Hello,
I just pushed a fairly large update to or-ctl-filter, that lets you do lots of interesting things, most of them probably unsafe. In particular or-ctl-filter now ships with a SOCKS5 client/server implementation and a stub control port implementation.
A picture is worth a thousand words: https://raw.github.com/Yawning/or-ctl-filter/screenshots/or-ctl-filter-tor-i...
What it does:
* Filters the control port exposed to Tor Browser for things that (IMO) the browser has no business knowing just in terms of attack surface. In particular this intentionally breaks the circuit display feature as part of 4.5.x.
* Allows easy integration of Tor Browser with a system tor service
(NB: I run a system tor service with the Tor Browser circuit lifespan patch, if you do not, you will get behavior that is different from other users. You have been warned.)
* Supports transparently redirecting ".i2p" requests to an I2P instance. Tor does not need to be running for this.
* Enforces isolation to attempt to guard the local I2P web server and management interface from cross protocol trickery, evil Javascript and whatnot.
* Supports running without Tor or I2P at all, essentially changing Tor Browser into Firefox with a bunch of patches.
Limitations:
* NEWNYM does not affect I2P tunnels.
* "New Tor Circuit For This Site" does not affect I2P tunnels either.
* Only cookie authentication is supported because I'm lazy, and it is the superior authentication method.
* Launching Tor/I2P is not or-ctl-filter's problem and will never be part of the feature set. I have systemd for that.
Warning(s):
* Very alpha. It is entirely possible that I screwed up enforcing isolation. You can hard disable access to locally hosted i2p services like the management console in the config file.
It is still probably 3 million times better than using privoxy/random sketch addons to do something like this because I actually do look at circuit isolation from Tor Browser and propagate it to Tor (or enforce it as best as I can otherwise).
* If you enable logging, it will happily splatter destinations, authentication credentials, and everything else to the log, because it is a debugging feature, so don't.
* If you enable the option named "UnsafeAllowDirect" and disable Tor, it will happily connect directly to the internet, destroying your anonymity.
* Untested on Windows. Should work, don't care if it doesn't. Patches will sit in my INBOX forever; ignored, and unloved, just like the operating system they target. The same goes for OSX.[0]
Code: https://github.com/Yawning/or-ctl-filter/tree/master
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
On 06/03/2015 04:07 PM, Yawning Angel wrote:
Hello,
I just pushed a fairly large update to or-ctl-filter, that lets you do lots of interesting things, most of them probably unsafe. In particular or-ctl-filter now ships with a SOCKS5 client/server implementation and a stub control port implementation.
A picture is worth a thousand words: https://raw.github.com/Yawning/or-ctl-filter/screenshots/or-ctl-filter
- -tor-i2p.png
[snip]
Thanks Yawning, this looks very useful indeed.
- -Jeremy