[tor-talk] How to force redirect each application through separate SocksPorts? (preventing identity correlation)

Fabian Keil freebsd-listen at fabiankeil.de
Sat Jun 30 16:00:00 UTC 2012


<proper at secure-mail.biz> wrote:

> freebsd-listen at fabiankeil.de wrote:
> > <proper at secure-mail.biz> wrote:
> >
> > > <freebsd-listen at fabiankeil.de> wrote:
> > > > That's incorrect. Privoxy can change the forwarding settings based on
> > > > tags:
> > > >
> > > > http://www.privoxy.org/user-manual/actions-file.html#CLIENT-HEADER-TAGGER
> >
> > > Excuse me, if I misunderstood. It doesn't look like anyone has done that
> > > ever before (and documented that online). And for that reason, it would be
> > > nice if you could create two examples.
> >
> > The documentation above has been available for years and already
> > contains an example. Are you looking for something specific that
> > the current documentation doesn't answer?
> >
> > > You suggest tagging the applications by user agent and forward-override?
> >
> >
> > Yes.
> >
> > > That sounds like a nightmare.
> >
> > I've been doing it for years and think it's convenient,
> > but of course it's a matter of opinion.
> >
> > >                               I wouldn't know how to find gpg's user
> > > agent, other than digging into the source code. And if they decide to
> > > change the user agent with the next version of gpg, the function gets
> > > broken.
> >
> > The User-Agent can be discovered by letting the proxy (or nc) log it.
> > It is also usually constant between updates, so checking it once
> > per update should do.
> >
> > gpg doesn't seem to set a User-Agent, but that's not a problem
> > as you can either let it use the default forwarding proxy or
> > change the forwarding based on other criteria like the address
> > of the keyserver.

> Imho it's very improbable that a significant number of people
> will be able to do it that way.

That's probably true, but I also think a significant number
of people don't care about this anyway.

> It's also complicated and error prone (human mistakes).

I don't see why it should be more complicated and error
prone than using the port number.

Once either method has been configured correctly and tested
it should work reliably until the environment changes.

> I am working on an anonymous operating system (TorBOX [1]) and made
> a modification to torsocks, called uwt [2].
> 
> Using uwt breaks down to "sudo ip=127.0.0.1 port=9053 uwt apt-get update"
> or "ip=127.0.0.1 port=9054 uwt gpg". It's also possible to create wrapper
> scripts, which do that in an automated way. (Documented under [2].)
> It's only a hack, and a clean solution would be very desirable.

If you are using TransPort anyway, I don't see the benefit of
additionally using torsocks.

> Feature request:
> I don't know how much effort it would be or how much time you still like
> to spend on privoxy... Could you add a feature?
> 
> - privoxy may provide multiple (http) listen ports

It already does.
http://www.privoxy.org/user-manual/config.html#LISTEN-ADDRESS

> - each (http) listen port may be forwarded to a different parent proxy ip/port

I thought about this a while ago, but as you can already get the
use-a-different-forwarder-for-each-listen-address functionality
by using a different IP address for each listen-address, it didn't
seem worthwhile at the time.

Fabian
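The tag-based setup discussed above, written out as an added configuration example (it is not part of the thread and not Privoxy's or TorBOX's own files). It assumes three Tor SocksPorts (9050, 9053, 9054), a Privoxy instance on 127.0.0.1:8118, an apt User-Agent beginning with "Debian APT-HTTP/", and two placeholder keyserver hostnames; all of these are assumptions and should be replaced with the real values of the system in question. The tagger is defined in a separate user.filter under the name "ua" so that it does not collide with anything in default.filter.

```text
## --- torrc (example values; port numbers are assumptions) --------------
## One SocksPort per application class. Tor (0.2.3 and later) does not
## share a circuit between streams that arrive on different SocksPorts
## unless they are put into the same SessionGroup.
SocksPort 127.0.0.1:9050
SocksPort 127.0.0.1:9053
SocksPort 127.0.0.1:9054

## --- Privoxy config (only the lines that matter here) ------------------
listen-address 127.0.0.1:8118
# Catch-all forwarder: every request not overridden in user.action goes
# to port 9050. forward-socks5 hands the hostname to Tor for resolution,
# so nothing is resolved locally.
forward-socks5 / 127.0.0.1:9050 .
# Stock files plus the two added below.
filterfile default.filter
filterfile user.filter
actionsfile default.action
actionsfile user.action
# debug 1 logs each request destination; debug 8 logs the headers Privoxy
# parses, which is the simplest way to learn what User-Agent a client sends.
debug 1
debug 8

## --- user.filter -------------------------------------------------------
## A client-header tagger: for every request whose User-Agent header
## matches, the result of the substitution becomes a tag that the action
## file can match with a TAG: pattern. The header itself is not changed.
CLIENT-HEADER-TAGGER: ua Tag the request with its User-Agent header
s@^User-Agent:\s*(.*)$@User-Agent: $1@i

## --- user.action -------------------------------------------------------
# Run the tagger on every request.
{+client-header-tagger{ua}}
/

# apt-get: matched on its User-Agent (assumed to start with
# "Debian APT-HTTP/"); its requests get their own SocksPort.
{+forward-override{forward-socks5 127.0.0.1:9053 .}}
TAG:^User-Agent: Debian APT-HTTP/

# gpg sends no User-Agent, so select by keyserver address instead. The
# hostnames are placeholders for whatever keyserver gpg is configured with.
{+forward-override{forward-socks5 127.0.0.1:9054 .}}
pool.sks-keyservers.net
keys.gnupg.net
```

Each client still has to be pointed at Privoxy (for example http_proxy=http://127.0.0.1:8118 in the environment for apt-get, and keyserver-options http-proxy=http://127.0.0.1:8118 in gpg.conf for gpg). Two things to check after installing this: with debug 1 and debug 8 enabled, the log should show the tagged requests leaving through 9053 and 9054 and everything else through 9050, and the same check should be repeated after a client update, because a changed User-Agent does not produce an error; the request simply falls through to the catch-all forwarder. As the Privoxy manual itself notes, HTTP headers are trivial to fake, so a TAG: pattern is only as trustworthy as the client that sends the header.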