[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Recommendations for browsing via Tor pre tor-browser?

From: Christopher Lemmer Webber
Subject: Re: Recommendations for browsing via Tor pre tor-browser?
Date: Fri, 20 Jul 2018 12:11:49 -0400
User-agent: mu4e 1.0; emacs 26.1

Chris Marusich writes:

> I think you're right: the fact that a malicious actor can induce
> requests to your localhost endpoint is cause for concern, even if the
> exact methods of exploitation are not obvious.
> I looked into this.  I learned that Firefox (and our IceCat) supports a
> SOCKS proxy using UNIX domain sockets [1].  If you've started TOR with a
> socks socket at /var/run/tor/socks-sock, you can tell IceCat (or
> Firefox) to use it by entering the socket path as your SOCKS proxy.
> Specifically, in the IceCat built by Guix, you would do this:
> * Click on the "hamburger menu" in the upper right (the icon looks like
>   three fat lines stacked on top of one another).
> * Go to Preferences > Advanced > Connection > Settings.
> * Select "Manual proxy configuration".
> * Select SOCKS v5 (because v5, unlike v4, supports sending DNS queries
>   through the SOCKS proxy).
> * Enter "file:///var/run/tor/socks-sock" in the SOCKS Host field (no
>   quotes required).  The UI still makes it seem like you need to enter a
>   port, but you can put any value in here, and it won't matter, since
>   UNIX domain sockets don't use ports.
> * Scroll to the bottom and make sure "Proxy DNS when using SOCKS v5" is
>   checked.
> * Click OK.
> Assuming that TOR is running and the permissions on its SOCKS socket
> allow you access, you can browse to and it
> should tell you that you're connected over TOR.  You can also check the
> TOR messages sent to /var/log/messages to confirm that stuff is
> happening.

Heck yeah!  This is awesome!

> Since using a UNIX domain socket for TOR is probably better than using a
> localhost endpoint, we should make it easy to run a configuration like
> this via the tor-service.  Currently, it's a little awkward to do, since
> to set it up, you need to arrange for the directory that contains the
> socket to have certain permissions, or else TOR refuses to start.  If
> nobody beats me to it, I could try my hand at this in a few days' time.

Please do.

While you're taking a crack at it, it might be cool if the
tor-hidden-services stuff could also accept unix domain sockets?  What
do you think?

reply via email to

[Prev in Thread] Current Thread [Next in Thread]