Hi,

Some number of years ago, a paper was written about how to cause leakage outside of VPNs and it included Tails as an example target:

https://www.usenix.org/system/files/conference/foci12/foci12-final8.pdf

I've waited a while for folks to read it and I think at this point, we're at year two or so of waiting. It seems like the easy thing is to simply give up and advocate for a fix with a simple patch. I have a local branch called 'vpwns' and it contains a single fix:

diff --git a/config/chroot_local-includes/etc/ferm/ferm.conf b/config/chroot_local-includes/etc/ferm/ferm.conf
index 54ab253..56bb20a 100644
--- a/config/chroot_local-includes/etc/ferm/ferm.conf
+++ b/config/chroot_local-includes/etc/ferm/ferm.conf
@@ -103,15 +103,6 @@ domain ip {
         proto udp dport domain ACCEPT;
     }
 
-    # Local network connections should not go through Tor but DNS shall be
-    # rejected.
-    # (Note that we exclude the VirtualAddrNetwork used for .onion:s here.)
-    daddr (10.0.0.0/8 172.16.0.0/12 192.168.0.0/16) @subchain "lan" {
-        proto tcp dport domain REJECT;
-        proto udp dport domain REJECT;
-        ACCEPT;
-    }
-
     # Tor is allowed to do anything it wants to.
     mod owner uid-owner debian-tor ACCEPT;

The code running as uid-owner {clearnet, debian-tor, i2psvc} will still contain the issues outlined in the paper. This change may require some UI changes for enabling access to the local network. I suggest that such access is disabled by default.

I think this is a critical security bug in the firewall configuration. We may have users who wish to enable this leak but generally, I suspect most users don't realize that they're vulnerable by default. Nor do I think that most users realize that they're vulnerable even if they want to talk to the local network for some reason.

All the best,
Jacob

_______________________________________________
Tails-dev mailing list
[email protected]
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to [email protected].
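Review bot: Deleting the whole "lan" subchain (the `daddr (10.0.0.0/8 172.16.0.0/12 192.168.0.0/16) @subchain "lan" { ... }` block) removes the explicit `proto tcp dport domain REJECT;` / `proto udp dport domain REJECT;` rules together with the unconditional `ACCEPT;`, so LAN-bound DNS now depends entirely on the chain's default policy rather than on a visible rule; that policy is outside this hunk and should be confirmed to drop or reject before merging. The hunk also silently turns off all direct LAN access with no replacement rule or opt-in, while the mail itself says a UI change will be needed for users who want it; at minimum a comment at the deletion site should say that local-network access is now off by default and where the opt-in is expected to live. Finally, the removed comment notes that the VirtualAddrNetwork used for .onion addresses was excluded from this LAN chain; with the chain gone, verify that the VirtualAddrNetwork range is still handled elsewhere so that .onion traffic keeps reaching Tor.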
