This is a draft, it is not complete and will be updated
This page lists a set of "Best Practices" for producing anonymity centered Live CDs based on Tor.
Rationale
An anonymity LiveCD is useful when not using a machine under the user's control. This could be a public lab, friend's house, or in a business. Software may be prevented from being installed. Another consideration is not only network sniffing but software installed on the machine that stores all activities, keystrokes, etc. A LiveCD would prevent these attacks, unless of course they are hardware based.
Goals
- Until we know what you intended to do, there's no way to say that there's a bug or problem in the configuration. So step one is to decide what you meant to do with your configuration. Then anybody who wants to can check to see if that's what you actually did.
- People who want to do a security analysis of the configuration choices don't have to rederive them, and don't have to figure out whether to try to convince you to make a different choice vs convince you you've made a mistake. Rather, they can just look at the best practices webpage and decide from there if it looks good.
- People working on future LiveCDs don't need to start from scratch. Once a consensus exists, we raise the baseline for all the projects out there.
Problems to Solve
- Different versions of programs have different config options. Do we need to come up with a standard for each version that people want to use? What if one version is considered 'better' but is not available for some LiveCD platforms? I guess we tackle these as they come up.
- We don't have any non-linux LiveCDs represented here. I bet the application choices and recommended config options for a Windows-based LiveCD would be quite different. If such creatures even exist.
- How do we want to specific configs, in this document inline? Linked to other documents? There are existing documents that cover such things.
Applications
The applications have been broken into categories. Each category should have a set of expectations and then each application would have how that should be accomplished.
It seems best that more popular applications should be favored for the fact that vulnerabilities are more likely to be found in the applications that are used more. There may be good reasons to make other choices, this document should not imply to prohibit or discourage use of less popular applications.
Tor
TODO: recommended Tor config.
Tor Controllers
- Tor controllers should be configured to work "out of the box".
- Tor should be started as a service and not by the controller. (May be some discussion here)
Vidalia
Qt based controller.
TorK
KDE based controller.
Web
The web browser is possibly the most important, and most problematic of the network applications.
- Removal of anonymity compromising headers. (TODO: list of headers here and why they are trouble, or perhaps a link to such a document)
- Connections running through Tor using socks4a or socks5 so that DNS resolutions are done at the exit node.
- HTTP/HTTPS proxy
- SOCKS proxy
Many users find it helpful to verify they are using Tor with an exit check service. The TheOnionRouter lists a number of such services in the "Random stuff" section which can be configured as a bookmark or homepage of privacy enabled browsers.
Mozilla Firefox
To preconfigure Firefox for Tor usage, install the Torbutton Add-On by extracting it to /path/to/firefox/extensions/{e0204bd5-9d31-402b-a99d-a6aa8ffebdca}. This way, it's installed globally for all users on the system. Then add these lines to /path/to/firefox/defaults/pref/firefox.js:
pref("network.proxy.http", "localhost");
pref("network.proxy.http_port", 8118);
pref("network.proxy.socks", "localhost");
pref("network.proxy.socks_port", 9050);
pref("network.proxy.socks_remote_dns", true);
pref("network.proxy.ssl", "localhost");
pref("network.proxy.ssl_port", 8118);
pref("network.proxy.type", 1);
pref("extensions.torbutton.http_port", 8118);
pref("extensions.torbutton.http_proxy", "localhost");
pref("extensions.torbutton.https_port", 8118);
pref("extensions.torbutton.https_proxy", "localhost");
pref("extensions.torbutton.socks_host", "localhost");
pref("extensions.torbutton.socks_port", 9050);The default Firefox bookmarks should be changed, too, since they contain a RSS feed which will be fetched automatically. To change the default bookmarks, edit the file /path/to/firefox/defaults/profile/bookmarks.html.
- Include noscript extension to disable script that can compromise anonymity.
OPTIONAL? To prevent the browser from keeping HTTP sessions open over existing circuits the following network settings should be applied. This will ensure that new circuits, such as requested via NEWNYM, will service subsequent HTTP requests.
/path/to/firefox/defaults/pref/firefox.js
pref("network.http.keep-alive", false);
pref("network.http.max-persistent-connections-per-proxy", 0);
pref("network.http.max-persistent-connections-per-server", 0);about:config:
network.http.keep-alive = FALSE
network.http.max-persistent-connections-per-proxy = 0
network.http.max-persistent-connections-per-server = 0KDE Konqueror
TODO: How to pre-configure here.
IRC
irssi
To configure irssi for Tor usage, it's enough to call it as
$ torify irssiNote that this still leaks DNS queries, which must be handled separately. Alternatively, irssi can be configured to use a HTTP Proxy server. For Privoxy, you need to add the following configuration directive:
+limit-connect{1-}to its configuration. Note that this will cause raw HTML to be printed to irssi's status window in case of a connection error.
TODO: define apps
Instant Messaging
OTR
OTR (Off The Record) is an authentication and encryption mechanism that is also supposed to have plausible deniability after the conversation. This should be considered. Each IM application must have OTR integration, OTR itself is a library.
Kopete
Gaim
Mixminion
Anonymous emailing. At this time (Jun 2007) the software is alpha and the network is not large enough for strong anonymity.
Mozilla Thunderbird
KMail
TODO: include config for mixminion.
Other
TODO: define
Supporting Software
DNS proxies
If an application does not support SOCKS4a or SOCKS5 named requests a DNS proxy can be used to resolve names via Tor and prevent leakage of identifying information through DNS lookups. This must also be implemented when using a transparent proxy approach for any host applications.
Tor version 0.2.0.2-alpha includes support for transparent DNS proxy when a "DNSPort 9999" option is set. The port specified should be used as the destination for UDP DNS (port 53) DNAT routing. If a caching DNS server is present on the local subnet of the host, the nameserver should be changed to a non-local address to ensure DNS queries are routed out and translated into the Tor DNS proxy port.
TODO: list dns-proxy-tor location and usage; other DNS solutions like MAPADDRESS.
HTTP proxies
HTTP proxies may be used to modify the request and/or cache the content. Caching is good for performance improvements, especially for a LiveCD since the session time is generally short.
Privoxy
Privoxy removes various content from the documents including headers, ads, etc.
Privoxy forward to Tor:
- "forward-socks4a / 127.0.0.1:9050 . " in config where 9050 is the Tor SOCKS port set in torrc.
- "listen-address 127.0.0.1:8118" to bind to localhost, particularly if enable-remote-toggle and/or enable-edit-actions are set.
Some useful default actions include:
- "+hide-forwarded-for-headers" to omit proxy headers.
- "+hide-user-agent{user_agent_string_here}" if a spoofed user agent string is desired. NOTE: a randomized agent or a popular agent should be used. "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" is a common agent.
TODO: config and filter defaults that are current and useful.
Squid
Squid is useful for:
- Caching
- Transparent proxy
Squid 2.x config settings:
- httpd_accel_ options for transparent proxy. see squid documentation.
- "header_access Via deny all" to prevent HTTP_VIA header transmission.
- "cache_peer localhost parent 8118 ..." to proxy through Privoxy or other HTTP proxy.
TODO: identify config for common versions, especially those options that remove identifying information such as forwarder
TCP proxies
Tor can be used as a transparent TCP proxy when DNS resolution is also performed via the Tor network. The "TransListenAddress" and "TransPort" config options provide a destination for TCP DNAT routing into Tor in the same fashion as transparent DNS proxy.
In some cases it is useful to transparently proxy HTTP requests on port 80 through Squid and Privoxy, while the remaining non HTTP TCP connections are transparently proxied directly through Tor itself.
Network Safety / Firewall
- To ensure protection a host firewall can be used to redirect all non-Tor TCP traffic into Tor making use of the TransPort. HTTP (port 80) traffic could be routed into a proxy such as squid. This requires OS specifics.
Linux
TODO: include iptables rules
TODO: define other OS firewall configs
Other Features
- Run off of or copy to USB drive.
- Install it to a harddisk.
Security Concerns
- No writing to swap space, may include sensitive information.
Requirements
- Obviously should fit on a standard CD
- A CD less than 50 MB is good to fit on a "business card" CD.
- Should be as small as possible if the ability to be copied to a USB drive is supported.
Documentation
The LiveCD should be documented such that others can understand the choices made, why they were made, and how they are implemented. One of the goals of this document is to help with the "what" and "why" and some of the "how". Ultimately though the "how" must be clear in the LiveCD implementation documentation.
A public source repository is recommended, such as SVN.
Reproducibility
- Implementations should be able to be built by others and the required information available. This would include the source to the software, configurations, etc. The process should yield consistent results.