Commit 5d768ef0 authored by Tails developers

Update about Tails and design document.

The updates are almost exclusively about the move from transparent
proxying to blocking.
parent a8d9f4bc
......@@ -24,7 +24,8 @@ Anonymity online through Tor
============================
Tails relies on the Tor anonymity network to protect your privacy online: all
outgoing connections to the Internet are forced to go through Tor.
software are configured to connect through Tor, and direct (non-anonymous)
connections are blocked.
Tor is free software and an open network that helps you defend against a form of
network surveillance that threatens personal freedom and privacy, confidential
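Review bot: the new second line joins to the unchanged line above it as "all software are configured to connect through Tor", which is ungrammatical; "all software is configured" or "all applications are configured" fixes it. The added claim that "direct (non-anonymous) connections are blocked" is also broader than what the rest of this commit documents, since the `i2p` user is granted a direct-connection exception later in the same patch; a short qualifier such as "apart from I2P, when enabled" keeps the summary accurate.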
......
......@@ -382,7 +382,9 @@ heavily restricted by a firewall:
- All non-TCP transport layer protocols SHOULD be dropped as they are
not supported by the Tor network.
- All TCP traffic not explicitly targeting Tor SHOULD be redirected to
the transparent proxy (i.e. to the `TransPort` as set in `torrc`).
the transparent proxy (i.e. to the `TransPort` as set in `torrc`);
alternatively this traffic SHOULD be dropped (then only applications
explicitly configured to use Tor will reach the Internet).
- All DNS lookups SHOULD be made through the Tor network (i.e.
redirected to `DNSPort` as set in `torrc`).
- All IPv6 traffic SHOULD be forbidden as it is not supported by the Tor
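Review bot: the rewritten TCP bullet now carries two SHOULD requirements that contradict each other ("SHOULD be redirected ... alternatively this traffic SHOULD be dropped"); phrase it as one requirement with two permitted options, e.g. "All TCP traffic not explicitly targeting Tor SHOULD either be redirected to the transparent proxy ... or be dropped", and state the consequence of each choice (redirection still torifies a misconfigured application, dropping fails closed so a misconfigured application gets no connection rather than an unintended one). The DNS bullet that follows still says lookups SHOULD be redirected to `DNSPort`, while the Tor section later in this commit adds "alternatively a local DNS server can be configured to use Tor"; the two should be aligned.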
......@@ -501,13 +503,22 @@ practices: digests, ciphers and key sizes.
#### 2.6.3.5 Tor
Tor SHOULD be setup to enable its DNS server (`DNSPort`) and
transparent proxy (`TransPort`, `TransListen`) so the functionality
specified in the network section is covered. Only stable releases
SHOULD be considered since Tor really is at the core of the PELD. Also,
while there are many other interesting configuration possibilities in
the Tor manual, care MUST be taken to avoid those that may impair
anonymity or security.
Only stable releases SHOULD be considered since Tor really is at the
core of the PELD.
Tor SHOULD be setup to enable its DNS server (`DNSPort`) to allow DNS
lookups through the Tor network; alternatively a local DNS server can
be configured to use Tor.
If transparent proxying (as opposed to dropping non-Tor traffic) was
chosen in the network section, then Tor MUST be setup to enable its
transparent proxy (`TransPort`, `TransListen`); alternatively any
transparent proxy configured to use Tor as the parent proxy can be
used.
While there are many other interesting configuration possibilities
decrobed in the Tor manual, care MUST be taken to avoid those that may
impair anonymity or security.
A GUI Tor controller application such as Vidalia or TorK is highly
RECOMMENDED. However, this requires opening the control port in Tor,
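Review bot: typo in the new last paragraph: "decrobed" should be "described". The same paragraphs use "setup" as a verb ("SHOULD be setup", "MUST be setup"); the verb form is "set up". Also, the new transparent-proxy paragraph uses MUST while the network-section bullet it refers back to uses SHOULD; pick one keyword level so the two sections do not disagree on whether `TransPort` is mandatory once transparent proxying is chosen.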
......@@ -831,14 +842,15 @@ those are mainly for usability issues and similar.
The Tor software is currently configured as a client only (onion
proxy). The client listens on SOCKS port 9050 with a control port 9051
(using cookie authentication), as a transparent proxy on port 9040 and
as a DNS server on port 8853. Only connections from localhost are
accepted. It can be argued that running a Tor server (onion router)
would increase one's anonymity for a number for reasons but we still
feel that most users probably would not want this due to the added
consumption of bandwidth. The user can nevertheless easily choose to
turn his or her Tor client into a relay, thanks to the Vidalia
graphical user interface.
(using cookie authentication), as a transparent proxy on port 9040
(only used for remapped hidden services) and as a DNS server on port
8853. Only connections from localhost are accepted. It can be argued
that running a Tor server (onion router) would increase one's
anonymity for a number for reasons but we still feel that most users
probably would not want this due to the added consumption of
bandwidth. The user can nevertheless easily choose to turn his or her
Tor client into a relay, thanks to the Vidalia graphical user
interface.
- [[!tails_gitweb chroot_local-includes/etc/tor/torrc]]
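Review bot: the new parenthetical "(only used for remapped hidden services)" introduces a term the section never defines; say what remapping means here or point to the relevant lines of the linked `torrc` so a reader can see which traffic still reaches port 9040. The rewrite also carries over the pre-existing typo "a number for reasons" (should be "a number of reasons"), which is worth fixing while the paragraph is being reflowed.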
......@@ -946,15 +958,14 @@ will be possible afterwards.
Firefox, that is shipped by Debian and thus by Tails.)
Iceweasel uses the Torbutton extension in order to prevent attacks
using JavaScript,
plugins and other non-HTTP features like web bugs. It is configured to
always be enabled on Iceweasel start and uses polipo as HTTP(s) proxy
and Tor as SOCKS proxy. SOCKS is configured to perform name resolution
through this proxy. Iceweasel is also configured to not cache to disk
(mainly to reduce memory usage for CD users as disk writes will be
stored there), history is disabled (just in case) and many other
things. It is also setup not to automatically check for updates of its
installed extensions. Java support is disabled.
using JavaScript, plugins and other non-HTTP features like web
bugs. It is configured to always be enabled on Iceweasel start and
uses Tor as SOCKS5 proxy. SOCKS is configured to perform name
resolution through this proxy. Iceweasel is also configured to not
cache to disk (mainly to reduce memory usage for CD users as disk
writes will be stored there), history is disabled (just in case) and
many other things. It is also setup not to automatically check for
updates of its installed extensions. Java support is disabled.
Iceweasel is shipped with some extensions to help users manage their
browsing experience. The Torbutton settings treat all cookies as
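Review bot: dropping polipo as the HTTP(S) proxy is a browser configuration change, not just a documentation reflow, and the commit message ("almost exclusively about the move from transparent proxying to blocking") does not mention it; the design document elsewhere in this patch still refers to the "polipo HTTP(s) proxy" in unchanged context, so those mentions should be updated in the same change. Minor: "uses Tor as SOCKS5 proxy" reads better as "uses Tor as its SOCKS5 proxy".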
......
......@@ -106,10 +106,10 @@ bottom, until the first match is found:
4. The rest: all remaining urls will be SOCKS5-proxied through Tor.
Also, do note that Tails' [[netfilter-based transparent
proxying|Tor_enforcement/Network_filter]] ensures that no Internet traffic can
escape Tor even if something is wrong in the above filters (or a
future revision).
Also, do note that Tails' [[netfilter-based
blocking|Tor_enforcement/Network_filter]] ensures that no Internet
traffic can be escape both Tor or I2P (and thus be non-anonymous) even
if something is wrong in the above filters (or a future revision).
Things to meditate upon
=======================
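Review bot: grammar in the rewritten sentence: "no Internet traffic can be escape both Tor or I2P" should be "no Internet traffic can bypass both Tor and I2P" (or "escape both Tor and I2P"), otherwise the key guarantee of this paragraph is hard to parse.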
......@@ -118,11 +118,9 @@ Things to meditate upon
SOCKS5. This effectively breaks FTP completely, so there's room for
adding a pattern above number 4 which matches ftp connections
(i.e. `^ftp://.*`) and proxies them through some ftp proxy using Tor
as its parent proxy (or let the [[netfilter-based transparent
proxying|Tor_enforcement/Network_filter]] handle it?). See
[[todo/FTP_in_Iceweasel]]. As an addition, at the
moment (versions <=0.8) ftp does not work in I2P for technical
reasons, so no pattern for that is needed.
as its parent proxy. See [[todo/FTP_in_Iceweasel]]. As an addition,
at the moment (versions <=0.8) ftp does not work in I2P for
technical reasons, so no pattern for that is needed.
* Do we want to enable the "Hidden mode" which completely disables
participating traffic?
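Review bot: with the transparent-proxy fallback removed from the FTP paragraph, the text should say plainly that direct FTP from Iceweasel is now blocked by the firewall and that the FTP-proxy pattern tracked in [[todo/FTP_in_Iceweasel]] is the only remaining path; as written, "there's room for adding a pattern" understates that. Minor: "ftp" is lower-cased where the prose means the protocol (FTP).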
......
Tails short description states that all outgoing connections to the
Internet are forced to go through the [Tor network](https://www.torproject.org/).
Internet must to go through the [Tor network](https://www.torproject.org/).
This is almost true. Let's clarify this a bit.
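Review bot: grammar in the replacement line: "Internet must to go through" should be "Internet must go through". Consider keeping "are forced to" (or "are blocked unless they go through"), since "must" reads as a policy statement while the page is describing an enforced technical control.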
......
One serious security issue is that we don't know what software will
attempt to contact the network and whether their proxy settings are
setup to use the Tor SOCKS proxy or polipo HTTP(s) proxy correctly.
This is solved by forwarding all direct TCP connections through Tor's
transparent proxy using the Linux kernel level network filter.
This is solved by blocking all outbound Internet traffic except Tor
and I2P, and explicitly configure all applications to use either of
these.
- [[!tails_gitweb config/chroot_local-includes/etc/firewall.conf]] for IPv4
- [[!tails_gitweb config/chroot_local-includes/etc/firewall6.conf]] for IPv6
- [[!tails_gitweb config/chroot_local-includes/etc/NetworkManager/dispatcher.d/00-firewall.sh]]
The default case is to redirect traffic to the Tor transparent proxy;
let us now document the few exceptions to this rule.
The default case is to block all outbound network traffic; let us now
document all exceptions and some clarifications to this rule.
#### Tor user
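Review bot: the unchanged sentence just above the replaced lines still describes the problem in terms of "the Tor SOCKS proxy or polipo HTTP(s) proxy", but this commit removes polipo from the Iceweasel configuration; update that context line too so the section does not refer to a proxy Tails no longer runs. In the new text, "and explicitly configure all applications" should be "and explicitly configuring all applications" to parallel "blocking". It would also help to say here that the exceptions are enforced per originating Unix user (the `debian-tor` and `i2p` cases that follow), since that is the mechanism the listed firewall files rely on.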
......@@ -17,25 +18,6 @@ Tor itself obviously has to connect to the Internet without going
through the Tor network. This is achieved by special-casing
connections originating from the `debian-tor` Unix user.
#### HTP
Tails HTTP Time Protocol (HTP) setup is described on a [[dedicated
design page|design/HTP]].
Every HTP-related communication is established by the `htp` user, who
is allowed to connect *directly* to services listening on the `https`
TCP port or on the `domain` UDP/TCP ports.
The rationale for this exception is that we have kind of a
chicken'n'egg problem here. We want the clock to be pretty accurate in
order for Tor to work properly so HTP time synchronization has to be
done before Tor starts... hence *directly*. This means DNS queries to
resolve the HTP hosts IPs, and HTTPS traffic to fetch the pages and
associated resources.
An alternative implementation that would not need HTP to bypass Tor is
[[being thought of|todo/remove_the_htp_user_firewall_exception]].
#### I2P
[I2P](http://www.i2pproject.net/) (*Invisible Internet Project*) is
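Review bot: deleting the whole HTP section removes the only explanation of how the clock is synchronised before Tor starts (the chicken-and-egg problem the removed text describes), and nothing in the remaining text says whether the `htp` user's direct-connection exception is gone from the firewall or merely undocumented; if the exception has been removed, add one sentence saying so and pointing to [[design/HTP]] for the replacement, and if it has not, the section should stay.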
......@@ -45,12 +27,9 @@ access to eepsites (.i2p tld); eepsites are a bit like Tor hidden
services. Some users would like to be able to access eepsites from
Tails.
Next major Tails release will ship the I2P software. I2P usage will
be opt-in, i.e. no I2P software will start by default.
The `i2p` user will be allowed to connect *directly* to the Internet.
See
[[the design document dedicated to Tails use of I2P|I2P]] for details.
Like the `debian-tor` user, the `i2p` user is allowed to connect
*directly* to the Internet. See [[the design document dedicated to
Tails use of I2P|I2P]] for details.
#### Local Area Network (LAN)
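Review bot: the rewrite drops the statement that I2P is opt-in and that no I2P software starts by default; since the `i2p` user is given a direct-connection exception like `debian-tor`, whether that software runs by default is exactly what a reader of the firewall design needs to know, so keep that sentence (reworded if "next major Tails release" is no longer accurate).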
......@@ -71,4 +50,5 @@ the loopback interface.
#### UDP, ICMP and other non-TCP protocols
Tor only supports TCP. Non-TCP traffic to the Internet, such as UDP
datagrams and ICMP packets, is dropped.
datagrams and ICMP packets, is dropped unless it's going through I2P,
which supports UDP.
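Review bot: "dropped unless it's going through I2P, which supports UDP" could be read as a protocol-level allowance for UDP; make explicit that UDP is only permitted from the `i2p` user under the exception described earlier on this page, and that "Tor only supports TCP" still holds for everything else. Minor: prefer "it is" over "it's" in this document.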