[tor-talk] Operating system updates / software installation behind Tor Transparent Proxy

proper at secure-mail.biz
Sat Mar 3 08:33:02 UTC 2012


<snip>
>
> I'm more worried about the risks to user anonymity.  It sucks to be
> the user reading about some sensitive subject when your apt cron job
> decides to poke every package source you install from.  “Oh, that guy
> who keeps reading about Foozer's Disease must be in the
> Antarctica/McMurdo time zone!”

We disabled automatic updates. Time zone is UTC.

> > The transparent proxy feature is great, it offers to reduce the risk of
> > leaks and offers an anonymous torified operating system. Operating system
> > updates behind Tor are a dilemma. It's several hundred of megabytes.
>
> It's probably not anonymous.
>
> Tor's goal is to provide unlinkability between the source of a
> connection and its destination.  Tor Browser Bundle and Tails aim to
> provide unlinkability at destinations between connections from a
> single source.  Anonymity requires the latter property.
>
> Of course, if you want to link your connections together, you
> certainly can -- I log into GMail over Tor using a username and
> password linked to my real name and to a location where I live.  I'm
> not anonymous, nor even pseudonymous, but Tor still prevents GMail
> from determining my current location.
>
> An operating-system installation which was set up without Tor, then
> stuck behind a Tor transparent proxy, receives location privacy from
> Tor.  If the person who set up that system was careful to turn off all
> the automatic network operations that could otherwise make a system's
> traffic identifiable, the system could even be anonymous.  You aren't
> likely to get there from a Debian or FreeBSD system without serious
> effort.  I don't think it's possible at all with Windows.

Only talking about Ubuntu here. NTP has been uninstalled (and wouldn't be able to do anything anyway, as UDP traffic is dropped, Tor can not forward it anyway). Automatic updates are disabled. If you know any other background network activity please share.

> > Once users have an anonymous torified operating system, they use
> > "apt-get upgrade", they won't bother with offline updates, as they
> > are complicated and possible leaks (creates signature).
>
> ‘apt-get upgrade’ should be fairly well-behaved for a bulk-download
> client.  Sucks that ‘apt-get upgrade’ tells your exit node what Debian
> mirror you installed from and what updates you want to install.  Sucks
> that the apt cron job told the exit node that you were reading about
> an embarrassing medical condition through what Debian mirror you
> installed from and what time zone your VM is set for.

Time zone is UTC. We recommend (soon) to switch identity before/after manual updating.
If there are remaining issues, please share.

> Anonymity is hard!  Let's do crypto.
>
> > So what do you suppose to do with the Transparent Proxy feature? How do you
> > want to solve the operating system update dilemma? Can the Tor network
> > handle the load?
> >
> > Resolutions possible:
> > a) Propose a solution.
>
> (That sounds like politician-speak.)
>
> Use Tor 0.2.3.x-alpha, give the user 10 or more SocksPorts and 10 or
> more DNSPorts to point things which really need to be anonymous at,
> and no TransPort.
>
> In the VM you're trying to ‘anonymize’, run 10 or more
> transparent-proxy-through-SOCKS stubs (one for each user ID in which
> you run a non-SOCKS-friendly application that you want to
> ‘anonymize’), and set up iptables rules.

I think I understood what you mean. If the user starts Pidgin or chat with a pseudonym and starts the Tor Browser afterwards, the exit node may link all that to the same pseudonym. What I don't see here is, how does this affect specially transparent proxying? A user who uses what most users do, a normal Tor installation with SocksPort and socksified applications, then the same thing may happen.

> > b) Leave it complicated, a nice addon for power users only.
>
> Using a SocksPort safely is complicated.

Feel free to throw some problems. I'll try to find solutions and afterwards I'll create a user friendly howto to handle all that stuff.

> If you couldn't bother to SOCKSify an application's source code
> properly, did you audit it for all the possible information leaks
> that could nuke what little anonymity

Application level leaks are problematic. We have a page which describes many of these problems, including workarounds (we recommend Tor Browser etc.).

You are right. We are unable to review the source code of all applications for protocol leaks. On the other hand I don't get why this problem should be more acute with transparent proxying compared with socksifying.

Anyway, transparent proxying should be still safer than socksifying.

Something like this [1] can not happen with transparent proxying. The transparently proxied operating system does not know its real external IP, only its Tor exit IP. And can therefore never leak its real external IP. (An adversary would have to break into the transparently proxied operating system and into the transparent Tor proxy afterwards, but that is a different story.)

All other application level leaks may also happen when socksifying applications. When people do not like to socksify, they don't know how or when it's impossible, they use torsocks/usewithtor or the leaking [2] Windows alternatives. Also here transparent proxying is not more unsafe. Actually it's safer. DNS / UDP leaks are impossible. Real IP may also not leak, the operating system doesn't have a way to find it out.

> you had left after the cron jobs?

No cron jobs for auto updating. Answered above.

> > c) Encourage people to extensively use it.
>
> Let's not. <snip>

Of course we should not if we can not raid all the drawbacks. I am interested if there will be remaining drawbacks after answering and if we can raid them.

> > d) Leave the situation as it is. Tell me, not to release an easy
> > pre-configured package for an anonymous torified operating system.
>
> s/anonymous //
>
> You can prevent a system from making non-Torified connections without
> having to mash all of its traffic into the same Tor ‘identity’ with a
> single transparent proxy.

Isn't that the current state? What most Tor users do? They download and install Tor, use one SocksPort and socksify all their applications to use that one SocksPort?

We could recommend to use the non-Torified protected system only for one task (example: hosting a hidden service). And assign different SocksPort to other machines.

> > e) Remove the TransPort feature, make it even more complicated to use. So we
> > have to use transsocks again if we really want.
>
> Sounds like a good piece to split into a separate program, but
> splitting Tor's link protocols into separate processes is more
> immediately important.
>
> > f) Propose more, better solutions.
>
> (That sounds like politician-speak, too.)
>
> I'm all for auditing more applications, and then SOCKSifying them
> properly, so no one will need a transparent proxy.

That's difficult for many applications. That's why torsocks/usewithtor exists. Dunno if that also counts as socksify for you? So why transparent proxy has been implemented?

<snip>
>
> >         If someone were to promote an easy-to-use pre-configured
> > anonymous torified operating system, this could (I don't know,
> > that's why I ask here.) overload the network. This someone could be
> > me. I won't do it if you tell me not to do it, because I don't want
> > to kill the network I use. And someone else is probably not up to
> > it. The demand for such a thing is there, but no one started
> > working on it for years.
>
> Most of the people who were ‘up to it’ considered other tasks more
> important than developing an easy-to-misuse transparent proxy kit,
> and/or did not consider themselves qualified to make a
> transparent-proxied system (other than possibly Tails) ‘anonymous’.
> (I no longer think I'm capable of setting up an anonymous Debian
> system using a transparent proxy.  Fortunately, I never got around to
> that back when I did think I was capable of it.)

I think we did a good start. It's now much more clear than before with the wiki article transparent proxy. All the issues and (if possible) workarounds we come up here, will also be documented (and possibly fixed).

[1] https://tails.boum.org/security/IP_address_leak_with_icedove/index.en.html
[2] https://trac.torproject.org/projects/tor/wiki/doc/SupportPrograms#WindowsSOCKShttpForwardersproxychains

______________________________________________________
powered by Secure-Mail.biz - anonymous and secure e-mail accounts.
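
The per-user-ID layout proposed in the quoted reply (several SocksPorts and DNSPorts, no TransPort, one transparent-proxy-through-SOCKS stub per user ID, plus iptables rules), as an added example that is not part of the original message or of any project's own code. The UID range, all port numbers and the `debian-tor` account name are assumptions; the script only prints torrc lines and rules so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example. Assumed (hypothetical) layout:
#   UID 2001+i runs one non-SOCKS-aware application,
#   a SOCKS stub for that UID listens on 127.0.0.1:(12000+i)
#   and forwards to Tor's SocksPort (9100+i);
#   DNSPort (5300+i) answers that UID's DNS queries.
# IPv4 only: IPv6 needs matching ip6tables rules or must be disabled.
TOR_UID=${TOR_UID:-debian-tor}   # assumed account the tor daemon runs as
BASE_UID=2001; BASE_SOCKS=9100; BASE_DNS=5300; BASE_STUB=12000

# torrc fragment: one SocksPort/DNSPort pair per identity, no TransPort.
gen_torrc() {                    # $1 = number of identities
    i=0
    while [ "$i" -lt "$1" ]; do
        echo "SocksPort 127.0.0.1:$((BASE_SOCKS + i))"
        echo "DNSPort 127.0.0.1:$((BASE_DNS + i))"
        i=$((i + 1))
    done
}

# iptables commands: steer each UID to its own stub and DNSPort,
# then refuse anything that is not loopback or the tor daemon itself.
gen_iptables() {                 # $1 = number of identities
    i=0
    while [ "$i" -lt "$1" ]; do
        m="-m owner --uid-owner $((BASE_UID + i))"
        echo "iptables -t nat -A OUTPUT $m -p udp --dport 53 -j REDIRECT --to-ports $((BASE_DNS + i))"
        echo "iptables -t nat -A OUTPUT $m -p tcp --syn -j REDIRECT --to-ports $((BASE_STUB + i))"
        i=$((i + 1))
    done
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT"
    echo "iptables -A OUTPUT -j REJECT"
}

# Print both for N identities when called with an argument, e.g. "sh gen.sh 10".
if [ -n "${1:-}" ]; then
    gen_torrc "$1"
    gen_iptables "$1"
fi
```

The final REJECT rule means a UID without a stub, or any non-DNS UDP traffic, gets no network access at all instead of falling back to a direct connection.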


