Re: [tor-dev] Tor Relays on Whonix Gateway

2016-10-19 Thread David Fifield
On Wed, Oct 19, 2016 at 10:35:16PM +0200, ban...@openmailbox.org wrote:
> On 2016-10-17 10:24, isis agora lovecruft wrote:
> > 
> > You're planning to enable "ServerTransportPlugin snowflake" on Whonix
> > Gateways
> > by default?  And then "ClientTransportPluging snowflake" on workstations
> > behind the gateway?
> 
> I was planning to enable the server by default (I thought WebRTC was P2P
> though) but after looking at it some more I don't think it's a good idea.

It doesn't make sense to run the Snowflake server on a lot of bridges
anyway. It's not like the obfs* model where you need lots of bridges in
order to get IP diversity. Snowflake gets IP diversity by routing
through web browsers. The bridge itself may even be blocked by the
censor; it doesn't matter.

The server component of Snowflake isn't even WebRTC. Snowflake is WebRTC
between the client and the browser proxy, then WebSocket (which is
easier to program) between the browser proxy and the bridge. The server
component is actually just a WebSocket server, borrowed from flash
proxy.
___
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
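To make the two sides isis asks about concrete, here is an added torrc sketch of what "ServerTransportPlugin snowflake" on a gateway and "ClientTransportPlugin snowflake" on a workstation would each mean. This is an illustration written for this archive, not configuration from Whonix, the Snowflake project, or any poster; the binary paths, ports and the bridge address are placeholders.

```text
## Bridge (gateway) side: what "ServerTransportPlugin snowflake" means.
## Paths and ports below are assumed placeholders, not project defaults.
BridgeRelay 1
ORPort 9001                    # plain OR port; tor still requires one
ExtORPort auto                 # the transport hands accepted connections to tor here
ServerTransportPlugin snowflake exec /usr/bin/snowflake-server   # assumed path
ServerTransportListenAddr snowflake 0.0.0.0:443                   # the WebSocket listener
PublishServerDescriptor bridge

## Client (workstation) side: what "ClientTransportPlugin snowflake" means.
UseBridges 1
ClientTransportPlugin snowflake exec /usr/bin/snowflake-client   # assumed path
Bridge snowflake 192.0.2.3:1   # placeholder address; the real endpoint is found via the broker
```

The asymmetry matches David's description: the client side speaks WebRTC to a browser proxy, so it needs no inbound port and works from behind a NAT, while the bridge side is a plain WebSocket listener that must accept inbound TCP. That is exactly the inbound reachability a VM behind a virtual NAT lacks without port forwarding, which is why enabling the server role by default on a gateway does not buy what the client role does.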


Re: [tor-dev] Tor Relays on Whonix Gateway

2016-10-19 Thread bancfc

On 2016-10-17 10:24, isis agora lovecruft wrote:
> ban...@openmailbox.org transcribed 1.7K bytes:
>> On 2016-10-17 03:04, teor wrote:
>>>> On 7 Oct 2016, at 08:11, ban...@openmailbox.org wrote:
>>>>
>>>> Should Whonix document/encourage end users to turn clients into relays
>>>> on their machines?
>>>
>>> Probably not:
>>> * it increases the attack surface,
>>> * it makes their IP address public,
>>> * the relays would be of variable quality.
>>>
>>> Why not encourage them to run bridge relays instead, if their connection
>>> is fast enough?
>>
>> Good idea. We are waiting for snowflake bridge transport to be ready and we
>> plan to enable it by default on Whonix Gateway. It's optimal because no port
>> forwarding is needed or changes to firewall settings (because VMs connect
>> from behind virtual NATs).
>
> You're planning to enable "ServerTransportPlugin snowflake" on Whonix
> Gateways by default?  And then "ClientTransportPlugin snowflake" on
> workstations behind the gateway?

I was planning to enable the server by default (I thought WebRTC was P2P
though) but after looking at it some more I don't think it's a good idea.


Not everyone is in a position to run a bridge because they may be living
in a censored area themselves. It might also make Whonix users stand out
if it was a default. Also Snowflake servers may actually be exposing
themselves to privacy risks, which is not something we are prepared to
do:

"A popular privacy measure advocated to certain classes of users (eg:
those that use VPN systems) has been to disable WebRTC due to the
potential privacy impact. While this is not a concern for Tor Browser
users using snowflake as a transport, there is a segment of people that
view WebRTC as harmful to anonymity, and the volunteers that are
contributing bandwidth are exposed to such risks."

https://trac.torproject.org/projects/tor/wiki/doc/PluggableTransports/SnowFlakeEvaluation

***

Off-topic: I think a pluggable transport that's implemented with
bittorrent would be awesome because of how widespread the protocol is
and because of the existing infrastructure out there that users can
potentially bootstrap off of if seed servers volunteer to run a bridge
server/facilitator.



Re: [tor-dev] Tor Relays on Whonix Gateway

2016-10-17 Thread teor

> On 17 Oct 2016, at 19:48, juanjo  wrote:
> 
> Interesting... I thought that a Tor client running a relay would actually 
> help its privacy because you can't tell if its a client connection or relay 
> connection…

It depends what sort of privacy you're after.
It provides a certain level of traffic hiding, but it makes the IP address and
uptime/downtime/latency/weird pauses public. We don't recommend it.

T

> 
> On 17/10/2016 at 3:04, teor wrote:
>>> On 7 Oct 2016, at 08:11, ban...@openmailbox.org
>>>  wrote:
>>> 
>>> Should Whonix document/encourage end users to turn clients into relays on 
>>> their machines?
>>> 
>> Probably not:
>> * it increases the attack surface,
>> * it makes their IP address public,
>> * the relays would be of variable quality.
>> 
>> Why not encourage them to run bridge relays instead, if their connection is
>> fast enough?
>> 
>> T

T

--
Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org
--


Re: [tor-dev] Tor Relays on Whonix Gateway

2016-10-17 Thread juanjo
Interesting... I thought that a Tor client running a relay would
actually help its privacy because you can't tell if it's a client
connection or relay connection...



On 17/10/2016 at 3:04, teor wrote:
>> On 7 Oct 2016, at 08:11, ban...@openmailbox.org wrote:
>>
>> Should Whonix document/encourage end users to turn clients into relays on their
>> machines?
>
> Probably not:
> * it increases the attack surface,
> * it makes their IP address public,
> * the relays would be of variable quality.
>
> Why not encourage them to run bridge relays instead, if their connection is
> fast enough?
>
> T



Re: [tor-dev] Tor Relays on Whonix Gateway

2016-10-17 Thread isis agora lovecruft
ban...@openmailbox.org transcribed 1.7K bytes:
> On 2016-10-17 03:04, teor wrote:
> >>On 7 Oct 2016, at 08:11, ban...@openmailbox.org wrote:
> >>
> >>Should Whonix document/encourage end users to turn clients into relays
> >>on their machines?
> >
> >Probably not:
> >* it increases the attack surface,
> >* it makes their IP address public,
> >* the relays would be of variable quality.
> >
> >Why not encourage them to run bridge relays instead, if their connection
> >is
> >fast enough?
> 
> Good idea. We are waiting for snowflake bridge transport to be ready and we
> plan to enable it by default on Whonix Gateway. Its optimal because no port
> forwarding is needed or changes to firewall settings (because VMs connect
> from behind virtual NATs).

You're planning to enable "ServerTransportPlugin snowflake" on Whonix Gateways
by default?  And then "ClientTransportPluging snowflake" on workstations
behind the gateway?

-- 
 ♥Ⓐ isis agora lovecruft
_
OpenPGP: 4096R/0A6A58A14B5946ABDE18E207A3ADB67A2CDB8B35
Current Keys: https://fyb.patternsinthevoid.net/isis.txt


Re: [tor-dev] Tor Relays on Whonix Gateway

2016-10-16 Thread bancfc

On 2016-10-17 03:04, teor wrote:
>> On 7 Oct 2016, at 08:11, ban...@openmailbox.org wrote:
>>
>> Should Whonix document/encourage end users to turn clients into relays
>> on their machines?
>
> Probably not:
> * it increases the attack surface,
> * it makes their IP address public,
> * the relays would be of variable quality.
>
> Why not encourage them to run bridge relays instead, if their
> connection is fast enough?

Good idea. We are waiting for snowflake bridge transport to be ready and
we plan to enable it by default on Whonix Gateway. It's optimal because
no port forwarding is needed or changes to firewall settings (because
VMs connect from behind virtual NATs).


Re: [tor-dev] Tor Relays on Whonix Gateway

2016-10-16 Thread teor

> On 7 Oct 2016, at 08:11, ban...@openmailbox.org wrote:
> 
> Should Whonix document/encourage end users to turn clients into relays on 
> their machines?

Probably not:
* it increases the attack surface,
* it makes their IP address public,
* the relays would be of variable quality.

Why not encourage them to run bridge relays instead, if their connection is
fast enough?

T

--
Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org
--