Hi, another concern I have with the current state of feature/unsafe-browser is that the clearnet user is allowed to connect to Tor, Polipo, pdnsd and ttdnsd, which may make possible some classes of new deanonymization attacks against Tails users.
I guess it would be relatively easy to implement stricter permissions, similar to Liberté's policy on the loopback network interface (see src/usr/local/sbin/fw-reload in their source tree). IIRC it was also suggested to simply shutdown Tor altogether while the unsafe-browser is running, which might be simpler than a iptables-based solution to this problem (independently from that, I think a stricter iptables policy would be a welcome hardening improvement anyway). What do you think? (I can't find any summary of our previous thinking on this topic, so if we already dismissed it for good reasons, at least it should be made explicit in the design notes.) Cheers, -- intrigeri | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc _______________________________________________ tails-dev mailing list [email protected] https://mailman.boum.org/listinfo/tails-dev
