I think the topic Bridge Firewall is also related here:
https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/BridgeFirewall

(The topic didn't move there yet, but it's all very similar ideas we're discussing here.)

>> What's the threat model here? As I understand, it's ensuring
>> stream isolation for one workstation while another workstation
>> is compromised.
>
> The goal is to make each workstation (or even each user on a
> shared workstation) responsible for building their own circuits and
> for using whatever policy they like when it comes to stream
> isolation. Consequently, streams from different workstations can
> never share a circuit.

>> The problem is, anyone, including adversaries, can run Tor
>> relays.
>
> Interesting consideration. I'd prefer limiting the tor_routers
> ipset to relays with a Guard flag, which would make an attack more
> difficult to pull off.

Getting the Guard flag isn't really difficult. It's a documented and automated process.

> But a freshly installed Tor client will not necessarily fetch its
> first consensus through a Guard, right?

When using the public Tor network:

If TunnelDirConns is set to 1 (which is the default), quote Tor manual:
"...when a directory server we contact supports it, we will build a one-hop circuit and make an encrypted connection via its ORPort..."

Some guards and directory mirrors are hardcoded in Tor.

See also:
- https://tor.stackexchange.com/questions/287/how-can-tor-use-a-one-hop-circuit-to-a-directory-server-during-initial-bootstrap
- https://tor.stackexchange.com/questions/286/why-does-tor-use-only-one-hop-instead-of-three-hops-to-connect-to-a-directory-se

When using bridges:

You'll get the consensus from the bridge. (Please someone correct me here if it is wrong.)

>> I am wondering if the advantages of corridor and Whonix can be
>> combined. Without running Tor over Tor, which is recommended
>> against.
>
> Maybe we misunderstand each other?
>
> You put a physical corridor box between your
> TBB/Tails/Whonix/Qubes workstation(s) and your router: That's not
> Tor over Tor, because corridor is not a proxy, it's a filter.
>
> A corridor gateway should never increase the chance of clearnet
> leaks, because you can always just treat it as untrusted, like you
> should probably treat your DSL router and definitely your ISP's
> network. But if the corridor box is in fact in a trustworthy state,
> it acts as the leak stopper of last resort.

Yes, a misunderstanding.

corridor's advantage:
- streams from different workstations can never share a circuit

Whonix's advantage:
- malicious software on the workstation cannot find out its real external IP address

I am wondering, can we get both advantages using just one gateway?

Whonix-Gateway could be modified to only allow connections to Tor relays [Guard flag, bridges, etc.]. But all the Tor clients running on the various workstations would themselves be tunneled through Tor by Whonix-Gateway. That would be a combination of corridor's and Whonix's advantages. But it would also be Tor over Tor, thus recommended against [reference in my last mail].

Another idea would be to leverage Tor's IsolateClientAddr option. Quote Tor manual:
"Don't share circuits with streams from a different client address. (On by default and strongly recommended;..."

Whonix-Gateway profits from this. The problem is, any Whonix-Workstation behind Whonix-Gateway - once compromised - can claim to be another Whonix-Workstation, thus not being stream isolated anymore.

This could be solved if there were a defense that prevented impersonating other workstations. VPN and/or static ARP entries and/or OpenSSH could be used for that purpose.

I wrote quite a lot about this topic already:
- https://www.whonix.org/wiki/Connections_between_Whonix-Gateway_and_Whonix-Workstation
- https://www.whonix.org/wiki/Multiple_Whonix-Workstations

Documented some workarounds (multiple Whonix-Gateways or using additional (isolated) network interfaces). These are inconvenient and probably only used by very few people.

Considering Whonix-Gateway would authenticate Whonix-Workstations and thus better enforce stream isolation, would this be a substitute for corridor?

--
tor-talk mailing list - [email protected]
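The filter the thread keeps coming back to (a tor_routers ipset restricted to relays carrying the Guard flag) can be built straight from the "r"/"s" lines of a network-status consensus. The script below is an added illustration written for this page; it is not corridor's, Whonix's or Tor's own code. The consensus text inside it is a constructed sample with fabricated nicknames, identities, addresses and ports, and the set name tor_routers, the FORWARD-chain rules and the choice of required flags are assumptions chosen for the demonstration.

```python
"""Build an ipset allowlist of Tor relays from a consensus (added example)."""
import ipaddress
from typing import Iterator

# Constructed sample in the layout of a microdesc consensus.  Every
# nickname, identity, address and port below is fabricated.
SAMPLE_CONSENSUS = """\
network-status-version 3 microdesc
r alpha AAAAAAAAAAAAAAAAAAAAAAAAAAA 2014-02-15 10:00:00 203.0.113.10 9001 9030
s Fast Guard Running Stable V2Dir Valid
w Bandwidth=20000
r bravo BBBBBBBBBBBBBBBBBBBBBBBBBBB 2014-02-15 10:00:00 198.51.100.7 443 0
s Exit Fast Running Valid
w Bandwidth=9000
r charlie CCCCCCCCCCCCCCCCCCCCCCCCCCC 2014-02-15 10:00:00 192.0.2.33 9001 0
s Fast Guard Running Stable Valid
w Bandwidth=15000
r delta DDDDDDDDDDDDDDDDDDDDDDDDDDD 2014-02-15 10:00:00 192.0.2.34 9001 0
s Fast Running Valid
w Bandwidth=100
"""


def relays(consensus: str) -> Iterator[tuple[str, str, int, frozenset[str]]]:
    """Yield (nickname, ip, orport, flags) for each router entry.

    Both consensus flavours end the "r" line with "IP ORPort DirPort", so
    the fields are taken from the end of the line instead of assuming
    whether a descriptor digest is present.
    """
    nick = ip = None
    orport = 0
    for line in consensus.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "r" and len(tokens) >= 7:
            try:
                nick, ip, orport = tokens[1], tokens[-3], int(tokens[-2])
            except ValueError:
                nick = ip = None
        elif tokens[0] == "s" and nick is not None:
            # The "s" line carries the flags for the preceding "r" line.
            yield nick, ip, orport, frozenset(tokens[1:])
            nick = ip = None


def allowed_endpoints(
    consensus: str,
    required: frozenset[str] = frozenset({"Guard", "Running"}),
) -> set[tuple[str, int]]:
    """Return the (ip, orport) pairs of relays carrying all required flags."""
    endpoints: set[tuple[str, int]] = set()
    for _nick, ip, orport, flags in relays(consensus):
        if not required <= flags:
            continue
        try:
            ipaddress.IPv4Address(ip)  # the hash:ip,port set below is IPv4-only
        except ValueError:
            continue
        endpoints.add((ip, orport))
    return endpoints


def ipset_commands(endpoints: set[tuple[str, int]], setname: str = "tor_routers") -> list[str]:
    """Emit ipset/iptables commands that let forwarded TCP reach only the set.

    The set name and the FORWARD-chain rules are assumptions for this
    example; a real gateway would also need state-tracking and local rules.
    """
    cmds = [
        f"ipset create {setname} hash:ip,port -exist",
        f"ipset flush {setname}",
    ]
    for ip, port in sorted(endpoints):
        cmds.append(f"ipset add {setname} {ip},tcp:{port} -exist")
    cmds.append(f"iptables -A FORWARD -p tcp -m set --match-set {setname} dst,dst -j ACCEPT")
    cmds.append("iptables -A FORWARD -j REJECT")
    return cmds


if __name__ == "__main__":
    for cmd in ipset_commands(allowed_endpoints(SAMPLE_CONSENSUS)):
        print(cmd)
```

On the sample only alpha and charlie survive: bravo is an exit without the Guard flag and delta is an unflagged relay. The caveat the message itself raises still applies: the Guard flag is handed out by an automated process, so a relay run by an adversary can legitimately end up in this set. The filter stops clearnet leaks from a compromised workstation; it does not vouch for the relay on the other end.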
