Re: [Tails-dev] [tor-talk] Please review Tails stream isolation plans

Author: adrelanos
Date:  
To: tor-talk, tails-dev
Subject: Re: [Tails-dev] [tor-talk] Please review Tails stream isolation plans
Nick Mathewson:
> On Sep 3, 2012 2:21 PM, "adrelanos" <adrelanos@???> wrote:
>>
>> intrigeri:
>>> Hi,
>>>
>>> Nick Mathewson wrote (30 Aug 2012 15:10:52 GMT) :
>>>> or using some kind of iptables trickery?
>>>
>>> I'm not sure how doable it is to use iptables to convert HTTP proxying
>>> to SOCKS, but I'd be happy to learn :)
>>
>> Iptables can not translate from one protocol to another.
>
> But it can forward connections to a transparent proxy -- like, say, Tor's
> TransPort feature. The tricky part here would be coming up with a way to
> forward only the correct connections.
I'd certainly help with rule creation; I have already experimented with it.
The safest thing would probably be to start each application under its
own user account, or to use other iptables -owner features, perhaps in
conjunction with a per-destination port. But as said before, I don't
think this is a good solution.

> Failing that, torsocks is indeed a way pretty good option.
I don't think so. It's only a hack. It doesn't work on Windows. It can be
sufficient for distributions such as Tails or aos. For end users it's
much too hard to use torsocks for stream isolation. A clean solution is
highly desirable. Reasons:

It has an IPv6 leak bug.
https://trac.torproject.org/projects/tor/wiki/doc/torsocks#WorkaroundforIPv6leakbug

A patch flooding all console output (and therefore breaking applications
based on console applications) is still not merged upstream.
https://code.google.com/p/torsocks/issues/detail?id=3

Fortunately intrigeri merged it into Debian.

Torsocks / usewithtor does not support choosing to which Tor SocksPort
you want to redirect. We need this to utilize stream isolation. I wrote
a hack.
https://trac.torproject.org/projects/tor/wiki/doc/torsocks

It's far from perfect. It still requires a wrapper. How else could people
transparently use apt-get with stream isolation, without invoking
torsocks themselves? I mean, without a wrapper they would have to use
'torsocks apt-get' instead of a simple 'apt-get'.

For more reasons please refer to my last mail on Tails-dev about this
topic.
https://mailman.boum.org/pipermail/tails-dev/2012-August/001422.html The
relevant part begins with "Unfortunately, not all applications support
socks settings...".
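The owner-match idea discussed above (run each application under its own Unix account and let iptables steer that account's connections to a dedicated Tor TransPort, so that Tor keeps those streams on their own circuits) is sketched here as an added example; it is not code from this thread, from Tails, or from Tor. It assumes a local Tor with `TransPort 127.0.0.1:9041` and `DNSPort 127.0.0.1:5301` configured for a hypothetical account `aptuser`; the `ipt` wrapper and the port numbers are assumptions, and by default the script only prints the rules it would apply. Tor places streams that arrive on different listener ports in different session groups unless a `SessionGroup` flag says otherwise, which is what gives the per-port isolation.

```shell
#!/bin/sh
# Added example (not from the thread): per-user transparent torification
# with iptables owner matching. One account -> one TransPort/DNSPort pair,
# and anything from that uid that does not land on those two local ports
# is dropped, so a misconfigured or proxy-unaware program cannot leak
# around Tor. DRY_RUN=1 (default) prints the rules; DRY_RUN=0 applies them
# (requires root and the iptables binary).

DRY_RUN="${DRY_RUN:-1}"

# ipt: hypothetical helper that prints or executes one iptables command.
ipt() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'iptables %s\n' "$*"
  else
    iptables "$@"
  fi
}

# owner_rules USER TRANSPORT DNSPORT
# Assumes Tor listens on 127.0.0.1:TRANSPORT (tcp) and 127.0.0.1:DNSPORT (udp).
owner_rules() {
  user="$1"; trans="$2"; dns="$3"

  # nat/OUTPUT only sees the first packet of each connection. REDIRECT
  # rewrites the destination of locally generated packets to 127.0.0.1,
  # so the traffic re-emerges on lo aimed at Tor's listener.
  ipt -t nat -A OUTPUT -m owner --uid-owner "$user" -p tcp -j REDIRECT --to-ports "$trans"
  ipt -t nat -A OUTPUT -m owner --uid-owner "$user" -p udp --dport 53 -j REDIRECT --to-ports "$dns"

  # filter/OUTPUT runs after nat, so the only traffic from this uid that
  # may leave is what already got redirected to the two Tor ports on lo.
  ipt -A OUTPUT -m owner --uid-owner "$user" -o lo -p tcp --dport "$trans" -j ACCEPT
  ipt -A OUTPUT -m owner --uid-owner "$user" -o lo -p udp --dport "$dns" -j ACCEPT
  ipt -A OUTPUT -m owner --uid-owner "$user" -j DROP
}

# torrc_fragment TRANSPORT DNSPORT
# The matching listener lines for torrc. Each TransPort defaults to its own
# session group, so streams from different accounts do not share circuits.
torrc_fragment() {
  printf 'TransPort 127.0.0.1:%s\nDNSPort 127.0.0.1:%s\n' "$1" "$2"
}

# Usage: ./torify-user.sh aptuser 9041 5301
if [ $# -eq 3 ]; then
  torrc_fragment "$2" "$3"
  owner_rules "$1" "$2" "$3"
fi
```

A second account would get its own `owner_rules` call with a different TransPort/DNSPort pair and a matching pair of torrc lines; the thread's objection still stands, since every program has to be launched under the right account for the rules to see it.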