SOCKSPort Isolation

captain11 · August 1, 2016, 12:27pm

if this isn’t the proper place for this question, please forgive.

i’ve seen on tor.stackexchange.com users generally consider using isolatedestaddr and isolatedestport bad practice. however in whonix gateway, by default, there are many socksports configured for isolation. so this feels like some mixed information.

does isolating applications make my traffic more identifiable or vulnerable to correlation and/or attacks?
is isolation okay to use with something like liferea rss, twitter, or any other desktop clients that pull traffic from many domains simultaneously?

Patrick · August 1, 2016, 3:51pm

No. On the contrary.

Isolation is good generally, however isolatedestaddr and isolatedestport bad practice in many situations.

Isolation per different client application is great, however isolatedestaddr and isolatedestport need to be used with care and make sense in specific situations only.

There is a bunch of documentation on that topic:

captain11 · August 1, 2016, 5:44pm

awesome, thanks for response! what do you think of this persons Answer?

"“make my traffic more identifiable”

You’ll certainly have non-standard traffic patterns.

An adversary could also try to intentionally cause denial-of-service
conditions by, for example making you attempt to build a circuit to
every port on a whole range of IPs, making you try to build tens of
thousands of circuits and potentially causing denial of service."

“An adversary could try to force you, on one circuit, to reuse another circuit.”

captain11 · August 1, 2016, 5:55pm

thanks again for your reply. can you give example of a “bad situation”?

is a dedicated socksport with isolations okay for twitter or many rss feeds?

Patrick · August 1, 2016, 6:57pm

It’s good. Multiple Whonix-Workstations and more compartmentalization is better.

Web browsers.

isolatedestaddr and isolatedestport seems useful for e-mail, but then again the above is still better.

That depends very much on the software. If twitter is a bit like a web browser, then it is a bad idea. The rss feed would depend on how many connection it would spawn. Just connect to a single IP per feed, then it would be okay, but if it loads also from external resources, then it’s a bad idea.

I recommend to also ask on the tor-talk mailing list since this question is unspecific to Whonix as per: Free Support for Whonix ™