> anonym:
> >>> * Allows stronger enforcement of tor-only connections, an attacker must
> >>> break out of a virtual machine, in addition to previous steps taken. A VM
> >>> can be configured to only be able to send traffic through the tor process
> >>> running on the host machine.
> >>
> >> Sure, but to configure the applications in the guest to use the host's
> >> Tor is non-trivial for most users (and would require us to make Tor's
> >> ports listen on more than localhost). I'd like a way so a whole VM is
> >> Torified without additional configuration inside the VM. Here's an
> >> article one can find inspiration from:
> >>
> >> <http://www.howtoforge.com/how-to-set-up-a-tor-middlebox-routing-all-virtualbox-virtual-machine-traffic-over-the-tor-network>
> >>
> >> (Added to the todo item)
> >
> > What about identity correlation since all VM traffic would go through a
> > single Tor socks port?
>
> (Added to the todo item)
>
> _______________________________________________
> tails-dev mailing list
> [email protected]
> https://mailman.boum.org/listinfo/tails-dev
My thoughts on this are that I am in favor of apps not being network aware unless being specifically configured to be so. E.g. using host-only networking for the virtual machine's network card, and then configuring specific apps in the virtual machine to connect to a socks port on the tails-livecd-host host-only network adapter.

The livecd tor would need to listen on various socks ports (for stream isolation) on the virtualbox host-only host network adapter. A well thought out firewall policy would be needed.

Yes this would be more work than simply saying "torify the whole VM" but it does have its advantages:

* Existing strategy of stream isolation is preserved, as virtual apps can still have isolated streams by connecting to a dedicated socks port

* Sometimes apps misbehave, or you install an app and it goes to auto-update itself before you can tell it not to, but it has an insecure update mechanism; if the whole VM is torified it would insecurely update over tor. If apps only work with Tor because the software came preconfigured, we get greater control over which apps can communicate with the network or not

* It's not really that hard to tell the host tor to listen on socks ports on an additional host-only network adapter, and telling the virtual apps to use socks ports on the virtual host-only adapter is much the same as how existing apps are configured

Thoughts?
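To make the proposal above concrete, here is an added example (not from the thread or from Tails) of the host-side pieces it calls for: per-app SocksPorts bound only to the host-only adapter's address, plus a host firewall that lets the guest reach those ports and nothing else. It assumes the VirtualBox host-only adapter is vboxnet0 with host address 192.168.56.1, a static guest address in 192.168.56.0/24, and a Tor that reads /etc/tor/torrc; the app/port table is a constructed sample.

```shell
#!/bin/sh
# Added example, not code from the thread. ASSUMPTIONS: host-only adapter
# vboxnet0, host IP 192.168.56.1, guest uses a static address in the
# subnet below, Tor reads /etc/tor/torrc. Run with "apply" as root to
# actually change the system; with no argument it only prints the result.
HOSTONLY_IF="vboxnet0"
HOSTONLY_IP="192.168.56.1"
GUEST_NET="192.168.56.0/24"

# One dedicated SOCKS port per guest app (constructed sample table).
APP_PORTS="browser 9150
mail 9151
irc 9152"

# torrc lines: bind each SocksPort to the host-only IP only (never 0.0.0.0,
# so nothing outside the VM link can reach them). Different SocksPorts
# already get separate circuits; IsolateDestAddr/IsolateDestPort also keep
# one app's streams to different destinations apart.
gen_torrc() {
  echo "$APP_PORTS" | while read -r app port; do
    printf 'SocksPort %s:%s IsolateDestAddr IsolateDestPort # %s\n' \
      "$HOSTONLY_IP" "$port" "$app"
  done
}

# Host firewall: the guest may talk to the SOCKS ports and nothing else on
# the host, and nothing is forwarded for it, so a misbehaving or
# auto-updating app has no path to the network except through Tor.
gen_firewall() {
  echo "$APP_PORTS" | while read -r app port; do
    printf 'iptables -A INPUT -i %s -s %s -d %s -p tcp --dport %s -j ACCEPT\n' \
      "$HOSTONLY_IF" "$GUEST_NET" "$HOSTONLY_IP" "$port"
  done
  printf 'iptables -A INPUT -i %s -j DROP\n' "$HOSTONLY_IF"
  printf 'iptables -A FORWARD -i %s -j DROP\n' "$HOSTONLY_IF"
}

# Number of SocksPort lines produced; should match the number of apps.
socks_count() { gen_torrc | grep -c '^SocksPort'; }

if [ "${1:-}" = "apply" ]; then
  gen_torrc >> /etc/tor/torrc   # then reload Tor
  gen_firewall | sh
else
  gen_torrc
  gen_firewall
fi
```

Adding an app to the guest means adding one line to the table, which yields both its isolated SocksPort and its firewall exception.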
