Re: Recommendations for browsing via Tor pre tor-browser?

[Chris Marusich]

Christopher Lemmer Webber <address@hidden> writes:

> Chris Marusich writes:
>
>> I know what you mean, but I think having TOR listen on localhost is
>> safer than having a Guile REPL listen on localhost.  In the case of
>> Guile, the risk is arbitrary code execution.  In the case of TOR, I
>> suppose the risks might be that an attacker would be able to make
>> requests over TOR from your machine.  Perhaps by making such requests,
>> they might also be able to infer that you are using TOR (although it's
>> already possible to determine that a person is using TOR simply by
>> watching their IP traffic).  In any case, since TOR is functioning as a
>> proxy, not a Turing-complete programming language, the things an
>> attacker could do or learn by making requests from your machine to the
>> localhost TOR seem limited.  Compared to the risk of arbitrary code
>> execution, it seems much safer to me.
>
> What about sending messages to a specific .onion address to unmask you?
> If you send a unique request to http://foobarbaz.onion/?id=50108560 (or
> ip=...) you might be able to associate a specific address.
>
> It may be that this is not as easily possible since I suspect Tor is not
> as susceptable to a line-oriented attack, so maybe it's not a concern...
> I dunno.

I think you're right: the fact that a malicious actor can induce
requests to your localhost endpoint is cause for concern, even if the
exact methods of exploitation are not obvious.

I looked into this.  I learned that Firefox (and our IceCat) supports a
SOCKS proxy using UNIX domain sockets [1].  If you've started TOR with a
socks socket at /var/run/tor/socks-sock, you can tell IceCat (or
Firefox) to use it by entering the socket path as your SOCKS proxy.
Specifically, in the IceCat built by Guix, you would do this:

* Click on the "hamburger menu" in the upper right (the icon looks like
  three fat lines stacked on top of one another).
* Go to Preferences > Advanced > Connection > Settings.
* Select "Manual proxy configuration".
* Select SOCKS v5 (because v5, unlike v4, supports sending DNS queries
  through the SOCKS proxy).
* Enter "file:///var/run/tor/socks-sock" in the SOCKS Host field (no
  quotes required).  The UI still makes it seem like you need to enter a
  port, but you can put any value in here, and it won't matter, since
  UNIX domain sockets don't use ports.
* Scroll to the bottom and make sure "Proxy DNS when using SOCKS v5" is
  checked.
* Click OK.

Assuming that TOR is running and the permissions on its SOCKS socket
allow you access, you can browse to https://check.torproject.org/ and it
should tell you that you're connected over TOR.  You can also check the
TOR messages sent to /var/log/messages to confirm that stuff is
happening.

Since using a UNIX domain socket for TOR is probably better than using a
localhost endpoint, we should make it easy to run a configuration like
this via the tor-service.  Currently, it's a little awkward to do, since
to set it up, you need to arrange for the directory that contains the
socket to have certain permissions, or else TOR refuses to start.  If
nobody beats me to it, I could try my hand at this in a few days' time.

Devan Carpenter <address@hidden> writes:

> Please keep in mind that none of the interim solutions are safe compared
> to tor-browser.
>
> [...]
>
> There are some other anonymizing features that I forget now, but that's
> the main one which stands out, and the point is that you should be very
> cautious using another browser via Tor.

For sure - I agree.  However, since we don't have TOR browser yet in
GuixSD, I think manually configuring IceCat to use the tor-service as a
SOCKSv5 proxy is better than nothing.  If we can do it over a UNIX
domain socket instead of via a localhost endpoint, so much the better.

Footnotes: 
[1]  https://trac.torproject.org/projects/tor/ticket/20111

-- 
Chris

signature.asc
Description: PGP signature