Page MenuHomePhabricator

Managing programs without Tor Socks / DNS Support
Open, NormalPublic


Hoevenstein's AORTA tool can be used to force applications that don't honor Tor DNS which breaks stream isolation.



Event Timeline

HulaHoop triaged this task as Normal priority.Feb 28 2018, 3:22 PM
HulaHoop created this task.

Does aorta support stream isolation? Doesn't look like? It uses hardcoded TransPort / DnsPort.

aorta source code:

#define TOR_TCP_PORT              "9040"
#define TOR_DNS_PORT              "9041"

Without stream isolation it's as good as not using aorta.

Please request a feature to do configure this by command line or environment variable.

Does it modify Whonix-Workstation firewall rules or is this contained through cgroup usage? Please test as per

Another issue: compiled code and not available in We could use a similar solution to bindp.

Does it even work with electrum?

Is it better (less likely to leak) than torsocks electrum (if torsocks would work, we'd already have an uwt wrapper?)?

What can go wrong?

AORTA can only do its magic if the program it starts is under its control. In technical terms: the program must be a child process of the aorta program.

Some programs escape aorta's control if the program is already running. These programs detect at start if there is a running instance of the program. If so, they do not start a new program but instead clone the running program. This clone is a child of th

Can you ask the author please if he considered running under different linux user account name (temporarily and dynamically created) or linux network namespaces? Perhaps that would be more leak proof?

Rewrite in scripting language since C is not really required?

Could you please ask upstream about above? @HulaHoop

Patrick renamed this task from Managing programs without Tor DNS Support to Managing programs without Tor Socks / DNS Support.Jun 24 2018, 4:41 AM
Patrick assigned this task to HulaHoop.
Patrick updated the task description. (Show Details)
Patrick added a project: research.