Ague Mill:
>> In our (I'm cc'ing Marsh here, please keep him in the cc list unless he
>> objects) recent FOCI12 paper, we discuss some novel attacks on VPNs and
>> we focus on anonymity related issues. Largely, I think that this paper
>> is not news to Tails developers, I even sent in a pre-release copy
>> months in advance to a few Tails hackers.
>>
>> Here are the URLs for the paper:
>> https://www.usenix.org/conference/foci12/vpwns-virtual-pwned-networks
>> https://www.usenix.org/system/files/conference/foci12/foci12-final8.pdf
>
> We have already put on our plate to do a proper review of it:
> <https://tails.boum.org/todo/analyze_Jake_FOCI12_paper/>
Ah, cool! Great!

>> So my main concern was that we found the lack of transparent routing to
>> be an actual hole in Tails. There is not a compelling reason for
>> allowing all RFC1918 space given our findings.
>
> This might need to be discussed some more, but probably what needs to be
> done is filtering RFC1918 by default. But Tails is also meant to be able
> to produce documents. Some users might need to get sources on a NAS or
> use a printer in their local network.

I agree. At least, make the gap smaller, right? Why the entire RFC 1918
space? Why not the local network only?

> So implementation is not only about changing three lines in the
> firewall, but also about having a way for users to allow access to the
> local network. This is not hard, but makes it less trivial.

Sure, I think that's fine - so parse the dhcp lease, allow traffic to the
local /24 (or whatever) and deny the router - now at least you can't by
default send any data to the internet.

All the best,
Jake

_______________________________________________
tails-dev mailing list
https://mailman.boum.org/listinfo/tails-dev
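The approach Jake sketches in his last paragraph, worked through as an added example that is not part of the original thread and not Tails code: parse a dhclient lease, allow the local subnet it describes, deny every gateway the lease lists (one step beyond the single router Jake mentions, since any listed router forwards traffic off the LAN), and drop the rest of RFC 1918 space. The lease text is constructed (two blocks, the earlier one stale, as dhclient appends them), the OUTPUT chain name is an assumption, and the rules match on destination only; a deployed ruleset would also restrict which local user may send. The decide() helper simulates first-match evaluation so the rule ordering can be checked without applying anything.

```python
"""Firewall policy derived from a DHCP lease: allow the local subnet,
drop the gateway(s), drop the rest of RFC 1918.

Added example for the thread above; not Tails code.  The lease text is
constructed and the iptables chain name is an assumption."""
import ipaddress
import re

# Constructed dhclient lease file.  dhclient appends blocks, so the
# last block is the lease in effect; the first one is stale.
SAMPLE_LEASE = """\
lease {
  interface "eth0";
  fixed-address 10.0.0.7;
  option subnet-mask 255.255.255.0;
  option routers 10.0.0.1;
}
lease {
  interface "eth0";
  fixed-address 192.168.1.42;
  option subnet-mask 255.255.255.0;
  option routers 192.168.1.1,192.168.1.254;
}
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_lease(text):
    """Return (local_network, [routers]) from the last lease block."""
    blocks = re.findall(r"lease\s*\{(.*?)\}", text, re.S)
    if not blocks:
        raise ValueError("no lease block found")
    current = blocks[-1]

    def option(pattern):
        match = re.search(pattern, current)
        if match is None:
            raise ValueError("lease lacks %s" % pattern)
        return match.group(1)

    addr = option(r"fixed-address\s+([\d.]+);")
    mask = option(r"option subnet-mask\s+([\d.]+);")
    # 'routers' may list several gateways; every one of them can forward
    # packets off the LAN, so every one of them is denied below.
    routers = [ipaddress.ip_address(r)
               for r in option(r"option routers\s+([\d.,]+);").split(",")]
    network = ipaddress.ip_interface("%s/%s" % (addr, mask)).network
    return network, routers


def build_policy(network, routers):
    """Ordered (destination, target) pairs.  First match wins, so the
    routers are dropped before the subnet they sit in is accepted."""
    policy = [(ipaddress.ip_network("%s/32" % r), "DROP") for r in routers]
    policy.append((network, "ACCEPT"))
    policy += [(net, "DROP") for net in RFC1918]
    return policy


def policy_from_lease(text):
    """Convenience: lease text straight to an ordered policy."""
    network, routers = parse_lease(text)
    return build_policy(network, routers)


def render_iptables(policy, chain="OUTPUT"):
    """Render the policy as iptables rule fragments (chain is assumed)."""
    return ["-A %s -d %s -j %s" % (chain, net.with_prefixlen, target)
            for net, target in policy]


def decide(policy, destination):
    """Simulate first-match evaluation.  None means no rule matched and
    the packet falls through to the rest of the firewall."""
    dst = ipaddress.ip_address(destination)
    for net, target in policy:
        if dst in net:
            return target
    return None


if __name__ == "__main__":
    policy = policy_from_lease(SAMPLE_LEASE)
    for line in render_iptables(policy):
        print(line)
    for host in ("192.168.1.50", "192.168.1.1", "192.168.1.254",
                 "10.0.0.7", "8.8.8.8"):
        print(host, decide(policy, host))
```

The stale lease's subnet (10.0.0.0/24) ends up dropped along with the rest of RFC 1918, which is the behaviour you want when the machine has moved networks. A destination such as 8.8.8.8 matches none of these rules and is left to the remaining ruleset, which in Tails is what confines non-Tor traffic.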
