wiki:doc/TorifyHOWTO

Introduction

This document explains how to configure a particular application for use with Tor and thus the Tor network. As Tor constantly evolves, the knowledge and understanding about anonymity online also evolves, and implementations and other aspects of online anonymity become more and more complex. In the past, an end user would just go ahead and "torify" applications like Mozilla Firefox; this is no longer recommended. As we learned more about the subject and the implementation of online anonymity, we discovered that it was increasingly easy for a user to leak sensitive information to those interested in obtaining it. We describe such matters in more detail further into this article.

In short, do not torify any applications yourself unless you know exactly what you are doing. If, however, you wish to study the complexities surrounding the subject, then please feel free to indulge yourself and even go as far as providing new instructions or implementations. In the meantime, see this article more as a reference for developers and advanced users. If you don't fall into one of these two categories then, for your own security, stick with the Tor Browser Bundle from https://www.torproject.org.

This article was originally written for a Linux/UNIX based environment. It should include some instructions for Windows and OS X users too. That being said, you should read the documentation at https://www.torproject.org before attempting to "torify" any applications yourself.

For wiki editors

Use only link identifiers which start with a letter or the underscore character (_) and don't use identifiers with spaces inside them. Things like that make the page invalid (X)HTML and nobody wants that. Feel free to edit this page - it's a wiki, after all, driven by your contribution!

WARNING

Proxy and SOCKS settings

Proxy and SOCKS settings are mostly implemented by programmers to improve connectivity, not anonymity. Many people think developers implemented the application's proxy settings with anonymity in mind. That is a big mistake. They did not. See BitTorrent for example.

Protocol leaks

Tor provides only anonymity for DNS and the transmission of the TCP stream. Everything inside the stream, the application protocol, needs to be scrubbed. For example, if the application uses advanced techniques to determine your real external IP and sends it over the anonymized TCP stream, then what you wanted to hide, your real external IP, isn't hidden. This is exactly what happens with BitTorrent. Some applications may also choose to ignore and therefore not honor the proxy configuration you provide. This is something else you need to consider. Firefox was prone to this issue, as noted here: Firefox Proxy Bypass Bugs.

Many applications have been written to work around firewalls and blocking internet service providers, such as BitTorrent clients and Skype. Regardless of your use of "correct" proxy settings (SOCKS4a) and/or external applications for torification, some applications will use advanced techniques to determine your external non-Tor IP address. As said previously, those applications were never made with anonymity in mind, but were designed to evade firewalls to allow them to function as expected.

All-in-all, you do not have to believe the statements of any random wiki contributor. However do take note and understand the official warnings from torproject.org.

Quote: "Tor does not protect all of your computer's Internet traffic when you run it. Tor only protects your applications that are properly configured to send their Internet traffic through Tor. To avoid problems with Tor configuration, we strongly recommend you use the Tor Browser Bundle. It is pre-configured to protect your privacy and anonymity on the web as long as you're browsing with the Tor Browser itself. Almost any other web browser configuration is likely to be unsafe to use with Tor."

Many applications can also leak other problematic and/or sensitive data, such as:

  • Your real external non-Tor IP address, as described above
  • Your time zone (for example: IRC clients through CTCP)
  • Your user name (for example: ssh through login)
  • The name and version of the client or server you are using (for example: Apache web server leaks software name and version number; IRC clients leak client name and client version number through CTCP)
  • Metadata can be a risk. Click MAT and read 'What is a metadata?' and 'Why metadata can be a risk for your privacy?'
  • Depending on your Mode Of Anonymity you obviously shouldn't mix your use of protected (anonymous) applications with applications not passing through the Tor network or some other form of anonymity. For example, if a login name or password of yours can be traced back to your personal identity, then you are defeating the purpose entirely. Tor cannot protect you from this kind of activity.
  • Even sending the contents of your RAM can be dangerous (for example: error reporting, leading to Transparent Proxy Leaks).
  • A lot of information which the application sends on request from a server (for example: most web browsers beside the Tor Browser)
  • Hardware serial numbers might be used for fingerprinting and in the worst case scenario, lead back to you.
  • License keys of non-free software are often transmitted and might lead back to you.

You should take care not to leak such information. Information along these lines can be potentially used for de-anonymizing, fingerprinting or to exploit your application. This is what this article is all about: it provides instructions on how applications must be configured to prevent protocol leaks.

Deceiving Authorship Detection

When you post material online on a forum or chatroom using Tor, then repeat this process again without using Tor, you put your identity at risk.

Publicly available research on this threat, and on circumventing it, is rare:

Exit Nodes Eavesdropping

In the Tor FAQ you must read the section "Can't the third server see my traffic?". In short, every exit node can spy on your unencrypted exit traffic and even worse, inject malicious code into the stream - be aware of this.

Do not connect to any server anonymously and non-anonymously at the same time!

It's highly recommended that you do not connect to any remote server in this manner. That is, do not create a Tor link and a non-Tor link to the same remote server at the same time. In the event your internet connection breaks down (and it will eventually), all your connections will break at the same time and it won't be hard for an adversary to put the pieces together and determine what public IP belongs to what Tor IP, potentially identifying you directly.

Do not mix Modes of Anonymity!

Let us begin with an overview of the different Modes of Anonymity:

mode(1): user anonymous; any recipient

  • Scenario: post anonymously a message in a message board/mailing list/comment field
  • Scenario: whistleblower and such
  • You are anonymous.
  • Your real IP stays hidden.
  • Location privacy: your location remains secret.

mode(2): user knows recipient; both use Tor

  • Scenario: both sender and recipient know each other and both use Tor.
  • They can communicate with each other without any third party being wise to their activity or even knowing that they are communicating with each other.
  • You are NOT anonymous.
  • Your real IP stays hidden.
  • Location privacy: your location remains secret.

mode(3): user with no anonymity using Tor; any recipient

  • Scenario: login with your real name into any services, such as webmail, Twitter, Facebook, etc...
  • You are obviously NOT anonymous. As soon as you log into an account where you entered your real name the website knows your identity. Tor can not make you anonymous in these situations.
  • Your real IP stays hidden.
  • Location privacy. Your location remains secret.

mode(4): user with no anonymity; any recipient

  • Scenario: normal browsing without Tor.
  • You are NOT anonymous.
  • Your real IP gets revealed.
  • Your location gets revealed.

Conclusion

It's not wise to combine mode(1) and mode(2). For example, if you have an IM or email account and use that via mode(1), you are advised not to use the same account for mode(2). We have explained previously why this is an issue.

It's also not wise to mix two or more modes inside the same Tor session, as they could share the same exit node (identity correlation).

It's also possible that other combinations of modes are dangerous and could lead to the leakage of personal information or your physical location.

Tor over Tor

When using a transparent proxy, it is possible to start a Tor session from the client as well as from the transparent proxy, creating a "Tor over Tor" scenario. Doing so produces undefined and potentially unsafe behavior. In theory, however, you can get six hops instead of three, but it is not guaranteed that you'll get three different hops - you could end up with the same hops, maybe in reverse or mixed order. It is not clear if this is safe. It has never been discussed.

You can choose an entry/exit point, but you get the best security that Tor can provide when you leave the route selection to Tor; overriding the entry / exit nodes can mess up your anonymity in ways we don't understand. Therefore Tor over Tor usage is highly discouraged.

https://trac.torproject.org/projects/tor/ticket/5611#comment:2

Software updaters

Do not use automatic software updates over Tor that do not verify downloads. That being said, operating system updates are generally secure. If you use Linux and only your package management software suite, then you can consider yourself safe. On the other hand, third party applications on Windows are likely problematic: for example, if the updates aren't signed/authenticated, malevolent exit nodes can change what code is downloaded and installed and thereby gain remote code execution rights. This could potentially lead to your public IP address and your physical location being revealed. If you don't use a generic system (such as Tails or Whonix's Whonix-Workstation), then the software update can leak identifying fingerprints (what software and versions are installed) to exit nodes and repository mirrors.

Ubuntu software updates are vulnerable against "stale-proxy" attacks. The exit node or exit node's ISP could prevent you from seeing new updates. To circumvent this, switch your identity after trying to update and check for updates again.

License keys

Be very careful when using commercial software. If you bought a license file or serial number it will be often transmitted when you use the software. If you bought or paid over non-anonymous channels, it might lead back to you.

Getting a key/fingerprint from many different Tor exits

Sometimes it is required to get a GPG fingerprint or an SSL fingerprint. You cannot get it through a pre-secured channel, and it's possible a malicious Tor exit node could tamper with it in transit. In that case it is often recommended to ask several times for the information while using different exit nodes. While this may reduce the chances that you use a compromised exit node to retrieve the key/fingerprint, it's not a perfect solution. See the path below.

User -> ISP -> Lots of servers (just look at some trace routes) -> Tor guard/bridge -> ISP -> Tor middle node -> ISP -> Tor exit node -> ISP -> Lots of servers -> ISP of destination server -> Destination server.

With the method described above you can only lower the chance that multiple exit nodes or multiple exit nodes' ISPs are compromised. You can never eradicate the possibility that the ISP of the destination server is compromised. No amount of fetches through different Tor exit nodes can help here.

Bridge Firewall

Don't waste your energy on additional firewall rules to only connect to (some [hand] selected) Tor bridges or to only connect to the Tor network. It won't work out. The concept and why it fails is described in the Bridge Firewall article.

Terminology

  • Torify; Torification: The generic term. Either by proxification, socksification or transsocksification. Take measures to ensure that an application, which has not been designed for use with Tor (such as TorChat), will use only Tor for internet connectivity. Also ensure that there are no leaks from DNS, UDP or the application protocol.
  • Proxify; Proxification: This is not exclusively a Tor term and has two meanings
    • Use the proxy settings of the application and add a HTTP or SOCKS proxy
    • Use an external wrapper to force the application to use an HTTP or SOCKS proxy
  • Socksify; Socksification: Also not exclusively a Tor term and also has two meanings:
    • Use the proxy settings of the application and add a SOCKS proxy
    • Use an external wrapper to force the application to use a SOCKS proxy
  • Transsocksify; Transsocksification: Not exclusively a Tor term. Redirect an application or operating system transparently through a SOCKS proxy using a gateway and/or packet filter. For example: Tor's transparent proxy or Squid
  • Unauthenticated: You can not be sure with whom you are exchanging data. A MITM attack (such as a Tor exit node or ISP) can redirect you to a malicious server. They can also inject malicious things into the traffic.
  • Unencrypted: A MITM attack (such as a Tor exit node or ISP) can see all the traffic in clear text.

Overview about different methods for Torification

There are three different methods to torify applications:

Security overall:

Classical / common way: use the application's proxy settings

Advantages:

  • Does not need third party software (wrapper)
  • Only a few proxy settings needed, sometimes a few more settings like 'use remote DNS' are required

Disadvantages:

  • Each application has to be checked and configured against DNS leaks
  • The application is not forced to honor the proxy settings. Some applications such as Skype and BitTorrent do not care what the proxy settings are and use direct connections anyway. Also, once the application is infected, it's not forced to honor the proxy settings

Not so common: use a wrapper: force the application to use a proxy (torsocks/usewithtor/uwt)

Advantages:

  • No proxy settings inside the application are needed
  • The use of 'Use Remote DNS' is not required, nor can it be forgotten

Disadvantages:

  • It's a redirector, not a jail. Applications may still decide to use fancy techniques to achieve direct connections. Also, once the application or machine is infected with malware, it can break out of the redirector
  • There are/were serious leaks which leak your IP because of bugs. For example, IPv6 can still leak your IP when using torsocks.
  • It also does not magically prevent protocol leaks, see torsocks homepage for details.

Update:
To prevent identity correlation through circuit sharing use uwt, see torsocks.

Even less common: use a Transparent Proxy

Transparent Proxy (Insecure.)
All applications will be forced through the same TransPort, thus mixing them all into the same circuit which leads to identity correlation through circuit sharing.

Security:

Advantages:

  • No proxy settings inside the application needed
  • The use of 'Use Remote DNS' is not required, nor can it be forgotten

Disadvantages:

  • More complex and complicated, requires additional software
  • Too many non-IP related leaks, which are nonetheless serious issues. Rather use an Isolating Proxy

Even less common: use an Isolating Proxy

Isolating Proxy (Secure.)
All applications can only access the internet over Tor. Direct connections are impossible due to either a virtual internal network and/or physical isolation.

Each application gets its own SocksPort. This can still be combined with Trans- and DnsPort.

Depending on the implementation, this can provide some protocol leak and fingerprinting protection. For example see Whonix's Protocol-Leak-Protection and Fingerprinting-Protection.

Example implementation: Whonix.
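The two controls this section and the "classical" method rely on, remote DNS ('Use Remote DNS') and one SOCKS channel per application, can be seen on the wire. The following is an added example, not code from this page, from Whonix or from the Tor project: it builds the SOCKS5 messages an application sends to Tor's SocksPort by hand. The CONNECT request carries the destination hostname rather than an address, so Tor resolves the name inside the circuit and the application never calls the system resolver; and each application authenticates with its own SOCKS username, which Tor's IsolateSOCKSAuth option (on by default) uses to keep that application's streams on their own circuits, the same circuit-sharing protection a separate SocksPort per application gives. The proxy address 127.0.0.1:9050, the application labels and the hostname are assumed sample values.

```python
"""Added example (not code from the TorifyHOWTO page or from the Tor project):
the SOCKS5 messages an application exchanges with Tor's SocksPort, built by
hand so the two leak controls are visible on the wire.

  * connect_request() sends the destination as a hostname (ATYP 0x03), so Tor
    resolves it inside the circuit and the application never touches the
    system resolver ("Use Remote DNS" done explicitly).
  * auth_request() sends a per-application SOCKS username/password. Tor's
    IsolateSOCKSAuth option (on by default) keeps streams with different
    credentials on different circuits.

The proxy address, application labels and hostname are constructed values."""
import socket
import struct

SOCKS_VERSION = 0x05
AUTH_USERPASS = 0x02     # RFC 1929 username/password method
ATYP_DOMAIN = 0x03       # address is a DNS name, resolved by the proxy
CMD_CONNECT = 0x01


def greeting():
    """Client hello offering exactly one auth method: username/password."""
    return bytes([SOCKS_VERSION, 1, AUTH_USERPASS])


def auth_request(app_label, password="x"):
    """RFC 1929 sub-negotiation. The credentials are not a secret; they are an
    isolation label, one per application or per identity."""
    u, p = app_label.encode(), password.encode()
    if not (0 < len(u) < 256 and 0 < len(p) < 256):
        raise ValueError("SOCKS username/password must be 1..255 bytes")
    return bytes([0x01, len(u)]) + u + bytes([len(p)]) + p


def connect_request(hostname, port):
    """CONNECT carrying the name as text. Resolving the name first and sending
    an IPv4 literal (what plain SOCKS4 forces) would leak the lookup to the
    ISP's resolver before the Tor circuit is ever used."""
    name = hostname.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("hostname must be 1..255 bytes")
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", port))


def parse_reply_header(head):
    """First four bytes of the proxy's reply: (success, reply_code, atyp)."""
    if len(head) < 4 or head[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    return head[1] == 0x00, head[1], head[3]


def tor_connect(hostname, port, app_label, proxy=("127.0.0.1", 9050)):
    """Return a TCP socket to hostname:port opened through Tor's SocksPort
    (assumed at 127.0.0.1:9050) on circuits reserved for app_label."""
    sock = socket.create_connection(proxy)
    try:
        sock.sendall(greeting())
        if sock.recv(2) != bytes([SOCKS_VERSION, AUTH_USERPASS]):
            raise OSError("proxy did not accept username/password auth")
        sock.sendall(auth_request(app_label))
        if sock.recv(2) != b"\x01\x00":
            raise OSError("SOCKS authentication failed")
        sock.sendall(connect_request(hostname, port))
        ok, code, atyp = parse_reply_header(sock.recv(4))
        # drain the bound address + port so the stream starts clean
        if atyp == 0x01:
            sock.recv(4 + 2)
        elif atyp == 0x04:
            sock.recv(16 + 2)
        elif atyp == 0x03:
            sock.recv(sock.recv(1)[0] + 2)
        if not ok:
            raise OSError("SOCKS CONNECT failed, reply code %d" % code)
        return sock
    except Exception:
        sock.close()
        raise


if __name__ == "__main__":
    # Two applications, two labels, therefore two sets of circuits and exits.
    for label in ("irc-client", "mail-client"):
        print(label, auth_request(label), connect_request("example.com", 443).hex())
```

A wrapper that hands every application the same SocksPort without a distinguishing username gives up the isolation; a transparent proxy's single TransPort cannot carry a label at all, which is the circuit-sharing problem described above.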

How to review an application

Some hints on how to do it: the tor-talk thread "wget - secure?".

Ticket: #5553 "prevent protocol leaks; Tor client connection API or protocol review howto"
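One concrete way to review an application is to run it under `strace -f -e trace=network` and check every endpoint it talks to. The following is an added example, not a tool from this page or from the Tor project: it classifies each connect()/sendto()/sendmsg() endpoint in such a trace, accepting only the local Tor SocksPort (assumed at 127.0.0.1:9050) and reporting direct TCP connections, datagram sends, IPv6 endpoints (the torsocks leak mentioned above) and DNS traffic on port 53, including the systemd-resolved stub at 127.0.0.53. Failed attempts are reported as well, because the attempt is what leaks. The trace lines are a constructed sample in strace's syntax, not a real capture.

```python
"""Added example (not from the TorifyHOWTO page): a reviewer for the output of
`strace -f -e trace=network <application>`, one way to check whether a
"torified" program really sends everything to the SocksPort. Every endpoint in
a connect()/sendto()/sendmsg() call is classified: the Tor SocksPort is fine;
anything else is a direct TCP connection, a datagram bypass, an IPv6 bypass
or a DNS leak (port 53, including the systemd-resolved stub on 127.0.0.53).
The trace below is a constructed sample in strace's syntax, not a capture."""
import re

SOCKS_PROXY = ("127.0.0.1", 9050)   # assumed local Tor SocksPort

OK, DNS_LEAK, IPV6_DIRECT, UDP_DIRECT, TCP_DIRECT = (
    "ok", "dns-leak", "ipv6-direct", "udp-direct", "direct-tcp")

# sockaddr_in / sockaddr_in6 as strace prints them inside network calls
ENDPOINT = re.compile(
    r'(?P<call>connect|sendto|sendmsg)\(\d+,.*?'
    r'sa_family=(?P<fam>AF_INET6?),\s*sin6?_port=htons\((?P<port>\d+)\),\s*'
    r'(?:sin6_flowinfo=[^,]+,\s*)?'
    r'(?:sin_addr=inet_addr\("(?P<ip4>[^"]+)"\)'
    r'|inet_pton\(AF_INET6,\s*"(?P<ip6>[^"]+)")'
)


def classify(call, fam, ip, port):
    """Map one endpoint to a verdict; only the SocksPort itself passes."""
    if call == "connect" and fam == "AF_INET" and (ip, port) == SOCKS_PROXY:
        return OK
    if port == 53:
        return DNS_LEAK
    if fam == "AF_INET6":
        return IPV6_DIRECT
    if call in ("sendto", "sendmsg"):
        return UDP_DIRECT
    return TCP_DIRECT


def review(lines):
    """Return one finding per network endpoint seen in the strace lines.
    AF_UNIX sockets and calls without an address are ignored; a failed call
    still counts, because the attempt itself reveals the destination."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = ENDPOINT.search(line)
        if not m:
            continue
        ip = m.group("ip4") or m.group("ip6")
        port = int(m.group("port"))
        findings.append({"line": n, "call": m.group("call"),
                         "family": m.group("fam"), "ip": ip, "port": port,
                         "verdict": classify(m.group("call"), m.group("fam"), ip, port)})
    return findings


def leaks(findings):
    """Everything that did not go to the SocksPort."""
    return [f for f in findings if f["verdict"] != OK]


# Constructed sample trace: one clean SOCKS connection, then a DNS query to
# the local resolver stub, a direct TCP connection and a (failed) IPv6 attempt.
SAMPLE_TRACE = r"""
[pid  4242] connect(3, {sa_family=AF_INET, sin_port=htons(9050), sin_addr=inet_addr("127.0.0.1")}, 16) = 0
[pid  4242] sendto(4, "\24\3\1\0\0\1\0\0\0\0\0\0\7example\3com\0\0\1\0\1", 29, MSG_NOSIGNAL, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.0.53")}, 16) = 29
[pid  4243] connect(5, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("198.51.100.7")}, 16) = 0
[pid  4243] connect(6, {sa_family=AF_INET6, sin6_port=htons(443), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "2001:db8::1", &sin6_addr), sin6_scope_id=0}, 28) = -1 ENETUNREACH (Network is unreachable)
[pid  4242] connect(7, {sa_family=AF_UNIX, sun_path="/run/dbus/system_bus_socket"}, 110) = 0
""".strip().splitlines()

if __name__ == "__main__":
    for f in review(SAMPLE_TRACE):
        print("line %(line)d %(call)s %(ip)s:%(port)d -> %(verdict)s" % f)
```

Run the application through the wrapper or proxy settings under review, feed the saved strace output to review(), and treat every non-"ok" finding as a configuration defect to fix before trusting the setup; an empty leaks() list over a realistic session is necessary, not sufficient, since application-protocol leaks (user name, client version, time zone) do not show up at the socket layer.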

How to torify specific programs

The following pages have good explanations of how you can configure programs to use Tor. Please follow the below mentioned links.

SupportPrograms (general overview about support programs)

  • polipo - can translate HTTP traffic to SOCKS traffic

Client applications

  • Web Browsers
  • E-mail
  • Instant Messaging
  • IRC
  • SILC
  • FTP
  • Mumble
  • GnuPG (GPG)
  • ssh
  • Under Misc you will find the following...
    • Filesharing / BitTorrent
    • TLS / SSL / https
    • Unix and Linux Configuration (basic stuff)
    • Mac OS X Configuration (basic stuff)
    • APT
    • wget
    • SSH
    • Putty
    • vpnd
    • Subversion (SVN)
    • YUM
    • KsCD and KDE applications in general
    • XMMS - The X Multimedia System
    • nc (netcat)
    • Any TCP-based protocol

Server software

Difficult to torify

  • ping - ICMP is not supported by Tor [1][2]
  • ping6 - IPv6 is not supported by Tor [1][2]
  • miredo - IPv4 to IPv6 tunnel client - UDP is not supported by Tor [1][2]
  • gogo6client - IPv4 to IPv6 tunnel client - UDP is not supported by Tor [1][2]
  • RetroShare [1][3]

[1] Needs a Transparent Proxy (see above) or Whonix (see above).
[2] Impossible directly over Tor. First establish an anonymous tunnel to a server which supports the required feature (ICMP, UDP or IPv6) and use the tunnel to run the application. There is very little documentation available and it's very hackish; see Whonix and Tunnel UDP over Tor.
[3] Whonix's documentation states that there is experimental support for RetroShare over Tor.

Remailing

Credits and Legal Notes


Also see

Last modified on Nov 6, 2013 8:15:54 AM