Re: [Tails-dev] Tails 0.14 rc1 virtualization testing & howt…

Delete this message

Reply to this message
Author: adev
Date:  
To: The Tails public development discussion list
Subject: Re: [Tails-dev] Tails 0.14 rc1 virtualization testing & howto install virtualbox and vmplayer
> anonym:
>>> * Allows stronger enforcement of tor-only connections, an attacker must
>>> > break out of a virtual machine, in addition to previous steps taken.
>>> A VM
>>> > can be configured to only be able to send traffic through the tor
>>> process
>>> > running on the host machine.
>> Sure, but to configure the applications in the guest to use the host's
>> Tor is non-trivial for most users (and would require us to make Tor's
>> ports listen on more than localhost). I'd like a way so a whole VM is
>> Torified without additional configuration inside the VM. Here's some an
>> article one can find inspiration from:
>>
>> <http://www.howtoforge.com/how-to-set-up-a-tor-middlebox-routing-all-virtualbox-virtual-machine-traffic-over-the-tor-network>
>>
>> (Added to the todo item)
>>
>
> What about identity corelation since all VM traffic would go through a
> single Tor socks port?
> (Added to the todo item)
> _______________________________________________
> tails-dev mailing list
> tails-dev@???
> https://mailman.boum.org/listinfo/tails-dev
>



My thoughts on this are that I am in favor of apps not being network aware
unless being specifically configured to be so

Eg using host-only networking for the virtual machines network card, and
then configuring specific apps in the virtual machine to connect to a
socks port on the tails-livecd-host host-only network adapter

The livecd tor would need to listen on various socks ports (for stream
isolation) on the virtualbox host-only host network adapter

A well thought out firewall policy would be needed.


Yes this would be more work than simply saying "torify the whole VM" but
it does have its advantages:

* Existing strategy of stream isolation is preserved, as virtual apps can
still have isolated streams by connecting to a dedicated socks port

* Sometimes apps misbehave, or you install an app and it goes to
auto-update itself before you can tell it not too, but it has an insecure
update mechanism, if the whole VM is torified it would insecurely update
over tor.

If apps only work with Tor because the software came preconfigured, we get
greater control over which apps can communicate with the network or not

* Its not really that hard to tell the host tor to listen on socks ports
on an additional host-only network adapter, and telling the virtual apps
to use a socks-ports on the virtual hostonly adapter is much the same as
how existing apps are configured



Thoughts?