wiki:doc/TorifyHOWTO

Version 491 (modified by proper, 7 years ago)

new: Getting from key/fingerprint form many different Tor exits

TODO

  • This article needs general information about identity correlation through circuit sharing, which is not Whonix specific: an introduction to what it is, the risks, and tips on how to avoid it. The whole TorifyHOWTO probably needs revision.

Introduction

This document explains how to configure particular programs to use Tor. As Tor constantly evolves, so does the knowledge about anonymity, and things become more and more complex. In the past, you would simply go ahead and torify applications like Mozilla Firefox yourself. This is no longer recommended, as we have learned a lot about possible leaks, which are described in a following chapter.

Do not torify any applications yourself unless you know exactly what you are doing! Of course, you are free to study the complexity, to research and to provide new instructions. See this article more as a reference for developers and advanced users. If you aren't one of them, for your own security, rather stick with the Tor Browser Bundle from torproject.org.

It was originally written for a Linux/UNIX environment. It should include some instructions for Windows and OS X users too. You should read the documentation at https://www.torproject.org first.

For wiki editors

Use only link identifiers which start with a letter or the underscore character (_) and don't use identifiers with spaces inside them. Things like that make the page invalid (X)HTML and nobody wants that. Feel free to edit this page --- it's a wiki, after all, driven by your contribution!

WARNING

Proxy and socks settings

Proxy and socks settings are mostly implemented by programmers to improve connectivity, not anonymity.

Many people think developers implemented their applications' proxy settings with anonymity in mind. That is a big mistake. They did not. See Bittorrent for example.

Protocol leaks

Tor provides anonymity only for DNS and for the transmission of the TCP stream. Everything inside the stream, the application protocol, needs to be scrubbed. For example, if an application uses advanced techniques to determine your real external IP and sends it over the anonymized TCP stream, then what you wanted to hide, your real external IP, isn't hidden. Exactly this happens with Bittorrent.

Many applications, such as Bittorrent clients and Skype, have been written to work around firewalls and blocking internet service providers. No matter whether you use "correct" proxy settings (socks4a) and/or external applications for torification, some applications will use advanced techniques to determine your external non-Tor IP. As said before, those applications were never made with anonymity in mind, but with evading firewalls in mind.

You do not have to believe the statements of any random wiki contributor. Do believe the official warnings from torproject.org.

Quote: "Tor does not protect all of your computer's Internet traffic when you run it. Tor only protects your applications that are properly configured to send their Internet traffic through Tor. To avoid problems with Tor configuration, we strongly recommend you use the Tor Browser Bundle. It is pre-configured to protect your privacy and anonymity on the web as long as you're browsing with the Tor Browser itself. Almost any other web browser configuration is likely to be unsafe to use with Tor."

Many applications can also leak other problematic data such as:

  • your real external non-Tor IP, as described above
  • your time zone (example: IRC clients through CTCP)
  • your user name (example: ssh through login)
  • the name and version of the client or server you are using (example: Apache web server leaks software name and version; IRC clients leak client name and client version through CTCP)
  • metadata can be a risk. See MAT and read 'What is metadata?' and 'Why can metadata be a risk for your privacy?'
  • Depending on your Mode of Anonymity you obviously shouldn't mix applications which you use non-anonymously with your anonymous use. For example, if a login name or password of yours can be traced back to your identity, it's like committing suicide. Tor can not protect you from that.
  • Or even the content of your RAM. (example: error reporting, Transparent Proxy Leaks)
  • A lot of information which the application sends on request from a server. (example: most web browsers besides the Tor Browser)
  • Hardware serial numbers might be used for fingerprinting and, in the worst case, lead back to you.
  • License keys of non-free software are often transmitted and might lead back to you.

You should take care not to leak such information. It can potentially be used for de-anonymizing you, for fingerprinting, or for exploiting your application. This is what the Torify HOWTO is all about: it provides instructions on how applications have to be configured to prevent protocol leaks.

Deceiving Authorship Detection

When you post some things online using Tor and others while you are not on Tor, you are at risk, for example if you make the same writing mistakes in both. Publicly available research on, and circumvention of, this threat is rare:

Exit Nodes Eavesdropping

In the Tor FAQ you must read the section "Can't the third server see my traffic?". In short: every exit node can spy on your unencrypted exit traffic and, even worse, inject malicious code into the stream. Be aware of that.

Do not connect to any server anonymously and non-anonymously at the same time!

For example, do not connect this way to webservers, do not download this way and also do not join IRC servers this way. Once your internet connection breaks down, all your connections will break and it won't be hard for an adversary to guess what's up.

Do not mix Modes of Anonymity!

We begin with an overview of the different Modes of Anonymity.

mode(1): user anonymous; any recipient

  • example: post anonymously a message in a message board/mailing list/comment field
  • example: whistleblower and such
  • You are anonymous.
  • Your real IP stays hidden.
  • Location privacy. Your location remains secret.

mode(2): user knows recipient; both use Tor

  • example: Both, sender and recipient know each other and both use Tor.
  • They can communicate with each other without any third party being able to find out that they are communicating with each other.
  • You are NOT anonymous.
  • Your real IP stays hidden.
  • Location privacy. Your location remains secret.

mode(3): user with no anonymity using Tor; any recipient

  • example: Login with your real name into any services, such as webmail, twitter, facebook, etc...
  • You are obviously NOT anonymous. As soon as you log into an account where you entered your real name the website knows your identity. Tor can not make that magically anonymous.
  • Your real IP stays hidden.
  • Location privacy. Your location remains secret.

mode(4): user with no anonymity; any recipient

  • example: normal browsing without Tor.
  • You are NOT anonymous.
  • Your real IP gets revealed.
  • Your location gets revealed.

Conclusion

It's not wise to combine mode(1) and mode(2). For example, if you have an im/mail/etc. account and use that one for mode(1), you are advised not to use the same account for mode(2).

It's also not wise to mix two or more modes inside the same Tor session, as they could share the same exit node (identity correlation).

Also other combinations are potentially dangerous.

Tor over Tor

When using a transparent proxy, it is possible to start a Tor session from the client as well as from the transparent proxy, creating a "tor over tor" scenario. Doing so produces undefined and potentially unsafe behavior.

In theory you can get 6 hops instead of 3. However, it is not guaranteed that you'll get 3 different additional hops. You could end up with the same hops, maybe in reverse or mixed order.

It is not clear if this is safe. It has never been discussed.

From the Tor FAQ (https://www.torproject.org/docs/faq.html.en#ChooseEntryExit): "You get the best security that Tor can provide when you leave the route selection to Tor; overriding the entry / exit nodes can mess up your anonymity in ways we don't understand."

Therefore Tor over Tor usage is highly discouraged.

https://trac.torproject.org/projects/tor/ticket/5611#comment:2

Software updaters

Do not use automatic software updates over Tor that do not verify downloads. Operating system updates are generally secure. If you use Linux and only apt-get/yum you are fine. 3rd party applications on Windows are likely problematic. If the updates aren't signed/authenticated malevolent exit nodes can change what code is downloaded and installed and thereby gain remote code execution.

If you don't use a generic system (such as Tails or Whonix's Whonix-Workstation) the software update can leak identifying fingerprints (what software and versions are installed) to exit nodes and repository mirrors.

Ubuntu software updates are vulnerable to "stale-proxy" attacks. The exit node or the exit node's ISP could prevent you from seeing new updates. To circumvent this, switch your identity after (trying) to update and check for updates again.

License keys

Be very careful when using commercial software. If you bought a license file or serial number, it will often be transmitted when you use the software. If you bought or paid over non-anonymous channels, it might lead back to you.

Getting a key/fingerprint from many different Tor exits

Sometimes it is necessary to obtain, for example, a GPG fingerprint or an SSL fingerprint. You can not get it through a secure channel established beforehand, and you know that malicious Tor exit nodes could tamper with it. In that case it is often recommended to ask for the information several times while using different exit nodes. While this makes sense to lower the chance that all the exit nodes you used are compromised, it's not a perfectly secure solution. See the graph below.

user -> ISP -> lots of servers (just look at some trace routes) -> Tor guard/bridge -> ISP... -> Tor middle node -> ISP... -> Tor exit node -> ISP -> lots of servers -> ISP of destination server -> destination server.

With the method described above you can only lower the chance that multiple exit nodes or multiple exit nodes' ISPs are compromised. You can never eliminate the possibility that the ISP of the destination server is compromised. No amount of fetches through different Tor exits helps here.

Terminology

  • torify; torification: The generic term. Either by proxification, socksification or transsocksification. Take measures to ensure that an application which has not been designed for use with Tor (unlike, for example, TorChat) will use only Tor for internet connections. Also ensure that there are no leaks from DNS, UDP or the protocol.
  • proxify; proxification: Not exclusively a Tor term. Has two meanings. a) Use the proxy settings of the application and add an HTTP or SOCKS proxy. b) Use an external wrapper to force the application to use an HTTP or SOCKS proxy.
  • socksify; socksification: Not exclusively a Tor term. Has two meanings. a) Use the proxy settings of the application and add a SOCKS proxy. b) Use an external wrapper to force the application to use a SOCKS proxy.
  • transsocksify; transsocksification: Not exclusively a Tor term. Redirect an application or operating system transparently through a socks proxy using a gateway and/or packet filter. (example: Tor's transparent proxy; Squid)
  • Unauthenticated: You can not be sure with whom you are exchanging data. A MITM (such as a Tor exit node or ISP) can redirect you to a malicious server. They can also inject malicious things into the traffic.
  • Unencrypted: A MITM (such as a Tor exit node or ISP) can see all the traffic in clear text.

Overview about different methods for Torification

There are three different methods to torify applications.

Security overall:

  • Leaks of your real IP address after your machine has been rooted are only impossible if the machine has no option other than sending its traffic out through Tor (Transparent or Isolated Proxy).
  • You always have to take care of protocol leaks yourself (leak of your time zone through CTCP/IRC; browser fingerprinting; Bittorrent leaks; see the warning above; etc.).

Classical / common way: use the application's proxy settings

Advantages:

  • Does not need third party software (wrapper).
  • Only a few proxy settings needed, sometimes a few more settings like 'use remote DNS' are required.

Disadvantages:

  • Each application has to be checked and configured against DNS leaks.
  • The application is not forced to honor the proxy settings. Some applications such as Skype and Bittorrent do not care what the proxy settings are and use direct connections anyway. Also, once the application is infected, it is not forced to honor the proxy settings.

Not so common: use a wrapper: force the application to use a proxy (torsocks/usewithtor)

wrapper

Advantages:

  • No proxy settings inside the application needed.
  • Nothing like 'use remote DNS' can be forgotten.

Disadvantages:

  • It's a redirector, not a jail. Applications may still decide to use fancy techniques to achieve direct connections. Also, once the application or machine is infected with malware, it can break out of the redirector.
  • There are/were serious bugs which leak your IP. For example, IPv6 can still leak your IP when using torsocks.
  • It also does not magically prevent protocol leaks, see torsocks homepage for details.

Update:
To prevent identity correlation through circuit sharing, use uwt instead of plain torsocks.

Even less common: use a Transparent Proxy

Transparent Proxy (Insecure.)
All applications will be forced through the same TransPort, thus mixing them all into the same circuit which leads to identity correlation through circuit sharing.

Security:

Advantages:

  • No proxy settings inside the application needed.
  • Nothing like 'use remote DNS' can be forgotten.

Disadvantages:

  • More complex and complicated, requires additional software.
  • Too many non-IP related leaks, which are nonetheless serious issues. Rather use an Isolated Proxy.

Even less common: use an Isolated Proxy

Isolated Proxy (Secure.)
All applications can only access internet over Tor. Direct connections are impossible due to either a virtual internal network and/or physical isolation.

Each application gets their own SocksPort. Can still be combined with Trans- and DnsPort. [...]

Depending on implementation, can provide some protocol leak and fingerprinting protection. For example see Whonix's Protocol-Leak-Protection and Fingerprinting-Protection.

Example implementation: Whonix.
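The two settings this overview keeps coming back to, 'use remote DNS' (hand the proxy the hostname, not a locally resolved IP) and one circuit per application (no identity correlation through circuit sharing), are both decided on the wire by the SOCKS5 client. The following Python is an added example, not code from this wiki or from Whonix; it assumes a local Tor SocksPort at 127.0.0.1:9050 and relies on Tor's IsolateSOCKSAuth behaviour (streams with different SOCKS credentials get different circuits), with `app_label` as a made-up per-application credential.

```python
import ipaddress
import socket
import struct

# SOCKS5 constants from RFC 1928 / RFC 1929 (not values taken from this wiki page).
SOCKS5, NO_AUTH, USERPASS, CMD_CONNECT = 0x05, 0x00, 0x02, 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

def greeting(isolate=False):
    # Offering only username/password auth makes Tor key the stream on those
    # credentials: IsolateSOCKSAuth (on by default) then gives each distinct
    # credential pair its own circuit, so applications do not share one.
    return bytes([SOCKS5, 1, USERPASS if isolate else NO_AUTH])

def userpass(username, password):
    # RFC 1929 sub-negotiation; Tor accepts any values and uses them only as a label.
    u, p = username.encode(), password.encode()
    if max(len(u), len(p)) > 255:
        raise ValueError("credential longer than one length byte allows")
    return bytes([0x01, len(u)]) + u + bytes([len(p)]) + p

def connect_request(host, port):
    # Hostnames go out as ATYP 0x03 ('use remote DNS'): the Tor exit resolves
    # the name and the local resolver never sees it. IP literals pass unchanged.
    try:
        ip = ipaddress.ip_address(host)
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    except ValueError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS5, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)

def tor_connect(host, port, app_label, socks=("127.0.0.1", 9050)):
    # Full handshake against a local Tor SocksPort (address is an assumption);
    # app_label is the per-application isolation credential.
    s = socket.create_connection(socks)
    s.sendall(greeting(isolate=True))
    if s.recv(2) != bytes([SOCKS5, USERPASS]):
        raise OSError("Tor did not accept username/password auth")
    s.sendall(userpass(app_label, "x"))
    if s.recv(2)[1:] != b"\x00":
        raise OSError("credential sub-negotiation failed")
    s.sendall(connect_request(host, port))
    if s.recv(10)[:2] != bytes([SOCKS5, 0x00]):  # REP field 0x00 means success
        raise OSError("CONNECT refused")
    return s
```

An application that calls socket.gethostbyname() before building the CONNECT request has already leaked the name to the local resolver, whatever the proxy settings say; the ATYP 0x03 form is the check to look for when reviewing a client.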

How to review an application

Some hints on how to do it: see the tor-talk thread "wget - secure?".

Ticket: #5553 "prevent protocol leaks; Tor client connection API or protocol review howto"

How to torify specific programs

The following pages have good explanations of how you can configure programs to use Tor. Please follow the links below.

SupportPrograms (general overview about support programs)

Client applications

  • Web Browsers
  • E-mail
  • Instant Messaging
  • IRC
  • SILC
  • FTP
  • GnuPG
  • ssh
  • Under Misc you will find the following...
    • Filesharing / Bittorrent
    • Unix and Linux Configuration (basic stuff)
    • Mac OS X Configuration (basic stuff)
    • APT
    • wget
    • SSH
    • Putty
    • vpnd
    • Subversion (SVN)
    • YUM
    • KsCD and KDE applications in general
    • XMMS - The X Multimedia System
    • nc (netcat)
    • Any TCP-based protocol

Server software

Impossible to torify

  • ping - cannot work with Tor, ICMP is not supported by Tor
  • ping6 - cannot work with Tor, IPv6 is not supported by Tor
  • miredo - IPv4 to IPv6 tunnel client - cannot work with Tor, because it needs UDP
  • gogo6client - IPv4 to IPv6 tunnel client - cannot work with Tor, because it needs UDP
  • RetroShare

Remailing

Credits and Legal Notes

Also see