Hi, as discussed elsewhere, yes, it would be great if we could share code bases!

Does it support simultaneous connections? (Such as two applications using ephemeral Tor hidden services plus Tor Browser at once.)

Does the Tails control port filter proxy support events? I mean, can a client application ask for something and Tor will maybe answer a long time later?

Whonix control-port-filter-python TODO, also stuff we need before we can use it:

- https://phabricator.whonix.org/T561
  Is something we must use in Whonix. Not a cpfpy missing feature but a general issue. In essence, for example, the onionshare localhost server listener will not be reachable. We somehow must force it to listen on all interfaces so Tor running on the gateway can access it.

- https://phabricator.whonix.org/T562
  This is about parsing add_onion and whitelisting sane commands rather than letting through everything. add_onion is not a whitelist/not whitelist. Buggy applications, or by user mistake, could choose the add_onion flag NonAnonymous, which would be a disaster. We also don't know what Tor control protocol upgrades are coming in the years to come. So I strongly suggest only letting through whitelisted syntaxes.
  Malicious applications could make the Tor HS listener bind on the wrong interface. In Whonix-Gateway, maliciously listen on Whonix-Gateway. Which could be fatal if we also had a real Tor ControlPort open there. Does that make sense? I am not sure it applies to Tails, that depends on your design and threat model, but it is however an interesting thought that can inspire finding more security issues with it. Also it may be worth making sure it can only bind to specified (and configurable) local ports?
  For connectivity, we need to remove 127.0.0.1 and replace it with the Whonix-Workstation IP. That is currently done with the following code block that I was going to merge with T562:
  https://github.com/Whonix/control-port-filter-python/blob/6a131266a8dc8f98ff22a3b83fae9d43e38b3127/usr/sbin/cpfpd#L345-L375

- https://phabricator.whonix.org/T564
  Protecting cpfpy from DDoS from client applications. Not sure that matters for Tails?

- https://phabricator.whonix.org/T565
  Similar to above.

- https://phabricator.whonix.org/T566
  The unit test for T562.

Other required features:
- Configurable by dropping .d-style[7] configuration snippets. (ex: /etc/cpfpy.d)
- Debian packaging.

Less important features:
- Supports logging.
- Honors signals SIGTERM, SIGINT, keyboard interrupt.
- systemd support
- When request is 'getinfo net/listeners/socks' answer with a lie '250-net/listeners/socks="127.0.0.1:9150"'.

Cheers,
Patrick

_______________________________________________
Tails-dev mailing list
[email protected]
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to [email protected].
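The following is an added example, not code from Patrick's mail nor from cpfpy or Tails, showing what the T562 whitelist approach discussed in the message above looks like in practice: ADD_ONION is parsed token by token, the NonAnonymous flag and any unknown flag or argument are refused, the target must be a local TCP address on a configurable port set, 127.0.0.1 is rewritten to the Workstation IP, 'getinfo net/listeners/socks' is answered with the lie from the mail, and every other command is denied by default so future control protocol additions never reach Tor unreviewed. The Workstation address 10.152.152.11, the allowed port set {8080, 17600} and the wording of the 510 reply are assumptions chosen for the example.

```python
"""Added example: a tiny default-deny whitelist filter for Tor control-port
requests. This is NOT cpfpy's real code. The Workstation IP, the allowed
target ports and the 510 reply wording are assumptions for the example."""
import re

WORKSTATION_IP = "10.152.152.11"        # assumed Whonix-Workstation address
ALLOWED_TARGET_PORTS = {8080, 17600}    # assumed configurable local target ports
SOCKS_LIE = '250-net/listeners/socks="127.0.0.1:9150"'

# ADD_ONION KeyType:KeyBlob [Flags=..] [MaxStreams=..] 1*(Port=VIRTPORT[,TARGET])
KEY_RE = re.compile(r"^(NEW|RSA1024|ED25519-V3):[A-Za-z0-9+/=\-]+$")
PORT_RE = re.compile(r"^Port=(\d{1,5})(?:,(.+))?$")
# Flags a client may pass through. NonAnonymous is deliberately absent: it turns
# the service into a single onion service and deanonymises the host.
ALLOWED_FLAGS = {"discardpk", "detach"}
LOCAL_HOSTS = {"127.0.0.1", "localhost"}


class Filtered(Exception):
    """Raised when a request falls outside the whitelist."""


def _rewrite_port(arg, ws_ip, allowed_ports):
    m = PORT_RE.match(arg)
    if not m:
        raise Filtered("malformed Port argument")
    virtport, target = int(m.group(1)), m.group(2)
    if not 1 <= virtport <= 65535:
        raise Filtered("bad virtual port")
    if target is None:            # Tor would default to 127.0.0.1:virtport
        target_port = virtport
    elif target.isdigit():        # "Port=80,8080" means 127.0.0.1:8080
        target_port = int(target)
    else:
        host, sep, port = target.rpartition(":")
        # Rejects unix: sockets and any non-local host: a malicious client must
        # not be able to point the HS listener at the gateway itself.
        if not sep or not port.isdigit() or host not in LOCAL_HOSTS | {ws_ip}:
            raise Filtered("target not a local TCP address")
        target_port = int(port)
    if target_port not in allowed_ports:
        raise Filtered("target port %d not whitelisted" % target_port)
    # Connectivity fix from the mail: 127.0.0.1 becomes the Workstation IP.
    return "Port=%d,%s:%d" % (virtport, ws_ip, target_port)


def filter_add_onion(args, ws_ip=WORKSTATION_IP, allowed_ports=ALLOWED_TARGET_PORTS):
    """Return the rewritten ADD_ONION arguments, or raise Filtered."""
    tokens = args.split()
    if not tokens or not KEY_RE.match(tokens[0]):
        raise Filtered("bad key spec")
    out, nports = [tokens[0]], 0
    for tok in tokens[1:]:
        if tok.startswith("Flags="):
            # Tor matches flag names case-insensitively, so the check must too,
            # or "Flags=nonanonymous" would slip past a case-sensitive whitelist.
            flags = {f.lower() for f in tok[6:].split(",") if f}
            bad = flags - ALLOWED_FLAGS
            if bad:
                raise Filtered("flag not whitelisted: " + ",".join(sorted(bad)))
            out.append(tok)
        elif tok.startswith("MaxStreams=") and tok[11:].isdigit():
            out.append(tok)
        elif tok.startswith("Port="):
            out.append(_rewrite_port(tok, ws_ip, allowed_ports))
            nports += 1
        else:
            raise Filtered("argument not whitelisted: " + tok)
    if nports == 0:
        raise Filtered("ADD_ONION needs at least one Port=")
    return " ".join(out)


def filter_request(line, ws_ip=WORKSTATION_IP, allowed_ports=ALLOWED_TARGET_PORTS):
    """Decide what to do with one client line.

    Returns (forward, text): forward=True means send `text` on to Tor,
    forward=False means answer the client with `text` and send nothing to Tor.
    """
    cmd, _, args = line.strip().partition(" ")
    cmd = cmd.upper()
    if cmd == "GETINFO" and args.strip().lower() == "net/listeners/socks":
        return False, SOCKS_LIE + "\r\n250 OK"
    if cmd == "ADD_ONION":
        try:
            return True, "ADD_ONION " + filter_add_onion(args, ws_ip, allowed_ports)
        except Filtered as exc:
            return False, "510 Command filtered: %s" % exc
    # Default deny: unknown and future commands never reach Tor.
    return False, "510 Command filtered"


if __name__ == "__main__":
    for req in ("ADD_ONION NEW:BEST Flags=Detach Port=80,127.0.0.1:8080",
                "ADD_ONION NEW:BEST Flags=NonAnonymous Port=80,8080",
                "ADD_ONION NEW:BEST Port=80,10.152.152.10:8080",
                "GETINFO net/listeners/socks",
                "SETCONF DisableNetwork=0"):
        print(req, "->", filter_request(req))
```

The point of the structure is that the filter never forwards a client line verbatim: ADD_ONION is re-serialised from the tokens the whitelist accepted, so a syntax the filter does not understand cannot be smuggled past it, and a request with no Port= argument is refused rather than left for Tor to interpret.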
