Tor Browser 6.5a4 connectivity broken, blocked by apparmor profile (since TBB changed to SocksSocket)

Hi Patrick,

I’m glad to hear you got it working in Whonix 14!

https://phabricator.whonix.org/T192

The variable names ended up being:

TOR_SOCKS_IPC_PATH
TOR_CONTROL_IPC_PATH

Happy to report that Whonix 14 with Tor Browser 6.5a4-hardened unix domain socket files redirection works for me.

Regarding the release of Whonix 14, I for one would vote for sooner, based upon:

  • Dec 1 deadline for FBI passing new rules which they will interpret as wholesale permission to attack anybody disguising their locale via Tor i.e. all Tor users

  • Most Whonix users I suspect are already defaulting to the hardened Tor Browser series to get additional memory (and other) protections not present in the default version. This is likely since they already invest a lot of time to get Whonix or Qubes-Whonix up and running

  • Whonix 14 looks like it comes with a host of new features already, including nice things like .onion lookups for updates

Does the apparmor profile need an additional permission also for writing to that specific (Tor data?) directory for socks port purposes?

Also, can we follow your directions from the phabricator entry to get it working?

Regards

@Patrick I think you need to make an official Whonix statement about Tor Browser versioning. Whonix does not endorse using experimental software in any other capacity (including system tor-alpha). Are we making an exception for Tor Browser? I have not seen any official guidance from Tor Project. These snippets are from the comments section of 5.5a5-hardened release notes:

At present there is no stable release of Hardened Tor Browser. Alpha releases have new features that can be buggier than stable. In a sense, it may have more security features but those features are more likely to fail.


gk reply to “hardened stable release coming?”:

Probably not as the hardened series is considerably slower and uses considerably more memory than the stable one due to the Address Sanitizer and other additional hardening features.


Different versions have different fingerprints. Give some other users a chance to check out Panopticlick and your rating will get better.

With that said, this is an alpha version of Tor Browser. It’s likely to not have as many users as stable, and is a platform to experiment with new features that may have unintended side effects.


Unless you make an exception, torbrowser-experimental should correspond with whonix-experimental/testing; and there should be no reason to rush whonix-stable unless it were to be incompatible with torbrowser-stable. It would be good to get rid of this ambiguity.

1 Like

Hi entr0py,

That is a valid viewpoint. In making any decision, let’s review the differences as it stands right now.

Tor Browser

The main differences between the hardened Tor browser and the standard Tor browser are:

https://lists.torproject.org/pipermail/tbb-dev/2016-June/000382.html

David Fifield:

I wanted to know what exactly is different in the hardened series.

The master…hardened-builds diff has many spurious changes and is not
that clear:
builders/tor-browser-bundle - Old (2013-2017) build scripts for the Tor Browser Bundle based on gitian-builder

The best I can tell, the differences are:

  • ASan
  • --enable-expensive-hardening for tor (enables -fsanitize=address,
    -fsanitize=undefined, and -fno-omit-frame-pointer)
  • selfrando

This is correct. Additionally, we compile the browser part with -fwrapv. Note, selfrando is not available in the alpha series yet, only in nightly builds. This will change with the next release, though.

Georg

And what is -fwrapv?

-fwrapv
This option instructs the compiler to assume that signed arithmetic overflow of addition, subtraction and multiplication wraps around using two’s-complement representation. This flag enables some optimizations and disables others. The options -ftrapv and -fwrapv override each other, so using -ftrapv -fwrapv on the command-line results in -fwrapv being effective. Note that only active options override, so using -ftrapv -fwrapv -fno-wrapv on the command-line results in -ftrapv being effective.

So, with respect to the hardened browser, you get the benefits of (an experimental build) providing:

I. Selfrando - providing significant protection against de-anonymization exploits (see paper below)

II. ASAN - address sanitizer to help detect use-after-free and out-of-bounds memory errors in C/C++ programs

https://developer.mozilla.org/en-US/docs/Mozilla/Testing/Firefox_and_Address_Sanitizer

Downsides:

  • Potentially more fingerprintable
  • Greater memory use
  • Potentially less stable experience

Tor Process

With respect to the tor process, it is true the hardened-series is currently defaulting to an alpha version - 0.2.9.5-alpha, instead of the stable version 0.2.8.9

That comes with the usual Tor Project rider:

Please note: This is an alpha release. You should only try this one if you are interested in tracking Tor development, testing new features, making sure that Tor still builds on unusual platforms, or generally trying to hunt down bugs. If you want a stable experience, please stick to the stable releases.

Personally, I would err on the side of less caution i.e. sacrificing potential stability to have huge gains in security. Also, the Tor devs themselves state they think they have squashed almost all the main bugs in the 0.2.9 series.

The call can only be made by the core Whonix developers who are over-worked, underpaid and generally unappreciated. But, I do note the Whonix website already states something like:

Whonix is experimental software. Do not rely on it for strong anonymity.

1 Like

torjunkie:

Does the apparmor profile need an additional permission also for
writing to that specific (Tor data?) directory for socks port
purposes?

No. The apparmor warning was just a follow-up issue of not using unix
domain sockets, i.e. trying to use Tor that comes with TBB rather than
not using Tor that comes with TBB.

Also, can we follow your directions from the phabricator entry to
get it working?

Try installing anon-ws-stacked-tor from git. And reboot (easy) or
reload TBB specific environment variables (harder).

entr0py:

@Patrick I think you need to make an official Whonix statement about Tor Browser versioning.

My recommendation is what tb-updater is stating.

Only versions still considered secure should be listed here. Higher
version numbers does not necessarily mean more secure here. Could be
alpha or beta versions. In most cases you are best off choosing the
lowest version number among them.

  • It has more users, therefore hopefully better anonymity.
  • Default download by The Tor Project and I am not trying to outsmart
    them on that.
  • Less troublesome Whonix maintenance wise (support requests).
  • Most likely be functional at installation time. (Like now, the
    anon-ws-disable-stacked-tor package needs an update to make that TBB
    alpha work while TBB stable is still functional.)

Are we making an exception for Tor Browser?

No.

I have not seen any official guidance from Tor Project.

I go with their default download on torproject.org. We could ask for
clarification about this on the Tor mailing list, but I doubt it is
required.

Unless you make an exception, torbrowser-experimental should
correspond with whonix-experimental/testing; and there should be no
reason to rush whonix-stable unless it were to be incompatible with
torbrowser-stable. It would be good to get rid of this ambiguity.

It’s been appreciated that some users use hardened alpha - contributing
as a tester - so we get notified about any issues here. So these can be
fixed before most users using stable bump into them.

When the current TBB alpha gets blessed TBB stable and users
automatically update using TBB internal update, it really ought to not
break connectivity. So I am prioritizing getting this fixed. Either by
an updated anon-ws-disable-stacked Tor package or releasing Whonix 14
sooner.

1 Like

It’s also worth noting that the alpha Tor Browser series is due to have application level sandboxing by the end of this year.

So, if all goes to plan, Tor Browser based on Firefox 45.6 ESR (due for release on 13 December) will have this available and, fingers crossed, will be compatible with Whonix.

See here:

https://blog.torproject.org/category/tags/sandbox

The amount of information Tor Browser will learn about your computer, and thereby you, will be limited. For example, the sandbox will hide things like your files, and real IP and MAC addresses from Tor Browser.

When will the sandbox be available to users?

This is experimental. Right now I have something that works on my laptop. It is not user friendly at all. It’s a functional prototype. By the end of the year it will be available in alpha form for early adopters to experiment with.

I think overall there is a strong rationale for Whonix users to default to something offering ASAN, Selfrando & a compatible sandbox, in contrast to the standard ‘stable’ version.

As a reminder, Rule 41 scheduled for December 1 will authorize mass hacking on a global scale, given judges are notoriously retarded when it comes to considering the implications of warrants they issue for technical matters:

The changes to Rule 41 would allow judges to grant warrants to search and seize electronic media located outside of their home districts when the location of the information is “concealed through technological means."

For instance, when a person is using Tor.

The broad search warrants allowable under these new rules will apply to people using Tor in any country—even if they are journalists, members of a legislature, or human rights activists. The FBI will be permitted to hack into a person’s computer or phone remotely and to search through and remove their data. The FBI will be able to introduce malware into computers. It will create vulnerabilities that will leave users exposed.

It’s not just the FBI, but every other state engaging in the same behaviour. All of these draconian laws passed in the last few years are just authorizing what has been going on for probably more than a decade.

1 Like

Progress has been made. anon-ws-disable-stacked-tor package is “mostly” ready, but I am running into a strange Qubes bug.

Testers wanted!

I managed to create a Whonix stable upgrade. anon-ws-disable-stacked-tor version 3:2.3-1 is now available from Whonix jessie-proposed-updates and testers apt repository.

( Whonix ™ APT Repository )

Once you have updated that package and rebooted, Tor Browser version 6.5a4 will have fixed connectivity. Please test!

(Whether you run sudo apt-get autoremove after upgrade to get rid of rinetd [previously used to implement anon-ws-disable-stacked-tor] doesn’t matter, since it will be doing nothing but waste a very little memory if it stays.)

2 Likes

Tested in a plain Debian VM and it works! :slight_smile:

1 Like

Hi Patrick,

Also working here on Qubes-Whonix! Great job. :slight_smile:

However, note there is the occasional network error on these forums - not present in general browsing - stating:

Sorry, we couldn’t load that topic, possibly due to a connection problem. Please try again. If the problem persists, let us know.

The problem is resolved by manually selecting a new Tor circuit. There might be some gremlins in that code, as I’ve never seen that error before using Tor Browser in Qubes.

Since the whonix.org forums connectivity issues are unrelated to the issue in this very thread, please create a new thread for that.

OK, will do if the problem re-emerges.

1 Like

https://forums.whonix.org/t/why-is-tor-browser-allowed-to-connect-to-var-run-anon-ws-disable-stacked-tor-127-0-0-1-9150-sock-by-the-current-apparmor-profile

There is a problem with the current jessie-proposed-updates / testers anon-ws-disable-stacked-tor version 2.3-1. [Current Whonix stable anon-ws-disable-stacked-tor version 2.0-1 does not have that issue.]

In socat TCP-LISTEN:9050,fork TCP:$GATEWAY_IP:9050 etc. the TCP-LISTEN part listens on all interfaces as opposed to on localhost only.

socat supports range, which is better, since it ignores IPs outside of the specified range, but still is not great. The great solution would be to listen on localhost only.

Whonix 13:

  • Qubes-Whonix: not great but no huge issue since Whonix-Workstation is firewalled by default.
  • Non-Qubes-Whonix: issue when using multiple Whonix-Workstations at the same time, since another workstation could connect to another workstation’s socat, which is a security issue.

Whonix 14:

  • not great but no huge issue since Whonix-Workstation is firewalled by default.

I haven’t found a solution yet.

1 Like
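As an added example (not code from the anon-ws-disable-stacked-tor package), the all-interfaces socat form quoted in the post above is shown beside a range-restricted and a loopback-only variant, followed by a check a tester can run over ss -ltn output to spot Tor-port listeners that are still bound to a wildcard address. The gateway address and the ss listing are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from anon-ws-disable-stacked-tor: the all-interfaces
# socat form quoted in the thread beside loopback-only variants, and a check
# that flags Tor-port listeners bound to a wildcard address.
# Assumed Whonix-Gateway address; the real one comes from the package config.
GATEWAY_IP="${GATEWAY_IP:-10.152.152.10}"

# As quoted in the thread: no bind address, so the socket accepts connections
# on every interface of the Whonix-Workstation.
socat_cmd_weak() {
    printf 'socat TCP-LISTEN:%s,fork TCP:%s:%s\n' "$1" "$GATEWAY_IP" "$1"
}

# socat's range option only admits peers inside the given prefix; better, but
# the socket itself is still bound to all interfaces.
socat_cmd_range() {
    printf 'socat TCP-LISTEN:%s,range=127.0.0.0/8,fork TCP:%s:%s\n' "$1" "$GATEWAY_IP" "$1"
}

# Loopback only: bind=127.0.0.1 keeps the socket unreachable from other
# workstations whatever the firewall state.
socat_cmd_localhost() {
    printf 'socat TCP-LISTEN:%s,bind=127.0.0.1,fork TCP:%s:%s\n' "$1" "$GATEWAY_IP" "$1"
}

# Constructed sample of `ss -ltn` output for the audit below.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:9050       0.0.0.0:*
LISTEN 0      128    127.0.0.1:9150     0.0.0.0:*
LISTEN 0      128    *:9051             *:*
LISTEN 0      128    127.0.0.1:631      0.0.0.0:*'

# Reads ss-style lines on stdin and prints each listener on the Tor SOCKS or
# control ports (9050, 9051, 9150) bound to 0.0.0.0, * or [::].
# Returns 0 when none are found, 1 otherwise, so it can gate a test run.
audit_listeners() {
    found=0
    while read -r _state _rq _sq lsock _rest; do
        port="${lsock##*:}"
        addr="${lsock%:*}"
        case "$port" in 9050|9051|9150) ;; *) continue ;; esac
        case "$addr" in
            0.0.0.0|\*|'[::]') printf 'wildcard listener: %s\n' "$lsock"; found=1 ;;
        esac
    done
    return "$found"
}

printf '%s\n' "$SAMPLE_SS" | audit_listeners || echo 'fix: add bind=127.0.0.1 to TCP-LISTEN'
```

On a live Whonix-Workstation the same check is `ss -ltn | audit_listeners`; a non-zero exit means a forwarder is still reachable from other VMs on the same network.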

Solution found. You can emulate these changes for now.

Package upgrade coming soonish.

Another unrelated change. A less important (at this time) enhancement. Just to make it more future proof.

Manual edits work. Whonixcheck works okay on both the GW and WS.

For impatient linux newbies, it should be pointed out they are manually editing the file:

/usr/etc/anon-ws-disable-stacked-tor.d/30_anon-dist.conf

on the Whonix-WS template with those changes in the hyperlink.

2 Likes

torjunkie:

/usr/etc/anon-ws-disable-stacked-tor.d/30_anon-dist.conf

Drop the /usr. Correct is:

/etc/anon-ws-disable-stacked-tor.d/30_anon-dist.conf

Yes, sorry that’s right.

1 Like

anon-ws-disable-stacked-tor 2.4-1 with above changes now in jessie-proposed-updates and testers repository.