[tor-talk] Tor and TBB Issues Needing Good Advice

Mirimir mirimir at riseup.net
Sun Jan 21 22:05:01 UTC 2018

On 01/21/2018 04:52 AM, Andreas Krey wrote:
> On Sun, 21 Jan 2018 09:13:29 +0000, Wanderingnet wrote:
>> So far I have been unable to gain a working torrc and iptables setup for either tor, or, particularly, Tor Browser Bundle.
> TBB works right out of the box. Dear casual reader, please don't be alarmed by this post.

It does indeed. But it's a fragile thing, in that there's no protection
against malware that bypasses Tor. FBI's NIT is a clear demonstration.
There's no firewall, unless the user configures one.

>> And believe me, I've read, searched and tried - a lot. Funnily, many of the security advantages of using Tor are defeated by the need for heavy research
> You fail to indicate what research is needed, and for that matter why.

Documentation for using Tor as a standalone service is rather iffy and
poorly maintained, is it not? Especially for Windows. Not that I'd
encourage anyone to use Tor in Windows.

> ...
>> For examples, TBB does not run as a service as tor does,
> Well yes, that is the point. TBB is something a user starts.
> How do you want to run a browser in a service (and for that matter,
> what even is a 'service' under unix)?


> ...
>> 1. A clear explanation of how Linux solicits and maintains network connections, particularly with regard to public wifi negotiation.
> How is that specific to tor?
>> 3. A clear explanation of all required allowances in iptables, of Tor, including by port if possible, and including of addresses like those for LAN et al. NAT table routing has proven particularly challenging.
> Wat? The only thing tor connects to are either some guards, or some
> bridges, and at least for the former there is no way to predict what IP
> addresses or ports they have.
> The question is what you want to achieve with iptable rules regarding
> tor. tor does only do outbound connections, and those are to unpredictable
> addr/ports, and the question is what you want iptables to prevent. If you
> have a good tor there is nothing to protect against, and if you somehow
> got a subverted tor, it will not be as stupid as to use separate outbound
> TCP connections for phoning home, but instead do that through tor.

Maybe "a subverted tor" wouldn't be stupid enough to do that, but that's
what FBI's NIT does. And that's how many Tor users got pwned by it.

> So basically, while you could go on and download the consensus to find
> out what addresses tor should be able to connect to, you can just as well
> trust it to do exactly that.

Yes, it doesn't work to secure Tor using iptables rules that are based
on IPs and ports. What does work is only allowing outbound traffic from
the Tor process. Or better yet, running Tor in a separate gateway
machine/VM, and allowing the workspace machine/VM to connect only to Tor
in the gateway. Which is what Whonix does, right out of the box.

>> 4. A method for running TBB with custom torrc, observing the failure of default port specification (which is part of port securing in custom hashed passwords, etc.)
> What do you mean with 'failure of default port specification'?
>> 6. A walkthrough for advanced isolation methods like dedicated user accounts, which have so far proven impossible to run with TBB from a separate account,
> Huh? Create separate account, run tbb there via 'ssh -X account .../tor-browser-me/Browser/start-tor-browser'?
>> and network namespaces, which appear to be a potentially powerful isolation solution but which I have not seen adapted to this purpose yet, despite being considerably lighter than complete OS virtualisation/containers.
> https://hub.docker.com/r/hkjn/tor-browser/
> https://blog.jessfraz.com/post/running-a-tor-relay-with-docker/

This _is_ good stuff.

> ...
>> Any helpful advice would be appreciated.
> It would also help to state in more detail what you want to achieve,
> and what you want to guard against.
> - Andreas
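
The two mitigations Mirimir describes above (restrict egress to the Tor process on a single host; on a workstation VM, allow connections only to Tor on a gateway VM) as an added worked example. This script is not from the thread and is not Mirimir's, Andreas's or the Tor Project's code. It prints the iptables commands by default and only installs them when run with APPLY=1 as root. The Tor user name "debian-tor", the gateway address 10.152.152.10 and the SocksPort/TransPort/DNSPort numbers 9050/9040/5300 are constructed sample values, not taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the tor-talk thread. Builds the two iptables
# OUTPUT policies discussed in the reply: (1) on a single host, only the
# process running as the Tor user may open outbound connections; (2) on a
# workstation VM, the only reachable destination is Tor on the gateway VM.
# Rules are printed by default; APPLY=1 runs them (requires root and iptables).
# Assumptions (constructed, not from the thread): Tor user "debian-tor",
# gateway address 10.152.152.10, SocksPort 9050, TransPort 9040, DNSPort 5300.

TOR_USER="${TOR_USER:-debian-tor}"
GATEWAY_IP="${GATEWAY_IP:-10.152.152.10}"
GATEWAY_TCP_PORTS="${GATEWAY_TCP_PORTS:-9050 9040}"
GATEWAY_DNS_PORT="${GATEWAY_DNS_PORT:-5300}"
APPLY="${APPLY:-0}"

# Print one iptables command, or execute it when APPLY=1.
ipt() {
    if [ "$APPLY" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# Host policy: default-deny egress, then allow loopback (so local apps can
# reach Tor's SocksPort on 127.0.0.1), replies on established connections,
# and new connections only when the socket owner is the Tor user. Anything
# else is logged (rate-limited) and rejected. The policy is set to DROP
# before the chain is flushed so the host fails closed while rules load.
tor_process_only_rules() {
    ipt -P OUTPUT DROP
    ipt -F OUTPUT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m owner --uid-owner "$TOR_USER" -j ACCEPT
    ipt -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "non-tor-egress: "
    ipt -A OUTPUT -j REJECT
}

# Workstation policy: no process on this VM gets direct Internet access;
# the only permitted destinations are Tor's listening ports on the gateway.
# DNS goes to Tor's DNSPort on the gateway, never to a public resolver.
tor_gateway_only_rules() {
    ipt -P OUTPUT DROP
    ipt -F OUTPUT
    ipt -A OUTPUT -o lo -j ACCEPT
    for port in $GATEWAY_TCP_PORTS; do
        ipt -A OUTPUT -p tcp -d "$GATEWAY_IP" --dport "$port" -j ACCEPT
    done
    ipt -A OUTPUT -p udp -d "$GATEWAY_IP" --dport "$GATEWAY_DNS_PORT" -j ACCEPT
    ipt -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "non-gateway-egress: "
    ipt -A OUTPUT -j REJECT
}

# Usage: MODE=host sh tor-egress.sh                  (print host rules)
#        MODE=workstation APPLY=1 sh tor-egress.sh   (install workstation rules)
case "${MODE:-}" in
    host)        tor_process_only_rules ;;
    workstation) tor_gateway_only_rules ;;
esac
```

Two caveats a practitioner will want. First, these rules cover IPv4 only; the same chain has to be installed with ip6tables (or IPv6 disabled), otherwise a process can leak over v6. Second, the owner match only applies to packets generated by local sockets, so the host policy does nothing for traffic a gateway forwards on behalf of other machines; on a gateway VM the FORWARD chain must also default to DROP so workstation traffic can only enter Tor through its TransPort and DNSPort, which is the arrangement Whonix ships.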
