
Managing programs without Tor Socks / DNS Support
Open, Normal, Public

Description

Hoevenstein's AORTA tool can be used to force applications that don't honor Tor DNS, which breaks stream isolation.

https://forums.whonix.org/t/managing-programs-without-tor-dns-support/4840/10

Details

Impact
Normal

Event Timeline

HulaHoop created this task. (Feb 28 2018, 4:22 PM)
HulaHoop triaged this task as Normal priority.
HulaHoop edited projects, added Whonix 15; removed Whonix. (Feb 28 2018, 4:23 PM)

Does aorta support stream isolation? Doesn't look like it? It uses hardcoded TransPort / DnsPort.

aorta source code:

#define TOR_TCP_PORT              "9040"
#define TOR_DNS_PORT              "9041"

Without stream isolation it's as good as not using aorta.

Please request a feature to configure this by command line or environment variable.

Does it modify Whonix-Workstation firewall rules or is this contained through cgroup usage? Please test as per https://www.whonix.org/wiki/Dev/Firewall_Refactoring#How_to_refactor_the_firewall_script_while_being_sure_there_are_no_iptables_changes.

Another issue: compiled code and not available in packages.debian.org. We could use a similar solution to bindp.

Does it even work with electrum?

Is it better (less likely to leak) than torsocks electrum (if torsocks would work, we'd already have a uwt wrapper?)?

https://hoevenstein.nl/aorta-a-transparent-tor-proxy-for-linux-programs

What can go wrong?

AORTA can only do its magic if the program it starts is under its control. In technical terms: the program must be a child process of the aorta program.

Some programs escape aorta's control if the program is already running. These programs detect at start if there is a running instance of the program. If so, they do not start a new program but instead clone the running program. This clone is a child of th

Can you ask the author please if he considered running under a different Linux user account name (temporarily and dynamically created) or Linux network namespaces? Perhaps that would be more leak proof?

Rewrite in a scripting language since C is not really required?

Could you please ask upstream about the above? @HulaHoop
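
One way to run the firewall check requested above, as an added example that is not part of the task comments or of aorta: compare `iptables-save` snapshots taken before and after running the tool, ignoring timestamps and packet counters. The function names and sample snapshots are constructed for illustration; the `REDIRECT` rule is a hypothetical change that reuses the `9040` port from the `#define` above, not something aorta is known to add.

```shell
#!/bin/sh
# Added example, not from the task or from aorta: compare two iptables-save
# snapshots taken before and after running a tool under test.

# Drop what differs on every dump: timestamp comment lines and the
# [packets:bytes] counters on chain and rule lines.
normalize_ruleset() {
    sed -e '/^#/d' -e 's/\[[0-9]*:[0-9]*]/[0:0]/g' "$1"
}

# Print removed (-) and added (+) lines; return 1 if the ruleset changed.
ruleset_changes() {
    tmp=$(mktemp -d) || return 2
    normalize_ruleset "$1" > "$tmp/before"
    normalize_ruleset "$2" > "$tmp/after"
    out=$(diff "$tmp/before" "$tmp/after" | sed -n -e 's/^< /- /p' -e 's/^> /+ /p')
    rm -rf "$tmp"
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed snapshots (not captured from Whonix). "quiet" differs from
# "before" only in timestamps and counters; "changed" gains one nat rule.
write_samples() {
    printf '%s\n' '# Generated by iptables-save v1.6.0 on Wed Feb 28 16:22:00 2018' \
        '*nat' ':OUTPUT ACCEPT [12:720]' 'COMMIT' \
        '# Completed on Wed Feb 28 16:22:00 2018' > "$1/before"
    printf '%s\n' '# Generated by iptables-save v1.6.0 on Wed Feb 28 16:23:00 2018' \
        '*nat' ':OUTPUT ACCEPT [40:2400]' 'COMMIT' \
        '# Completed on Wed Feb 28 16:23:00 2018' > "$1/quiet"
    printf '%s\n' '# Generated by iptables-save v1.6.0 on Wed Feb 28 16:24:00 2018' \
        '*nat' ':OUTPUT ACCEPT [55:3300]' \
        '-A OUTPUT -p tcp -j REDIRECT --to-ports 9040' 'COMMIT' \
        '# Completed on Wed Feb 28 16:24:00 2018' > "$1/changed"
}

demo() {
    dir=$(mktemp -d) || return 1
    write_samples "$dir"
    ruleset_changes "$dir/before" "$dir/quiet" && echo "quiet: no rule changes"
    ruleset_changes "$dir/before" "$dir/changed" || echo "changed: rules differ"
    rm -rf "$dir"
}
demo
```

On a real system, pass it `iptables-save` output captured as root before and after the run, and repeat with `ip6tables-save` for IPv6.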

Patrick renamed this task from Managing programs without Tor DNS Support to Managing programs without Tor Socks / DNS Support. (Jun 24 2018, 6:41 AM)
Patrick assigned this task to HulaHoop.
Patrick updated the task description.
Patrick added a project: research.
iry added a subscriber: iry. (Jun 24 2018, 6:41 PM)
HulaHoop removed HulaHoop as the assignee of this task. (Aug 16 2018, 5:15 PM)