", that would pass curl the URL-looking arguments, and would
abort loudly, pointing at the curl documentation, if anything more
clever was attempted.


We already ship Polipo and know its possible weaknesses,
while we don't know Privoxy weaknesses yet
========================================================

Our Polipo configuration was inherited from Incognito. In the times
when Polipo was shipped in the TBB, it's been under severe scrutiny
for anonymity / privacy leaks, and more generally for security
problems. A few issues were discovered; AFAIK all such issues are
either fixed in the polipo package (1.0.4.1-1.1) shipped in Debian
Squeeze, or don't affect Tails. This should be double-checked, though:
https://tails.boum.org/todo/applications_audit/polipo/

Issues of the same kind may very well affect Privoxy too. If we were
to switch to it, we would have to gather existing research results on
this topic, check them, copy / design / adapt a configuration that
works around possible issues, etc.; we could probably start from
Liberté Linux's configuration, but this does not remove the need to
audit it in any way. Such work is non-trivial, and it's not obvious we
would gain anything at all, in the end, from a privacy or anonymity
point-of-view; even, the risk of making things worse exists.


Privoxy supports content filtering
==================================

Invalid for many reasons. Some of the most obvious ones are:

  - malicious content may be inserted as HTTPS to work around filtering
    of the HTTP streams
  - if body filtering is enabled, Privoxy downloads every resource in
    full before starting to deliver bytes to the client => much higher
    latency experienced by the user; yeah, we don't care as we're not
    really talking of web browsing; but then, what advantage would
    body filtering provide to the APT and wget kind of usage, exactly?



Polipo has better latency / user-experience
===========================================

Invalid, as we're not thinking, TTBOMK, of inserting an HTTP proxy back
between Iceweasel and Polipo.


Privoxy allows one to designate different proxies for different URLs
====================================================================

This would allow command-line applications in Tails to support
eepsites. My take on this is that it would be welcome, but not
compelling enough to make the balance weigh much more on the side
of change.


Polipo is what's been used by most Tor users for years
======================================================

TBB did ship Polipo, the Tor Debian / Ubuntu packages recommend Polipo
as the preferred alternative on top of Privoxy. Anonymity set++, etc.,
we all know the deal.


Polipo is not very well maintained upstream
===========================================

This is not to be easily ignored. IIRC the upstream author abandoned
it for a while; it was more or less forked / maintained by the Tor
project in the meantime; the upstream author came back, but the
improvements made by Tor were not all merged yet.

OTOH, apart from the file size download limit, it's not as if we had had
to report many bugs against it.


Polipo does caching
===================

We don't care, since we're not talking about web browsing anymore here.


Jacob wants us to remove Polipo
===============================

Jacob, you talked of "lots of reliability/security issues" and told us
that "Privoxy is a better http proxy for most things". Would you
please elaborate, after reading this very email, _what_ exact issues
you're thinking of, and _what_ makes Privoxy that much better?


Wanna add more pros and cons?

Cheers,
--
intrigeri <intrigeri@???>
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
| Every now and then I get a little bit restless
| and I dream of something wild.
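The curl-backed "wget" wrapper sketched in the message, as an added example that is not part of the original post nor of Tails itself: it hands bare URL arguments to curl over SOCKS5 (so Polipo and its 64MB limit are bypassed) and aborts loudly, pointing at the curl documentation, on anything else. It assumes curl is installed and a Tor SOCKS port at 127.0.0.1:9050 (placeholder, overridable via TOR_SOCKS).

```shell
#!/bin/sh
# Simplistic "wget" wrapper over curl (hypothetical, not Tails code).
# TOR_SOCKS is an assumption: the local Tor SOCKS port. The socks5h://
# scheme makes curl resolve host names through the proxy, not locally.
TOR_SOCKS="${TOR_SOCKS:-socks5h://127.0.0.1:9050}"

# is_url: succeed only if the argument looks like a plain http(s)/ftp URL.
is_url() {
    case "$1" in
        http://*|https://*|ftp://*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_args: succeed if every argument is a URL; otherwise print the
# first offending argument and fail. Kept apart from the download so
# the argument policy can be tested without network access.
check_args() {
    for arg in "$@"; do
        if ! is_url "$arg"; then
            printf '%s\n' "$arg"
            return 1
        fi
    done
    return 0
}

# wget_wrapper: download each URL with curl, or abort loudly if any
# argument is a wget option we deliberately do not emulate.
wget_wrapper() {
    [ $# -gt 0 ] || { echo 'usage: wget URL...' >&2; return 2; }
    bad=$(check_args "$@") || {
        printf 'wget wrapper: unsupported argument "%s".\n' "$bad" >&2
        printf 'Only bare URLs are handled; call curl directly, see curl(1).\n' >&2
        return 2
    }
    for url in "$@"; do
        # --fail: HTTP errors are fatal; -L: follow redirects; -O: keep
        # the remote file name, like wget does by default.
        curl --proxy "$TOR_SOCKS" --fail --location --remote-name "$url" \
            || return $?
    done
}

# Run only when installed under the name "wget" (so the file can be
# sourced for testing without downloading anything).
case "${0##*/}" in
    wget) wget_wrapper "$@" ;;
esac
```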