Re: [qubes-users] Re: sys-whonix / tor / thunderbird
On Sunday, November 26, 2017 at 1:49:21 PM UTC, Unman wrote: > On Sun, Nov 26, 2017 at 03:07:38AM -0800, Yuraeitha wrote: > > On Friday, November 24, 2017 at 6:48:13 PM UTC, entr0py wrote: > > > Yuraeitha: > > > > On Friday, November 24, 2017 at 9:01:24 AM UTC, Bernhard wrote: > > > >> Hello, > > > >> > > > >> one of the most useful features of tor-browser is Ctl-Shift-L to change > > > >> the tor-path (and so, with high proba, the exit node IP) : this way, > > > >> websites that block a specific exit node for a certain time can be > > > >> still > > > >> loaded (of course some fascist websites block all tor-exits and so that > > > >> this measure does not help) . > > > >> > > > >> I feel that the same feature would be useful in other applications (in > > > >> particular in thunderbird). How can this be done? Maybe a "forced > > > >> reconnect" of IMAP connections suffices, but apart totally restarting > > > >> thunderbird I don't see how this can be done. Any hints? Or is there > > > >> good reason not to torify mail-fetching? Or never via IMAP? > > > >> > > > >> thank you, Bernhard > > > > > > Each request to your Tor client (in sys-whonix) via SocksPort is > > > accompanied by a SOCKS username and password. By clicking "New Tor > > > Circuit for this Site" in Tor Browser, you are changing the password > > > component, which causes the Tor client to generate a new circuit for the > > > same first-person domain when a request is received. > > > > > > Thunderbird is torrified by an extension called TorBirdy. Your requested > > > feature has been tracked for quite some time (5 years) but appears > > > nearing implementation now that Thunderbird-related roadblocks have been > > > cleared. (https://trac.torproject.org/projects/tor/ticket/6359) Also, the > > > main reason for that ticket is not circuit swapping but stream isolation. > > > At present (Whonix bonus), each different email server you connect to is > > > given a different circuit. With #6359, multiple accounts at the same > > > email provider can also be isolated by circuit. > > > > > > Currently, you can generate new circuits for all future Tor requests by > > > using the "New Identity" feature via one of the following equivalent > > > options: > > > 1. From anon-whonix, use "New Identity" in Tor Browser. (applies to all > > > Tor connections, not just the browser.) > > > 2. From sys-whonix, use arm/nyx (monitoring tool) to send New Identity > > > request > > > 3. From sys-whonix, send SIGNAL NEWNYM via telnet to 127.0.0.1:9051 > > > > > > > > > > More specially towards the question at hand, I think it's tricky to do > > > > something like that in Thunderbird, but I'm not a programmer, so I > > > > wouldn't know for sure. However, if you think about how it works in > > > > Qubes/Whonix/Tor, then the Tor browser appears to be tunneling > > > > Tor-Browser within Tor(Sys-whonix), basically doubling the onion layers > > > > compared to a regular Tor browser. I'm not entirely sure if this is the > > > > case, it's just something I figured must be the case. > > > > > > This is not correct. Tor-over-Tor is discouraged[1] and unlikely to work > > > in the future[2]. Whonix prevents Tor-over-Tor.[3][4] > > > > > > [1] > > > https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO#ToroverTor > > > [2] https://trac.torproject.org/projects/tor/ticket/2667 > > > [3] https://www.whonix.org/wiki/DoNot#Prevent_Tor_over_Tor_Scenarios > > > [4] https://www.whonix.org/wiki/Dev/anon-ws-disable-stacked-tor > > > > ah, good I made a disclaimer :') > > Though, it does seem rather unsafe to run multiple of qubes over the same > > exit nodes in the Tor network. > > > > The most dangerous security issue out there, imho at least, is the > > assumption you are safe, when you are not. If what you're saying is true, > > and I'm confident it is given your background, then this might cause some > > dangerous user habits on Qubes in particular, beyond that what is a concern > > by using just Whonix/Tor? Similar issue probably exits between Whonix and > > Tor, but to a lesser extent as Qubes does not have any warnings about this, > > which is particular a concern when it's easier to mess up in Qubes, and run > > the same applications over the same exit nodes, at the same time. > > > > I did hear the warning of not running Tor over Tor before, though it was so > > long back that only the Tor browser was around back then. I had assumed > > it'd been fixed by now on Whonix and in particular Qubes. Especially > > considering the dangerous trap Whonix and in particular Qubes creates when > > running more on the same exit node. > > > > You misunderstand. > It's not that qubes run over the same EXIT NODES, as you say. > Because of stream isolation they may run over the same entry node, but have > different circuits, so will probably exit Tor over different exit nodes. > > There is nothing to "fix" in Tor over Tor - you can do
Re: [qubes-users] Re: sys-whonix / tor / thunderbird
On Sun, Nov 26, 2017 at 03:07:38AM -0800, Yuraeitha wrote: > On Friday, November 24, 2017 at 6:48:13 PM UTC, entr0py wrote: > > Yuraeitha: > > > On Friday, November 24, 2017 at 9:01:24 AM UTC, Bernhard wrote: > > >> Hello, > > >> > > >> one of the most useful features of tor-browser is Ctl-Shift-L to change > > >> the tor-path (and so, with high proba, the exit node IP) : this way, > > >> websites that block a specific exit node for a certain time can be still > > >> loaded (of course some fascist websites block all tor-exits and so that > > >> this measure does not help) . > > >> > > >> I feel that the same feature would be useful in other applications (in > > >> particular in thunderbird). How can this be done? Maybe a "forced > > >> reconnect" of IMAP connections suffices, but apart totally restarting > > >> thunderbird I don't see how this can be done. Any hints? Or is there > > >> good reason not to torify mail-fetching? Or never via IMAP? > > >> > > >> thank you, Bernhard > > > > Each request to your Tor client (in sys-whonix) via SocksPort is > > accompanied by a SOCKS username and password. By clicking "New Tor Circuit > > for this Site" in Tor Browser, you are changing the password component, > > which causes the Tor client to generate a new circuit for the same > > first-person domain when a request is received. > > > > Thunderbird is torrified by an extension called TorBirdy. Your requested > > feature has been tracked for quite some time (5 years) but appears nearing > > implementation now that Thunderbird-related roadblocks have been cleared. > > (https://trac.torproject.org/projects/tor/ticket/6359) Also, the main > > reason for that ticket is not circuit swapping but stream isolation. At > > present (Whonix bonus), each different email server you connect to is given > > a different circuit. With #6359, multiple accounts at the same email > > provider can also be isolated by circuit. > > > > Currently, you can generate new circuits for all future Tor requests by > > using the "New Identity" feature via one of the following equivalent > > options: > > 1. From anon-whonix, use "New Identity" in Tor Browser. (applies to all Tor > > connections, not just the browser.) > > 2. From sys-whonix, use arm/nyx (monitoring tool) to send New Identity > > request > > 3. From sys-whonix, send SIGNAL NEWNYM via telnet to 127.0.0.1:9051 > > > > > > > More specially towards the question at hand, I think it's tricky to do > > > something like that in Thunderbird, but I'm not a programmer, so I > > > wouldn't know for sure. However, if you think about how it works in > > > Qubes/Whonix/Tor, then the Tor browser appears to be tunneling > > > Tor-Browser within Tor(Sys-whonix), basically doubling the onion layers > > > compared to a regular Tor browser. I'm not entirely sure if this is the > > > case, it's just something I figured must be the case. > > > > This is not correct. Tor-over-Tor is discouraged[1] and unlikely to work in > > the future[2]. Whonix prevents Tor-over-Tor.[3][4] > > > > [1] https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO#ToroverTor > > [2] https://trac.torproject.org/projects/tor/ticket/2667 > > [3] https://www.whonix.org/wiki/DoNot#Prevent_Tor_over_Tor_Scenarios > > [4] https://www.whonix.org/wiki/Dev/anon-ws-disable-stacked-tor > > ah, good I made a disclaimer :') > Though, it does seem rather unsafe to run multiple of qubes over the same > exit nodes in the Tor network. > > The most dangerous security issue out there, imho at least, is the assumption > you are safe, when you are not. If what you're saying is true, and I'm > confident it is given your background, then this might cause some dangerous > user habits on Qubes in particular, beyond that what is a concern by using > just Whonix/Tor? Similar issue probably exits between Whonix and Tor, but to > a lesser extent as Qubes does not have any warnings about this, which is > particular a concern when it's easier to mess up in Qubes, and run the same > applications over the same exit nodes, at the same time. > > I did hear the warning of not running Tor over Tor before, though it was so > long back that only the Tor browser was around back then. I had assumed it'd > been fixed by now on Whonix and in particular Qubes. Especially considering > the dangerous trap Whonix and in particular Qubes creates when running more > on the same exit node. > You misunderstand. It's not that qubes run over the same EXIT NODES, as you say. Because of stream isolation they may run over the same entry node, but have different circuits, so will probably exit Tor over different exit nodes. There is nothing to "fix" in Tor over Tor - you can do this if you wish, (except in Whonix), but the behaviour carries risks. If you are concered about running qubes over the same ENTRY node then you can use different TorVMs or Whonix-gws as proxies for different sets of qubes, so ensuring complete
Re: [qubes-users] Re: sys-whonix / tor / thunderbird
On Friday, November 24, 2017 at 6:48:13 PM UTC, entr0py wrote: > Yuraeitha: > > On Friday, November 24, 2017 at 9:01:24 AM UTC, Bernhard wrote: > >> Hello, > >> > >> one of the most useful features of tor-browser is Ctl-Shift-L to change > >> the tor-path (and so, with high proba, the exit node IP) : this way, > >> websites that block a specific exit node for a certain time can be still > >> loaded (of course some fascist websites block all tor-exits and so that > >> this measure does not help) . > >> > >> I feel that the same feature would be useful in other applications (in > >> particular in thunderbird). How can this be done? Maybe a "forced > >> reconnect" of IMAP connections suffices, but apart totally restarting > >> thunderbird I don't see how this can be done. Any hints? Or is there > >> good reason not to torify mail-fetching? Or never via IMAP? > >> > >> thank you, Bernhard > > Each request to your Tor client (in sys-whonix) via SocksPort is accompanied > by a SOCKS username and password. By clicking "New Tor Circuit for this Site" > in Tor Browser, you are changing the password component, which causes the Tor > client to generate a new circuit for the same first-person domain when a > request is received. > > Thunderbird is torrified by an extension called TorBirdy. Your requested > feature has been tracked for quite some time (5 years) but appears nearing > implementation now that Thunderbird-related roadblocks have been cleared. > (https://trac.torproject.org/projects/tor/ticket/6359) Also, the main reason > for that ticket is not circuit swapping but stream isolation. At present > (Whonix bonus), each different email server you connect to is given a > different circuit. With #6359, multiple accounts at the same email provider > can also be isolated by circuit. > > Currently, you can generate new circuits for all future Tor requests by using > the "New Identity" feature via one of the following equivalent options: > 1. From anon-whonix, use "New Identity" in Tor Browser. (applies to all Tor > connections, not just the browser.) > 2. From sys-whonix, use arm/nyx (monitoring tool) to send New Identity request > 3. From sys-whonix, send SIGNAL NEWNYM via telnet to 127.0.0.1:9051 > > > > More specially towards the question at hand, I think it's tricky to do > > something like that in Thunderbird, but I'm not a programmer, so I wouldn't > > know for sure. However, if you think about how it works in > > Qubes/Whonix/Tor, then the Tor browser appears to be tunneling Tor-Browser > > within Tor(Sys-whonix), basically doubling the onion layers compared to a > > regular Tor browser. I'm not entirely sure if this is the case, it's just > > something I figured must be the case. > > This is not correct. Tor-over-Tor is discouraged[1] and unlikely to work in > the future[2]. Whonix prevents Tor-over-Tor.[3][4] > > [1] https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO#ToroverTor > [2] https://trac.torproject.org/projects/tor/ticket/2667 > [3] https://www.whonix.org/wiki/DoNot#Prevent_Tor_over_Tor_Scenarios > [4] https://www.whonix.org/wiki/Dev/anon-ws-disable-stacked-tor ah, good I made a disclaimer :') Though, it does seem rather unsafe to run multiple of qubes over the same exit nodes in the Tor network. The most dangerous security issue out there, imho at least, is the assumption you are safe, when you are not. If what you're saying is true, and I'm confident it is given your background, then this might cause some dangerous user habits on Qubes in particular, beyond that what is a concern by using just Whonix/Tor? Similar issue probably exits between Whonix and Tor, but to a lesser extent as Qubes does not have any warnings about this, which is particular a concern when it's easier to mess up in Qubes, and run the same applications over the same exit nodes, at the same time. I did hear the warning of not running Tor over Tor before, though it was so long back that only the Tor browser was around back then. I had assumed it'd been fixed by now on Whonix and in particular Qubes. Especially considering the dangerous trap Whonix and in particular Qubes creates when running more on the same exit node. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/d56719b1-dcaf-4cd8-bc24-249ca7455989%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: sys-whonix / tor / thunderbird
2017-11-25 20:19 GMT-02:00 entr0py <3n7r0...@gmail.com>: > Not sure what you mean by "AppVM level" but "New Identity" marks ALL > circuits dirty regardless of where it's invoked. So using "New Identity" in > anon-whonix-6 is the same as using it in sys-whonix for purposes of > generating new circuits for Thunderbird. TorButton (in Tor Browser) > performs a few additional tasks as described in link below compared to arm, > but as it relates to circuits, they both send SIGNAL NEWNYM. > > https://stem.torproject.org/faq.html#how-do-i-request-a- > new-identity-from-tor > https://www.torproject.org/projects/torbrowser/design/#new-identity > I wasn't aware of that, good to know! -- iuri.neocities.org -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CAF0bz4QdZ2Ts4thWCAnhNeLVrrF9N8fgeYTEZ4E%3DYnMctTPjBg%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: sys-whonix / tor / thunderbird
Desobediente: > I think the most straightforward way to achieve this would be to leave the > arm terminal open > > KDE/XCFE Menu > sys-whonix > Arm - Tor Controller > > Then press 'n' for a new identity whenever desired. > > This will make a new tor circuit for every AppVM connected to sys-whonix. > > For the AppVM level, you may do as suggested - use the "new identity" > feature on a Tor Browser inside the same AppVM as thunderbird is running. > It could be anon-whonix, a clone of anon-whonix or any other AppVM using > whonix-ws as template. > > You could clone whonix-ws and install needed software in the cloned > template as well. > Not sure what you mean by "AppVM level" but "New Identity" marks ALL circuits dirty regardless of where it's invoked. So using "New Identity" in anon-whonix-6 is the same as using it in sys-whonix for purposes of generating new circuits for Thunderbird. TorButton (in Tor Browser) performs a few additional tasks as described in link below compared to arm, but as it relates to circuits, they both send SIGNAL NEWNYM. https://stem.torproject.org/faq.html#how-do-i-request-a-new-identity-from-tor https://www.torproject.org/projects/torbrowser/design/#new-identity -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/fb1af417-a554-7abd-26fd-9480fe9c39ae%40gmail.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: sys-whonix / tor / thunderbird
haaber: > On 11/24/17 13:47, entr0py wrote: >> Yuraeitha: >>> On Friday, November 24, 2017 at 9:01:24 AM UTC, Bernhard wrote: Hello, one of the most useful features of tor-browser is Ctl-Shift-L to change the tor-path (and so, with high proba, the exit node IP) : this way, websites that block a specific exit node for a certain time can be still loaded (of course some fascist websites block all tor-exits and so that this measure does not help) . I feel that the same feature would be useful in other applications (in particular in thunderbird). How can this be done? Maybe a "forced reconnect" of IMAP connections suffices, but apart totally restarting thunderbird I don't see how this can be done. Any hints? Or is there good reason not to torify mail-fetching? Or never via IMAP? thank you, Bernhard >> >> Each request to your Tor client (in sys-whonix) via SocksPort is accompanied >> by a SOCKS username and password. By clicking "New Tor Circuit for this >> Site" in Tor Browser, you are changing the password component, which causes >> the Tor client to generate a new circuit for the same first-person domain >> when a request is received. >> >> Thunderbird is torrified by an extension called TorBirdy. Your requested >> feature has been tracked for quite some time (5 years) but appears nearing >> implementation now that Thunderbird-related roadblocks have been cleared. >> (https://trac.torproject.org/projects/tor/ticket/6359) Also, the main reason >> for that ticket is not circuit swapping but stream isolation. At present >> (Whonix bonus), each different email server you connect to is given a >> different circuit. With #6359, multiple accounts at the same email provider >> can also be isolated by circuit. >> >> Currently, you can generate new circuits for all future Tor requests by >> using the "New Identity" feature via one of the following equivalent options: >> 1. From anon-whonix, use "New Identity" in Tor Browser. (applies to all Tor >> connections, not just the browser.) >> 2. From sys-whonix, use arm/nyx (monitoring tool) to send New Identity >> request >> 3. From sys-whonix, send SIGNAL NEWNYM via telnet to 127.0.0.1:9051 > > Thank you for this detailed answer. I read over the ticket & it seems > that socks was the problem & should be fine now. I wanted to copy the > "network-connections" config form tor-browser into a thunderbird, but I > do not understand anything there. It uses > file:///var/run/anon-ws-disable-stacked-tor/127.0.0.1_9150.sock > This folder contains a lot of 0-byte special files that are past my > understanding. Link [4] Did not help me :( > > Or should I better run thunderbird inside anon-whonix? Or clone > anon-whonix and run it there? > > Thanks, Bernhard > Wait, what are we talking about? I thought you were asking about "New Tor Circuit for this Site". Do you need help torrifying Thunderbird? If you are using Thunderbird in a non-whonix-workstation VM, you can install the TorBirdy extension and point it to your sys-whonix IP and Port 9102. Thunderbird is installed and torrified by default in anon-whonix already. You can use anon-whonix, clone it, make a new appVM based on whonix-ws, whatever fits your needs. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/94de539b-9760-e3cf-5e20-70283ab60e05%40gmail.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: sys-whonix / tor / thunderbird
I think the most straightforward way to achieve this would be to leave the arm terminal open KDE/XCFE Menu > sys-whonix > Arm - Tor Controller Then press 'n' for a new identity whenever desired. This will make a new tor circuit for every AppVM connected to sys-whonix. For the AppVM level, you may do as suggested - use the "new identity" feature on a Tor Browser inside the same AppVM as thunderbird is running. It could be anon-whonix, a clone of anon-whonix or any other AppVM using whonix-ws as template. You could clone whonix-ws and install needed software in the cloned template as well. -- iuri.neocities.org -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CAF0bz4SQJJLHet5mBMGxH-%2BffhS9eSSNY%2B_EJ6Y-37QmP%2B3F%3Dg%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: sys-whonix / tor / thunderbird
On 11/24/17 13:47, entr0py wrote: > Yuraeitha: >> On Friday, November 24, 2017 at 9:01:24 AM UTC, Bernhard wrote: >>> Hello, >>> >>> one of the most useful features of tor-browser is Ctl-Shift-L to change >>> the tor-path (and so, with high proba, the exit node IP) : this way, >>> websites that block a specific exit node for a certain time can be still >>> loaded (of course some fascist websites block all tor-exits and so that >>> this measure does not help) . >>> >>> I feel that the same feature would be useful in other applications (in >>> particular in thunderbird). How can this be done? Maybe a "forced >>> reconnect" of IMAP connections suffices, but apart totally restarting >>> thunderbird I don't see how this can be done. Any hints? Or is there >>> good reason not to torify mail-fetching? Or never via IMAP? >>> >>> thank you, Bernhard > > Each request to your Tor client (in sys-whonix) via SocksPort is accompanied > by a SOCKS username and password. By clicking "New Tor Circuit for this Site" > in Tor Browser, you are changing the password component, which causes the Tor > client to generate a new circuit for the same first-person domain when a > request is received. > > Thunderbird is torrified by an extension called TorBirdy. Your requested > feature has been tracked for quite some time (5 years) but appears nearing > implementation now that Thunderbird-related roadblocks have been cleared. > (https://trac.torproject.org/projects/tor/ticket/6359) Also, the main reason > for that ticket is not circuit swapping but stream isolation. At present > (Whonix bonus), each different email server you connect to is given a > different circuit. With #6359, multiple accounts at the same email provider > can also be isolated by circuit. > > Currently, you can generate new circuits for all future Tor requests by using > the "New Identity" feature via one of the following equivalent options: > 1. From anon-whonix, use "New Identity" in Tor Browser. (applies to all Tor > connections, not just the browser.) > 2. From sys-whonix, use arm/nyx (monitoring tool) to send New Identity request > 3. From sys-whonix, send SIGNAL NEWNYM via telnet to 127.0.0.1:9051 Thank you for this detailed answer. I read over the ticket & it seems that socks was the problem & should be fine now. I wanted to copy the "network-connections" config form tor-browser into a thunderbird, but I do not understand anything there. It uses file:///var/run/anon-ws-disable-stacked-tor/127.0.0.1_9150.sock This folder contains a lot of 0-byte special files that are past my understanding. Link [4] Did not help me :( Or should I better run thunderbird inside anon-whonix? Or clone anon-whonix and run it there? Thanks, Bernhard -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/89991eca-5825-16d3-5169-94efdc0d299d%40web.de. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: sys-whonix / tor / thunderbird
Yuraeitha: > On Friday, November 24, 2017 at 9:01:24 AM UTC, Bernhard wrote: >> Hello, >> >> one of the most useful features of tor-browser is Ctl-Shift-L to change >> the tor-path (and so, with high proba, the exit node IP) : this way, >> websites that block a specific exit node for a certain time can be still >> loaded (of course some fascist websites block all tor-exits and so that >> this measure does not help) . >> >> I feel that the same feature would be useful in other applications (in >> particular in thunderbird). How can this be done? Maybe a "forced >> reconnect" of IMAP connections suffices, but apart totally restarting >> thunderbird I don't see how this can be done. Any hints? Or is there >> good reason not to torify mail-fetching? Or never via IMAP? >> >> thank you, Bernhard Each request to your Tor client (in sys-whonix) via SocksPort is accompanied by a SOCKS username and password. By clicking "New Tor Circuit for this Site" in Tor Browser, you are changing the password component, which causes the Tor client to generate a new circuit for the same first-person domain when a request is received. Thunderbird is torrified by an extension called TorBirdy. Your requested feature has been tracked for quite some time (5 years) but appears nearing implementation now that Thunderbird-related roadblocks have been cleared. (https://trac.torproject.org/projects/tor/ticket/6359) Also, the main reason for that ticket is not circuit swapping but stream isolation. At present (Whonix bonus), each different email server you connect to is given a different circuit. With #6359, multiple accounts at the same email provider can also be isolated by circuit. Currently, you can generate new circuits for all future Tor requests by using the "New Identity" feature via one of the following equivalent options: 1. From anon-whonix, use "New Identity" in Tor Browser. (applies to all Tor connections, not just the browser.) 2. From sys-whonix, use arm/nyx (monitoring tool) to send New Identity request 3. From sys-whonix, send SIGNAL NEWNYM via telnet to 127.0.0.1:9051 > More specially towards the question at hand, I think it's tricky to do > something like that in Thunderbird, but I'm not a programmer, so I wouldn't > know for sure. However, if you think about how it works in Qubes/Whonix/Tor, > then the Tor browser appears to be tunneling Tor-Browser within > Tor(Sys-whonix), basically doubling the onion layers compared to a regular > Tor browser. I'm not entirely sure if this is the case, it's just something I > figured must be the case. This is not correct. Tor-over-Tor is discouraged[1] and unlikely to work in the future[2]. Whonix prevents Tor-over-Tor.[3][4] [1] https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO#ToroverTor [2] https://trac.torproject.org/projects/tor/ticket/2667 [3] https://www.whonix.org/wiki/DoNot#Prevent_Tor_over_Tor_Scenarios [4] https://www.whonix.org/wiki/Dev/anon-ws-disable-stacked-tor -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/0c44e747-e282-14fd-e2cb-9dc7ea8f7bf9%40gmail.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: sys-whonix / tor / thunderbird
On Friday, November 24, 2017 at 9:01:24 AM UTC, Bernhard wrote: > Hello, > > one of the most useful features of tor-browser is Ctl-Shift-L to change > the tor-path (and so, with high proba, the exit node IP) : this way, > websites that block a specific exit node for a certain time can be still > loaded (of course some fascist websites block all tor-exits and so that > this measure does not help) . > > I feel that the same feature would be useful in other applications (in > particular in thunderbird). How can this be done? Maybe a "forced > reconnect" of IMAP connections suffices, but apart totally restarting > thunderbird I don't see how this can be done. Any hints? Or is there > good reason not to torify mail-fetching? Or never via IMAP? > > thank you, Bernhard This might seem slightly off-topic at first, but bare with me, it gets increasingly on-topic. What kind of e-mail are you trying to download over Tor though? Like in general, Tor hides who you are, but not necessarily what is send/received at exit/enter nodes. If any encryption, like SSL/https is poorly handled, i.e. by the server/website you visit, then it's not enough security through Tor exit/enter nodes. So for example, if your e-mail has at any point, whatsoever, in any way, been leaked with information linking it to you, or giving any clues that a detective can use to identify you, then it's game-over for that e-mail address, and you need to make a new address. Though it depends on your needs of course, for example if you don't care about governments, large corporations, or resourceful hacker groups, but only want to hide from the regular typical everyday hacker and businesses, mass surveillance, etc. then the e-mail is not compromised and can still be used on Tor. Aight, so the point, what exactly do you want to hide your e-mail from? In my experience, there are different approaches to different scenarios, which includes e-mails too. More specially towards the question at hand, I think it's tricky to do something like that in Thunderbird, but I'm not a programmer, so I wouldn't know for sure. However, if you think about how it works in Qubes/Whonix/Tor, then the Tor browser appears to be tunneling Tor-Browser within Tor(Sys-whonix), basically doubling the onion layers compared to a regular Tor browser. I'm not entirely sure if this is the case, it's just something I figured must be the case. In other words, when you do this exit node change in your Tor browser, this does change your exit from your Browser, but not the exit node from your sys-whonix Tor network. Basically, the middle link between the two onion Tor layers, remains the same until it changes on its own automatically like usual. In other words, the Tor Browser can do this, because it itself is tied directly tor the Tor network. But for applications, like Thunderbird, it has no means to communicate with the Tor network, and it seems unlikely something the whonix developers, or the Tor developers, would want to implement given the extra overhead or potential issues introduced through further complexity (but I wouldn't know, I'm guessing towards that). Also this is probably a better question asked on either the Whonix or Tor forums, probably most fitting for the whonix forums. The people over there know waay more, unless if lucky and one of them happens to drop by here. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/ffbe5b42-0554-48a4-913f-ec34d80eca2d%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.