[tor-bugs] #6060 [Tor Client]: add http proxy support to Tor

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Fri Sep 28 07:35:08 UTC 2012 

#6060: add http proxy support to Tor
----------------------------+-----------------------------------------------
    Reporter:  proper       |       Owner:  arma               
        Type:  enhancement  |      Status:  reopened           
    Priority:  normal       |   Milestone:  Tor: very long term
   Component:  Tor Client   |     Version:                     
  Resolution:               |    Keywords:                     
      Parent:               |      Points:                     
Actualpoints:               |  
----------------------------+-----------------------------------------------
Changes (by ioerror):

  * status:  closed => reopened
  * resolution:  wontfix =>


Comment:

 Replying to [comment:28 nickm]:
 > Replying to [comment:26 ioerror]:
 > > Replying to [comment:23 nickm]:
 > > > Replying to [comment:16 ioerror]:
 > > > > Replying to [comment:15 nickm]:
 > > > > > "Audit shim and bring it up-to-date" is a reasonable thing to
 do.
 > > > >
 > > > > I'm not sure what it needs - it compiles without warnings (yay)
 and it seems to function just as it should. It looks "finished" in as much
 as any C program. :)
 > > > >
 > > > > It does need compiler hardening and all that stuff added, of
 course.
 > > >
 > > > What it needs IMO is auditing for security and standards compliance.
 > >
 > > Ok - I think both of those are reasonable. What is the absolute
 canonical git repo? Is it yours?
 >
 > There is none; mine is the closest there is.

 Ok, I've forked it and I'll take it under my wing.

 >
 > > If so, I'd be willing to perform both of those audits. I would like
 some guidance of which standards matter to us and what specific security
 issues that concern us.
 >
 > Well, if it's going to claim to be an HTTP proxy, it should implement
 some version of HTTP. Probably 1.1?
 >

 Sure, I think that is reasonable - I'm not sure that it makes sense to
 support _all_ of HTTP 1.1 if for example there is a subset that is
 commonly accepted for a non-caching proxy to implement, I'd shoot for that
 goal.

 > I don't know which specific security issues most affect http proxies.
 >

 Ok.

 > [...]
 > > Any requirements of such a thing - regardless of where we put it - I'm
 open to considering and trying to resolve.
 > >
 > > >
 > > > > > Somebody would need to take on the responsibility of being shim
 maintainer.  I don't know that shipping shim by default would make senese.
 > > > >
 > > > > The open question for me is - "what would it take to make an HTTP
 proxy port a Tor configuration line as we have with SOCKSPort?"
 > > >
 > > > For me, that's not a goal.  Tor is not an all-singing all-dancing
 all-purpose application launcher, nor do I want to push '''more''' code
 into the main Tor process.  I'd like us to move in the direction of moving
 functionality ''out'' of Tor.
 > > >
 > >
 > > Ok, I think our goals aren't so different here. I don't want a full
 HTTP proxy with caching - I want the most minimal thing that will help
 reduce harm for our users. I think there is a balance to be struck and
 that is what happened with DNSPort - it is a minimal thing that at least
 gives '''some''' of the features that our users need. It has been
 extremely handy, even if imperfect or limited; it isn't standards
 compliant but holy cow, it is useful!
 > >
 > > I am hoping to solve this with a clean design in #6948 - so I totally
 hear you. I'm '''also''' in favor of that as a reality, sooner rather than
 later. If we can solve #6948, I would say we could break out each of these
 things quite nicely and move more and more code out of Tor proper. I am
 totally a fan of that '''while''' also being concerned that we may not
 succeed anytime soon.
 >
 > Is *that* what #6948 was about? I have no idea what a zygote is, or why
 shared memory mutexes were something we needed, so I kinda assumed it was
 an 'implementation technique' ticket, not a 'better architecture' ticket.
 >

 Ah - there has been a long standing discussion with Mike about this topic.
 I think at this point I owe a large set of tickets to trac that outline
 the design I've drawn up. It has been in the queue, so I'll get it done
 sometime soon.

 >  [...]
 > > Ok. That settles it, I guess. If both options are rejected, even as a
 thread that doesn't loop to a SocksPort, I'll continue with designs in
 #6948.
 >
 > Well, nothing is ''settled'' -- I can be wrong, and I hope I can change
 my mind if I am.
 >

 I understand. I think that the key is the energy to be spent with changing
 your mind is a lot more than if you found the idea compelling. So in that
 sense, I feel like it is easier to simply spent that energy on this zygote
 design.

 It seems rather straight forward to me to provide the most minimal HTTP
 interface possible so as to reduce harm; that didn't convince you and
 largely because I offered shim as a thing to provide it.

 Shim is already a program, so that means it sounds like Tor is a launcher
 or some such thing. I understand why you wouldn't want Tor to just include
 another full program. Though I also think that could be fine, I don't
 think it is important enough to discuss further. I do think a thread that
 opens an HTTP port is that important but again, as it is a pretty serious
 uphill battle, I feel demotivated.

 > But I don't think I'm wrong here.  HTTP is a very complex protocol, and
 I think about 100% of what you'd need to do with an HTTP proxy can be done
 out-of-process from Tor, as I understand it.
 >

 I think a port that provides support for CONNECT is probably not too
 complicated and that is why I mentioned the DNSPort - we don't have to do
 everything but if we do something, we can do a lot of good, where
 otherwise, people are screwed or software just breaks badly.

 > If the only argument against a separate proxy is "but then you would
 have to run two programs", I don't think it's a great one, since having
 more processes is the direction we should IMO be moving towards, for
 better security and modularity.

 The main argument is one of harm reduction where today, TorBirdy will need
 to solve this problem, likely by becoming an HTTP proxy. We actually found
 some code from Moxie that will do the trick (and make us GPL, ironically).
 If Tor provided that, we'd just depend on Tor and we'd call it a day. That
 is how a JonDos user is kept safe.

 As an aside and part of why I'm working on the zygote is that TorBirdy
 will also likely have to include a Tor and be a Tor controller. That also
 means that if the user ever later installs Tor, they'll have two Tor
 clients on a given machine. We'll try to be smart but boy, we really do
 need to find a better solution.  In theory, we can have TorBirdy users run
 privoxy. In practice, other than Tails users and very advanced users, no
 one does it - so most users are in harms way, especially if they use GnuPG
 with TorBirdy (and SOCKS) or any other HTTP proxy only app.

 So the general issue for me is one of overall integration and the specific
 is one of proving a kind of interface, slightly different from what we
 already provide, because it would reduce harm. How we reduce that harm
 only matters in that it _must_ be zero config and not fail open.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/6060#comment:31>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list