
Version 71 (modified by trac, 10 years ago)


Copyright (c) 2004 Thomas Sjogren. Distributed under the MIT license; see ./LegalStuff for the full text. Original version available at http://www.northernsecurity.net/articles/torify.html


TORifying software HOWTO

Note that this is a very brief document on how to make various programs use Tor as a proxy; you should read the documentation at tor.eff.org first. Since most programs keep their proxy settings in similar places, the following examples will get you going most of the time. If you are using something that needs exotic workarounds, or your distribution doesn't use SysV-style startup scripts (/etc/init.d/), this guide currently won't help you much, since it is a bit bash and Debian specific. Feel free to edit this page; it's a Wiki, after all.

Basic Configuration Issues

Unix and Linux Configuration

Under Unix and GNU/Linux, most HTTP capable applications, like lynx, wget and curl, will honor the value of the http_proxy environment variable. Some applications use all lower case, some all upper, so specify both to be safe.

Add the following lines to your $HOME/.bash_profile, $HOME/.bashrc, or env settings:

http_proxy=http://127.0.0.1:8118/
HTTP_PROXY=$http_proxy
export http_proxy HTTP_PROXY


About DNS and tsocks

tsocks correctly replaces connect(2) calls with calls to your SOCKS proxy (Tor), but it doesn't do anything about requests to your DNS server. This means that if you refer to any machines by hostname when you're using tsocks, you'll be sending that hostname over the network, perhaps leaking the fact that you are about to connect to the corresponding server.

Other applications that use SOCKS 4 or SOCKS 5 directly often have the same shortcoming.

Tor 0.0.8 (or later) has a workaround for this problem; until we can hack tsocks (or a work-alike) to support DNS, instead of using a hostname directly, first use tor-resolve to resolve the hostname into an IP (via Tor) and then use that IP address with your tsocks-ified application.

See the Tor FAQ entry on SOCKS and DNS (TheOnionRouter/TorFAQ#SOCKSAndDNS) for more information.


About socat

socat is a multipurpose relay for bidirectional data transfer. It is possible to use socat as a general means by which programs agnostic of SOCKS can use Tor by connecting to a local TCP port.

Socat (for SOcket CAT) establishes two bidirectional byte streams and transfers data between them. Data channels may be files, pipes, devices (terminal or modem, etc.), or sockets (Unix, IPv4, IPv6, raw, UDP, TCP, SSL). It provides forking, logging and tracing, different modes for interprocess communication and many more options.

It can be used, for example, as a TCP relay (one-shot or daemon), as an external socksifier, as a shell interface to Unix sockets, as an IPv6 relay, as a netcat and rinetd replacement, to redirect TCP-oriented programs to a serial line, or to establish a relatively secure environment (su and chroot) for running client or server shell scripts inside network connections.

Suppose that you wanted to connect to an IRC server running on barbaz.com, port 6667.

socat TCP4-LISTEN:4242,fork SOCKS4A:localhost:barbaz.com:6667,socksport=9050

Connecting to localhost, port 4242, would then be equivalent to connecting to barbaz.com, port 6667, via Tor.

What interests us most for Tor is that socat supports SOCKS4a redirection, which lets a client connect to a hidden service. Suppose you want to join a hidden IRC server running on foo.onion, port 6667.

You can start a local tunnel that forwards connections to local port 4242 to this service through Tor:

socat TCP4-LISTEN:4242,fork SOCKS4A:localhost:foo.onion:6667,socksport=9050

Warning: socat versions up to and including 1.3.2.2 had a bug that used SOCKS4A only when a direct DNS resolution attempt had failed, thus possibly revealing which DNS names you accessed through socat. See this post on tor-dev for details.
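The SOCKS4a handshake that socat performs in the commands above, written out as an added example (this is not code from the wiki page or from the socat project). It assumes Tor's SOCKS port is 127.0.0.1:9050 as elsewhere on this page; the host names and the captured request bytes used in testing are constructed. socks4a_connect_request shows why no DNS query leaves the machine: the destination address field carries the marker 0.0.0.1 and the hostname travels inside the SOCKS request for Tor to resolve, whereas a plain SOCKS4 client would have to resolve the name locally first. is_socks4a_request is the check you can run over a captured request to tell the two apart, and relay_forever is a loopback-only equivalent of the TCP4-LISTEN:4242,fork command.

```python
"""Tiny SOCKS4a relay through Tor: what `socat TCP4-LISTEN:4242,fork SOCKS4A:...` does.

Added example for this HOWTO; not code from the wiki page or from socat.
Assumes Tor listens on 127.0.0.1:9050 (its default SocksPort).
"""
import socket
import struct
import sys
import threading

SOCKS_HOST = "127.0.0.1"
SOCKS_PORT = 9050  # Tor's SocksPort, as used throughout this page


def socks4a_connect_request(host, port, user=""):
    """Build a SOCKS4a CONNECT request for host:port.

    Plain SOCKS4 carries only a 4-byte IPv4 address, so the client has to
    resolve `host` itself and that DNS query leaks the name.  SOCKS4a puts
    the marker 0.0.0.1 in the address field and appends the hostname, so
    the proxy (Tor) does the lookup and nothing is sent to a DNS server.
    """
    if not 0 < port < 65536:
        raise ValueError("port out of range: %r" % port)
    # VN=4, CD=1 (CONNECT), DSTPORT, DSTIP=0.0.0.1, USERID NUL, HOSTNAME NUL
    return (struct.pack("!BBH4s", 4, 1, port, b"\x00\x00\x00\x01")
            + user.encode("ascii") + b"\x00"
            + host.encode("idna") + b"\x00")


def is_socks4a_request(data):
    """True if a captured SOCKS4 request defers DNS to the proxy (0.0.0.x marker)."""
    if len(data) < 8 or data[0] != 4:
        return False
    ip = data[4:8]
    return ip[:3] == b"\x00\x00\x00" and ip[3] != 0


def parse_socks4_reply(reply):
    """Return True if the 8-byte SOCKS4 reply grants the request (CD=0x5a)."""
    if len(reply) != 8:
        raise ValueError("short SOCKS4 reply")
    if reply[0] != 0:
        raise ValueError("bad SOCKS4 reply version %d" % reply[0])
    return reply[1] == 0x5A


def open_via_tor(host, port, timeout=60.0):
    """Open a TCP connection to host:port through Tor and return the socket."""
    s = socket.create_connection((SOCKS_HOST, SOCKS_PORT), timeout=timeout)
    s.sendall(socks4a_connect_request(host, port))
    reply = s.recv(8)
    try:
        granted = parse_socks4_reply(reply)
    except ValueError:
        s.close()
        raise
    if not granted:
        s.close()
        raise OSError("Tor rejected the SOCKS4a request (code 0x%02x)" % reply[1])
    return s


def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then shut both sides down."""
    try:
        while True:
            chunk = src.recv(65536)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        for sock in (src, dst):
            try:
                sock.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass


def relay_forever(local_port, host, port):
    """Loopback-only listener; each accepted client gets its own connection through Tor."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", local_port))  # never expose the relay off-host
    listener.listen(5)
    while True:
        client, _ = listener.accept()
        try:
            upstream = open_via_tor(host, port)
        except OSError as exc:
            client.close()
            print("connection through Tor failed:", exc, file=sys.stderr)
            continue
        threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
        threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()


if __name__ == "__main__":
    # usage: python3 torrelay.py 4242 barbaz.com 6667
    relay_forever(int(sys.argv[1]), sys.argv[2], int(sys.argv[3]))
```

Run it as python3 torrelay.py 4242 barbaz.com 6667 and point the IRC client at localhost:4242, exactly as with the socat command; the relay binds to 127.0.0.1 only, so other hosts cannot use your Tor client through it. The `socat - SOCKS4A:...` form used for ssh later on this page is the same handshake with stdin/stdout in place of the listening socket. is_socks4a_request is the kind of check a local packet capture can apply to any SOCKS4 client, including socat releases older than 1.3.2.2, to confirm that it really is sending hostnames rather than pre-resolved addresses.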

Web browsers

Konqueror

Settings -> Configure Konqueror -> Proxy -> Manually Specify the proxy settings -> Setup

HTTP/S Proxy: 127.0.0.1 port 8118

Or edit $HOME/.kde/share/config/kioslaverc:

...
ProxyType=1
...
NoProxyFor=127.0.0.1,localhost
...
httpProxy=http://127.0.0.1:8118
httpsProxy=http://127.0.0.1:8118

Links

Setup -> Network Options

HTTP Proxy:  127.0.0.1 port 8118

Or edit /etc/links.cfg (system-wide) or $HOME/.links/links.cfg (per-user):

...
http_proxy 127.0.0.1:8118
...

Lynx

Lynx will respect the http_proxy environment variable, but you can edit /etc/lynx.cfg:

...
http_proxy:http://127.0.0.1:8118/
https_proxy:http://127.0.0.1:8118/
...
no_proxy:localhost,127.0.0.1
...

Mozilla Firefox

Edit -> Preferences -> General -> Connection Settings -> Manual proxy configuration

HTTP Proxy: 127.0.0.1 port 8118
SSL Proxy: 127.0.0.1 port 8118
SOCKS v5

To change the proxy configuration for all Firefox users on your machine, edit the /usr/lib/mozilla-firefox/greprefs/all.js file:

...
pref("network.proxy.type",                  1);
...
pref("network.proxy.http",         "127.0.0.1");
pref("network.proxy.http_port",          8118);
pref("network.proxy.ssl",          "127.0.0.1");
pref("network.proxy.ssl_port",           8118);
pref("network.proxy.socks",                 "");
pref("network.proxy.socks_port",            0);
pref("network.proxy.socks_version",         5);
pref("network.proxy.no_proxies_on",         "localhost, 127.0.0.1");
...

Also, Mac OS X users should change the above preferences by entering about:config in the URL bar because the firefox preferences dialog is a bit screwy.

Email

Fetchmail

This isn't the most elegant solution, but it works. Rename your /etc/init.d/fetchmail file to fetchmail-orig, for example, then save the script below as /etc/init.d/fetchmail, and restart fetchmail with /etc/init.d/fetchmail restart. Your mail will now be fetched through the Tor network.

#!/bin/sh
#
# Fetchmail+Tor init script
#

set -e

# Defaults: tsocks wraps the renamed original init script so that
# fetchmail's connections go out through Tor's SOCKS port
DAEMON=/usr/bin/tsocks
FMINIT=/etc/init.d/fetchmail-orig
PATH=/sbin:/bin:/usr/sbin:/usr/bin

# Nothing to do if tsocks or the renamed original script is missing
test -f "$DAEMON" || exit 0
test -f "$FMINIT" || exit 0

case "$1" in
	start)
		$DAEMON $FMINIT start
		;;
	stop)
		$DAEMON $FMINIT stop
		;;
	force-reload|restart)
		$DAEMON $FMINIT restart
		;;
	try-restart)
		$DAEMON $FMINIT try-restart
		;;
	awaken)
		$DAEMON $FMINIT awaken
		;;
	debug-run)
		$DAEMON $FMINIT debug-run
		;;
	*)
		echo "Usage: /etc/init.d/fetchmail {start|stop|restart|force-reload|awaken|debug-run}"
		echo "  start - starts system-wide fetchmail service"
		echo "  stop  - stops system-wide fetchmail service"
		echo "  restart, force-reload - starts a new system-wide fetchmail service"
		echo "  awaken - tell system-wide fetchmail to start a poll cycle immediately"
		echo "  debug-run [strace [strace options...]] - start a debug run of the"
		echo "    system-wide fetchmail service, optionally running it under strace"
		exit 1
		;;
esac

exit 0

An alternative configuration of fetchmail, for those who prefer to start it on a per-user basis: add the following to the user's .bashrc:

# Per-user fetchmail through Tor, started from .bashrc
CONF_FILE="$HOME/.fetchmailrc"
PID_FILE="$HOME/.fetchmail.pid"   # fetchmail writes "<pid> <interval>" here in daemon mode
FETCHMAIL="/usr/bin/fetchmail"
TSOCKS="/usr/bin/tsocks"

FetchMailAlive () {
  if test -f "$CONF_FILE" && test -x "$FETCHMAIL"; then
    # A stale pid file is harmless: kill -0 only tests whether that pid is alive
    if test -f "$PID_FILE" && kill -0 "$(cut -d ' ' -f1 "$PID_FILE")" 2>/dev/null; then
      return 0   # daemon already running
    fi
    "$TSOCKS" "$FETCHMAIL"
    echo "New FetchMail started." >&2
  else
    echo "Fetchmail not installed or configured properly." >&2
  fi
}

# Call it
FetchMailAlive

This checks for a running fetchmail daemon every time a new shell is opened and starts one through tsocks if needed.

You may want to look up your mail server's IP with tor-resolve and use the IP in place of a hostname; see the note on tsocks and DNS above.

Instant messaging

Gaim

Preferences -> Network -> Proxy

Proxy type: Socks 5
Host: 127.0.0.1
Port: 9050

See the note on tsocks and DNS above.

Psi

Psi is a Jabber client with support for JEP-0027 (OpenPGP) message encryption via GnuPG, and with SOCKS 5 proxy support.

Account Setup -> Modify -> Connection -> Proxy -> Edit -> New

Properties:
Name: Tor
Type: SOCKS Version 5
Settings:
Host: 127.0.0.1
Port: 9050

See the note on tsocks and DNS above.

IRC/SILC

Irssi

If you are running Privoxy, as recommended, you can just configure irssi's own proxy settings to use Privoxy as an HTTP proxy. Otherwise, you can run Irssi with tsocks irssi; unfortunately, Irssi's own proxy configuration options are HTTP specific.

For Gentoo and Debian users: torify irssi. Note that torify is just a shell script that calls tsocks after setting the config file to /etc/tor/tor-tsocks.conf so it is not Gentoo/Debian specific.

For OpenBSD users, you can either hack tsocks to work (as of OpenBSD 3.6 there is no port) or use dante, which is in the ports system. A simple example client configuration that works with irssi and Tor looks like this in /etc/socks.conf:

route {
        from: 0.0.0.0/0   to: 0.0.0.0/0  via: 127.0.0.1  port = 9050
        proxyprotocol: socks_v4
}

and then you can run socksify irssi assuming that Tor is running on localhost:9050.

You may want to look up your IRC server's IP with tor-resolve and use the IP in place of a hostname; see the note on tsocks and DNS above.

X-Chat

Settings-> Preferences -> Network -> Network setup -> Proxy server

Hostname: 127.0.0.1
Port: 9050
Type: Socks5

See the note on tsocks and DNS above.

SILC

Since the SILC client is based on Irssi, you can follow the same procedure to make it use Tor. Combining Tor and SILC might be one of the safest ways to communicate with someone over the Internet. More information about SILC is available at its website.

Silky

Silky is a GTK2 SILC client. It does not currently support SOCKS, so the best way to make it work with Tor is (in my opinion) socat:

socat TCP4-LISTEN:6666 SOCKS4A:localhost:silc.silcnet.org:706,socksport=9050

And then tell Silky to connect to localhost:6666.

BitchX

In order to use BitchX with tor, you first need to get ProxyChains, a *NIX-only HTTP and SOCKS proxy client. On Debian systems, install the proxychains package. Once installed, just add

socks5 127.0.0.1 9050
http localhost 8118

to the ProxyChains config file at ~/.proxychains/proxychains.conf. Now that it is configured, type proxychains bitchx at the command line.

The gentoo build of proxychains seems to be broken on x86 arch. Using tsocks BitchX or torify BitchX works well.

You may want to look up your IRC server's IP with tor-resolve and use the IP in place of a hostname; see the note on tsocks and DNS above.

mIRC

See the mirc.co.uk page on Proxies and Firewalls.

File -> Options -> Connect -> Firewall

Mark the "Use SOCKS Firewall" box.

Protocol: SOCKS4
Hostname: 127.0.0.1
Port: 9050

Trillian

Preferences -> Advanced Preferences -> Proxy Server

BitTorrent

Same procedure as with BitchX, but using proxychains btdownloadcurses.

Azureus

See http://azureus.sourceforge.net/doc/AnonBT/.

Misc

GnuPG

Add or edit the following lines in your $HOME/.gnupg/gpg.conf:

keyserver x-hkp://yod73zr3y6wnm2sw.onion
keyserver-options honor-http-proxy broken-http-proxy

You may of course use any public keyserver, like subkeys.pgp.net, but hidden services are preferred. At the time of this writing, only two key servers running as hidden services are publicly available: d3ettcpzlta6azsm.onion and yod73zr3y6wnm2sw.onion.

After that is done, just run

export http_proxy=http://127.0.0.1:8118/
gpg --refresh-keys

If you don't want to write the export line every time, you can add alias gpg='http_proxy=http://127.0.0.1:8118/ gpg' to your .bashrc file as well; if you have set the http_proxy environment variable, you may skip this step.

Wget

Wget will also respect the http_proxy environment variable, but you can edit /etc/wgetrc:

...
http_proxy = http://localhost:8118
use_proxy = on
...


SSH: Method 1 (connect)

These instructions should work on most *nix systems. Tested on Mac OS X 10.3.x and Debian GNU/Linux.

1 - Upgrade your SSH to an OpenSSH version that has Socks 5 support. The OpenSSH client that is shipped with Mac OS X 10.3 (aka Panther) - OpenSSH_3.6.1p1 - will not work correctly. Download, build and install the current stable version from the OpenSSH website. If you're using Mac OS X, using fink may be easier for you.

2 - Download and build the connect source code. Connect will allow socket connections using SOCKS4/5 and HTTP tunnels. For detailed information on connect, please visit its website.

A pre-compiled version of connect for Mac OS X is available here. (md5sum: b5180cb789813fc958209c58b99039fa)

Install connect into the /usr/local/bin directory.

3 - Add the following line to your ssh_config file located at: /etc/ssh/ssh_config (system-wide) or $HOME/.ssh/config (on a per-user basis).

If you used fink to install OpenSSH, it is located at /sw/etc/ssh/ssh_config.

ProxyCommand /usr/local/bin/connect -4 -S 127.0.0.1:9050 %h %p

All SSH connections will now go through tor.

You may want to look up your SSH server's IP with tor-resolve and use the IP in place of a hostname; see the note on tsocks and DNS above.


SSH: Method 2 (socat)

Use socat as described above. One way to access an SSH server via Tor is to use socat to make a TCP4 listener that relays to your local Tor client, and then ssh to that listener. It's not the nicest way. With OpenSSH you can instead use the ProxyCommand option in your ~/.ssh/config file, as follows:

Host MyHost-tor
    ProxyCommand socat - SOCKS4A:localhost:barbaz.com:22,socksport=9050

Now you can simply use ssh MyHost-tor.

Similarly, if you have an SSH server running as a hidden service, then you will wish to ssh to it with minimal fuss.

Host MyHost-tor
    ProxyCommand socat - SOCKS4A:localhost:MyHost.onion:22,socksport=9050

This method is more secure than using tsocks ssh MyHost.onion, because under tsocks ssh first resolves the hostname itself and only then tries to connect to it. This means that you lose by giving away your IP address during that DNS lookup.

Using the wildcard and parameter expansion features of SSH, you can put a single configuration in place for all .onion addresses:

Host *.onion
    ProxyCommand socat STDIO SOCKS4A:localhost:%h:%p,socksport=9050

If you want every SSH connection to go through Tor, you can even use:

Host *
    ProxyCommand socat STDIO SOCKS4A:localhost:%h:%p,socksport=9050

Remailing

This How-To is intended to increase the security and anonymity of Remailing for email and usenet to the *highest* possible level.

In this How-To I detail the use of the remailer client QuickSilver; I use this example as QS is the client I use. Another excellent, free and open-source client is Jack B. Nymble 2 (Panta's Mod); either client can use the routes I describe.

This How-To details:

  1. How to route your QS FTP Plugin downloads through QS > Tor > QS FTP Page
  1. How to route your Stats Updates (via SSL [HTTPS]) through QS > Stunnel > Tor > Stats Updates
  1. How to route your SMTP & M2N messages (via TLS) through QS > Stunnel > Tor > SMTP/M2N
  1. How to download NG messages (via TLS) through QS > Stunnel > Tor > NNTPS
  1. How to route your SMTP & M2N messages (via Hidden Services) through QS > Tor > Hidden Services > SMTP/M2N
  1. How to download NG messages (via Hidden Services) through QS > Tor > Hidden Services > NNTP

This How-To is written in layman's language, but it's not "dumbed down".

{{{
These instructions should work fine for any OS, but I have only tested them on Windows XP Home and 98SE (don't worry, I'm not an average Windoze user ;-). }}}

=== TLS, Tor, SMTP & Mail2News ===

If you use remailers you can also use TLS and Tor to add additional layers of encryption and anonymity.  There are only a few remailers that accept TLS connections and offer non-standard SMTP ports; my favorite is mail.bananasplit.info, another good one is panta-rhei.dyndns.org.

Functionality of remailers' mail servers can be checked at http://www.noreply.org/tls/ . Pay particular attention to the "TLS" column, which indicates the type of ciphers the mail server supports. To gain maximum benefit, try to pick ones that use 'ephemeral' ciphers; generally speaking these will begin with either "EDH" or "DHE". Also, try to ensure the remailer you choose has a "yes" in the "2525" column; the default Tor exit policy blocks ports 25 and 119 (SMTP and NNTP).

I assume you have a working knowledge of MixMaster, Reliable, Cyberpunks, PGP (6.5.8.ckt 08), Stunnel, QuickSilver (or JBN2 Panta mod) and Tor.

All these programs and apps are free and open-source (except SocksCap).  Some programs (like SocksCap) are OS specific; you'll need to find a Socks forwarding program for your OS.

With these configurations in place, use of QS and the remailer network should be completely masked.  You will have no obvious connections to stats sources, all outgoing mail from QS will not exhibit Mixmaster characteristics and downloading of messages from alt.anonymous.messages will also be concealed.

==== QS FTP Component Downloads ====

After you first install QS.exe (current release) you should use the QS "Update Wizard" to download the QS plugins (POP, PGP, NNTP, etc.) and MixMaster.

You can use the route QS > Tor > QS FTP Page to download QS plugins and MixMaster.

If you use this route an adversary won't know you're accessing QS's FTP page; all they can see is that you're using the Tor onion routing network. There is no indication that you're using a remailer client, or that you're accessing the FTP page and downloading plugins, updates and MixMaster.


{{{ Start QS > Help > Update Wizard > Proxy:

Proxy Host: 127.0.0.1
Proxy Port: 9050
Socks Level: 4a

Click "Next" to access the QS FTP page. }}}

{{{
Highlight the .exe, .sig or .txt files you want to download via QS > Tor > QS FTP and click "Next". }}}

After you download a file re-access the QS FTP as per above and choose your next download. 


==== QS HTTPS Remailer Statistics & Key Ring Updates ====

You can configure QS to access remailer Stats Pages via SSL (HTTPS). In this example I use Banana's HTTPS Stats Page; Panta also offers an SSL (HTTPS) Stats Page. These Stats Pages are accessed via QS > Stunnel > Tor > Stats Page.

These settings will route Stats Update traffic via SSL (HTTPS) from Banana's HTTPS Stats Page; alternatively you could use Panta's SSL (HTTPS) Stats Page.

If you use QS, Stunnel and Tor to access Banana's Stats Page (echolot) over an SSL (HTTPS) connection, your Stats downloads will be totally anonymous. An adversary would have no idea you're accessing the Stats Page, or that you use Mixmaster or the remailing network.

{{{ Start QS > Tools > Remailers > Proxy:

Proxy Host: 127.0.0.1
Port: 4430
Socks Level: <none> }}}

Copy and paste the following URLs into the appropriate Stats URL pages in the QS URL Manager. Then double-click on the new Banana "echolot" Stats URL in each Stats Page to bring the new Banana URL to the top of each list:

{{{  Start QS > Tools > Remailers > URL Manager:

Mix List: http://localhost:4430/echolot/mlist.txt
Mix Keys: http://localhost:4430/echolot/pubring.mix
Mix Type II: http://localhost:4430/echolot/type2.list
Cpunk List: http://localhost:4430/echolot/rlist.txt
Cpunk Keys: http://localhost:4430/echolot/pgp-all.asc }}}

After you click "OK" QS will bring up the "Statistics & Keyrings" window. Ensure the 'echolot' URLs you just entered are in the appropriate text bars (e.g. mlist.txt, rlist.txt, etc.).

In the "Statistics & Keyrings" window check the following boxes:

{{{
mlist.txt [http://localhost:4430/echolot/mlist.txt]

rlist.txt [http://localhost:4430/echolot/rlist.txt]

Error Check (this disables Type2.list) }}}

The Type2.list box should be unavailable; Type2.list isn't necessary with QS. Richard created Type1.list to better serve QS's preferred use of Type II MixMaster remailers; Type1.list is a bit easier to read and allows QS to seamlessly use MixMaster remailers.

The "Pubring.txt" and "Pubring.asc" boxes don't need to be checked, as QS automatically updates these with the first Stats Update each day.

==== Type I & Type II Remailer Security Issues ====

This section isn't directly related to TLS or Tor, but it is an important remailing security issue and I didn't think it was too far off-topic.

This section covers the use and security issues of Cypherpunks (Type I) and MixMaster (Type II) remailers.  

===== Type II Exit Remailer =====

For increased security and reliability you can choose the Type II remailer to use as your hardcoded Exit remailer in your remailer new message header 'Chain:'.

When choosing your hardcoded Exit remailer for your remailer chain read the "cap codes" of each remailer listed in the MixMaster keyring by accessing MixMaster Keyring.  

Attempt to choose a Type II remailer with the following capabilities: 
{{{
 N = Posting to News
 C = Compression
 m = posting via. M2N }}}

Ensure you *don't* choose a remailer with this capability:
{{{
 M = Middleman Only }}}

Also, read mlist.txt to ensure you're choosing a remailer with very good "uptime" (100%) and a quality "history".

{{{
Mlist.txt is located under View > mlist.txt. }}}

Here is a sample message header with a Type II remailer hardcoded as the Exit remailer in the 'Chain:' header:

{{{
Chain: banana,*,*,starwars; copies=6 }}}
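A small checker for the 'Chain:' header rules above, as an added example (not code from this page, from QuickSilver or from Mixmaster). The cap-code table SAMPLE_CAPS is constructed for illustration; in practice the letters come from the MixMaster keyring as described above. It parses the header form shown on the page, refuses an exit remailer that is Middleman only (M) or lacks N, C and m, and also covers the rule used later in the TLS and hidden-service templates that the first hop must be the remailer whose host you connect to (the entry argument).

```python
"""Validate a QuickSilver/Mixmaster 'Chain:' header against this HOWTO's selection rules.

Added example; not code from the wiki page, QuickSilver or Mixmaster.
SAMPLE_CAPS is a constructed table: real cap codes come from the MixMaster keyring.
"""

# Constructed cap codes for a few remailer names (N = posting to news,
# C = compression, m = posting via M2N, M = middleman only).
SAMPLE_CAPS = {
    "banana": "NCm",
    "starwars": "NCm",
    "italy": "NCm",
    "quiet": "M",     # middleman only: must never be the exit
    "nonews": "C",    # lacks N and m: cannot post to news
}

REQUIRED_EXIT_CAPS = "NCm"   # what the HOWTO asks for in an exit remailer
FORBIDDEN_EXIT_CAPS = "M"    # middleman-only remailers cannot deliver


def parse_chain(header):
    """'Chain: banana,*,*,italy; copies=6' -> (['banana', '*', '*', 'italy'], 6).

    '*' means "let the client pick a random remailer for this hop".  A
    missing copies= option defaults to 1.
    """
    value = header.split(":", 1)[1] if header.lower().startswith("chain:") else header
    hops_part, _, options = value.partition(";")
    hops = [h.strip() for h in hops_part.split(",") if h.strip()]
    copies = 1
    for option in options.split(","):
        key, _, val = option.strip().partition("=")
        if key == "copies":
            copies = int(val)
    return hops, copies


def check_chain(header, caps, entry=None):
    """Return a list of problems with the chain; an empty list means it passes.

    caps  : mapping remailer name -> cap-code string
    entry : if given, the remailer that must be the first hop (required when
            you connect to that remailer's own TLS or hidden-service host)
    """
    hops, copies = parse_chain(header)
    problems = []
    if not hops:
        return ["empty chain"]
    if entry and hops[0] != entry:
        problems.append("first hop must be %s when using its host, got %s" % (entry, hops[0]))
    exit_hop = hops[-1]
    if exit_hop == "*":
        problems.append("exit remailer should be hardcoded, not '*'")
    elif exit_hop not in caps:
        problems.append("unknown remailer %s" % exit_hop)
    else:
        codes = caps[exit_hop]
        for bad in FORBIDDEN_EXIT_CAPS:
            if bad in codes:
                problems.append("%s is middleman only (%s)" % (exit_hop, bad))
        missing = "".join(c for c in REQUIRED_EXIT_CAPS if c not in codes)
        if missing:
            problems.append("%s lacks cap(s) %s" % (exit_hop, missing))
    for hop in hops[:-1]:
        if hop != "*" and hop not in caps:
            problems.append("unknown remailer %s" % hop)
    if copies < 1:
        problems.append("copies must be at least 1")
    return problems


if __name__ == "__main__":
    for h in ("Chain: banana,*,*,starwars; copies=6", "Chain: banana,*,*,quiet; copies=6"):
        print(h, "->", check_chain(h, SAMPLE_CAPS, entry="banana") or "ok")
```

Feed it the cap codes you read out of the keyring for the remailers you are considering; a non-empty result tells you which of the rules above the header breaks before you send a message with it.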

===== Reply Block, ESUB and A.A.M. Issues =====

A single Type I ESUB-capable remailer is required in your reply block. QS requires this ESUB remailer to ensure proper delivery of your ESUB messages to a.a.m.

Type I remailers are located on the Cypherpunks keyring; this is the only time it's wise to use Type I remailers (besides NymServer Cypherpunk Keys).   

{{{
If you don't use ESUB and a.a.m. in your reply block (and why wouldn't you?) this section doesn't apply to you.   }}}

Your reply block route will look like this: 
{{{
message origin > Your NymServer > ESUB remailer > M2N > a.a.m. (ESUB message). }}}

When choosing your hardcoded reply block ESUB remailers, read the "cap strings" of each remailer listed in the Cypherpunks keyring.

Choose about 4 Cypherpunk ESUB remailers to be used in your reply block; the rest of the remailers can be barred for greater security.

If your PGP Nymkeys use DSS then select reply block ESUB remailers that have DSS keys.

Also, read rlist.txt to ensure you're choosing remailers with very good "uptime" (100%) and a quality "history".

{{{
Rlist.txt is located under View > rlist.txt. }}}

Attempt to choose Type I remailers with the following capabilities:

{{{
 pgp
 mix
 cpunk
 esub 
 ek  
 latent }}}

Ensure you *don't* choose remailers with this capability:

{{{
 middle }}}

Here is a sample reply block with an ESUB remailer to a.a.m.; don't use these Encrypt-Key: and Encrypt-Subject: passcodes.

{{{
Reply-Block:                                               
  Anon-To: italy
  Encrypt-Key: asdfklh349
italy
  Anon-To: mail2news_munge@bananasplit.info
  Encrypt-Subject: alkhj98743nd
  Encrypt-Key: alskfn98745khsd
  Newsgroups: alt.anonymous.messages
  Subject: What you want
mail2news_munge@bananasplit.info }}}


===== Barring Type I Remailers =====

Another option that can increase your security is to "bar" all remailers in QS's Cypherpunk Keyring *except* those which serve as your NymServer (config keys), and a few ESUB remailers which will serve as your single reply block ESUB-capable remailer.

Your Cypherpunk keyring could have 3-4 good DSS remailers and 2 good config keys enabled (2 different NymServers).

Cypherpunk remailers are Type I remailers; these were the first generation of remailers, and Type I remailers are less secure than Type II remailers.

By barring these Cypherpunk remailers you force QS to use only MixMaster Type II remailers in your remailer chain; Type II remailers offer increased security and allow the use of DSS keys.

Once you've decided which Type I reply block ESUB remailers you want to keep, and which NymServer (config) keys you want to keep, you can bar all other Cypherpunk keys.

Note:
{{{
If you created your PGP Nym Keys with the DSS algorithm then select NymServers and reply block ESUB remailers that offer DSS keys.  You can then bar all other remailers (and keys) on the Cypherpunk Keyring. }}}

====== DSS vs. RSA ======

It is considered more secure to use the DSS algorithm for your PGP Nym Keys and to select DSS-capable NymServers and DSS-capable remailers for use in your reply block (Type I) and message header 'Chain:' (Type II).

==== QS New Message Window TLS Settings ====

This section of the How-To describes the configuration of QS new message headers, template and proxies.

===== QS New Message Proxy Settings =====

When you are in the window where you encrypt your message and create the message headers there is a box in the upper right; disable it.

{{{ 
Start QS > header create/ message send window > uncheck the "use Proxy" box }}}

===== QS New Message TLS SMTP Template =====

This template will route QS traffic as follows:

QS > Stunnel (via SocksCap) > Tor (via port 2525) > Tor Entry Node > Tor Middleman Node > Tor Exit Node > mail.bananasplit.info (Entry Remailer & Host) > Random Middleman Remailer > Random Middleman Remailer > italy (Exit Remailer) > recipient.

This route completely anonymizes your use of the remailer network; an adversary will have no idea you're remailing for email or posting to Usenet.

This template is an example of a config message to hod.aarg.net; any SMTP mail will work.
 
Copy and paste this into the headers section of the send mail window:

{{{
Host: 127.0.0.1:2525
From: your nym here <your nym h...@hod.aarg.net>
From: your nym here
Chain: banana,*,*,italy; copies=6
To: con...@hod.aarg.net
Subject: 
Pgp: sign= your nym PGP here ; encrypt= your nym PGP here  }}}

Note: You need to hard-code Banana as the first remailer in your chain if you're going to use the Banana TLS Host.

Note: You need to add a Banana HashCash Token to use Banana as the Entry Remailer; get HashCash here:
 http://www.panta-rhei.dyndns.org/downloads/ 

===== QS New Message TLS SMTP M2N Template =====

This template will route traffic to Usenet via the route described above and then on through Banana's M2N gateways.

Copy and paste this into the headers section of the send mail window:

{{{
Host: 127.0.0.1:2525
From: your nym here <your nym h...@hod.aarg.net>
From: your nym here
Chain: banana,*,*,italy; copies=6
References:
To: mail2news_munge@bananasplit.info,mail2news@bananasplit.info
Newsgroups:
X-Hashcash: You need Banana's HashCash Token to post via. M2N.
Subject: 
Pgp: sign= your nym PGP here ; encrypt= your nym PGP here  }}}

Note: You need to hard-code Banana as the first remailer in your chain if you're going to use the Banana TLS Host.

Note: You need to add a Banana HashCash Token to use Banana M2N; get HashCash here:
 http://www.panta-rhei.dyndns.org/downloads/ 

==== Configure Stunnel ====

This template will accept QS traffic via localhost (127.0.0.1) on port 2525 (SMTP & M2N), port 2000 (NNTPS) or port 4430 (HTTPS) and uses Zax's bananasplit.info as the TLS host.

This template will work for:

A. Sending TLS SMTP

B. Sending TLS SMTP M2N

C. Downloading Stats data via TLS (HTTPS)

D. Downloading NNTPS on-topic NG messages via TLS.

Copy and paste this into your Stunnel .conf file:

{{{
debug = 7
output = log.txt
client = yes
options = all
RNDbytes = 2048
RNDfile = bananarand.bin
RNDoverwrite = yes
#
# local port 2525 -> Banana's TLS SMTP port
[BANANA_TLS_SMTP]
protocol = smtp
accept = 2525
connect = mail.bananasplit.info:2525
delay = no
#
# local port 2000 -> Banana's NNTPS server
[BANANA_NNTPS_GROUPS]
accept = 2000
connect = news.bananasplit.info:5563
delay = no
#
# local port 4430 -> Banana's HTTPS Stats Page
[BANANA_HTTPS_STATS]
accept = 4430
connect = www.bananasplit.info:443
delay = no }}}


==== Configure SocksCap ====

SocksCap will route traffic from Stunnel into Tor using Socks5.

Import the address of Stunnel.exe shortcut into SocksCap; then when you want to use Stunnel click "Run Socksified".

{{{ 
Start SocksCap > File > Setup >

127.0.0.1:9050
Socks 5
Resolve all names remotely }}}

==== Configure Tor ====

Upgrade to current stable (or test) release; default setup. 

==== DLing TLS & Tor NG Messages ====

You can also set up QS to download on-topic messages from news.bananasplit.info via QS > Stunnel > Tor.

All the settings that are required you have already configured; all you need to do is configure the QS News Plugin (NNTP).


===== QS NNTP Account Manager Setup =====

{{{
Start QS > Tools > News Accounts > 

New > News Server > news.bananasplit.info
News Groups and Subjects > On-topic groups; use Esub for a.a.m }}}

{{{
Start QS > Tools > News Accounts > Proxy >

Proxy Server > 127.0.0.1
Proxy Port > 2000
Socks Level > 5 }}}


=== Remailing SMTP & NNTP via. Tor Hidden Services ===

Panta offers Hidden Services for remailing via. SMTP, M2N and downloading on-topic security/anonymity NNTP NG messages (posting disabled).

Remailing SMTP, M2N and downloading NNTP NG messages via Hidden Services prevents an adversary from knowing you use SMTP, M2N or NNTP. I am not sure if this is more secure than using TLS, but it seems more anonymous to me.

Another advantage of using Hidden Services is that they resist DDoS and DoS attacks, as does the MixMaster network to a certain extent.

At the time of writing (05-11-05) only Tor 0.1.x.x (test versions) are capable of routing SMTP, M2N and NNTP traffic via Hidden Services. I have been unable to use Tor 0.0.9.x.x for SMTP, M2N and NNTP via Hidden Services.

The 0.1.x.x test versions of Tor provide better Dir Support, Hidden Services support, etc. I am currently using the latest test release 0.1.0.5-rc, as this release provides the best Hidden Services support and fixes some bugs in prior 0.1.x.x test releases.

{{{
Please be aware:
I notice a considerable increase in latency when DLing NG messages via Hidden Services versus DLing NG messages via QS > Stunnel > Tor > NNTPS.

Also, occasionally when downloading NG messages QS times out due to a Tor node issue. In this case simply shutdown and restart QS News then begin downloading again. }}}

==== QS New Message Window Hidden Services Settings ====

This section details the configuration of QS so you can send SMTP and M2N, and download on-topic NNTP NG messages, through Tor Hidden Services.


===== QS New Message Header Proxy Settings =====
 
When you are in the window where you encrypt your message and create the message headers there is a box in the upper right; enable it.

{{{ 
Start QS > header create/ message send window > check the "use Proxy" box >

Proxy: 127.0.0.1:9050
Socks4a
Check the use Tor box }}} 

===== QS New Message SMTP Hidden Services Template =====

This template will route SMTP traffic through the Hidden Service to Panta and then on to your recipient.

Copy and paste this into the headers section of the send mail window:

{{{
Host: rjgcfnw4sd2jaqfu.onion
From: your nym here <your nym h...@hod.aarg.net>
From: f...@bar.com
Chain: panta,*,*,italy; copies=6
To: xxx@hod.aarg.net
Subject: test a
Pgp: sign= your nym PGP here ; encrypt= your nym PGP here }}}

Note: You need to hard-code Panta as the first remailer in your chain if you're going to use the Panta Hidden Service.

Note: You need to add a Panta HashCash Token to use Panta as the Entry Remailer; get HashCash here:
 http://www.panta-rhei.dyndns.org/downloads/ 


===== QS New Message SMTP M2N Hidden Services Template =====

This template will route traffic to Usenet via the route described above and then on through Panta's M2N gateways.

Copy and paste this into the headers section of the send mail window:

{{{
Host: rjgcfnw4sd2jaqfu.onion
From: your nym here <your nym h...@hod.aarg.net>
From: f...@bar.com
Chain: panta,*,*,italy; copies=6
References:
To: mail2news-hashcash@panta-rhei.dyndns.org,mail2news-hashcash_nospam@panta-rhei.dyndns.org
X-Hashcash: You need Panta's HashCash Token to post via. M2N.
Subject: 
Pgp: sign= your nym PGP here ; encrypt= your nym PGP here
}}}

{{{
Note: Make sure to un-wrap the
"To: mail2news-hashcash@panta...,mail2news-hashcash_nospam@panta..." header
}}}

Note: You need to hard-code Panta as the first remailer in your chain if you're going to use the Panta Hidden Service.

Note: You need to add a Panta HashCash Token to use Panta M2N; get HashCash here:

http://www.panta-rhei.dyndns.org/downloads/ 

==== Configure Tor ====

Upgrade to the current test release (at present 0.1.0.5-rc); default setup.

{{{
Note: If you aren't going to use Hidden Services SMTP, M2N and NNTP, then you can use the latest stable Tor release. If you want to use Hidden Services you will need to upgrade to Tor 0.1.0.5-rc, as this test release allows QS to access Hidden Services.
}}}

==== Downloading Hidden Services NG Messages ====

You can also set up QS to download on-topic messages from rjgcfnw4sd2jaqfu.onion via QS > Tor.

All the required settings you have already configured; all you need to do is configure the QS News Plugin (NNTP).

===== QS NNTP Account Manager Setup =====

{{{
Start QS > Tools > News Accounts >

New > News Server > rjgcfnw4sd2jaqfu.onion
News Groups and Subjects > On-topic groups; use Esub for a.a.m
}}}

{{{
Start QS > Tools > News Accounts > Proxy >

Proxy Server > 127.0.0.1
Proxy Port > 9050
Socks Level > 4a
}}}


==== Hidden Services End Notes ====

A. Banana also offers NNTP, SMTP and M2N via Tor Hidden Services. ZAX's hidden services are down right now but he's getting them up soon.

As far as I understand you can post & dl through Banana's hidden NNTP portal.

B. Occasionally when I dl messages from Panta's Hidden NNTP I get an error message from QS stating "1060 not a winsock err" (something to that effect). This is caused by a problem with one of the Tor nodes (most likely).

In this case wait 2 minutes then retry dling from the a.a.m. Every 60 seconds or so of inactivity Tor creates a new route, which should allow you access to the Hidden Services. If you still can't gain access to the Hidden Services, shutdown/restart Tor & QS; that should do the trick.

C. Don't have Stunnel running in the system tray when you're using Hidden Services and QS; this causes QS to lock and give me an "unable to wipe" error message, requiring a hard restart of QS.

==== Hidden Services Security Issues ====

===== Tor Rendezvous Node =====

The rendezvous node of the Tor network is where you and the Panta or Banana hidden service meet. IMHO the rendezvous node should be verified; by default it is unverified.

***NOTE: It is possible this tweak may decrease the overall anonymity of the Tor network. I don't think that by forcing Tor to use verified rendezvous nodes its anonymity will weaken, as this tweak only slightly decreases the selection and number of nodes.

{{{
It may be wise to *not* apply this tweak at this time. I am not an expert on Tor or Onion Routing so I can't say if this tweak should positively be applied or not.

>>I would like an expert's opinion on this matter please.<<
}}}

Rendezvous node tweak:

{{{
1. Open Torrc file

2. find the section "client options"

3. find the line labeled "AllowUnverifiedNodes middle,rendezvous"

4. delete this ",rendezvous"

5. save file and close

6. restart Tor
}}}

Now the rendezvous node must have its PGP sig and Tor fingerprint w/ valid email on file with the Tor network (DirPort).

===== EHLO Answer =====

There is a *large* anonymity hole in the use of remailers and Tor Hidden Services. When you use remailers (SMTP) on Tor's Hidden Service, your real Host and IP can be leaked via the EHLO answer to the Tor Introduction Point server, OR and Rendezvous Point node.

QS spoofs the EHLO answer (as does JBN2 Panta mod) so your Host and IP are secure.
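As an added example (not part of the original HOWTO, nor QS or JBN2 code), the following Python sketch shows the two client-side properties the QS settings above depend on: a SOCKS4a CONNECT that hands the .onion hostname to Tor unresolved (no local DNS lookup), and an EHLO sent with a fixed name instead of the machine's real hostname. The proxy address, the SMTP port, and all function names are assumptions.

```python
import socket
import struct

TOR_SOCKS = ("127.0.0.1", 9050)  # Tor's default SOCKS port, as used in the QS proxy settings

def build_socks4a_connect(hostname: str, port: int, userid: str = "") -> bytes:
    """SOCKS4a CONNECT: VN=4, CD=1, DSTPORT, DSTIP=0.0.0.1, USERID NUL, HOSTNAME NUL.
    The 0.0.0.1 marker tells the proxy to resolve the trailing hostname itself,
    so no DNS query for the .onion name ever leaves this machine (plain SOCKS4
    would force the client to resolve it locally, which is the leak)."""
    header = struct.pack("!BBH4B", 4, 1, port, 0, 0, 0, 1)
    return header + userid.encode("ascii") + b"\x00" + hostname.encode("ascii") + b"\x00"

def parse_socks4_reply(reply: bytes) -> bool:
    """Return True for 'request granted' (CD=0x5a); any other code is a refusal.
    A short or malformed reply is an error, never treated as success."""
    if len(reply) != 8 or reply[0] != 0:
        raise ValueError("malformed SOCKS4 reply: %r" % (reply,))
    return reply[1] == 0x5A

def ehlo_leaks_identity(name: str, local_names=None) -> bool:
    """True if an EHLO argument would reveal the real host: an address literal
    such as [203.0.113.7] (constructed sample) or the machine's own hostname/FQDN."""
    if local_names is None:
        local_names = {socket.gethostname(), socket.getfqdn()}
    return name.startswith("[") or name in local_names

def ehlo_line(spoofed_name: str = "localhost") -> bytes:
    """EHLO with a fixed, meaningless name rather than socket.getfqdn()."""
    return b"EHLO " + spoofed_name.encode("ascii") + b"\r\n"

def smtp_via_tor(onion_host: str, port: int = 25) -> socket.socket:
    """Open an SMTP session to a hidden service through Tor and send the spoofed EHLO.
    Assumed flow; the caller drives the rest of the SMTP dialogue on the returned socket."""
    s = socket.create_connection(TOR_SOCKS)
    s.sendall(build_socks4a_connect(onion_host, port))
    if not parse_socks4_reply(s.recv(8)):
        s.close()
        raise ConnectionError("Tor refused CONNECT to %s:%d" % (onion_host, port))
    s.recv(1024)            # 220 banner from the hidden service's SMTP server
    s.sendall(ehlo_line())  # never the real hostname
    return s
```

A quick check for any client you put behind Tor: capture its first SMTP line and run it through ehlo_leaks_identity(); a True result is exactly the hole described above.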

=== Everyday Use ===

You're done! Now to use the monster you created:

==== TLS Stats Page ====

A. Start QS

B. Start SocksCap

C. Start Stunnel via SocksCap

D. Start Tor

E. QS > Tools > Remailers > Update 

==== TLS SMTP/M2N ====

A. Start QS

B. Start SocksCap

C. Start Stunnel via SocksCap

D. Start Tor

E. Use either template for TLS SMTP or M2N

==== TLS NNTPS DLing ====

A. Start QS

B. Start SocksCap

C. Start Stunnel via SocksCap

D. Start Tor

E. Start QS News Plugin

F. Select News Account for "news.bananasplit.info"

G. Start DLing messages

==== Hidden Service SMTP/M2N ====

A. Start QS

B. Start Tor

C. Use either template for Hidden Service SMTP or M2N 

==== Hidden Service NNTP ====

A. Start QS

B. Start Tor

C. Start QS News Plugin

D. Select News Account for "rjgcfnw4sd2jaqfu.onion"

E. Start DLing messages

=== Further Reading ===

Panta Hidden service info & JBN/Tor:

http://www.panta-rhei.dyndns.org/pantawiki/HowToJbnAndTor 

Panta's website:

http://www.panta-rhei.dyndns.org/

Banana's website:

http://www.bananasplit.info/ 

Banana's TLS/SSL SMTP webpage:

http://www.bananasplit.info/mailtls.html 

Banana's Stunnel How-To webpage:

http://www.bananasplit.info/stunnel.html 

TLS@noreply:

http://www.noreply.org/tls/ 

QS website:

http://www.quicksilvermail.net/  

=== In A Perfect World... ===

...SocksCap speaks Socks4a, and both Panta and Banana offer NNTPS and SMTP(TLS) via Tor Hidden Services on ports 563 & 2525 (or other ports).

This way we could use NNTPS and SMTP(TLS) through QS > Stunnel > Tor > Hidden Services > NNTPS/SMTP(TLS).

Thus, we would have an encrypted end-to-end route through Tor Hidden Services without an adversary knowing we're using anything but the Tor network.

I don't know if this is possible, as Hidden Services may not allow a Stunnel (TLS) forward, e.g.:

{{{
#[PANTA_TLS_SMTP_HIDDEN_SERVICES]
#accept = 2525
#connect = rjgcfnw4sd2jaqfu.onion
#delay = no
}}}

Or something of that nature...


== Credits ==

Thomas Sjogren with Northern Security started this howto and still maintains a copy at:
        http://www.northernsecurity.net/articles/torify.html

Other Contributing Authors:
        * Dave Vehrs
        * Nick Mathewson
        * Thomas Hardly
        * tyranix
        * HereHere
        * Zax