Page MenuHomePhabricator
Create Task
Maniphest T878

remove mapaddress entries in torrc for 1.1.1.1 and 2.2.2.2 since these allow fingerprinting Whonix users
Testing in next build required, NormalPublic
Actions

Description

You make use of MapAddress in the default torrc on whonix-gw
https://www.torproject.org/docs/tor-manual.html.en#MapAddress

https://github.com/Whonix/anon-gw-anonymizer-config/blob/master/usr/share/tor/tor-service-defaults-torrc.anondist#L107
contains:

mapaddress 1.1.1.1 k54ids7luh523dbi.onion
mapaddress 2.2.2.2 gbhpq7eihle4btsn.onion

Why are you redirecting traffic aiming to 1.1.1.1 (Cloudflare DNS resolver IP address) and 2.2.2.2 (Orange France) to some onion addresses?

This breaks connectivity to these destinations for all Whonix users by default and discloses the traffic to the operators of the onion addresses.

What are you trying to do with these torrc configuration lines?

Details

Impact
Normal

Event Timeline

nusenu created this task.Mon, Nov 26, 9:41 PM
nusenu triaged this task as High priority.
Patrick added projects: anon-mixmaster, Whonix 15.Tue, Nov 27, 7:27 AM
Patrick added a subscriber: HulaHoop.

The rationale is making mixmaster work by default.

https://github.com/Whonix/anon-mixmaster/blob/master/etc/skel/.Mix/mix.cfg

Any suggestions for invalid IP addresses that we can use instead?

nusenu added a comment.Tue, Nov 27, 12:41 PM

first rule: don't use public IP addresses that are not assigned to you

The rationale is making mixmaster work by default.

does that require a MapAddress entry?

Patrick renamed this task from mapaddress entries in torrc for 1.1.1.1 and 2.2.2.2 are likely not what you want to remove mapaddress entries in torrc for 1.1.1.1 and 2.2.2.2 since these allow fingerprinting Whonix users.Wed, Nov 28, 6:26 AM
Patrick added a project: anon-gw-anonymizer-config.
Patrick changed the task status from Open to testing-in-next-build-required.Wed, Nov 28, 6:28 AM

Removed for now.

https://github.com/Whonix/anon-gw-anonymizer-config/commit/377bbef9585ea067990ee54c1e40a6bb5eabd6da

Package upgrade available in Whonix testers repository soon.

HulaHoop added a comment.Wed, Dec 5, 12:13 AM

My advice is to use a private address range reserved for this purpose by IANA. These will never be used in the future by anyone. Sine we use 10.x.x.x and moved away from 192.x.x.x, this leaves 172.x.x.x

172.16.0.0 – 172.31.255.255

https://en.wikipedia.org/wiki/Private_network

Patrick lowered the priority of this task from High to Normal.Sun, Dec 9, 6:52 AM
Whonix Community Issue Tracker · Unread Notifications · Open Issues · Homepage · Blog · Forum · Github · Legal · Impressum · Datenschutz · Haftungsausschluss