Mon, Feb 18
God for the time being, if anyone wants to add more there is an outline of what procedures can be done, to add to.
Feb 3 2019
I am slow to review this. Finally got to it. More feedback here:
Feb 2 2019
I created a user documentation page explaining this feature and when to use it for users to understand.
Not only relevant for retroshare.
@Patrick Was this only relevant for Retroshare?
The concept was documented for operational use. Auto Guard de-duplication considered too complex to deploy and manual checking is enough.
Ready to close if happy.
Jan 23 2019
Jan 16 2019
Jan 13 2019
Jan 6 2019
Jan 4 2019
Done. You can close this ticket once you agree with edits.
Jan 2 2019
Dec 28 2018
From this size comparison on Debian wiki, I think the best and most secure option is the smallest and most minimal one: micro-httpd
Dec 22 2018
We still have the warning on https://www.whonix.org/wiki/Onion_Services.
Dec 7 2018
Nov 26 2018
Oct 13 2018
Proposed implementations for multi-Tor suggested here:
The short story is that things get worse very quickly, but there is hope.
The analysis below assumes only the adversary that runs guards and not the local adversary like the host OS or the Whonix processes themselves.
In my analysis I assume a hypothetical adversarial guard bandwidth of 10% of the entire network. This is an arbitrary number since we don't know the real number, but it serves to show the trends as we increase the guards per client and number of clients per user. I do the kind of analysis we do in the Conflux paper which is very relevant here, especially Table 3 and its discussion in section 5.2. I update the numbers and extend that analysis for the scenarios you have described.
- 1 guard/client, 1 client/user. The adversary (i,e, the compromised guard) will have the ability to observe 10% of the clients and hence 10% users. This is the situation today.
- 2 guards/client, 1 client/user. This is worse than 1 above. There is now a 18% probability that only one of the guards is compromised per client and a 1% chance that two guards are compromised per client. The probability of at least one bad guard is hence 19%. There really is not a real distinction between one or two bad guards from the user perspective since in both situations the client will go through a malicious guard in a short period of time, since the guard is picked uniformly at random from the guard set.
- 1 guard/client, 2 clients/user. The observable clients again increase to 19% from the base 10% in 1 above. This means that if the user split her app (or group of apps) across the clients then there is a 19% chance that at least one of the app (groups) is compromised. However, for each client there is still only a 10% chance that a malicious guard is present. Is this configuration better than scenario 2 above? Perhaps, but let's look at the following scenario first.
- 2 guards/client, 2 clients/user. The observable clients increases to 54%. This means that there is a 54% chance that at least one bad guard is present. This is worse than all the other scenarios above. However, if we fix apps (or groups of apps) to particular clients then we can compare to scenario 2 where the app group/client is analogous and the same analysis holds. Then, for each client there is again a 19% chance that there is a malicious guard present. If we compare to 3 above we can see that if we only use 1 guard/client then we can drop the exposure back down to 10% for that client and hence app group.
Taking the above into account we can get good results by keeping the guard set size to 1 and users spin up one client for each app. Then we can achieve at most 10% of apps compromised at *any given time* but not simultaneously. We can call this scenario (which is an extension of scenario 3) the 1 guard/app scenario (1G/A). See the appendix for more tweaks to decrease guard exposure.
If we want to consider 1G/A, then the next question for your user base is that is it better to either 1) have some portion of your apps compromised at *all* times (scenario 1G/A) or 2) have *all* your apps compromised some portion of the time (scenario 1). Tor tends to bend towards option 2, but then they have not considered the option of multi-client usage since it doesn't improve the situation in a non-compartmentalized setting, unlike the Whonix situation. I believe that option 2 is flawed because you never know if you are in fact currently compromised or not. It might be better to go ahead with assuming that you are compromised and mitigating that compromise to some portion of your network activity than all or nothing, which is what option 1 provides.
I hope that answers your questions. Please do not hesitate to get in touch again if you would like to discuss further. I think this is a very interesting problem area and would be happy to contribute to improving the situation.
Best regards, Tariq Elahi
Appendix We can do better if we allow a user's clients to look at each other's lists to exclude guards that are already picked. The benefit would be that once the bad bandwith has been assigned it can no longer affect subsequent guard selections. However, clients looking at each other's memory space will compromise your vision of process containment. A zero knowledge/oblivious method for comparing guard lists might work to avoid this problem, and indeed the adversarial response will be weak since the best they can do is spread their bad bandwidth over many relays and at best return to the original exposure rate (e.g. 10%) but now with added costs of running many more relays.
Aug 17 2018
Template created: https://www.whonix.org/wiki/Template:Systemd-socket-proxyd
Aug 16 2018
Non-Debian dependencies and non materialization of TUF PyPi makes a secure way to obtain this package impossible.
Aug 15 2018
Jul 24 2018
Jul 16 2018
Jul 15 2018
May 16 2018
HulaHoop added a comment.
seems self explanatory.
All socat mentions here with 7 results, less if we want the relevant pages only: https://www.whonix.org/w/index.php?title=Special%3ASearch&profile=default&fulltext=Search&search=socat
@Patrick seems self explanatory. How are we doing on RAM use? Is it any more or less efficient than socat after you cut down the number of spawned instances?
I went ahead and reverted clflush restrictions to open the way for I2P by default without extra fiddling needed.
May 9 2018
Can you make head or tail of https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/etc/anon-ws-disable-stacked-tor.d/30_anon-dist.conf ?
Done. Updated package not uploaded yet.
May 8 2018
We'll no longer use socat. Whonix 14 will use systemd-socket-proxyd.
Mar 7 2018
Could you please ping Tariq about the status of this? @HulaHoop
Feb 17 2018
I have no idea what's best here.
Feb 12 2018
Also not really a Whonix specific issue.