Re: [Tails-dev] What to do about I2P in Tails?

Delete this message

Reply to this message
Author: Kill Your TV
Date:  
To: Jacob Appelbaum, intrigeri
CC: zzz, The Tails public development discussion list
Subject: Re: [Tails-dev] What to do about I2P in Tails?
On Sun, 27 Jul 2014 14:33:45 +0000 (UTC)
Jacob Appelbaum <jacob@???> wrote:

> On 7/27/14, Kill Your TV <killyourtv@???> wrote:
> > On Fri, 25 Jul 2014 11:08:19 +0000 (UTC)
> > intrigeri <intrigeri@???> wrote:
> >
> >> Note: what follows is *not* about finding a solution to the last
> >> de-anonymization vulnerability found in I2P 0.9.13. I trust the I2P
> >> team will do a proper job at it.
> >
> > A new release is out that resolves this recent XSS and a few other
> > issues, but it has had very, very little testing. Perhaps there are
> > other problems lurking which haven't been reported yet; people are
> > certainly giving I2P more attention *now*.
>
> Is it possible to disable the I2P console entirely until it has been
> audited?


Yes, this is very easy to do.

> > (Exodus reported *multiple*
> > 0days incl RCE affecting Tails. See also
> > http://www.twitlonger.com/show/n_1s2jibg. Are these others in I2P?
> > Tor? Something else? Will these other 0 days be disclosed or are
> > they to be sold?)
> >
>
> I have a similar concern. I think that this suggests that we need to
> get our act together and audit audit audit. We should also work to
> mitigate these kinds of bugs - assuming that we've missed something as
> we have probably missed something. :(


I agree wholeheartedly.

> > WRT to the last I2P release: I do know that the filtering is a
> > little too strict and broke retrieving torrent metainfo, so I think
> > that there will be a point release relatively soon (Perhaps the
> > I2P-users on Tails don't bother with this feature?).
>
> Will the Debian packages be updated sometime soon?


I (occasionally) cherry-pick what I think are important but very
low-risk fixes for the debs. If the router console is disabled within
Tails then the problem I mentioned here would not be applicable. I
think that any potential I2P point release would solely address
functionality or security of the console itself. Thus far, I've only
found breakage in the I2P-contained torrent client; on the bright side,
it shows the filtering is working.

The point release for any problems caused by overly strict XSS
filtering--or any other problems reported--is planned to be done by
Aug 11 or thereabouts.

> > I still haven't had a chance to play 'catch-up' with the posts,
> > Redmine, and/or IRC to give the level of detail that they deserve,
> > but a few quick things:
> >
> > apparmor: This was in my plans prior to this bug but of course its
> > priority has been raised.
>
> Wouldn't any policy that blocks the latest RCE also block the way that
> I2P actually functions?


I need to familiarize myself with how apparmor works before I can make
an informed comment on this.

> > 'router console access': How many on Tails on I2P just visit I2P
> > internal sites? How many look at or change settings here? Should
> > this be disabled by default?
>
> Yes, please disable it, if that is possible. Or perhaps make a web
> view or something similar with it?


Instead of opening the 'console' perhaps an informative static HTML
page could be opened instead? Perhaps with the same "in console"
information but without the ability to edit any settings. Anyone that
wants to do anything fancier would be able to use the administrative
password and edit the configs to manually enable it.

The actual disabling of the console's starting is straight-forward.

> > greeter or boot option: Seems like a reasonable compromise. I
> > suppose could also allow the "I2P-specific" rules to be set
> > if-and-only-if this option is specified.
>
> I think it would be good to privilege separate administration of I2P
> (eg: console) from usage of I2P (eg: touching the network).
>
> >
> > More will be forthcoming.
>
> Sounds good. I look forward to hearing more and I'm happy to help.
> What do you think about routing all I2P traffic over Tor? That seems
> like something that may happen as a stop gap. Thoughts on that are
> really needed.


It'll "work". Liberté was shipping with I2P routed over Tor. Whonix
recommends that users wishing to run I2P install it on the workstation,
effectively routing everything over Tor.

I don't know what the impact on the network (=I2P & Tor) would be.
Speculating, I'm not sure that it'd be /that/ bad for I2P due to I2P on
Tails being configured to run in "hidden mode" (outside of I2P
lingo, this essentially means that the router address isn't published
I2P's netdb).

I do not have any further insight on the topic of I2P-over-Tor at
this time. I'll have to come back to this.

--
GPG ID: 0x5BF72F42D0952C5A
Fingerprint: BD12 65FD 4954 C40A EBCB F5D7 5BF7 2F42 D095 2C5A