> [email protected]:
>> I think since tails now supports bridges and obfsproxy, then someone
>> one day may implement a hardened firewall CD that runs in front of
>> tails, and allows only traffic to the bridges the user has
>> specified.
>>
>> This would stop an attacker from learning the tails machine's real IP
>> even if they gained root on the machine, unless they could use a
>> *rare* exploit against iptables or pf on the firewall machine (or
>> some other attack). A multi-machine setup may be less coding work
>> for developers than setting up virtualization, and be more secure.
>
> What you describe was sometimes called a bridge firewall. I
> considered creating something like this and putting it in front of
> Whonix-Gateway. (To make a two-machine system perhaps an optional
> three-machine system.)
>
> Unfortunately, it turned out that once the Tor process has been
> compromised, the external IP is also compromised, because Tor knows it.
>
> I documented this and a few other aspects of such a bridge firewall:
> https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/BridgeFirewall
>
> _______________________________________________
> tails-dev mailing list
> [email protected]
> https://mailman.boum.org/listinfo/tails-dev
Thanks for that important information. Looks like the Tor bridge software will reply back to the Tor client with the IP used to connect to it (the bridge) if asked nicely. I assume Tor must need this for something, otherwise they wouldn't have put it in.
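The mechanism the two messages above are circling is the NETINFO cell of the Tor link protocol: as documented in tor-spec, each side of a relay connection sends a NETINFO cell during the handshake, and the relay or bridge's copy carries the address it observed the peer connecting from ("your address"). The cell travels inside the TLS link, so a firewall in front of the Tor machine sees only ciphertext and cannot strip it, while the Tor process on the inside reads it in plaintext. The following is an added example, written for this thread and not code from Tails, Whonix or the Tor project; it builds and decodes a NETINFO cell for the fixed-size cell layout of link protocol 4 and later (4-byte CircID, 1-byte command, 509-byte payload). The bridge and client addresses are constructed from the RFC 5737 documentation ranges and are not real relays.

```python
# Added example (not from the original thread): decode a Tor NETINFO cell to
# show the "your address" field a relay or bridge sends back during the link
# handshake. Layout per tor-spec, link protocol >= 4:
#   cell    = CircID (4) || Command (1) || Payload (509)
#   NETINFO = TIME (4) || OTHERADDR (1 type, 1 len, value)
#             || NMYADDR (1) || NMYADDR x (1 type, 1 len, value)
import ipaddress
import struct

NETINFO_CMD = 8            # NETINFO command value
ADDR_IPV4 = 0x04           # address type codes used inside NETINFO
ADDR_IPV6 = 0x06
PAYLOAD_LEN = 509          # fixed-size cell payload
CELL_LEN = 4 + 1 + PAYLOAD_LEN


def _encode_addr(addr: str) -> bytes:
    """Encode one address field: TYPE (1) || LEN (1) || VALUE."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return bytes([ADDR_IPV4, 4]) + ip.packed
    return bytes([ADDR_IPV6, 16]) + ip.packed


def _decode_addr(buf: bytes, off: int):
    """Decode the address field at buf[off]; return (address or None, next offset)."""
    atype, alen = buf[off], buf[off + 1]
    value = buf[off + 2: off + 2 + alen]
    if len(value) != alen:
        raise ValueError("truncated address field")
    if atype == ADDR_IPV4 and alen == 4:
        addr = str(ipaddress.IPv4Address(value))
    elif atype == ADDR_IPV6 and alen == 16:
        addr = str(ipaddress.IPv6Address(value))
    else:
        addr = None        # unknown type: skip it but keep parsing
    return addr, off + 2 + alen


def build_netinfo(your_addr: str, my_addrs, timestamp: int = 0, circ_id: int = 0) -> bytes:
    """Build the NETINFO cell a bridge would send: OTHERADDR is the address it
    saw the client connecting from, MYADDRs are the bridge's own addresses."""
    payload = struct.pack(">I", timestamp) + _encode_addr(your_addr)
    payload += bytes([len(my_addrs)])
    for a in my_addrs:
        payload += _encode_addr(a)
    payload = payload.ljust(PAYLOAD_LEN, b"\x00")   # zero-pad to fixed size
    return struct.pack(">IB", circ_id, NETINFO_CMD) + payload


def parse_netinfo(cell: bytes) -> dict:
    """Parse a plaintext NETINFO cell as the local Tor process sees it after TLS."""
    if len(cell) != CELL_LEN:
        raise ValueError("expected a fixed-size cell")
    _circ_id, cmd = struct.unpack(">IB", cell[:5])
    if cmd != NETINFO_CMD:
        raise ValueError("not a NETINFO cell")
    payload = cell[5:]
    (timestamp,) = struct.unpack(">I", payload[:4])
    your_addr, off = _decode_addr(payload, 4)
    count = payload[off]
    off += 1
    my_addrs = []
    for _ in range(count):
        a, off = _decode_addr(payload, off)
        my_addrs.append(a)
    return {"time": timestamp, "your_address": your_addr, "my_addresses": my_addrs}


def external_ip_learned_by_tor(cell: bytes):
    """The public address the Tor process (or whoever controls it) learns about
    itself from the bridge, no matter what packet filter sits in front of it."""
    return parse_netinfo(cell)["your_address"]


# Constructed sample: a bridge at 198.51.100.20 answers a client whose traffic
# reached it from 203.0.113.7 (both RFC 5737 documentation addresses).
SAMPLE_CELL = build_netinfo("203.0.113.7", ["198.51.100.20"], timestamp=1_600_000_000)

if __name__ == "__main__":
    print(parse_netinfo(SAMPLE_CELL))
```

The point for the bridge-firewall design: restricting egress to the configured bridges keeps the Tor machine from talking to anything else, but the bridge itself still tells Tor which address it was reached from, so root on the Tor machine is enough to read it. Hiding the address would require a hop that terminates the Tor link (or the pluggable transport) on the firewall machine rather than merely filtering it.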
