Tickets

mitm · February 8, 2015, 4:19pm

Yes its better to reference intrigeri.

Change to “arrange for hosting a hidden Debian mirror for access by Whonix and any other anonymous OS that is interested”

If you don’t like it just take out any references to who will want to use it.

mitm · February 8, 2015, 4:22pm

You might be interested to know that The Update Framework is know what putting out code for their securr update platform.

Patrick · February 9, 2015, 6:22am

[quote=“mitm, post:42, topic:855”]You might be interested to know that The Update Framework is know what putting out code for their securr update platform.

https://github.com/theupdateframework[/quote]
I am aware of TUF and in contact with them. See,

mitm · February 11, 2015, 5:49pm

A fantastic new development has happened in Tor 0.2.6. Alpha

I will go into what it means for different parts of Whonix and where to go from here. I’m putting it out there and you do what you like.

“Tor’s consensus lists Torbrowser updates”

Applicable to whonixcheck and tbb-updater.
The tbb version in the consensus can be checked by a similar variant of the Consensus based clock sanity check. Except this time you will be parsing the version number and hash of the most current tbb package.

Other great options stemming from this upstream ticket is to propose in the future the broadcast of version information for Tor IM Bundle when it debuts in the same way so tbb-updater and other managers can take advantage of this more reliable and secure way of learning about Tor based software.

If you go one step further and direct tbb-launcher to only download from Thomas’s hidden mirror, that solves the lack of SSL pinning of the Tor Projects’s site for this component. You won’t have to worry about serious breakage of tbb-updater ever again even when the Tor site’s self signrd certificate changes after pinning is implemented.

mitm · February 11, 2015, 5:57pm

After looking through all the extra work you would need to mask Micah’s tbb-launcher to use its certificate, I conclude it’s much easier if you manually embed it into your code and maintain it that way.

If the above is implemented, the only part of whonix that will depend on the cert is the the request to check.torproject.org.

Worst case, that will be the only part breaking because of upstream lapses in cert maintaince but its not as bad as tbb-updater breaking down.

mitm · February 11, 2015, 6:33pm

An unlikely solution without the Tor Project’s support is for them to deploy TUF repositories as an update method.

Even if it never happens, the comment above lays ground for a rock solid secure way to know about updates and downloading them.

mitm · February 13, 2015, 11:48pm

What will you do about the pure evil that is 32bit gpg key ids?
https://evil32.com

Patrick · February 14, 2015, 12:53am

[quote=“mitm, post:47, topic:855”]What will you do about the pure evil that is 32bit gpg key ids?
https://evil32.com[/quote]
I think there is no more action required. They’re used nowhere in Whonix’s code. All the signing keys that come with Whonix (Whonix ™ Source Code Introduction) are obtained using full fingerprints and verified using the web of trust. And if I know some software to use gpg, I check if they use gpg short key ids and do a short audit of their gpg usage. Also if those are not part of Whonix. I report it if necessary. (Example: apt-key adv command in dockerfile might be unsafe · Issue #4 · trezor/trezor-mcu · GitHub)

mitm · February 14, 2015, 1:54am

Awesome.

Any comments on my latest couple of posts? Are they rejected or still under consideration?

Patrick · February 14, 2015, 2:34am

[quote=“mitm, post:44, topic:855”]A fantastic new development has happened in Tor 0.2.6. Alpha

“Tor’s consensus lists Torbrowser updates”

Applicable to whonixcheck and tbb-updater.
The tbb version in the consensus can be checked by a similar variant of the Consensus based clock sanity check. Except this time you will be parsing the version number and hash of the most current tbb package.[/quote]
Created ⚓ T161 use 'getinfo consensus/packages' rather than RecommendedTBBVersions for it.

Other great options stemming from this upstream ticket is to propose in the future the broadcast of version information for Tor IM Bundle when it debuts in the same way so tbb-updater and other managers can take advantage of this more reliable and secure way of learning about Tor based software.

Suggested here: https://trac.torproject.org/projects/tor/ticket/14388#comment:2

If you go one step further and direct tbb-launcher to only download from Thomas's hidden mirror, that solves the lack of SSL pinning of the Tor Projects's site for this component. You won't have to worry about serious breakage of tbb-updater ever again even when the Tor site's self signrd certificate changes after pinning is implemented.

Sadly, the internet [no one claims so] has no mechanism to securely feed mirrors. Mirrors themselves are updated using unauthenticated rsync. So downloading from a super secure mirror, while the mirror downloaded unauthenticated, makes no improvement. (Uploads the the master mirror are mostly rsync over ssh, I hope.) Yet another piece of missing security infrastructure on the internet that adds up to the huge backlog.

Patrick · February 14, 2015, 3:00am

[quote=“mitm, post:45, topic:855”]After looking through all the extra work you would need to mask Micah’s tbb-launcher to use its certificate, I conclude it’s much easier if you manually embed it into your code and maintain it that way.

If the above is implemented, the only part of whonix that will depend on the cert is the the request to check.torproject.org.

Worst case, that will be the only part breaking because of upstream lapses in cert maintaince but its not as bad as tbb-updater breaking down.[/quote]
The torbrowser-launcher is also not necessarily fast updated.

mitm · February 14, 2015, 3:49am

Mirror security depends on the definition of security the threat model. Package authenticity is not mirror dependent of course because package signatures and the consensus update information take care of that. Even if the packages on the mirror have been rigged it will be discovered.

My suggestion for using a hidden mirror is for that extra bit of protection against traffic analysis and traffic tampering. Unless Thomas’s server is popped connecting to it is better than using something with no strong end to end authencation aka regular SSL.

mitm · February 18, 2015, 10:07pm

You might be interested in following this feature coming to Tor. I don’t know how safe to have in Whonix’s model. It might fit projects like Ricochet IM to make it work better with Whonix.

Ephemeral Hidden Services via the Control Port
https://lists.torproject.org/pipermail/tor-dev/2015-February/008279.html

Adding hidden services through control socket

Patrick · February 19, 2015, 7:33pm

I don’t foresee security issues with it. Users could add a cpfpy snippet to add it to the whitelist.

The following is problematic with the cpfpy implementation.

* meejah suggested that ephemeral hidden services should have their lifetime tied to the originating control port connection. I think this is a good idea, but this would be the only control port command that does this sort of thing.

Because for now cpfpy throws commands at Tor and relays back Tor’s answer. It does not keep that control connection open. We discussed this in the cpfpy thread somewhere (Whonix Forum). (We discussed it in a different context: the current inability to register to ControlPort events/callbacks, but this is very similar.)

Will be some time until this lands in Tor stable and applications starting to use it. If we manage to add this feature to cpfpy, this feature could improve usability of hidden services, because then much fewer settings would be required to manually apply on the gateway.

mitm · February 23, 2015, 2:11pm

T192

Sounds like a good workaround. There is a project Micah is working on to help Tor dependent packages to work in the VM model.

github.com/onionshare/onionshare

hidservd: Solution to the TBB vs. system Tor problem

opened 10:17PM - 28 Sep 14 UTC

closed 01:59AM - 16 Nov 15 UTC

micahflee

enhancement help wanted

OnionShare is a simple app, but it turns out there are some gnarly issues relate…d to picking what tor to use, how to package it for Windows and OSX, what permissions need to be required, etc. Right now OnionShare requires Tor Browser Bundle to be running in the background, so it can use the tor process that's included there. This is great for Windows and OSX because there isn't currently an officially supported way to install a system Tor on those platforms where you get auto-updates, etc. And OSX and Windows don't have sane dependency systems, so you can't just mark "tor" as a dependency of "onionshare" like you can in Linux. This is annoying though because you need to install a second piece of software and open it separately. And in Linux, where system Tors are easy and officially supported, this isn't necessary. Requiring TBB might also [prevent OnionShare from being included in Debian's main repo](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762890) (will be included in contrib instead). And requiring TBB isn't practical in Tails, where the user must use the system Tor, or in Whonix or Qubes AnonVMs, where the Tor process is running in a different VM than the OnionShare process. (Related issues: #130, #27) I describe the problem with just relying on a system Tor in Linux in this [debian bug](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762890#10): > Unfortunately OnionShare doesn't work with the system tor without changing a bunch of stuff around, due to limitations in tor. Instead it's recommended that you install Tor Browser Bundle (perhaps using the torbrowser-launcher Debian package) and run it before running OnionShare. > > When you connect to the control port, you start a hidden service by setting the values HiddenServiceDir and HiddenServicePort. The control port doesn't respond with the .onion address, which is an important thing to know. The only way to learn that is to look in HiddenServiceDir for a file called "hostname" and read its contents. If you're using a system tor, that file is only readable by the debian-tor user, which means an unprivileged user can't learn the .onion address. > > Also (at least I believe) in the default Debian torrc file the control port isn't enabled. So users would have to edit their torrc before being able to use OnionShare. > > If the user has Tor Browser open, it will be running its own separate Tor process as the current user. So when it writes a hostname file to HiddenServiceDir, that file is readable by the current user. One way of solving this problem would be to make OnionShare launch its own, separate tor process and use that (this has the added benefit of bypassing #87 too). I don't want to do this for Windows and OSX though, because I don't want to bundle a copy of Tor with OnionShare, for a variety of reasons. But it could totally work for Linux -- except not for the Tails, Whonix and Qubes AnonVM use-cases listed above. Also, if I did this I'd have to create a UX for configuring Tor with bridges, etc., where if you depend on TBB then the user has already configured it to their needs. Another way of solving this, that would solve the problem for all Linux use-cases including normal desktop distros like Debian, Ubuntu, etc., as well as the high security edge cases like Tails, Whonix, and Qubes AnonVMs, would be to make an extra daemon that runs in the background (hidservd) that's responsible for starting and stopping hidden services (and would have the added benefit of bypassing #87). It could work like this. There can be a hidservd-server package that listens on either a unix socket or a TCP socket. Commands it accept would include: - `start_hs(port)`: starts a hidden service on that port and returns the .onion address (and changes iptables rules to let tor connect to that port, if necessary, like in Tails) - `stop_hs(port)`: stop the hidden service (and change iptables rules back, if necessary) There can be a python package hidservd-client, that can connect to a hidservd-server either through a unix socket (in the case where tor and onionshare are run in the same VM, like in Debian, Ubuntu, Fedora, etc.) or a TCP socket (in the case of Whonix or Qubes). In this way, OnionShare in OSX and Windows would require TBB, like it currently does. OnionShare in desktop Linux distros would depend on a system Tor and hidservd-server running in the background, but from a UX perspective it would all just work, without requiring TBB open or having to elevate privileges to root. This would also be the case for Tails. And Whonix and Qubes AnonVM users would just need to have their OnionShare desktop shortcuts open something like `onionshare-gui --hidservd=[IP]:[port]` and then it, too, would just work. This also would have the added benefit of solving this problem for similar projects that will inevitably run into it, such as Ricochet https://github.com/ricochet-im/ricochet, because they could depend on hidservd-server too.

If it makes sense for what this ticket, you can collaborate on a single solution to avoid duplication of effort.

Patrick · February 23, 2015, 4:10pm

Sounds good.

mitm · February 27, 2015, 1:32am

The proposed repository naming scheme is confusing with stable-testing vs testing. Why not emulate Debian’s naming conventions and stability levels?

They would be easy to recognize for any regular Linux user as for what to expect when choosing.

Patrick · February 27, 2015, 10:03am

Thanks for your feedback.

The two distributions don’t compare. Debian is a much bigger distribution. Much more maintainers with strong social ties. Dedicated release team and whatnot.

testing vs testers: Debian testing is used by a lot as rolling distribution replacement. “Real” Debian testers use Debian “unstable”. Few regular users do, but most Debian package maintainers run such a machine or VM somewhere, since they need it for development.

To be on par with Debian, the repository would need to be named “stable-proposed-updates”. Is that name any more clear?

proposed-updates:
https://www.debian.org/releases/proposed-updates.html
https://wiki.debian.org/StableProposedUpdates

Ever heard about that? Not very popular, no?

To make confusion perfect, there is also a separate Debian “StableUpdates” repository:
https://wiki.debian.org/StableUpdates

mitm · February 27, 2015, 5:32pm

I had not heard about stable-proposed-updates before but the name makes things more clear.

Patrick · June 26, 2015, 5:18pm

‘IsolateDestAddr and IsolateDestPort’ discussion split: