Page MenuHomePhabricator
Create Task
Maniphest T772

Managing programs without Tor Socks / DNS Support
Open, NormalPublic
Actions

Description

Hoevenstein's AORTA tool can be used to force applications that don't honor Tor DNS which breaks stream isolation.

https://forums.whonix.org/t/managing-programs-without-tor-dns-support/4840/10

Details

Impact
Normal

Related Objects

Event Timeline

HulaHoop triaged this task as Normal priority.Feb 28 2018, 3:22 PM
HulaHoop created this task.
Herald added a project: Whonix. · View Herald TranscriptFeb 28 2018, 3:22 PM
Herald added subscribers: entr0py, WhonixQubes, Patrick. · View Herald Transcript
HulaHoop edited projects, added Whonix 15; removed Whonix.Feb 28 2018, 3:23 PM
HulaHoop mentioned this in T773: Shipping Mumble VoIP.Feb 28 2018, 3:29 PM
Patrick added a comment.Feb 28 2018, 5:10 PM

Does aorta support stream isolation? Doesn't look like? It uses hardcoded TransPort / DnsPort.

aorta source code:

#define TOR_TCP_PORT              "9040"
#define TOR_DNS_PORT              "9041"

Without stream isolation it's as good as not using aorta.

Please request a feature to do configure this by command line or environment variable.

Does it modify Whonix-Workstation firewall rules or is this contained through cgroup usage? Please test as per https://www.whonix.org/wiki/Dev/Firewall_Refactoring#How_to_refactor_the_firewall_script_while_being_sure_there_are_no_iptables_changes.

Another issue: compiled code and not available in packages.debian.org. We could use a similar solution to bindp.

Does it even work with electrum?

Is it better (less likely to leak) than torsocks electrum (if torsocks would work, we'd already have an uwt wrapper?)?

https://hoevenstein.nl/aorta-a-transparent-tor-proxy-for-linux-programs

What can go wrong?

AORTA can only do its magic if the program it starts is under its control. In technical terms: the program must be a child process of the aorta program.

Some programs escape aorta's control if the program is already running. These programs detect at start if there is a running instance of the program. If so, they do not start a new program but instead clone the running program. This clone is a child of th

Can you ask the author please if he considered running under different linux user account name (temporarily and dynamically created) or linux network namespaces? Perhaps that would be more leak proof?

Rewrite in scripting language since C is not really required?

Patrick mentioned this in T736: Disable VLC metadata collection by default.Apr 9 2018, 12:30 PM
Patrick added a comment.Jun 23 2018, 6:41 AM

Could you please ask upstream about above? @HulaHoop

Patrick renamed this task from Managing programs without Tor DNS Support to Managing programs without Tor Socks / DNS Support.Jun 24 2018, 4:41 AM
Patrick assigned this task to HulaHoop.
Patrick updated the task description. (Show Details)
Patrick added a project: research.
iry added a subscriber: iry.Jun 24 2018, 4:41 PM
HulaHoop removed HulaHoop as the assignee of this task.Aug 16 2018, 3:15 PM
Patrick removed a project: Whonix 15.Dec 7 2018, 11:00 AM
Whonix OLD Issue Tracker · PLEASE DO NOT POST NEW TICKETS HERE · OLD Issue Tracker - Unread Notifications · OLD Issue Tracker - Feed · OLD Issue Tracker - Open Issues · NEW Issue Tracker · Homepage · Blog · Forum · Legal · Imprint · Privacy Policy · Terms of Use · Disclaimer