
remove mapaddress entries in torrc for 1.1.1.1 and 2.2.2.2 since these allow fingerprinting Whonix users
Open, Normal, Public

Description

You make use of MapAddress in the default torrc on whonix-gw
https://www.torproject.org/docs/tor-manual.html.en#MapAddress

https://github.com/Whonix/anon-gw-anonymizer-config/blob/master/usr/share/tor/tor-service-defaults-torrc.anondist#L107
contains:

mapaddress 1.1.1.1 k54ids7luh523dbi.onion
mapaddress 2.2.2.2 gbhpq7eihle4btsn.onion

Why are you redirecting traffic aiming to 1.1.1.1 (Cloudflare DNS resolver IP address) and 2.2.2.2 (Orange France) to some onion addresses?

This breaks connectivity to these destinations for all Whonix users by default and discloses the traffic to the operators of the onion addresses.

What are you trying to do with these torrc configuration lines?

Details

Impact
Normal

Event Timeline

nusenu created this task. Nov 26 2018, 9:41 PM
nusenu triaged this task as High priority.
Patrick added a subscriber: HulaHoop.

The rationale is making mixmaster work by default.

https://github.com/Whonix/anon-mixmaster/blob/master/etc/skel/.Mix/mix.cfg

Any suggestions for invalid IP addresses that we can use instead?

first rule: don't use public IP addresses that are not assigned to you

The rationale is making mixmaster work by default.

does that require a MapAddress entry?

Patrick renamed this task from "mapaddress entries in torrc for 1.1.1.1 and 2.2.2.2 are likely not what you want" to "remove mapaddress entries in torrc for 1.1.1.1 and 2.2.2.2 since these allow fingerprinting Whonix users". Nov 28 2018, 6:26 AM
Patrick changed the task status from Open to testing-in-next-build-required. Nov 28 2018, 6:28 AM

Removed for now.

https://github.com/Whonix/anon-gw-anonymizer-config/commit/377bbef9585ea067990ee54c1e40a6bb5eabd6da

Package upgrade available in Whonix testers repository soon.

My advice is to use a private address range reserved for this purpose by IANA. These will never be used in the future by anyone. Since we use 10.x.x.x and moved away from 192.x.x.x, this leaves 172.x.x.x

172.16.0.0 – 172.31.255.255

https://en.wikipedia.org/wiki/Private_network

Patrick lowered the priority of this task from High to Normal. Dec 9 2018, 6:52 AM
Patrick changed the task status from testing-in-next-build-required to Open. Thu, Jan 31, 12:06 PM

My advice is to use a private address range reserved for this purpose by IANA. These will never be used in the future by anyone. Since we use 10.x.x.x and moved away from 192.x.x.x, this leaves 172.x.x.x

172.16.0.0 – 172.31.255.255

https://en.wikipedia.org/wiki/Private_network

Ok.

Please pick some range in the middle. Not the very first ones. This is to prevent issues for someone changing internal IP addresses (not likely using the same) or perhaps also to avoid issues with VPNs.

172.24.0.0
&
172.24.0.1

Middle of the range solution. How does this sound? Confirmed it falls within the private address CIDR:

https://ipduh.com/ip/cidr/?172.24.0.0/24

172.24.0.0 is in the 172.16.0.0/12 block which is set aside for use in private networks. Addresses within this block do not legitimately appear on the public Internet. Addresses within 172.16.0.0/12 can be used without any coordination with IANA or an Internet registry.

Sounds good!

Other improvements in this thread such as functioning SMTP gateways are also part of this ticket:

https://forums.whonix.org/t/mixmaster-no-longer-working-in-whonix-14/6761

@Patrick Are pull requests needed?
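As an added check (not part of this task or of Whonix's own code), the script below parses MapAddress lines from a torrc and flags sources that are public Internet addresses, the fingerprinting problem raised in the description, versus RFC 1918 placeholders like the 172.24.0.x pair HulaHoop proposed. The sample torrc is constructed from the lines quoted in the thread, and the "middle of the 172.16.0.0/12 block" heuristic in in_middle_of_172 is my own reading of Patrick's request.

```python
import ipaddress
import re

# RFC 1918 ranges; the thread settles on the 172.16.0.0/12 block.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BLOCK_172 = ipaddress.ip_network("172.16.0.0/12")
MAPADDRESS_RE = re.compile(r"^\s*mapaddress\s+(\S+)\s+(\S+)\s*$", re.IGNORECASE)

def parse_mapaddress(torrc_text):
    """Return (source, target) pairs for every MapAddress line in a torrc."""
    pairs = []
    for line in torrc_text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        m = MAPADDRESS_RE.match(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs

def classify_source(addr):
    """'public': a real Internet host is hijacked (the issue in this task);
    'private': RFC 1918 placeholder; 'hostname': not an IP literal."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "hostname"
    return "private" if any(ip in net for net in PRIVATE_NETS) else "public"

def in_middle_of_172(addr):
    """Patrick asked for a range from the middle of 172.16.0.0/12, not the
    first ones; this heuristic (an assumption) accepts 172.20.x.x-172.27.x.x."""
    ip = ipaddress.ip_address(addr)
    if ip not in BLOCK_172:
        return False
    return 20 <= int(str(ip).split(".")[1]) <= 27

def lint(torrc_text):
    return {src: classify_source(src) for src, _ in parse_mapaddress(torrc_text)}

# Constructed sample: the two lines quoted in the task plus the proposed replacements.
SAMPLE_TORRC = """
mapaddress 1.1.1.1 k54ids7luh523dbi.onion
mapaddress 2.2.2.2 gbhpq7eihle4btsn.onion
mapaddress 172.24.0.0 k54ids7luh523dbi.onion
mapaddress 172.24.0.1 gbhpq7eihle4btsn.onion
"""

if __name__ == "__main__":
    for src, verdict in lint(SAMPLE_TORRC).items():
        print(src, verdict, "middle-of-172" if in_middle_of_172(src) else "")
```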