
Version 558 (modified by Jaruga, 3 days ago)

Overhaul.

TorifyHOWTO - An Overview

The documents contained within this section provide information and instructions on configuring various software to connect securely to the Internet via Tor. As the network constantly evolves, so does the understanding of online anonymity, and the implementations keep getting more complex. For example: historically, an end user would simply change the internal settings of a particular piece of software, such as Mozilla Firefox, to "torify" it. This is no longer recommended. As more was learned about implementing online anonymity, it became clear how easy it is for a user to leak sensitive information to those interested in obtaining it. More details on this are provided in the sections below.

In short, do not torify any applications yourself unless you know exactly what you are doing. If, however, you wish to study the complexities surrounding the subject, then please feel free to indulge yourself and even go as far as providing new instructions or implementations. In the meantime, see this article more as a reference for developers and advanced users. If you do not fall into one of these two categories then, for your own security, stick with the Tor Browser from https://www.torproject.org.

This article was originally written for a Linux/UNIX based environment. It should include some instructions for Windows and Mac users too. That being said, you should read the documentation at https://www.torproject.org before attempting to "torify" any applications yourself.

For wiki editors

Use only link identifiers which start with a letter or the underscore character (_) and don't use identifiers with spaces inside them. Things like that make the page invalid (X)HTML and nobody wants that. Feel free to edit this page - it's a wiki, after all, driven by your contribution!

Terminology

  • Torify; Torification: The generic term. Either by proxification, socksification or transsocksification. Take measures to ensure that an application, which has not been designed for use with Tor (such as TorChat), will use only Tor for internet connectivity. Also ensure that there are no leaks from DNS, UDP or the application protocol.
  • Proxify; Proxification: This is not exclusively a Tor term and has two meanings:
    • Use the proxy settings of the application and add an HTTP or SOCKS proxy
    • Use an external wrapper to force the application to use an HTTP or SOCKS proxy
  • Socksify; Socksification: Also not exclusively a Tor term and also has two meanings:
    • Use the proxy settings of the application and add a SOCKS proxy
    • Use an external wrapper to force the application to use a SOCKS proxy
  • Transsocksify; Transsocksification: Not exclusively a Tor term. Redirect an application or operating system transparently through a SOCKS proxy using a gateway and/or packet filter. For example: Tor's transparent proxy or Squid
  • Unauthenticated: You cannot be sure with whom you are exchanging data. A man-in-the-middle (such as a Tor exit node or your ISP) can redirect you to a malicious server and can also inject malicious content into the traffic.
  • Unencrypted: A man-in-the-middle (such as a Tor exit node or your ISP) can see all the traffic in clear text.

Warnings and Advisories

The following section contains several security and privacy focused topics that users should be aware of. Please be sure to read it carefully, and take the time to fully understand the potential and limitations of Tor. You will make yourself and the entire network safer in the process!

Protocol leaks

Tor provides only anonymity for DNS and the transmission of the TCP stream. Everything inside the stream, the application protocol, needs to be scrubbed. For example, if the application uses advanced techniques to determine your real external IP and sends it over the anonymized TCP stream, then what you wanted to hide, your real external IP, isn't hidden. This is exactly what happens with BitTorrent. Some applications may also choose to ignore and therefore not honor the proxy configuration you provide. This is something else you need to consider. Firefox was prone to this issue, as noted here: Firefox Proxy Bypass Bugs.

Many applications have been written to work around firewalls and blocking Internet service providers, such as BitTorrent clients and Skype. Regardless of your use of "correct" proxy settings (SOCKS4a) and/or external applications for torification, some applications will use advanced techniques to determine your external non-Tor IP address. As said previously, those applications were never made with anonymity in mind, but were designed to evade firewalls to allow them to function as expected.
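To make the "correct proxy settings (SOCKS4a)" point concrete, here is an added example (not from this wiki or the Tor project) that builds the two request formats offline and inspects them; the target address and onion name are constructed sample values. Plain SOCKS4 needs an IPv4 address, so the client resolves the name itself (the DNS leak); SOCKS4a ships the hostname to the proxy instead.

```python
import socket
import struct

SOCKS_VERSION, CMD_CONNECT = 4, 1


def socks4_connect(ip: str, port: int, userid: bytes = b"") -> bytes:
    """Plain SOCKS4 CONNECT. The caller must already hold an IPv4 address, so the
    DNS lookup happened on the client, outside Tor: this is the classic DNS leak."""
    header = struct.pack("!BBH", SOCKS_VERSION, CMD_CONNECT, port)
    return header + socket.inet_aton(ip) + userid + b"\x00"


def socks4a_connect(hostname: str, port: int, userid: bytes = b"") -> bytes:
    """SOCKS4a CONNECT ('use remote DNS'). DSTIP carries the sentinel 0.0.0.x
    (x != 0) and the hostname travels to the proxy, which resolves it through
    Tor. This is also the only way a .onion name can be reached at all."""
    return (struct.pack("!BBH", SOCKS_VERSION, CMD_CONNECT, port)
            + b"\x00\x00\x00\x01" + userid + b"\x00"
            + hostname.encode("idna") + b"\x00")


def describe(request: bytes) -> dict:
    """Parse a SOCKS4/4a CONNECT and report whether DNS was resolved locally."""
    if len(request) < 9 or request[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS4 request")
    port = struct.unpack("!H", request[2:4])[0]
    dstip = request[4:8]
    userid, _, tail = request[8:].partition(b"\x00")
    remote_dns = dstip[:3] == b"\x00\x00\x00" and dstip[3] != 0
    if remote_dns:
        hostname, _, _ = tail.partition(b"\x00")
        target = hostname.decode("idna")
    else:
        target = socket.inet_ntoa(dstip)
    return {"port": port, "target": target, "userid": userid.decode(),
            "local_dns": not remote_dns}


if __name__ == "__main__":
    # Constructed sample targets: a documentation IPv4 address and a made-up onion name.
    for req in (socks4_connect("192.0.2.10", 80), socks4a_connect("example.onion", 80)):
        print(describe(req))
```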

All-in-all, you do not have to believe the statements of any random wiki contributor. However do take note and understand the official warnings from torproject.org.

Quote: "Tor does not protect all of your computer's Internet traffic when you run it. Tor only protects your applications that are properly configured to send their Internet traffic through Tor. To avoid problems with Tor configuration, we strongly recommend you use the Tor Browser. It is pre-configured to protect your privacy and anonymity on the web as long as you're browsing with the Tor Browser itself. Almost any other web browser configuration is likely to be unsafe to use with Tor."

Many applications can also leak other problematic and/or sensitive data, such as:

  • Your real external non-Tor IP address, as described above
  • Your time zone (for example: IRC clients through CTCP)
  • Your user name (for example: ssh through login)
  • The name and version of the client or server you are using (for example: Apache web server leaks software name and version number; IRC clients leak client name and client version number through CTCP)
  • Metadata can be a risk. Click MAT and read 'What is a metadata?' and 'Why metadata can be a risk for your privacy?'
  • Depending on your Mode Of Anonymity you obviously shouldn't mix your use of protected (anonymous) applications with applications not passing through the Tor network or some other form of anonymity. For example, if a login name or password of yours can be traced back to your personal identity, then you are defeating the purpose entirely. Tor can not protect you from this kind of activity.
  • Even sending the contents of your RAM can be dangerous. For example: error reporting, leading to Transparent Proxy Leaks.
  • A lot of information which the application sends on request from a server (for example: most web browsers beside the Tor Browser)
  • Hardware serial numbers might be used for fingerprinting and in the worst case scenario, lead back to you.
  • License keys of non-free software are often transmitted and might lead back to you.

You should take care not to leak such information. Information along these lines can be potentially used for de-anonymizing, fingerprinting or to exploit your application. This is what this article is all about: it provides instructions on how applications must be configured to prevent protocol leaks.

Deceiving Authorship Detection

When you post material online on a forum or chatroom using Tor, then later post again without using Tor, you put your identity at risk: your writing style can be compared across the two sets of posts (authorship attribution) and used to link them.

Publicly available research on this threat, and on circumventing it, is rare:

Proxy and SOCKS settings

Proxy and SOCKS settings are mostly implemented by programmers to improve connectivity, not anonymity. Many people think developers implemented the application's proxy settings with anonymity in mind. That is a big mistake. They did not. See BitTorrent for example.

Exit Nodes Eavesdropping

In the Tor FAQ you must read the section "Can't the third server see my traffic?". In short, every exit node can spy on your unencrypted exit traffic and even worse, inject malicious code into the stream - be aware of this.

Avoid letting identities cross

It's highly recommended that you do not connect to the same remote server both over Tor and directly. That is, do not create a Tor link and a non-Tor link to the same remote server at the same time. In the event your Internet connection breaks down (and it will eventually), all your connections will break at the same time and it won't be hard for an adversary to put the pieces together and determine what public IP belongs to what Tor IP, potentially identifying you directly.

Remember: Modes of anonymity do not mix!

Let us begin with an overview of the different Modes of Anonymity:

mode(1): user anonymous; any recipient

  • Scenario: post anonymously a message in a message board/mailing list/comment field
  • Scenario: whistleblower and such
  • You are anonymous.
  • Your real IP stays hidden.
  • Location privacy: your location remains secret.

mode(2): user knows recipient; both use Tor

  • Scenario: both sender and recipient know each other and both use Tor.
  • They can communicate with each other without any third party being wise to their activity or even having the knowledge that they are communicating with each other.
  • You are NOT anonymous.
  • Your real IP stays hidden.
  • Location privacy: your location remains secret.

mode(3): user with no anonymity using Tor; any recipient

  • Scenario: login with your real name into any services, such as webmail, Twitter, Facebook, etc...
  • You are obviously NOT anonymous. As soon as you log into an account where you entered your real name the website knows your identity. Tor can not make you anonymous in these situations.
  • Your real IP stays hidden.
  • Location privacy. Your location remains secret.

mode(4): user with no anonymity; any recipient

  • Scenario: normal browsing without Tor.
  • You are NOT anonymous.
  • Your real IP gets revealed.
  • Your location gets revealed.

Conclusion

It's not wise to combine mode(1) and mode(2). For example, if you have an IM or email account and use that via mode(1), you are advised not to use the same account for mode(2). We have explained previously why this is an issue.

It's also not wise to mix two or more modes inside the same Tor session, as they could share the same exit node (identity correlation).

It's also possible that other combinations of modes are dangerous and could lead to the leakage of personal information or your physical location.

Tor over Tor

When using a transparent proxy, it is possible to start a Tor session from the client as well as from the transparent proxy, creating a "Tor over Tor" scenario. Doing so produces undefined and potentially unsafe behavior. In theory, however, you can get six hops instead of three, but it is not guaranteed that you'll get three different hops - you could end up with the same hops, maybe in reverse or mixed order. It is not clear if this is safe. It has never been discussed.

You can choose an entry/exit point, but you get the best security that Tor can provide when you leave the route selection to Tor; overriding the entry / exit nodes can mess up your anonymity in ways we don't understand. Therefore Tor over Tor usage is highly discouraged.

https://trac.torproject.org/projects/tor/ticket/5611#comment:2

Software updates

Do not use automatic software updates over Tor that do not verify downloads. That being said, operating system updates are generally secure. If you use GNU/Linux and only your package management software suite then you can consider yourself safe, as modern package managers contain mechanisms to verify the authenticity of packages. On the other hand, third party applications on Windows are likely problematic. For example, if the updates aren't signed/authenticated, malevolent exit nodes can change what code is downloaded and installed and thereby gain remote code execution rights. This could potentially lead to your public IP address and your physical location being revealed. If you don't use a generic system (such as Tails or Whonix's Whonix-Workstation), then the software update can leak identifying fingerprints (what software and versions are installed) to exit nodes and repository mirrors.

Ubuntu software updates are vulnerable against "stale-proxy" attacks. The exit node or exit node's ISP could prevent you from seeing new updates. To circumvent this, switch your identity after trying to update and check for updates again.

Software identifiers

Be very careful when using any software, especially proprietary software (such as freeware and commercial products).

  • If you bought a license file or serial number it will be often transmitted when you use the software.
    • If you bought or paid over non-anonymous channels (credit card, web payment system, not (enough) laundered pseudonymous cryptocurrency), it might lead back to you.
    • If you used the same software in two or more anonymity modes, you will be deanonymized.
    • If you used the same software for different identities, they will be linked to each other.
  • Some proprietary software (especially software which requires its users to buy a license) derives identifiers from hardware and/or environment, so even a completely separate installation in a completely separate OS may deanonymize you.
  • It is possible to explicitly or steganographically insert hardware and environment identifiers into documents to be able to track and profile users violating DMCA or using the software for illegal purposes.
  • Some software discloses information about the system while checking for updates or sending error reports.

Getting a key/fingerprint from many different Tor exits

Sometimes it is required to get a GPG fingerprint or an SSL fingerprint. You cannot get it through a pre-established secure channel, and a malicious Tor exit node could tamper with it in transit. In that case it is often recommended to ask several times for the information while using different exit nodes. While this may reduce the chances that you use a compromised exit node to retrieve the key/fingerprint, it's not a perfect solution. See the graph below.

User -> ISP -> Lots of servers (just look at some trace routes) -> Tor guard/bridge -> ISP -> Tor middle node -> ISP -> Tor exit node -> ISP -> Lots of servers -> ISP of destination server -> Destination server.

With the method described above you can only lower the chance that multiple exit nodes or multiple exit nodes' ISPs are compromised. You can never eradicate the possibility that the ISP of the destination server is compromised. No amount of fetches through different Tor exit nodes can help here.

Bridge Firewall

Don't waste your energy on additional firewall rules to only connect to (some [hand] selected) Tor bridges or to only connect to the Tor network. It won't work out. The concept and why it fails is described in the Bridge Firewall article.

General Torifying Information

There are three different methods to torify applications:

Security overall:

Classical / common way: use the application's proxy settings

Advantages:

  • Does not need third party software (wrapper)
  • Only a few proxy settings needed, sometimes a few more settings like 'use remote DNS' are required

Disadvantages:

  • Each application has to be checked and configured against DNS leaks
  • The application is not forced to honor the proxy settings. Some applications such as Skype and BitTorrent do not care what the proxy settings are and use direct connections anyway. Also once the application is infected, it's not forced to honor the application settings

Uncommon: Use a wrapper: force the application to use a proxy (torsocks)

Advantages:

  • No proxy settings inside the application are needed
  • The use of 'Use Remote DNS' is not required, nor can it be forgotten

Disadvantages:

  • It's a redirector, not a jail. Applications may still decide to use fancy techniques to achieve direct connections. Also once the application or machine is infected with malware, it can break out of the redirector
  • There are no guarantees of it remaining bug-free.
  • It also does not magically prevent protocol leaks, see torsocks homepage for details.
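An added example (not from this wiki or from torsocks) of the kind of check a practitioner can run against a connection snapshot to catch exactly the failure above: traffic from a supposedly torified application that does not go to Tor's local listeners. The listener ports, application names and the snapshot records are constructed assumptions, not real tool output.

```python
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical local Tor listeners for this example (torrc SocksPort/TransPort/DNSPort).
TOR_SOCKS = ("127.0.0.1", 9050)
TOR_TRANS = ("127.0.0.1", 9040)
TOR_DNS = ("127.0.0.1", 5353)
TCP_OK = {TOR_SOCKS, TOR_TRANS}


@dataclass(frozen=True)
class Conn:
    proto: str      # "tcp", "udp" or "icmp"
    app: str        # process name that opened the socket
    dst_ip: str
    dst_port: int   # 0 for icmp


def parse_line(line: str) -> Conn:
    """Parse one constructed record of the form '<proto> <app> <ip>[:<port>]'."""
    proto, app, dst = line.split()
    ip, _, port = dst.rpartition(":")
    return Conn(proto, app, ip or dst, int(port) if ip else 0)


def classify(conn: Conn, torified: set) -> Optional[str]:
    """Return a finding for traffic a torified app must never send, else None."""
    if conn.app not in torified:
        return None
    if conn.proto == "icmp":
        return f"{conn.app}: ICMP to {conn.dst_ip} (Tor carries no ICMP; wrapper bypassed)"
    if conn.proto == "udp":
        if (conn.dst_ip, conn.dst_port) == TOR_DNS:
            return None
        kind = "DNS leak" if conn.dst_port == 53 else "UDP bypasses the SOCKS wrapper"
        return f"{conn.app}: {kind} to {conn.dst_ip}:{conn.dst_port}"
    if (conn.dst_ip, conn.dst_port) in TCP_OK:
        return None
    return f"{conn.app}: direct TCP to {conn.dst_ip}:{conn.dst_port} outside Tor"


def audit(lines: List[str], torified: set) -> List[str]:
    """Run classify() over every record; only the findings are returned."""
    return [f for f in (classify(parse_line(l), torified) for l in lines) if f]


# Constructed sample snapshot: one well-behaved app (irssi) and one that leaks (p2pclient).
SAMPLE = [
    "tcp irssi 127.0.0.1:9050",
    "udp p2pclient 192.0.2.53:53",
    "tcp p2pclient 198.51.100.7:6881",
    "icmp p2pclient 203.0.113.9",
    "tcp browser 198.51.100.2:443",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, {"irssi", "p2pclient"}):
        print(finding)
```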

Update:
To prevent identity correlation through circuit sharing, use uwt; see torsocks.

Even less common: use a Transparent Proxy

Transparent Proxy (Insecure.)
All applications will be forced through the same TransPort, thus mixing them all into the same circuit which leads to identity correlation through circuit sharing.

Security:

Advantages:

  • No proxy settings inside the application needed
  • The use of 'Use Remote DNS' is not required, nor can it be forgotten

Disadvantages:

  • More complex and complicated, requires additional software
  • Too many non-IP related leaks, which are nonetheless serious issues. Rather use an Isolating Proxy

Even less common: use an Isolating Proxy

Isolating Proxy (Secure.)
All applications can only access the Internet over Tor. Direct connections are impossible due to either a virtual internal network and/or physical isolation.

Each application gets its own SocksPort. This can still be combined with Trans- and DnsPort.

Depending on the implementation, this can provide some protocol leak and fingerprinting protection. For example see Whonix's Protocol-Leak-Protection and Fingerprinting-Protection.

Example implementation: Whonix.

Client applications

Server software

Difficult to torify

  • ping - ICMP is not supported by Tor [1] [2]
  • ping6 - IPv6 is not supported by Tor [1] [2]
  • miredo - IPv4 to IPv6 tunnel client - UDP is not supported by Tor [1] [2]
  • gogo6client - IPv4 to IPv6 tunnel client - UDP is not supported by Tor [1] [2]
  • RetroShare [1] [3]. The software now optionally ships in a "Torrified" form where Tor is launched and configured by RetroShare as a QProcess, which allows running a hidden node where connections to friends only happen through the Tor proxy.

[1] Needs a Transparent Proxy (see above) or Whonix (see above).
[2] Impossible directly over Tor. First establish an anonymous tunnel to a server which supports the required feature (ICMP, UDP or IPv6) and use the tunnel to run the application. Very little documentation is available and it is very hackish; see Whonix and Tunnel UDP over Tor.
[3] Whonix's documentation states that there is experimental support for RetroShare over Tor.

Credits and Legal Notes


See also