Tor integration in Whonix

Patrick · August 2, 2021, 12:03pm

Likely going for tor (0.4.5.9-1) from Debian -- Details of package tor in bullseye in Whonix 16 (Debian bullseye based).
(Pros and cons above in this forum thread.)

Patrick · September 8, 2021, 2:25pm

Yes.

torjunkie · September 26, 2021, 9:23pm

One obvious downside of sticking to Debian’s (snail pace) Tor version: missing security/privacy advantages of later Tor releases.

Do we really want to wait two years to benefit from these kinds of advantages i.e. when a new Debian version is released? This negative will only become larger as the Debian stable version ages.

(my bold)

https://blog.torproject.org/tor-0.4.7.1-alpha-released

This version is the first alpha release of the 0.4.7.x series. One major feature is Vanguards Lite, from proposal 333, to help mitigate guard discovery attacks against onion services. It also includes numerous bugfixes.

&

Major features (Proposal 332, onion services, guard selection algorithm):

Clients and onion services now choose four long-lived “layer 2” guard relays for use as the middle hop in all onion circuits. These relays are kept in place for a randomized duration averaging 1 week. This mitigates guard discovery attacks against clients and short-lived onion services such as OnionShare. Long-lived onion services that need high security should still use the Vanguards addon (GitHub - mikeperry-tor/vanguards: Vanguards help guard you from getting vanned...). Closes ticket 40363; implements proposal 333.

HulaHoop · September 26, 2021, 10:58pm

Technically isn’t the vanguard plugin applying the longer turnover to onions for all of them?

Patrick · September 27, 2021, 1:01pm

The specific feature:
We’re using “vanguards full” (not lite):

Should be better?

Patrick · November 9, 2021, 7:58pm

rustybird · November 9, 2021, 8:34pm

I wonder if it would make sense to install anon-shared-build-apt-sources-tpo by default, and to have Whonix Gateway depend on the exact tor version that’s currently bundled in the latest stable Tor Browser release?

Whenever the Whonix Gateway tor version is out of sync with the mainline Tor Browser tor version, it’s a potential fingerprinting hazard.

Patrick · November 9, 2021, 8:54pm

That would come with some disadvantages documented under Tor integration in Whonix ™ Development Notes starting from:

2. Use latest stable in TPO repository […]

I am not saying it shouldn’t be done. Only linking to previous thoughts to consider before making such a big change.

What versions are provided by deb.torproject.org is not being kept fully synchronous. It’s contributed, maintained by Peter Palfrader (also a Debian developer) last time I checked. Great year long service btw! However, The Tor Project does not orchestrate TBB and deb.torproject.org releases being always having the same/compatible versions.

By hard coding a version dependency it would break the build process as soon as deb.torproject.org changes. When deb.torproject.org is changed is unpredictable form my point of view.

Indeed. A price to pay for Tor / Tor Browser isolation. But I don’t think it can be resolved without having Tor Browser + Debian tor package being properly maintained in packages.debian.org (which is unfortunately highly unlikely for Tor Browser, not happening for a decade or so) while deb.torproject.org can have different versions (mostly Tor Browser using a newer version than available in deb.torproject.org but it could also happen vice versa) because it’s all different development teams and release cycles, deb.torproject.org, Tor core, TBB.

Patrick · November 9, 2021, 9:15pm

https://github.com/Whonix/Whonix/commit/a9034f6238997de4ecdfab4def96cb1a219aeab4

https://github.com/Whonix/Whonix/commit/5542f3491045ac2ef9db42f8ffcc112baef4cd7b

Patrick · November 13, 2021, 10:14pm

Patrick · February 15, 2022, 4:58pm

by @torjunkie

Patrick · February 15, 2022, 5:55pm

handy for reference:

Above link still lists:

Version: 0.4.6.9-1~d11.bullseye+1

In other words, not yet available from deb.torproject.org.

torjunkie · April 9, 2022, 11:48pm

Noted.

Version 0.4.7 will be be stable soon enough.

Patrick · May 25, 2022, 2:12pm

tor_0.4.7.7-1~d11.bullseye+1_amd64.deb

Is now in the testers repository.

Patrick · June 5, 2022, 11:27am

Now in stable repository.

Patrick · June 18, 2022, 8:53am

Patrick · June 18, 2022, 8:56am

Today, we release 0.4.7.8 fixing several issues including a High severity security issue only affecting the 0.4.7.x series. You can track this issue with TROVE-2022-001 and CVE-2021-38385.

Please note that at the moment, the full details of the security issue are not yet public as we are waiting on the OS distribution packages to be updated and the network to be on its upgrade path.

This security issue is not affecting the safety of the tor host system itself and is categorized as a Denial of Service thus affecting performance and possibly anonymity.

We STRONGLY recommend anyone on an earlier version to upgrade as soon as possible to tor 0.4.7.8 (this release). OS packages are on the way!

Patrick · June 18, 2022, 8:58am

tor 0.4.7.8 not yet available from deb.torproject.org - refer to Tor integration in Whonix - #19 by Patrick on how to check that has changed. Once available, I upload to deb.whonix.org.

Patrick · June 20, 2022, 11:41am

tor 0.4.7.8 is now in all repositories.

Patrick · August 16, 2022, 11:23am