[tor-talk] Review request: TorVM implementation in Qubes OS
adrelanos
adrelanos at riseup.net
Fri Oct 19 11:30:27 UTC 2012
Abel Luck:
> adrelanos:
>> Abel Luck:
>>> adrelanos:
>>>> Hi,
>>>>
>>>> Is it Amnesic or can it be made Amnesic?
>>>>
>>>> Or in other words.... Can you be sure, that after deleting (or wiping)
>>>> the torified AppVM no activity can not be reconstructed with local disk
>>>> forensics? Could the torified AppVM be securely wiped without any
>>>> leftovers? (Leftovers such as swap, or what else?)
>>>
>>> Regarding deletion of the VM: I was under the impression secure deletion
>>> was not possible on modern SSDs.
>>>
>>> On the other hand, it should be possible to create an AppVM whose
>>> writeable diskspace lies in enitrely in RAM. I'll investigate this.
>>>
>>>>
>>>> Is Tor's data directory persistent, i.e. does it use Entry Guards?
>>>>
>>> I've not configured this explicitly, do you have any suggestions?
>>
>> Tor Browser Bundle users are using persistent Entry Guards.
>>
>> Final goal should be to share the same fingerprint with them (web
>> fingerprint, traffic fingerprint for local observer). If you manage to
>> use Tor Browser in the AppVM and Entry Guards in the TorVM, the
>> fingerprint should be the same. Except, that you added strong security
>> by isolation for the case of a browser exploit.
>>
>> Whonix uses persistent Entry Guards and Tor Browser.
>>
>> Persistent Entry Guards are planed for Tails.
>> https://tails.boum.org/todo/persistence_preset_-_tor/
>> https://tails.boum.org/todo/persistence_preset_-_bridges/
>>
>> Tor Browser is planed for Tails.
>> https://tails.boum.org/todo/replace_iceweasel_with_Torbrowser/
>>
>> Persistent Entry Guards are considered for Liberte Linux:
>> Please see recent thread "[tor-talk] Location-aware persistent guards".
>>
>> So the answer is yes, I in most cases I recommend persistence for Entry
>> Guards and Tor's data dir. The same goes for Vidalia, since it can be
>> used to configure Tor and bridges.
>>
>> Some further thoughts on persistent Entry Guards:
>> On the other hand, non-persistent Entry Guards are more amnesic. So if
>> you decide to add a amnesic feature, that should be also possible to do
>> with the TorVM.
>>
>> There is also in the thread "[tor-talk] Location-aware persistent
>> guards" or in the linked ticket
>> https://trac.torproject.org/projects/tor/ticket/2653 are though, that
>> non-persistent Entry Guards are better suited for people who travel a
>> lot / Live CDs.
>>
>
> Hm, interesting. I definitely need to implement persistent entry guards
> then, but providing an amnesiac option will be difficult. When would the
> user choose such an option, and where?
Difficult question, I don't know. For a quick research on any topic up
would be useful to securely erase all local traces. For other tasks, IM
and such, maybe once in a while and never for long term stuff such as
hidden services.
More information about the tor-talk
mailing list