Re: [Tails-dev] network.proxy.socks_remote_dns and localhost

2012-11-14 Thread adrelanos
Ague Mill:
> Hi!
> 
> Since we now include Torbrowser patches, we gained the
> `network.proxy.socks_remote_dns` preference.
> 
> It's implemented in:
> 
> 
> When this option is true, Firefox will fail every name resolving request
> that is not going through a proxy (except when asked the noop that is
> resolving an IP address).
> 
> socks_remote_dns is set to true by Torbutton. This is currently seen as
> mandatory: when set to false, Torbutton assumes we are out of "Tor mode"
> and displays a broken onion.
> 
> This state of affairs currently breaks (at least) two things in Tails
> 0.14:
> 
>  * Access to the I2P router console through `http://localhost:7657/`.
>  * The Monkeysphere extension is not able to connect to the validation
>    agent. (This one also requires a new whitelist rule in FoxyProxy
>    to fully work again.)
> 
> Both can be fixed by using `127.0.0.1` instead of `localhost`. That's
> good enough if there's not an army of similar issues behind.
> 
> But given that Tails system resolver is using Tor, this already takes care
> of the leaks that `socks_remote_dns` prevents. So we could also modify
> Torbutton to think good things about our torified system resolver.

"socks_remote_dns true" uses Tor Browser's socks port (SocksPort) for
DNS resolution while "socks_remote_dns false" uses the torified system
DNS resolver (DnsPort). SocksPort and DnsPort are stream isolated.

I recommend against using "socks_remote_dns false". It would lead to
having a different Tor circuit resolving DNS, thus worsening Tails's web
fingerprint. (http://check2ip.com/ demonstrates showing your DNS server)

Cheers,
adrelanos
___
tails-dev mailing list
tails-dev@boum.org
https://mailman.boum.org/listinfo/tails-dev


Re: [Tails-dev] network.proxy.socks_remote_dns and localhost

2012-11-14 Thread intrigeri
Hi,

Ague Mill wrote (14 Nov 2012 15:50:17 GMT) :
> Please review

(WAN speaking: merge -> experimental.)

> bugfix/i2p_console_bookmark and

It took me some time to understand why the commit that updates the
bookmark, as documented, also removes a FoxyProxy config entry (there
used to be two entries, one for localhost and another one for 127.0.0.1,
so it makes sense to remove the former). Please update the commit
message so that this is made clear.

Otherwise, looks good (untested, though, no time to build an ISO and
test it right now)!

> bugfix/monkeysphere_post_torbrowser branches.

"So we add a patch to make MVSA bind the IPv4 instead of 'localhost'."
in the commit message is confusing, given MSVA already binds to
127.0.0.1 IPv4 without this patch.

I'm a bit surprised about "The Monkeysphere extension also needs a new
passthrough in FoxyProxy rules to properly get a direct connection to
the agent". I'm curious what we changed since 0.13 that makes this now
needed, while it supposedly was working in there. Anyway, the proposed
change generally makes sense, so this looks good.

Otherwise, all right for this branch -- no time to build and test an
ISO right now, sorry.

Cheers,
-- 
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc


Re: [Tails-dev] network.proxy.socks_remote_dns and localhost

2012-11-14 Thread Ague Mill
intrigeri:
> Ague Mill wrote (14 Nov 2012 09:34:46 GMT) :
> > Both can be fixed by using `127.0.0.1` instead of `localhost`.
> > That's good enough if there's not an army of similar issues behind.
> 
> > But given that Tails system resolver is using Tor, this already takes care
> > of the leaks that `socks_remote_dns` prevents. So we could also modify
> > Torbutton to think good things about our torified system resolver.
> 
> > What do you think?
> 
> I propose we fix the Monkeysphere and I2P -related issues by using
> 127.0.0.1 instead of localhost -- and if many similar issues arise
> later, then we can still consider patching Torbutton.

Agreed. Please review bugfix/i2p_console_bookmark and
bugfix/monkeysphere_post_torbrowser branches.

-- 
Ague




Re: [Tails-dev] network.proxy.socks_remote_dns and localhost

2012-11-14 Thread intrigeri
Ague Mill wrote (14 Nov 2012 09:34:46 GMT) :
> Both can be fixed by using `127.0.0.1` instead of `localhost`.
> That's good enough if there's not an army of similar issues behind.

> But given that Tails system resolver is using Tor, this already takes care
> of the leaks that `socks_remote_dns` prevents. So we could also modify
> Torbutton to think good things about our torified system resolver.

> What do you think?

I propose we fix the Monkeysphere and I2P -related issues by using
127.0.0.1 instead of localhost -- and if many similar issues arise
later, then we can still consider patching Torbutton.

Cheers,
-- 
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc


[Tails-dev] network.proxy.socks_remote_dns and localhost

2012-11-14 Thread Ague Mill
Hi!

Since we now include Torbrowser patches, we gained the
`network.proxy.socks_remote_dns` preference.

It's implemented in:


When this option is true, Firefox will fail every name resolving request
that is not going through a proxy (except when asked the noop that is
resolving an IP address).

socks_remote_dns is set to true by Torbutton. This is currently seen as
mandatory: when set to false, Torbutton assumes we are out of "Tor mode"
and displays a broken onion.

This state of affairs currently breaks (at least) two things in Tails
0.14:

 * Access to the I2P router console through `http://localhost:7657/`.
 * The Monkeysphere extension is not able to connect to the validation
   agent. (This one also requires a new whitelist rule in FoxyProxy
   to fully work again.)

Both can be fixed by using `127.0.0.1` instead of `localhost`. That's
good enough if there's not an army of similar issues behind.

But given that Tails system resolver is using Tor, this already takes care
of the leaks that `socks_remote_dns` prevents. So we could also modify
Torbutton to think good things about our torified system resolver.

What do you think?

-- 
Ague
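
An added example, not part of the original thread or of Tails code: a simplified Python model of the behaviour described in the message above, where a request that bypasses the proxy only succeeds under `socks_remote_dns = true` if its host is an IP literal. The function names, `DIRECT_HOSTS` (standing in for FoxyProxy direct-connection rules) and the sample URLs are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit, urlunsplit

def is_ip_literal(host):
    """True if host is an IPv4/IPv6 literal, so no name lookup is needed."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def classify(url, direct_hosts):
    """Model of the thread's description, not Firefox's actual code path."""
    host = (urlsplit(url).hostname or "").lower()
    if host not in direct_hosts:
        return "proxied"        # name is resolved remotely via the SOCKS proxy
    if is_ip_literal(host):
        return "direct-ok"      # resolving an IP address is a no-op
    return "direct-broken"      # local name lookup is refused

def loopback_fix(url):
    """Rewrite a 'localhost' URL to 127.0.0.1, keeping port and userinfo."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() != "localhost":
        return url
    userinfo, at, _ = parts.netloc.rpartition("@")
    port = f":{parts.port}" if parts.port is not None else ""
    return urlunsplit(parts._replace(netloc=f"{userinfo}{at}127.0.0.1{port}"))

# Constructed sample data: hosts that a direct-connection rule would match,
# and URLs as they might appear in bookmarks or extension settings.
DIRECT_HOSTS = {"localhost", "127.0.0.1"}
SAMPLE_URLS = [
    "http://localhost:7657/",   # I2P router console URL named in the thread
    "http://127.0.0.1:7657/",
    "https://example.org/",
]

def audit(urls, direct_hosts=DIRECT_HOSTS):
    """Return (url, verdict, suggested_fix) for each URL."""
    report = []
    for url in urls:
        verdict = classify(url, direct_hosts)
        fix = loopback_fix(url) if verdict == "direct-broken" else None
        report.append((url, verdict, fix))
    return report

if __name__ == "__main__":
    for row in audit(SAMPLE_URLS):
        print(row)
```
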
