[Tails-dev] vpwned

Author: Jacob Appelbaum
Date:  
To: The Tails public development discussion list
Subject: [Tails-dev] vpwned
Hi,

Some number of years ago, a paper was written about how to cause
leakage outside of VPNs and it included Tails as an example target:

https://www.usenix.org/system/files/conference/foci12/foci12-final8.pdf

I've waited a while for folks to read it and I think at this point,
we're at year two or so of waiting. It seems like the easy thing is to
simply give up and advocate for a fix with a simple patch.

I have a local branch called 'vpwns' and it contains a single fix:

diff --git a/config/chroot_local-includes/etc/ferm/ferm.conf
b/config/chroot_local-includes/etc/ferm/ferm.conf
index 54ab253..56bb20a 100644
--- a/config/chroot_local-includes/etc/ferm/ferm.conf
+++ b/config/chroot_local-includes/etc/ferm/ferm.conf
@@ -103,15 +103,6 @@ domain ip {
                 proto udp dport domain ACCEPT;
             }


-            # Local network connections should not go through Tor but
DNS shall be
-            # rejected.
-            # (Note that we exclude the VirtualAddrNetwork used for
.onion:s here.)
-            daddr (10.0.0.0/8 172.16.0.0/12 192.168.0.0/16) @subchain "lan" {
-                proto tcp dport domain REJECT;
-                proto udp dport domain REJECT;
-                ACCEPT;
-            }
-
             # Tor is allowed to do anything it wants to.
             mod owner uid-owner debian-tor ACCEPT;
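Review bot: Removing the "lan" subchain leaves no explicit rule in this hunk for RFC1918 destinations, so what happens to LAN-bound packets from ordinary users now depends on rules and the chain policy outside the visible lines; the only rule still visible after the deleted block is `mod owner uid-owner debian-tor ACCEPT;`, which by itself does nothing for non-Tor senders. To make the intended blocking explicit and testable, consider replacing the subchain with a rule such as `daddr (10.0.0.0/8 172.16.0.0/12 192.168.0.0/16) REJECT;` (optionally logged) rather than relying on fall-through, and state the resulting disposition in the commit message. The deleted comment also documented that the VirtualAddrNetwork used for .onion addresses is excluded from these ranges; that reasoning should be preserved next to whatever rule replaces the block, otherwise a later reader will not know why the .onion range must not be matched here.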


The code running as uid-owner {clearnet, debian-tor, i2psvc} will
still contain the issues outlined in the paper. This change may
require some UI changes for enabling access to the local network. I
suggest that such access is disabled by default.

I think this is a critical security bug in the firewall configuration.
We may have users who wish to enable this leak but generally, I
suspect most users don't realize that they're vulnerable by default.
Nor do I think that most users realize that they're vulnerable even if
they want to talk to the local network for some reason.

All the best,
Jacob