[tor-talk] torsocks is broken and unmaintained

s starwars1070 at gmail.com
Mon Dec 3 00:38:45 UTC 2012


I agree with adrelanos. I use Tor mainly to run a bridge and a relay at my
work (we set up a server for that), but I find it difficult to manually
go into sock, but on the occasion I use it, which is rare besides to
connect to an employee computer. But if we had a library of Tor connection
options where, say, a developer could attach his programs and run it
through there. When the C-level people go off to other countries we
only allow them to use Tor to connect back to us if they don't want to
use a VPN; some don't, but most will. Although it does make it difficult to
make sure Tor stays up to date: either one of my senior techs
or myself has to go pull in the laptops and update them, but it's easier
than somebody piggybacking on their VPN and getting into the databases.

On 12/2/2012 8:19 AM, adrelanos wrote:
> Matthew Finkel:
>> On 12/01/2012 06:14 PM, John Case wrote:
>>> On Fri, 2 Nov 2012, grarpamp wrote:
>>>
>>>>>> I don't agree. torsocks is still useful to prevent identity correlation
>>>>>> through circuit sharing. Pushing all traffic through Trans- and DnsPort
>>>>>> is not the answer.
>>>>> Also, I don't want all of my applications using Tor -- just some of
>>>>> them. Using Tails or TransPort wouldn't allow me to do this.
>>>> Some people do run multiple Tor's, jails, packet
>>>> filters, and apps. Largely to get around current
>>>> Tor limitations. Those people don't have this
>>>> singularity problem/position that you assume.
>>>> Torsocks is not required in that instance.
>>>
>>> There has to be a better way to simply "make an ssh connection over ToR".
>>>
>>> I don't want to run all of tails just to make a single ssh connection (2
>>> minutes to properly fire up vmware, massive cpu use, laptop gets hot,
>>> fans running, everything else comes to a crawl).
>>>
>>> I don't want to run a full-blown tor relay installation with all the
>>> bells and whistles and then maintain that full blown environment, watch
>>> advisories, run periodic tests, test for dns leakage, blah blah.
>>>
>>> I want this:
>>>
>>> cd /usr/ports/net/torssh
>>> make install
>>> torssh user@host.com
>>>
>>> Am I the only person that wants/needs this ?
>>>
>>> I understand that you can't go down the road of "make a custom tor app
>>> for every possible client app that people want to run", but come on ...
>>> ssh ? If there was just a single app to do this for, it would be that,
>>> right ?
>> The real issue is that once they start providing torified-forks of
>> certain projects where do they draw the line? torFirefox for TBB, sure
>> (which may be coming down the pipe anyway)! torssh, why not? Tor Project
>> is already stretched thin which means third party devs would have to
>> implement most of the work and who would be able to audit all of them?
>>
>> "Torification" integrated into these projects would be a usability
>> god-send for most people. But that would ultimately be its undoing. At
>> this point many users don't understand that anonymity is not as simple
>> as flipping a switch, it's so much more complex than that. One possible
>> advantage of Tor being a little complex is that it makes people realize
>> that ensuring one's safety/privacy online is *not* easy and it's possible
>> that increasing the usability too much could put more people at risk.
>>
>> In addition to this, if different projects have tor integrated then that
>> would mean each one would have to keep state separately and each would
>> most likely have different guard nodes and such. The result, again,
>> would be putting the users more at risk.
>>
>> I understand the appeal of such packages, but if you think about this
>> then you'll see that running a single daemon and channeling connections
>> through it probably is the best and most resource efficient way. Just
>> think, if "x number of" programs you wanted to run were torified then
>> you would essentially be running x instances of tor, not ideal.
>>
>> For now, using built-in proxy support for an application, or torsocks if
>> it doesn't have it, is the best option we have and we still need to be
>> careful when we use any built-in proxy option.
> Hi!
>
> Many developers failed to add proper Tor socks proxy support. (DNS leaks
> etc.)
>
> See ticket:
> https://trac.torproject.org/projects/tor/ticket/5553
>
> In comparison many instant messenger developers messed up implementing
> their own encryption which is incompatible with others. OTR was a great
> invention to establish a respected, proven, cross compatible encryption
> library.
>
> Let alone the neglected torsocks which is affected by so many serious
> leak and other kinds of bugs. This goes for many other outdated and
> buggy proxifiers as well.
>
> And all the people messing up correct torification and using leaking
> applications and endless discussions and uncertainty if there are leaks
> or not...
>
> Compare this with the i2p network and applications designed for the i2p
> network. The i2p network has arguably a different threat model and
> security features but one thing you will (not) be missing in the i2p
> community: discussions whether applications do leak or do actually
> correctly use i2p.
>
> I think instead of inventing torsocks it would have been much better if
> there was a Tor connection library and applications could easily use it.
>
> Cheers,
> adrelanos
> _______________________________________________
> tor-talk mailing list
> tor-talk at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
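
The DNS-leak failure in SOCKS proxy support that adrelanos mentions in the quoted message is visible in the SOCKS5 request itself (RFC 1928): a client that hands the proxy a hostname lets Tor resolve it, while a client that hands over only an IP address has usually resolved the name locally first. This is an added example, not code from the thread, Tor or torsocks; the function names and the sample requests are constructed for illustration.

```python
import ipaddress
import struct

def build_connect(host, port):
    """SOCKS5 CONNECT request (RFC 1928) for host:port, as a client would send it."""
    head = b"\x05\x01\x00"  # VER=5, CMD=CONNECT, RSV=0
    tail = struct.pack(">H", port)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("ascii")
        return head + b"\x03" + bytes([len(name)]) + name + tail  # ATYP=3: name
    return head + (b"\x01" if ip.version == 4 else b"\x04") + ip.packed + tail

def classify_request(req):
    """Return (verdict, destination, port) for a raw SOCKS5 request."""
    if len(req) < 5 or req[0] != 5:
        raise ValueError("not a SOCKS5 request")
    atyp = req[3]
    if atyp == 3:
        addr_len, start = req[4], 5           # one length byte, then the name
    elif atyp in (1, 4):
        addr_len, start = (4 if atyp == 1 else 16), 4
    else:
        raise ValueError("unknown address type")
    if len(req) != start + addr_len + 2:
        raise ValueError("truncated or oversized request")
    raw = req[start:start + addr_len]
    port = struct.unpack(">H", req[-2:])[0]
    if atyp == 3:
        # The proxy (Tor) resolves the name; no local DNS query is needed.
        return ("remote-resolve", raw.decode("ascii"), port)
    # Only an address reached the proxy: if the user typed a hostname,
    # the client resolved it locally, outside Tor.
    return ("ip-literal", str(ipaddress.ip_address(raw)), port)

# Constructed samples: the same kind of connection from two client behaviours.
SAFE = build_connect("example.com", 22)
LEAKY = build_connect("192.0.2.10", 22)  # client did its own DNS lookup first

if __name__ == "__main__":
    for label, req in (("safe", SAFE), ("leaky", LEAKY)):
        print(label, req.hex(), classify_request(req))
```

An `ip-literal` verdict is only a leak indicator: it is expected when the user supplied an IP address and a problem when a hostname was typed.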