Changes between Version 34 and Version 35 of doc/LiveCDBestPractices


Timestamp:
Sep 20, 2011, 4:19:11 PM (8 years ago)
Author:
nella
Comment:

--

  • doc/LiveCDBestPractices

    v34 v35  
    1111 * Until we know what you *intended* to do, there's no way to say that there's a bug or problem in the configuration. So step one is to decide what you *meant* to do with your configuration. Then anybody who wants to can check to see if that's what you actually did.
    1212 * People who want to do a security analysis of the configuration choices don't have to rederive them, and don't have to figure out whether to try to convince you to make a different choice vs convince you you've made a mistake. Rather, they can just look at the best practices webpage and decide from there if it looks good.
    13  * People working on future livecds don't need to start from scratch. Once a consensus exists, we raise the baseline for all the projects out there.
     13 * People working on future LiveCDs don't need to start from scratch. Once a consensus exists, we raise the baseline for all the projects out there.
    1414
    1515= Problems to Solve =
    1616
    17  * Different versions of programs have different config options. Do we need to come up with a standard for each version that people want to use? What if one version is considered 'better' but is not available for some livecd platforms? I guess we tackle these as they come up.
    18  * We don't have any non-linux livecds represented here. I bet the application choices and recommended config options for a Windows-based livecd would be quite different. If such creatures even exist.
     17 * Different versions of programs have different config options. Do we need to come up with a standard for each version that people want to use? What if one version is considered 'better' but is not available for some LiveCD platforms? I guess we tackle these as they come up.
     18 * We don't have any non-linux LiveCDs represented here. I bet the application choices and recommended config options for a Windows-based LiveCD would be quite different. If such creatures even exist.
    1919 * How do we want to specific configs, in this document inline? Linked to other documents? There are existing documents that cover such things.
    2020
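Review bot: Line 19 keeps the typo "How do we want to specific configs" in both versions; since this revision is normalizing wording, change it to "How do we want to specify configs". For consistency with the livecd to LiveCD change on lines 13, 17 and 18, "non-linux" on line 18 should also become "non-Linux".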
     
    5151 * SOCKS proxy
    5252
    53 Many users find it helpful to verify they are using Tor with an exit check service.  The [[TheOnionRouter| Onion Router Page]] lists a number of such services in the "Random stuff" section which can be configured as a bookmark or homepage of privacy enabled browsers.
     53Many users find it helpful to verify they are using Tor with an exit check service. The [[TheOnionRouter| Onion Router Page]] lists a number of such services in the "Random stuff" section which can be configured as a bookmark or homepage of privacy enabled browsers.
    5454
    5555=== Mozilla Firefox ===
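Review bot: The wiki link on line 53, [[TheOnionRouter| Onion Router Page]], still carries a stray space after the pipe even though this revision collapses double spaces elsewhere; drop it so the link text renders as intended. "privacy enabled browsers" reads better hyphenated as "privacy-enabled browsers".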
     
    7676 * Include noscript extension to disable script that can compromise anonymity.
    7777
    78 OPTIONAL? To prevent the browser from keeping HTTP sessions open over existing circuits the following network settings should be applied.  This will ensure that new circuits, such as requested via NEWNYM, will service subsequent HTTP requests.
     78OPTIONAL? To prevent the browser from keeping HTTP sessions open over existing circuits the following network settings should be applied. This will ensure that new circuits, such as requested via NEWNYM, will service subsequent HTTP requests.
    7979
    8080'''/path/to/firefox/defaults/pref/firefox.js'''
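Review bot: The "OPTIONAL?" marker on line 78 is left unresolved while the same sentence says the settings "should be applied"; decide whether these Firefox network settings are needed for a NEWNYM circuit to serve subsequent requests and either drop the marker or state when they may be skipped. The whitespace-only change here does not address that.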
     
    141141== DNS proxies ==
    142142
    143 If an application does not support SOCKS4a or SOCKS5 named requests a DNS proxy can be used to resolve names via Tor and prevent leakage of identifying information through DNS lookups.  This must also be implemented when using a transparent proxy approach for any host applications.
    144 
    145 Tor version 0.2.0.2-alpha includes support for transparent DNS proxy when a "DNSPort 9999" option is set.  The port specified should be used as the destination for UDP DNS (port 53) DNAT routing. If a caching DNS server is present on the local subnet of the host, the nameserver should be changed to a non-local address to ensure DNS queries are routed out and translated into the Tor DNS proxy port.
     143If an application does not support SOCKS4a or SOCKS5 named requests a DNS proxy can be used to resolve names via Tor and prevent leakage of identifying information through DNS lookups. This must also be implemented when using a transparent proxy approach for any host applications.
     144
     145Tor version 0.2.0.2-alpha includes support for transparent DNS proxy when a "DNSPort 9999" option is set. The port specified should be used as the destination for UDP DNS (port 53) DNAT routing. If a caching DNS server is present on the local subnet of the host, the nameserver should be changed to a non-local address to ensure DNS queries are routed out and translated into the Tor DNS proxy port.
    146146
    147147TODO: list dns-proxy-tor location and usage; other DNS solutions like MAPADDRESS.
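Review bot: Line 145 quotes "DNSPort 9999" without saying that 9999 is an example value rather than a required port, and "the nameserver should be changed to a non-local address" does not say what to put there; it would help to state that the port is arbitrary and that any routable non-local address works because the DNAT rule intercepts the query before it leaves the host. The TODO on line 147 (dns-proxy-tor location and usage, MAPADDRESS) is still open in v35.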
     
    156156
    157157Privoxy forward to Tor:
    158  * "forward-socks4a         /       127.0.0.1:9050 . " in config where 9050 is the Tor SOCKS port set in torrc.
     158 * "forward-socks4a / 127.0.0.1:9050 . " in config where 9050 is the Tor SOCKS port set in torrc.
    159159 * "listen-address 127.0.0.1:8118" to bind to localhost, particularly if enable-remote-toggle and/or enable-edit-actions are set.
    160160
    161161Some useful default actions include:
    162162 * "+hide-forwarded-for-headers" to omit proxy headers.
    163  * "+hide-user-agent{_user_agent_string_here_}" if a spoofed user agent string is desired.  NOTE: a randomized agent or a popular agent should be used. "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" is a common agent.
     163 * "+hide-user-agent{_user_agent_string_here_}" if a spoofed user agent string is desired. NOTE: a randomized agent or a popular agent should be used. "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" is a common agent.
    164164
    165165TODO: config and filter defaults that are current and useful.
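Review bot: Collapsing the runs of spaces inside the quoted config line on line 158 ("forward-socks4a / 127.0.0.1:9050 . ") rewrites a configuration value that was presumably copied verbatim; Privoxy splits fields on whitespace so it still parses, but the trailing "." (no HTTP parent after the SOCKS hop) is easy to lose once the line is no longer visually aligned. Put this line and the ones that follow in a preformatted block ({{{ }}}) so the wiki renderer leaves the spacing alone.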
     
    172172
    173173Squid 2.x config settings:
    174  * httpd_accel_ options for transparent proxy.  see squid documentation.
     174 * httpd_accel_ options for transparent proxy. see squid documentation.
    175175 * "header_access Via deny all" to prevent HTTP_VIA header transmission.
    176176 * "cache_peer localhost parent 8118 ..." to proxy through Privoxy or other HTTP proxy.
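Review bot: Line 174 is still a placeholder after this change: "httpd_accel_ options for transparent proxy. see squid documentation." names no specific directive, and the lowercase "see" after a period is a typo; either list the httpd_accel_* settings this page recommends or link the Squid documentation it defers to.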
     
    180180== TCP proxies ==
    181181
    182 Tor can be used as a transparent TCP proxy when DNS resolution is also performed via the Tor network.  The "TransListenAddress" and "TransPort" config options provide a destination for TCP DNAT routing into Tor in the same fashion as transparent DNS proxy.
     182Tor can be used as a transparent TCP proxy when DNS resolution is also performed via the Tor network. The "TransListenAddress" and "TransPort" config options provide a destination for TCP DNAT routing into Tor in the same fashion as transparent DNS proxy.
    183183
    184184In some cases it is useful to transparently proxy HTTP requests on port 80 through Squid and Privoxy, while the remaining non HTTP TCP connections are transparently proxied directly through Tor itself.
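Review bot: Line 182 names "TransListenAddress" and "TransPort" but, unlike the DNSPort example on line 145, gives no example value or DNAT target; a sample torrc line next to the DNSPort one would make the "same fashion as transparent DNS proxy" reference concrete. On line 184 "non HTTP" should be hyphenated as "non-HTTP".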