[tor-talk] [Tails-dev] Please review Tails stream isolation plans
Nick Mathewson
nickm at alum.mit.edu
Thu Aug 30 15:10:52 UTC 2012
On Wed, Aug 29, 2012 at 10:04 AM, intrigeri <intrigeri at boum.org> wrote:
> Hi,
>
> Nick Mathewson wrote (29 Aug 2012 13:22:36 GMT) :
>> I'd need an actual list of applications to think about
>> IsolateDestAddr. Which ones did you have in mind?
>
> Thank you for having a look.
You're welcome!
Now here's the email where I show how little I actually know about
protocols not called "Tor". ;)
> The main network applications shipped in Tails, that would get
> IsolateDestAddr according to our plan, are:
>
> * Claws Mail (replaced with icedove / Thunderbird, some day)
Not too scary. A typical mail program will make connections to,
like, one SMTP server and a small handful of POP/IMAP servers, right?
So this isn't a lot of circuits; seems like a fine idea. You could
probably get a little better by allowing the SMTP and POP stuff for
each email account to share a circuit, if you can figure out a way to
make that work.
> * Pidgin
Not too scary, I think. You'd typically wind up with one destination
per chat, or one per chat protocol?
> * Liferea RSS feed reader
This one is a little scary. Do I understand correctly that an RSS
reader will make a separate connection for every RSS feed that you
subscribe to? If so that might make some pretty serious load.
> * Gobby
This has one destination per open session? Seems fine.
> Then you have a few command-line ones such as wget. Also, some
> software that is not SOCKS aware, such as APT, goes through Polipo (to
> be replaced with Privoxy, some day).
Oh wow. Instead of shunting these applications' traffic through
Polipo or privoxy, have you considered relinking against torsocks to
*make* applications understand SOCKS, or using some kind of iptables
trickery? When we stopped using those proxies, we weren't really
thrilled with their security or their performance. It makes me
uncomfortable to see "and here goes an HTTP proxy" in any Tor design
these days.
> Basically, that's it.
Cool.
> Note, however, that Tails users may choose to install whatever they
> want from the Debian archive, or hand-compile whatever they feel like,
> but I doubt the ones who will do so, and unfortunately pick
> applications that don't play well with IsolateDestAddr, will be that
> many to make a measurable difference.
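As an added illustration of the plan discussed above (an example torrc fragment written for this page, not configuration from Tails or from either author), here is how the per-application split could be expressed with one SocksPort per application. The port numbers are assumptions; the RSS reader's port deliberately omits IsolateDestAddr to show the trade-off Nick raises for Liferea, since separate SocksPort listeners are already isolated from each other by default:

```text
## Added example torrc fragment; port numbers and the per-application
## split are assumptions for illustration.

## Mail client: one destination per SMTP/IMAP server, so isolating by
## destination address costs only a handful of circuits.
SocksPort 127.0.0.1:9061 IsolateDestAddr

## Chat client: roughly one destination per protocol/server.
SocksPort 127.0.0.1:9062 IsolateDestAddr

## RSS reader: many feeds means many destinations. Without IsolateDestAddr
## all feeds share circuits, avoiding the load concern raised above; the
## listener is still isolated from every other application's listener.
SocksPort 127.0.0.1:9063

## General-purpose port for SOCKS-aware command-line tools such as wget,
## isolated per destination.
SocksPort 127.0.0.1:9064 IsolateDestAddr
```

Each application is then pointed at its own port (through its SOCKS settings or torsocks), so a compromised or misbehaving client on one port cannot ride circuits belonging to another.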