A user perspective (there wasn’t a “cypherpunks” account already??):
I just found myself unpleasantly surprised to find out that anything running in the workstation had any access whatsoever to the Tor control port, even filtered access, and reading up on it led me to this thread.
If there’s a need to placate the Tor browser, I for one would prefer that you build a fake control port that lies about ALL commands and that never forwards ANYTHING to Tor, and I think that should run entirely on the workstation. Of course, that doesn’t mean that you should let the user believe that something like a “new circuit” button is actually working if it’s not, and I’m not sure how to ask you to go about preventing that false impression. Will it do something sane if you send back a failure code?
Any port on the gateway that the workstation can connect to is an exposure. There is no way that having a “new circuit” button inside the workstation is worth the risk of another listening port, and it’s SURE not worth the risk of sending “filtered” commands through to the actual Tor process. If I want a new circuit, I’ll do it in the gateway (I will admit that a nicer control program inside the gateway would be nice). That applies to ALL Tor control and status functions.
I use Whonix because I don’t trust the TBB, and I don’t trust the TBB exactly because of the willingness to open up infinite attack surface in the name of “usability”, and do crazy things like opening up sockets from the browser to the Tor control port. I do not want Mike Perry’s “usability” feature of the week.
The only reason the Tor browser should exist at all is fingerprinting resistance, because you HAVE to do that in the browser. But, because browsers are so ridiculously complex, it’s not trustworthy, and it shouldn’t be allowed to interfere with core isolation properties. If there’s no way to accommodate the Tor browser without giving it ever-increasing attack surface against the main anonymity system, then I suggest you just drop the Tor browser entirely.
Thanks for listening.
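One way to build the workstation-local stub the post above asks for, as an added example that is not part of the original post or of Whonix's code. It answers in Tor control-protocol syntax from a fixed table and contains no code path that connects to a real Tor process; the names `reply_for` and `StubControlHandler`, the listening port 9151, and the choice to fail every command other than the handshake are assumptions made for illustration.

```python
import socketserver

# Canned replies in Tor control-protocol syntax. Every answer is generated
# locally; nothing in this file connects to a gateway or to Tor.
CANNED = {
    "AUTHENTICATE": "250 OK\r\n",            # accept any credentials
    "PROTOCOLINFO": ("250-PROTOCOLINFO 1\r\n"
                     "250-AUTH METHODS=NULL\r\n"
                     '250-VERSION Tor="0.0.0-stub"\r\n'  # constructed value
                     "250 OK\r\n"),
    "QUIT": "250 closing connection\r\n",
}
# Assumed policy: report failure instead of pretending a command worked.
FAILURE = "510 Unrecognized command\r\n"
MAX_LINE = 1024


def reply_for(line: bytes) -> str:
    """Return the canned reply for one control-port line (no forwarding)."""
    words = line.decode("ascii", errors="replace").split()
    if not words:
        return FAILURE
    return CANNED.get(words[0].upper(), FAILURE)


class StubControlHandler(socketserver.StreamRequestHandler):
    def handle(self):
        while True:
            line = self.rfile.readline(MAX_LINE)
            if not line.endswith(b"\n"):     # EOF or overlong line: hang up
                return
            reply = reply_for(line.rstrip(b"\r\n"))
            self.wfile.write(reply.encode("ascii"))
            if reply == CANNED["QUIT"]:
                return


def serve(port: int = 9151) -> None:
    # Loopback only (assumed port), so no new listener exists on the gateway.
    with socketserver.TCPServer(("127.0.0.1", port), StubControlHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

With this table, `SIGNAL NEWNYM` gets the failure reply, so the stub never claims that a new circuit was created.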