[tor-talk] Please review Tails stream isolation plans

adrelanos adrelanos at riseup.net
Tue Aug 28 23:53:01 UTC 2012


intrigeri:
> Hi,
> 
> we are told that Tor 0.2.3.x is good enough for Tails,
> so a bunch of Tails developers have eventually spent some time
> thinking what could be the initial step towards basic usage of Tor
> stream isolation within Tails.
> 
> The resulting plans are waiting to be reviewed there:
> 
>   https://tails.boum.org/todo/separate_Tor_streams/
> 
> While I'm at it, we wanted to ask whether it is reasonable for Tails
> to ship with IsolateDestAddr enabled by default (but for the web
> browser) as described in our plans, or if it is doomed to put too high
> a load on the Tor network. (Not that there are thaaaat many Tails
> users, and I guess these options were not added in order not to be
> used, but still.)
> 
> Cheers,
> 

My review:

I really think before you activate IsolateDestAddr/Port for web, Nick's
or Roger's option is required.

Overall looks pretty well for "basic" stream isolation. For "full"
stream isolation, also ssh, apt-get and any other (preinstalled)
application with network traffic should be stream separated.

> For performance reasons, we will start with not using
IsolateDestAddr/IsolateDestPort for iceweasel we ship: nowadays, loading
a mere web page often requires fetching resources from a dozen or more
remote sources.

Yes.

> (Also, it looks like the use of IsolateDestAddr in a modern web
browser may create very uncommon HTTP behaviour patterns, that could
ease fingerprinting.)

Safe to assume.

> Consider Pidgin with several accounts configured for different
identities. If you connect with all of the accounts at the same time,
they'll all get the same circuit, so the identities can be correlated.
While Tails does not formally support using multiple contextual
identities at the same time, Pidgin generally opens very few network
connections, so the performance impact of using IsolateDestAddr should
be small. Given how cheap it is, it looks like it is worth having Pidgin
use a (not necessarily dedicated) SocksPort that has IsolateDestAddr and
IsolateDestPort enabled.

True. Difficult to document.
"Multiple accounts are separated, if they are on different server IP's
(not DNS entries). They can get correlated if they share the same jabber
server IP. If your internet connection gets lost for any reason, your
system crashes for any reason, or you disconnect all accounts at once
(close Pidgin), all accounts will go offline at the same time. Therefore
if an adversary controls several IP's he can still guess they are all
owned by the same pseudonym."

Good thoughts on that page.

And to make the fingerprinting issues a bit more complicated... Someone
using stream isolation can probable be fingerprinted form someone not
using stream isolation. Example: view sourceforge.org with a torified
webbrowser, look at the ssh documentation site. Ssh to sf.net over
another stream. Now it's clear, someone is using aos (or similar
project, or stream isolation,) or Tails with "full" stream isolation.
But I think that's fine. You already trust sourceforge.org by connecting
to it with a webbrowser and ssh while giving the exit node less
information. Very theoretical, right now there are more urgent
fingerprinting issues with the web browser.

If you link your implementation, I'll review it as well.

I initially proposed the feature for Tails and now I am considering your
improvements for aos. Nice!


More information about the tor-talk mailing list