Changes between Version 557 and Version 558 of doc/TorifyHOWTO


Timestamp:
Jun 14, 2018, 4:24:54 PM (2 years ago)
Author:
Jaruga
Comment:

Overhaul.

  • doc/TorifyHOWTO

    v557 v558  
    1 [[TOC(noheading, depth=1)]]
    2 
    3 = Introduction =
    4 This document explains how to configure a particular application for use with Tor and thus the Tor network. As Tor constantly evolves, the knowledge and understanding about anonymity online also evolves. Implementations and other aspects of online anonymity become more and more complex. In the past, an end user would just go ahead and "torify" applications like Mozilla Firefox - this is no longer recommended. As we learned more on the subject and implementation of online anonymity, we discovered it was increasingly easy for a user to leak sensitive information to those interested in obtaining it. We will be describing more details on such matters further into this article.
    5 
    6 In short, do not torify any applications yourself unless you know exactly what you are doing. If, however, you wish to study the complexities surrounding the subject, then please feel free to indulge yourself and even go as far as providing new instructions or implementations. In the meantime, see this article more as a reference for developers and advanced users. If you don't fall into one of these two categories then for your own security, stick with the Tor Browser Bundle from https://www.torproject.org.
     1[[TOC(depth=5)]]
     2= TorifyHOWTO - An Overview =
     3The documents contained within this section provide information and instructions on configuring various software to securely connect to the Internet via Tor. As the network is constantly evolving, the knowledge and understanding about anonymity online also evolves. Implementations and other aspects of online anonymity become more and more complex. For example: In past times, an end user would simply change the internal settings of a particular piece of software to "torify" it, like Mozilla Firefox - this is no longer recommended. As we learned more on the subject and implementation of online anonymity, we discovered it was increasingly easy for a user to leak sensitive information to those interested in obtaining it. More details on this are provided in the below sections.
     4
     5In short, '''do not torify any applications yourself unless you know exactly what you are doing'''. If, however, you wish to study the complexities surrounding the subject, then please feel free to indulge yourself and even go as far as providing new instructions or implementations. In the meantime, see this article more as a reference for developers and advanced users. If you don not fall into one of these two categories then for your own security, stick with the Tor Browser from https://www.torproject.org.
    76
    87This article was originally written for a Linux/UNIX based environment. It should include some instructions for Windows and Mac users too. That being said, you should read the documentation at https://www.torproject.org before attempting to "torify" any applications yourself.
    98
    10 == For wiki editors ==
     9=== For wiki editors ===
    1110Use only link identifiers which start with a letter or the underscore character (_) and don't use identifiers with spaces inside them. Things like that make the page invalid (X)HTML and nobody wants that. Feel free to edit this page - it's a wiki, after all, driven by your contribution!
    1211
    13 = WARNING =
    14 == Proxy and SOCKS settings ==
    15 Proxy and SOCKS settings are mostly implemented by programmers to improve connectivity, not anonymity. Many people think developers implemented the application's proxy settings with anonymity in mind. That is a big mistake. They did not. See [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/Misc BitTorrent] for example.
    16 
    17 == Protocol leaks ==
    18 Tor provides only anonymity for DNS and the transmission of the TCP stream. Everything inside the stream, the application protocol, needs to be scrubbed. For example, if the application uses advanced techniques to determine your real external IP and sends it over the anonymized TCP stream, then what you wanted to hide, your real external IP, isn't hidden. This is exactly what happens with [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO BitTorrent]. Some applications may also choose to ignore and therefore not honor the proxy configuration you provide. This is something else you need to consider. Firefox was prone to this issue, as noted here: [https://blog.torproject.org/blog/firefox-security-bug-proxy-bypass-current-tbbs Firefox Proxy Bypass Bugs].
    19 
    20 Many applications have been written to work around firewalls and blocking internet service providers, such as [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/Misc BitTorrent clients] and [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/InstantMessaging Skype]. Regardless of your use of "correct" proxy settings (SOCKS4a) and/or external applications for torification, some applications will use advanced techniques to determine your external non-Tor IP address. As said previously, those applications were never made with anonymity in mind, but were designed to evade firewalls to allow them to function as expected.
     12=== Terminology ===
     13 * '''Torify'''; '''Torification''': The generic term. Either by proxification, socksification or transsocksification. Take measures to ensure that an application, which has not been designed for use with Tor (such as TorChat), will ```use only Tor``` for internet connectivity. Also ensure that there are no leaks from DNS, UDP or [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO#examplesandreasoningfortheWARNING the application protocol].
     14 * '''Proxify'''; '''Proxification''': This is not exclusively a Tor term and has two meanings
     15   * Use the proxy settings of the application and add a HTTP or SOCKS proxy
     16   * Use an external wrapper to force the application to use an HTTP or SOCKS proxy
     17 * '''Socksify'''; '''Socksification''': Also not exclusively a Tor term and also has two meanings:
     18   * Use the proxy settings of the application and add a SOCKS proxy
     19   * Use an external wrapper to force the application to use a SOCKS proxy
     20 * '''Transsocksify'''; '''Transsocksification''': Not exclusively a Tor term. Redirect an application or operating system transparently through a SOCKS proxy using a gateway and/or packet filter. For example: [https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy Tor's transparent proxy] or [https://en.wikipedia.org/wiki/Squid_%28software%29 Squid]
     21 * '''Unauthenticated''': You can not be sure with whom you are exchanging data. A [https://en.wikipedia.org/wiki/Man-in-the-middle_attack MITM attack] (such as a Tor exit node or ISP) can redirect you to a malicious server. They can also inject malicious things into the traffic.
     22 * '''Unencrypted''': A [https://en.wikipedia.org/wiki/Man-in-the-middle_attack MITM attack] (such as a Tor exit node or ISP) can see all the traffic in clear text.
     23
     24== Warnings and Advisories ==
     25The following section contains several security and privacy focused topics that users should be aware of. Please be sure to read it carefully, and take the time to fully understand the potential and limitations of Tor. You will make yourself and the entire network safer in the process!
     26
     27=== Protocol leaks ===
     28Tor provides only anonymity for DNS and the transmission of the TCP stream. Everything inside the stream, the application protocol, needs to be scrubbed. For example, if the application uses advanced techniques to determine your real external IP and sends it over the anonymized TCP stream, then what you wanted to hide, your real external IP, isn't hidden. This is exactly what happens with BitTorrent. Some applications may also choose to ignore and therefore not honor the proxy configuration you provide. This is something else you need to consider. Firefox was prone to this issue, as noted here: [https://blog.torproject.org/blog/firefox-security-bug-proxy-bypass-current-tbbs Firefox Proxy Bypass Bugs].
     29
     30Many applications have been written to work around firewalls and blocking Internet service providers, such as [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/Misc BitTorrent clients] and [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/InstantMessaging Skype]. Regardless of your use of "correct" proxy settings (SOCKS4a) and/or external applications for torification, some applications will use advanced techniques to determine your external non-Tor IP address. As said previously, those applications were never made with anonymity in mind, but were designed to evade firewalls to allow them to function as expected.
    2131
    2232All-in-all, you do not have to believe the statements of any random wiki contributor. However do take note and understand [https://www.torproject.org/download/download-easy.html.en#warning the official warnings from torproject.org].
    2333
    24 Quote: "Tor does not protect all of your computer's Internet traffic when you run it. Tor only protects your applications that are properly configured to send their Internet traffic through Tor. To avoid problems with Tor configuration, we strongly recommend you use the Tor Browser Bundle. It is pre-configured to protect your privacy and anonymity on the web as long as you're browsing with the Tor Browser itself. Almost any other web browser configuration is likely to be unsafe to use with Tor."
     34Quote: "Tor does not protect all of your computer's Internet traffic when you run it. Tor only protects your applications that are properly configured to send their Internet traffic through Tor. To avoid problems with Tor configuration, we strongly recommend you use the Tor Browser. It is pre-configured to protect your privacy and anonymity on the web as long as you're browsing with the Tor Browser itself. Almost any other web browser configuration is likely to be unsafe to use with Tor."
    2535
    2636Many applications can also leak other problematic and/or sensitive data, such as:
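Review bot: the rewritten overview paragraph introduces a typo, "If you don not fall into one of these two categories" should read "If you do not fall into". In the same hunk, the new Terminology entry for Torify links to #examplesandreasoningfortheWARNING, an anchor that matches no heading in either version and now sits even further from the renamed "Warnings and Advisories" section; link it to the "Protocol leaks" subsection instead. The rewritten "Protocol leaks" paragraph also drops the link on "BitTorrent" (the old one pointed at this page itself); pointing it at doc/TorifyHOWTO/Misc, as the other BitTorrent mentions do, would be more useful than no link.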
     
    3848You should take care not to leak such information. Information along these lines can be potentially used for de-anonymizing, fingerprinting or to exploit your application. This is what this article is all about: it provides instructions on how applications must be configured to prevent protocol leaks.
    3949
    40 == Deceiving Authorship Detection ==
     50=== Deceiving Authorship Detection ===
    4151When you post material online on a forum or chatroom using Tor, then repeat this process again without using Tor, you put your identity at risk.
    4252
     
    4757 * [https://psal.cs.drexel.edu/index.php/JStylo-Anonymouth JStylo-Anonymouth]
    4858
    49 == Exit Nodes Eavesdropping ==
     59=== Proxy and SOCKS settings ===
     60Proxy and SOCKS settings are mostly implemented by programmers to improve connectivity, not anonymity. Many people think developers implemented the application's proxy settings with anonymity in mind. That is a big mistake. They did not. See [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/Misc BitTorrent] for example.
     61
     62=== Exit Nodes Eavesdropping ===
    5063In the [https://www.torproject.org/docs/faq.html.en Tor FAQ] you must read the section "Can't the third server see my traffic?". In short, every exit node can spy on your unencrypted exit traffic and even worse, inject malicious code into the stream - be aware of this.
    5164
    52 == Do not connect to any server anonymously and non-anonymously at the same time! ==
    53 It's highly recommended that you do not connect to any remote server in this manner. That is, do not create a Tor link and a non-Tor link to the same remote server at the same time. In the event your internet connection breaks down (and it will eventually), all your connections will break at the same time and it won't be hard for an adversary to put the pieces together and determine what public IP belongs to what Tor IP, potentially identifying you directly.
    54 
    55 == Do not mix Modes of Anonymity! ==
     65=== Avoid letting identities cross ===
     66It's highly recommended that you do not connect to any remote server in this manner. That is, do not create a Tor link and a non-Tor link to the same remote server at the same time. In the event your Internet connection breaks down (and it will eventually), all your connections will break at the same time and it won't be hard for an adversary to put the pieces together and determine what public IP belongs to what Tor IP, potentially identifying you directly.
     67
     68=== Remember: Modes of anonymity do not mix! ===
    5669Let us begin with an overview of the different Modes of Anonymity:
    5770
    58 === mode(1): user anonymous; any recipient ===
     71==== mode(1): user anonymous; any recipient ====
    5972 * Scenario: post anonymously a message in a message board/mailing list/comment field
    6073 * Scenario: whistleblower and such
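Review bot: renaming the heading to "Avoid letting identities cross" leaves the body's first sentence, "It's highly recommended that you do not connect to any remote server in this manner", without an antecedent, because the old heading was what described "this manner". Suggest stating the rule in the body itself, e.g. "Do not connect to the same remote server over Tor and outside Tor at the same time."; the rest of the paragraph then follows naturally.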
     
    6376 * Location privacy: your location remains secret.
    6477
    65 === mode(2): user knows recipient; both use Tor ===
     78==== mode(2): user knows recipient; both use Tor ====
    6679 * Scenario: both sender and recipient know each other and both use Tor.
    6780 * They can communicate with each other without any third party being wise to their activity or even the the knowledge that they are communicating with each other.
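Review bot: the unchanged line "or even the the knowledge that they are communicating with each other" carries a doubled "the"; since this revision is an overhaul, worth fixing here.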
     
    7083 * Location privacy: your location remains secret.
    7184
    72 === mode(3): user with no anonymity using Tor; any recipient ===
     85==== mode(3): user with no anonymity using Tor; any recipient ====
    7386 * Scenario: login with your real name into any services, such as webmail, Twitter, Facebook, etc...
    7487 * You are obviously NOT anonymous. As soon as you log into an account where you entered your real name the website knows your identity. Tor can not make you anonymous in these situations.
     
    7689 * Location privacy. Your location remains secret.
    7790
    78 === mode(4): user with no anonymity; any recipient ===
     91==== mode(4): user with no anonymity; any recipient ====
    7992 * Scenario: normal browsing without Tor.
    8093 * You are NOT anonymous.
    8194 * Your real IP gets revealed.
    8295 * Your location gets revealed.
    83 
    84 === Conclusion ===
     96 '''Conclusion'''
    8597It's not wise to combine mode(1) and mode(2). For example, if you have an IM or email account and use that via mode(1), you are advised not to use the same account for mode(2). We have explained previously why this is an issue.
    8698
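Review bot: demoting "=== Conclusion ===" to a bold " '''Conclusion''' " line is inconsistent with the rest of this section: the four mode(n) entries were promoted to level-4 headings and the TOC at the top is set to depth=5, so the conclusion drops out of the TOC while its siblings stay in, and with the blank line before it removed the bold line now runs straight on from the mode(4) list. Suggest "==== Conclusion ====" instead.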
     
    89101It's also possible that other combinations of modes are dangerous and could lead to the leakage of personal information or your physical location.
    90102
    91 == Tor over Tor ==
     103=== Tor over Tor ===
    92104When using a transparent proxy, it is possible to start a Tor session from the client as well as from the transparent proxy, creating a "Tor over Tor" scenario. Doing so produces undefined and potentially unsafe behavior. In theory, however, you can get six hops instead of three, but it is not guaranteed that you'll get three different hops - you could end up with the same hops, maybe in reverse or mixed order. It is not clear if this is safe. It has never been discussed.
    93105
     
    96108https://trac.torproject.org/projects/tor/ticket/5611#comment:2
    97109
    98 == Software updaters ==
    99 Do not use automatic software updates over Tor that do not verify downloads. That being said, operating system updates are generally secure. If you use Linux and only your package management software suite, then you can consider yourself safe. On the other hand, third party applications on Windows are likely problematic, for example if the updates aren't signed/authenticated, malevolent exit nodes can change what code is downloaded and installed and thereby gain remote code execution rights. This could potentially lead to your public IP address and your physical location being revealed. If you don't use a generic system (such as Tails or Whonix's Whonix-Workstation), then the software update can leak identifying fingerprints (what software and versions are installed) to exit nodes and repository mirrors.
     110=== Software updates ===
     111Do not use automatic software updates over Tor that do not verify downloads. That being said, operating system updates are generally secure. If you use GNU/Linux and only your package management software suite then you can consider yourself safe, as modern package managers contain mechanisms to verify the authenticity of packages. On the other hand, third party applications on Windows are likely problematic, For example, if the updates aren't signed/authenticated, malevolent exit nodes can change what code is downloaded and installed and thereby gain remote code execution rights. This could potentially lead to your public IP address and your physical location being revealed. If you don't use a generic system (such as Tails or Whonix's Whonix-Workstation), then the software update can leak identifying fingerprints (what software and versions are installed) to exit nodes and repository mirrors.
    100112
    101113Ubuntu software updates are vulnerable against [https://bugs.launchpad.net/launchpad/+bug/716535 "stale-proxy" attacks]. The exit node or exit node's ISP could prevent you from seeing new updates. To circumvent this, switch your identity after trying to update and check for updates again.
    102114
    103 == Software identifiers ==
     115=== Software identifiers ===
    104116Be very careful when using any software, especially proprietary (s.a freeware and commercial) one.
    105117* If you bought a license file or serial number it will be often transmitted when you use the software.
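Review bot: the rewritten "Software updates" paragraph introduces a punctuation error, "third party applications on Windows are likely problematic, For example, if the updates" (comma followed by a capitalised "For"); the old text read "problematic, for example if". Use "problematic. For example, if" or restore the lower-case form. In the unchanged line below, "especially proprietary (s.a freeware and commercial) one" is hard to parse; "(such as freeware and commercial software)" would be clearer.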
     
    111123* Some software discloses information about the system while checking for updates or sending error reports.
    112124
    113 == Getting from key/fingerprint form many different Tor exits ==
     125=== Getting from key/fingerprint form many different Tor exits ===
    114126Sometimes it is required to get a GPG fingerprint or an SSL fingerprint. You can not get it through a pre-secure channel and it's possible a malicious Tor exit node could tamper with it during transit. In that case it is often recommended to ask several times for the information while using different exit nodes. While this may reduce the chances that you use a compromised exit node to retrieve the key/fingerprint, it's not a perfect solution. See the graph below.
    115127
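Review bot: the retitled heading keeps the pre-existing garble "Getting from key/fingerprint form many different Tor exits"; since the line is being rewritten anyway, make it "Getting a key/fingerprint from many different Tor exits".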
     
    118130With the method described above you can only lower the chance that multiple exit nodes or multiple exit node's ISPs are compromised. You can never eradicate the possiblity that the ISP of the destination server is compromised. No amount of fetches through different Tor exit nodes can help here.
    119131
    120 == Bridge Firewall ==
     132=== Bridge Firewall ===
    121133Don't waste your energy on additional firewall rules to only connect to (some [hand] selected) Tor bridges or to only connect to the Tor network. It won't work out. The concept and why it fails is described in the [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/BridgeFirewall Bridge Firewall] article.
    122134
    123 = Terminology =
    124  * '''Torify'''; '''Torification''': The generic term. Either by proxification, socksification or transsocksification. Take measures to ensure that an application, which has not been designed for use with Tor (such as TorChat), will ```use only Tor``` for internet connectivity. Also ensure that there are no leaks from DNS, UDP or [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO#examplesandreasoningfortheWARNING the application protocol].
    125  * '''Proxify'''; '''Proxification''': This is not exclusively a Tor term and has two meanings
    126    * Use the proxy settings of the application and add a HTTP or SOCKS proxy
    127    * Use an external wrapper to force the application to use an HTTP or SOCKS proxy
    128  * '''Socksify'''; '''Socksification''': Also not exclusively a Tor term and also has two meanings:
    129    * Use the proxy settings of the application and add a SOCKS proxy
    130    * Use an external wrapper to force the application to use a SOCKS proxy
    131  * '''Transsocksify'''; '''Transsocksification''': Not exclusively a Tor term. Redirect an application or operating system transparently through a SOCKS proxy using a gateway and/or packet filter. For example: [https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy Tor's transparent proxy] or [https://en.wikipedia.org/wiki/Squid_%28software%29 Squid]
    132  * '''Unauthenticated''': You can not be sure with whom you are exchanging data. A [https://en.wikipedia.org/wiki/Man-in-the-middle_attack MITM attack] (such as a Tor exit node or ISP) can redirect you to a malicious server. They can also inject malicious things into the traffic.
    133  * '''Unencrypted''': A [https://en.wikipedia.org/wiki/Man-in-the-middle_attack MITM attack] (such as a Tor exit node or ISP) can see all the traffic in clear text.
    134 
    135 = Overview about different methods for Torification =
     135== General Torifying Information ==
     136
    136137There are three different methods to torify applications:
    137138
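Review bot: the new "General Torifying Information" heading is followed by the unchanged sentence "There are three different methods to torify applications", yet the subsections below list four (proxy settings, wrapper, transparent proxy, isolating proxy); update the count. The unchanged line above the removed Terminology block still has the typo "possiblity", and "multiple exit node's ISPs" should be "multiple exit nodes' ISPs". The removed Terminology block is inserted verbatim near the top of the page, so nothing is lost there.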
     
    140141 * About [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO#ExamplesandreasoningfortheWARNING protocol leaks] (leak of your time zone through CTCP/IRC; browser fingerprinting; [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/Misc Bittorent leaks]; [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO#ExamplesandreasoningfortheWARNING See warning above!])
    141142
    142 == Classical / common way: use the application's proxy settings ==
     143=== Classical / common way: use the application's proxy settings ===
    143144Advantages: [[BR]]
    144145 * Does not need third party software (wrapper)
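Review bot: the unchanged context line links twice to #ExamplesandreasoningfortheWARNING, which matches no heading in either version, and spells "Bittorent"; both are worth fixing while the section is being restructured.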
     
    149150 * The application is not forced to honor the proxy settings. Some applications such as [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/InstantMessaging Skype] and [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/Misc BitTorrent] do not care what the proxy settings are and use direct connections anyway. Also once the application is infected, it's not forced to honor the application settings
    150151
    151 == Not so common: use a wrapper: force the application to use a proxy (torsocks/usewithtor/uwt) ==
    152 [https://trac.torproject.org/projects/tor/wiki/doc/SupportPrograms wrapper]
     152=== Uncommon: Use a wrapper: force the application to use a proxy (torsocks) ===
    153153
    154154Advantages: [[BR]]
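Review bot: removing the "[https://trac.torproject.org/projects/tor/wiki/doc/SupportPrograms wrapper]" line takes away this section's only pointer to the wrapper overview (the hunk further down removes the other SupportPrograms link as well); if the linked page is still maintained, keep a reference to it in the body of this section.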
     
    158158Disadvantages: [[BR]]
    159159 * It's a redirector, not a jail. Applications may still decide to use fancy techniques to achieve direct connections. Also once the application or machine is infected with malware, it can break out of the redirector
    160  * There are/were serious leaks which leak your IP because of bugs.
     160 * There is no guarantees of it remaining bug-free.
    161161 * It also does not magically prevent protocol leaks, see [https://gitweb.torproject.org/torsocks.git/ torsocks homepage] for details.
    162162
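Review bot: the replacement bullet has a grammar error, "There is no guarantees of it remaining bug-free" should be "There is no guarantee" (or "There are no guarantees"). Also, swapping the concrete statement that there were serious IP-leaking bugs for a generic caveat drops information without adding any; consider keeping the original sentence alongside the new one.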
     
    164164To prevent identity correlation through circuit sharing use uwt, see [https://trac.torproject.org/projects/tor/wiki/doc/torsocks torsocks].
    165165
    166 == Even less common: use a Transparent Proxy ==
     166=== Even less common: use a Transparent Proxy ===
    167167[https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy Transparent Proxy] (Insecure.) [[BR]]
    168168All applications will be forced through the same TransPort, thus mixing them all into the same circuit which leads to identity correlation through circuit sharing.
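Review bot: the unchanged line "To prevent identity correlation through circuit sharing use uwt, see torsocks" is now inconsistent with the wrapper heading rewritten above, which dropped usewithtor/uwt and names only torsocks; either reword this sentence in terms of torsocks or restore uwt in the heading.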
     
    181181 * Too many non-IP related leaks, which are nonetheless serious issues. Rather use an [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IsolatingProxy Isolating Proxy]
    182182
    183 == Even less common: use an Isolating Proxy ==
     183=== Even less common: use an Isolating Proxy ===
    184184[https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IsolatingProxy Isolating Proxy] (Secure.) [[BR]]
    185185All applications can only access internet over Tor. Direct connections are impossible due to either a virtual internal network and/or physical isolation.
     
    191191Example implementation: [https://www.whonix.org Whonix].
    192192
    193 = How to review an application =
    194 Some hints how to do it, [https://lists.torproject.org/pipermail/tor-talk/2012-April/024010.html tor-talk wget - secure?].
    195 
    196 Ticket: #5553 "prevent protocol leaks; Tor client connection API or protocol review howto"
    197 
    198 = How to torify specific programs =
    199 The following pages have good explanations of how you can configure programs to use Tor. Please follow the below mentioned links.
    200 
    201 [https://trac.torproject.org/projects/tor/wiki/doc/SupportPrograms SupportPrograms] (general overview about support programs)
    202  * [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/Polipo polipo] - can translate HTTP traffic to SOCKS traffic
    203 
    204193== Client applications ==
    205  * [wiki:doc/TorifyHOWTO/WebBrowsers Web Browsers]
    206194 * [wiki:doc/TorifyHOWTO/EMail  E-mail]
    207195 * [wiki:doc/TorifyHOWTO/InstantMessaging Instant Messaging]
    208196 * [wiki:doc/TorifyHOWTO/IRC IRC]
    209  * [wiki:doc/TorifyHOWTO/SILC SILC]
     197 * [wiki:doc/TorifyHOWTO/HexChat HexChat]
     198 * [wiki:doc/TorifyHOWTO/WeeChat WeeChat]
     199 * [wiki:doc/TorifyHOWTO/irssi Irssi]
     200 * [wiki:doc/TorifyHOWTO/EMail/Thunderbird Thunderbird]]
    210201 * [wiki:doc/TorifyHOWTO/FTP FTP]
    211202 * [wiki:doc/TorifyHOWTO/Mumble Mumble]
    212203 * [wiki:doc/TorifyHOWTO/apt APT]
     204 * [wiki:doc/TorifyHOWTO/dnf DNF]
    213205 * [wiki:doc/TorifyHOWTO/ssh SSH]
    214206 * [wiki:doc/TorifyHOWTO/GnuPG GnuPG] (GPG)
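Review bot: the added Thunderbird entry has an unbalanced bracket, "[wiki:doc/TorifyHOWTO/EMail/Thunderbird Thunderbird]]", which will render a stray "]" after the link. Also, this hunk deletes the "How to review an application" section (the tor-talk "wget - secure?" thread and ticket #5553), the SupportPrograms/polipo pointer and the Web Browsers entry with nothing replacing them; if the web-browser page is dropped on purpose because Tor Browser is the recommended route, say so in the overview, and the review hints deserve a home elsewhere on the page.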
     
    220212   * cURL
    221213   * Video streams
    222    * KsCD and KDE applications in general
    223214   * XMMS - The X Multimedia System
    224215   * nc (netcat)
     
    242233^3^ [https://sourceforge.net/p/whonix/wiki/Home/ Whonix]'s [https://sourceforge.net/p/whonix/wiki/Documentation/ Documentation] states, there is experimental support for RetroShare over Tor. [[BR]]
    243234
    244 == Remailing ==
    245    * [wiki:doc/RemailingAndTor Remailing (probable outdated and obsolete)]
    246 
    247 = Credits and Legal Notes =
     235== Credits and Legal Notes ==
    248236[https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/legal Credits and Legal Notes]
    249237
    250 = See also =
     238== See also ==
    251239 * [https://trac.torproject.org/projects/tor/wiki/doc/proxy proxy]