Whonix-Gateway Tor 0.2.9.9 (unrecommended) -- No Update...Unsafe?

qtech123 · August 21, 2017, 8:45pm

Running Qubes 3.2 with newest Whonix-Gateway RPM 3.0.6-2016-12182342 [1]

The arm monitor reports the current Tor package at version: 0.2.9.9 (unrecommended)

The (unrecommended) tag is in red, as if to possibly warn the user of an insecure version of Tor.

The Tor Blog reports the newest Tor version in the 3 series as 0.3.0.10 on August 02, 2017 [2]

Running sudo apt-get dist-upgrade has not offered any Tor upgrades in a while.

Why isn’t a newer recommended version of Tor offered in the Whonix-Gateway?

Is running this old 0.2.9.9 version possibly unsafe?

How does one upgrade to a newer recommended version of Tor?

[1] https://yum.qubes-os.org/r3.2/templates-community/rpm/
[2] Tor 0.3.0.10 is released | The Tor Project

0brand · August 21, 2017, 10:48pm

For future reference you should use the forum search engine at the top right of your screen before you create a new post. If you had entered “tor unrecommended” or "unrecommended " you would have found this duplicate post which still applies to your questions.

updatesneeded · October 20, 2017, 12:21pm

boring, now is the whonix update with 0.2.9.10 and the new one with many security fixes is 0.2.9.12.
Why goes Whonix the unsafe way and dont update directly to the newest stable? and then asks for a donation ^^ for his permernent out-of-date product pfff

entr0py · October 20, 2017, 4:19pm

I agree that we should update to 0.2.9.12 as a best practice.

There is one security fix in 0.2.9.11 and one in 0.2.9.12. Both only affect users running onion / hidden services.

0.2.9.11 fixes TROVE-2017-005: “a bug that would allow an attacker to remotely crash a hidden service with an assertion failure.”[1]

0.2.9.12 fixes TROVE-2017-008: “a security bug that affects onion services running with the SafeLogging option disabled.”[2] (SafeLogging is enabled by default.)

[1] Tor 0.3.0.8 is released, with a fix for hidden services! (Also As are 0.2.4.29, 0.2.5.14, 0.2.6.12, 0.2.7.8, 0.2.8.14, and 0.2.9.11) | The Tor Project
[2] New Tor stable releases (0.2.8.15, 0.2.9.12, 0.3.0.11) with fix for onion service security issue | The Tor Project

Advanced users have several options:

Update to 0.2.9.12 by building from source here. Instructions.
Update to latest stable version (currently 0.3.0.11 0.3.1.7) by installing anon-shared-build-apt-sources-tpo [3] or by manually adding torproject repos. Compatibility with Whonix not guaranteed.

[3] Testers Wanted! Tor - Stable Upgrades - #5 by Patrick

It’s not “his” product. It’s ours. And you’re welcome to support its continued existence by making suggestions like you did at any time. You may also submit pull requests, suggest new tickets, or donate so others can work on development. How to contribute.

entr0py · October 20, 2017, 5:47pm

Tor 0.3.0.x introduced an updated directory authentication mechanism as well as new guard selection algorithms. Tor 0.3.1.x introduced compact directory formats and network padding (which requires both clients and relays to be updated to be functional).

Since these are major new features, these clients should be tested before being uploaded to Whonix stable. My guess is that Whonix will stay on 0.2.9.x until Whonix 14. (FYI, 0.2.9.x is an LTS release and will remain officially supported until Jan 2020). If you’d like to help test, simply clone your whonix-gw template and follow the instructions above to upgrade to 0.3.1.x.

Patrick · October 20, 2017, 9:38pm

Security Guide - Whonix

It’s time consuming maintaining Whonix stable as well as developing the new version based on a newer version of Debian.

There are no automated tests to make sure upgrades don’t break connectivity for everyone and no code contributions for that sort either.

However… The less time I spend on forum support and wiki, the better the quality by the community. Amazing! (Unfortunately, the same isn’t happening with the code.)

We could also stay on tor 0.2.5.[…] as long as Whonix is jessie based and then tor 0.2.9.[…] as long as Whonix is stretch based, i.e. using the stable versions maintained by Debian, see:

Install Additional Software Safely

This was the case in earlier versions of Whonix but then things happened creating a strong urge to use the version from deb.torproject.org. I was wondering if it was best to move Whonix back to that method if possible.

entr0py · October 20, 2017, 10:03pm

The best option would be if we could pin major version (0.2.9.*) in apt/preferences but torproject’s repo only contains the latest stable version so we would lose updates as soon as 0.3.0.* came out.

Will see if I can find out why they don’t keep all supported versions in their repo (or maybe I’m doing it wrong.)

Patrick · October 20, 2017, 11:20pm

True.

You probably know but in case anyone is wondering: an automatic 0.2.9 -> 0.3 upgrade of Tor could break connectivity for Whonix users. (Happened in past. AppArmor, configs and whatnot.) That’s why it’s not as easy as enabling torproject’s repository by default for everyone.

Because then we could stay with the version from Debian.

torjunkie · October 21, 2017, 11:23am

Well mr-updates-needed, given 3.1.7 was just uploaded to Jessie proposed updates, you have nothing to complain about.

BTW - working nicely.

@Patrick

Given this version of Tor supports padding, I think we should recommended users set the following in their torrc file for better security against network analysis:

ConnectionPadding 1

Rationale:

Tor 0.3.1.7 is now released! | The Tor Project

Major features (traffic analysis resistance):

Connections between clients and relays now send a padding cell in each direction every 1.5 to 9.5 seconds (tunable via consensus parameters). This padding will not resist specialized eavesdroppers, but it should be enough to make many ISPs’ routine network flow logging less useful in traffic analysis against Tor users.

Padding is negotiated using Tor’s link protocol, so both relays and clients must upgrade for this to take effect. Clients may still send padding despite the relay’s version by setting ConnectionPadding 1 in torrc, and may disable padding by setting ConnectionPadding 0 in torrc.

If you agree, I’ll edit the wiki here (they can add an additional line under the Sandbox 1 entry):

Security Guide - Whonix

Patrick · October 21, 2017, 11:59am

torjunkie:

ConnectionPadding 1

Adding to the wiki: yes, why not.

Changing the default in Whonix: We should mirror what Tor is doing

by default, i.e.:
/usr/share/tor/tor-service-defaults-torrc
( /etc/tor/torrc )
( /etc/tor.d )

Is this a default by Tor yet? Do they have a ticket making it the
default so we can monitor progress?

torjunkie · October 21, 2017, 2:14pm

-> Added to Security guide (plus I moved a few things around so it is more logical).

I searched but couldn’t find a relevant Trac ticket re: default paths & torrc.

Anyhow, for testing purposes I can report that this Qubes-Whonix system successfully runs in combination:

Tor version 0.3.1.7 (with torrc settings Sandbox 1, ConnectionPadding 1)
Apparmor profiles in Whonix-WS and Whonix-GW enforced (from latest github commits)
Firejailed Tor Browser (both v7.07 and 7.5a6)

Although the Whonix onion has been a bit spotty the last day or so? Could be my shit connection. Seems to run better with latest Tor upgrade.

0brand · December 1, 2017, 11:48pm

Hi Patrick

I searched Tor track and could not find anything either.

Would you like me to open a ticket for this? Might be worth a try.
If so, just wanted to clarify, you mean:

Moving towards making 1 of the paths the torrc default.

Reasons:

Simplicity ( less confusion )
Projects/Devs mirror Tor default for good reason. This would mean better continuity.

Related: Not sure if you were aware of open ticket to set ConnectionPadding 1 by default.

https://trac.torproject.org/projects/tor/ticket/23955

0brand · December 2, 2017, 11:00am

Done!

https://trac.torproject.org/projects/tor/ticket/24492#ticket