|
'''This is a draft, it is not complete and will be updated'''
|
|
**This is a draft, it is not complete and will be updated**
|
|
|
|
|
|
This page lists a set of "Best Practices" for producing anonymity centered Live CDs based on Tor.
|
|
This page lists a set of "Best Practices" for producing anonymity centered Live CDs based on Tor.
|
|
|
|
|
|
= Rationale =
|
|
# Rationale
|
|
|
|
|
|
An anonymity LiveCD is useful when not using a machine under the user's control. This could be a public lab, friend's house, or in a business. Software may be prevented from being installed. Another consideration is not only network sniffing but software installed on the machine that stores all activities, keystrokes, etc. A LiveCD would prevent these attacks, unless of course they are hardware based.
|
|
An anonymity LiveCD is useful when not using a machine under the user's control. This could be a public lab, friend's house, or in a business. Software may be prevented from being installed. Another consideration is not only network sniffing but software installed on the machine that stores all activities, keystrokes, etc. A LiveCD would prevent these attacks, unless of course they are hardware based.
|
|
|
|
|
|
= Goals =
|
|
# Goals
|
|
|
|
|
|
* Until we know what you *intended* to do, there's no way to say that there's a bug or problem in the configuration. So step one is to decide what you *meant* to do with your configuration. Then anybody who wants to can check to see if that's what you actually did.
|
|
* Until we know what you *intended* to do, there's no way to say that there's a bug or problem in the configuration. So step one is to decide what you *meant* to do with your configuration. Then anybody who wants to can check to see if that's what you actually did.
|
|
* People who want to do a security analysis of the configuration choices don't have to rederive them, and don't have to figure out whether to try to convince you to make a different choice vs convince you you've made a mistake. Rather, they can just look at the best practices webpage and decide from there if it looks good.
|
|
* People who want to do a security analysis of the configuration choices don't have to rederive them, and don't have to figure out whether to try to convince you to make a different choice vs convince you you've made a mistake. Rather, they can just look at the best practices webpage and decide from there if it looks good.
|
|
* People working on future LiveCDs don't need to start from scratch. Once a consensus exists, we raise the baseline for all the projects out there.
|
|
* People working on future LiveCDs don't need to start from scratch. Once a consensus exists, we raise the baseline for all the projects out there.
|
|
|
|
|
|
= Problems to Solve =
|
|
# Problems to Solve
|
|
|
|
|
|
* Different versions of programs have different config options. Do we need to come up with a standard for each version that people want to use? What if one version is considered 'better' but is not available for some LiveCD platforms? I guess we tackle these as they come up.
|
|
* Different versions of programs have different config options. Do we need to come up with a standard for each version that people want to use? What if one version is considered 'better' but is not available for some LiveCD platforms? I guess we tackle these as they come up.
|
|
* We don't have any non-linux LiveCDs represented here. I bet the application choices and recommended config options for a Windows-based LiveCD would be quite different. If such creatures even exist.
|
|
* We don't have any non-linux LiveCDs represented here. I bet the application choices and recommended config options for a Windows-based LiveCD would be quite different. If such creatures even exist.
|
|
* How do we want to specific configs, in this document inline? Linked to other documents? There are existing documents that cover such things.
|
|
* How do we want to specific configs, in this document inline? Linked to other documents? There are existing documents that cover such things.
|
|
|
|
|
|
= Applications =
|
|
# Applications
|
|
|
|
|
|
The applications have been broken into categories. Each category should have a set of expectations and then each application would have how that should be accomplished.
|
|
The applications have been broken into categories. Each category should have a set of expectations and then each application would have how that should be accomplished.
|
|
|
|
|
|
It seems best that more popular applications should be favored for the fact that vulnerabilities are more likely to be found in the applications that are used more. There may be good reasons to make other choices, this document should not imply to prohibit or discourage use of less popular applications.
|
|
It seems best that more popular applications should be favored for the fact that vulnerabilities are more likely to be found in the applications that are used more. There may be good reasons to make other choices, this document should not imply to prohibit or discourage use of less popular applications.
|
|
|
|
|
|
== Tor ==
|
|
## Tor
|
|
|
|
|
|
TODO: recommended Tor config.
|
|
TODO: recommended Tor config.
|
|
|
|
|
|
=== Tor Controllers ===
|
|
### Tor Controllers
|
|
|
|
|
|
* Tor controllers should be configured to work "out of the box".
|
|
* Tor controllers should be configured to work "out of the box".
|
|
* Tor should be started as a service and not by the controller. (May be some discussion here)
|
|
* Tor should be started as a service and not by the controller. (May be some discussion here)
|
|
|
|
|
|
=== Vidalia ===
|
|
### Vidalia
|
|
|
|
|
|
Qt based controller.
|
|
Qt based controller.
|
|
|
|
|
|
=== TorK ===
|
|
### TorK
|
|
|
|
|
|
KDE based controller.
|
|
KDE based controller.
|
|
|
|
|
|
== Web ==
|
|
## Web
|
|
|
|
|
|
The web browser is possibly the most important, and most problematic of the network applications.
|
|
The web browser is possibly the most important, and most problematic of the network applications.
|
|
|
|
|
... | @@ -52,11 +52,11 @@ The web browser is possibly the most important, and most problematic of the netw |
... | @@ -52,11 +52,11 @@ The web browser is possibly the most important, and most problematic of the netw |
|
|
|
|
|
Many users find it helpful to verify they are using Tor with an exit check service. The [[TheOnionRouter| Onion Router Page]] lists a number of such services in the "Random stuff" section which can be configured as a bookmark or homepage of privacy enabled browsers.
|
|
Many users find it helpful to verify they are using Tor with an exit check service. The [[TheOnionRouter| Onion Router Page]] lists a number of such services in the "Random stuff" section which can be configured as a bookmark or homepage of privacy enabled browsers.
|
|
|
|
|
|
=== Mozilla Firefox ===
|
|
### Mozilla Firefox
|
|
|
|
|
|
To preconfigure Firefox for Tor usage, install the Torbutton Add-On by extracting it to '''/path/to/firefox/extensions/{e0204bd5-9d31-402b-a99d-a6aa8ffebdca}'''.
|
|
To preconfigure Firefox for Tor usage, install the Torbutton Add-On by extracting it to **/path/to/firefox/extensions/{e0204bd5-9d31-402b-a99d-a6aa8ffebdca}**.
|
|
This way, it's installed globally for all users on the system. Then add these lines to '''/path/to/firefox/defaults/pref/firefox.js''':
|
|
This way, it's installed globally for all users on the system. Then add these lines to **/path/to/firefox/defaults/pref/firefox.js**:
|
|
{{{
|
|
```
|
|
pref("network.proxy.http", "localhost");
|
|
pref("network.proxy.http", "localhost");
|
|
pref("network.proxy.http_port", 8118);
|
|
pref("network.proxy.http_port", 8118);
|
|
pref("network.proxy.socks", "localhost");
|
|
pref("network.proxy.socks", "localhost");
|
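Review bot: the exit check paragraph in this hunk still carries the MoinMoin link [[TheOnionRouter| Onion Router Page]] unchanged on the new side, while the bold markers and code fences around it were converted. Markdown has no double-bracket link syntax, so this will render as literal brackets rather than a link. Convert it to a Markdown link, [Onion Router Page](target), using whatever target the converted wiki assigns to the TheOnionRouter page.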
... | @@ -71,74 +71,74 @@ pref("extensions.torbutton.https_port", 8118); |
... | @@ -71,74 +71,74 @@ pref("extensions.torbutton.https_port", 8118); |
|
pref("extensions.torbutton.https_proxy", "localhost");
|
|
pref("extensions.torbutton.https_proxy", "localhost");
|
|
pref("extensions.torbutton.socks_host", "localhost");
|
|
pref("extensions.torbutton.socks_host", "localhost");
|
|
pref("extensions.torbutton.socks_port", 9050);
|
|
pref("extensions.torbutton.socks_port", 9050);
|
|
}}}
|
|
```
|
|
The default Firefox bookmarks should be changed, too, since they contain a RSS feed which will be fetched automatically. To change the default bookmarks, edit the file '''/path/to/firefox/defaults/profile/bookmarks.html'''.
|
|
The default Firefox bookmarks should be changed, too, since they contain a RSS feed which will be fetched automatically. To change the default bookmarks, edit the file **/path/to/firefox/defaults/profile/bookmarks.html**.
|
|
* Include noscript extension to disable script that can compromise anonymity.
|
|
* Include noscript extension to disable script that can compromise anonymity.
|
|
|
|
|
|
OPTIONAL? To prevent the browser from keeping HTTP sessions open over existing circuits the following network settings should be applied. This will ensure that new circuits, such as requested via NEWNYM, will service subsequent HTTP requests.
|
|
OPTIONAL? To prevent the browser from keeping HTTP sessions open over existing circuits the following network settings should be applied. This will ensure that new circuits, such as requested via NEWNYM, will service subsequent HTTP requests.
|
|
|
|
|
|
'''/path/to/firefox/defaults/pref/firefox.js'''
|
|
**/path/to/firefox/defaults/pref/firefox.js**
|
|
{{{
|
|
```
|
|
pref("network.http.keep-alive", false);
|
|
pref("network.http.keep-alive", false);
|
|
pref("network.http.max-persistent-connections-per-proxy", 0);
|
|
pref("network.http.max-persistent-connections-per-proxy", 0);
|
|
pref("network.http.max-persistent-connections-per-server", 0);
|
|
pref("network.http.max-persistent-connections-per-server", 0);
|
|
}}}
|
|
```
|
|
|
|
|
|
'''about:config''':
|
|
**about:config**:
|
|
{{{
|
|
```
|
|
network.http.keep-alive = FALSE
|
|
network.http.keep-alive = FALSE
|
|
network.http.max-persistent-connections-per-proxy = 0
|
|
network.http.max-persistent-connections-per-proxy = 0
|
|
network.http.max-persistent-connections-per-server = 0
|
|
network.http.max-persistent-connections-per-server = 0
|
|
}}}
|
|
```
|
|
|
|
|
|
=== KDE Konqueror ===
|
|
### KDE Konqueror
|
|
|
|
|
|
TODO: How to pre-configure here.
|
|
TODO: How to pre-configure here.
|
|
|
|
|
|
== IRC ==
|
|
## IRC
|
|
|
|
|
|
=== irssi ===
|
|
### irssi
|
|
To configure irssi for Tor usage, it's enough to call it as
|
|
To configure irssi for Tor usage, it's enough to call it as
|
|
{{{
|
|
```
|
|
$ torify irssi
|
|
$ torify irssi
|
|
}}}
|
|
```
|
|
Note that this still leaks DNS queries, which must be handled separately. Alternatively, irssi can be configured to use a HTTP Proxy server. For Privoxy, you need to add the following configuration directive:
|
|
Note that this still leaks DNS queries, which must be handled separately. Alternatively, irssi can be configured to use a HTTP Proxy server. For Privoxy, you need to add the following configuration directive:
|
|
{{{
|
|
```
|
|
+limit-connect{1-}
|
|
+limit-connect{1-}
|
|
}}}
|
|
```
|
|
to its configuration. Note that this will cause raw HTML to be printed to irssi's status window in case of a connection error.
|
|
to its configuration. Note that this will cause raw HTML to be printed to irssi's status window in case of a connection error.
|
|
|
|
|
|
TODO: define apps
|
|
TODO: define apps
|
|
|
|
|
|
== Instant Messaging ==
|
|
## Instant Messaging
|
|
|
|
|
|
=== OTR ===
|
|
### OTR
|
|
|
|
|
|
OTR (Off The Record) is an authentication and encryption mechanism that is also supposed to have plausible deniability after the conversation. This should be considered. Each IM application must have OTR integration, OTR itself is a library.
|
|
OTR (Off The Record) is an authentication and encryption mechanism that is also supposed to have plausible deniability after the conversation. This should be considered. Each IM application must have OTR integration, OTR itself is a library.
|
|
|
|
|
|
=== Kopete ===
|
|
### Kopete
|
|
|
|
|
|
=== Gaim ===
|
|
### Gaim
|
|
|
|
|
|
== Email ==
|
|
## Email
|
|
|
|
|
|
=== Mixminion ===
|
|
### Mixminion
|
|
|
|
|
|
Anonymous emailing. At this time (Jun 2007) the software is alpha and the network is not large enough for strong anonymity.
|
|
Anonymous emailing. At this time (Jun 2007) the software is alpha and the network is not large enough for strong anonymity.
|
|
|
|
|
|
=== Mozilla Thunderbird ===
|
|
### Mozilla Thunderbird
|
|
|
|
|
|
=== KMail ===
|
|
### KMail
|
|
|
|
|
|
TODO: include config for mixminion.
|
|
TODO: include config for mixminion.
|
|
|
|
|
|
== Other ==
|
|
## Other
|
|
|
|
|
|
TODO: define
|
|
TODO: define
|
|
|
|
|
|
= Supporting Software =
|
|
# Supporting Software
|
|
|
|
|
|
== DNS proxies ==
|
|
## DNS proxies
|
|
|
|
|
|
If an application does not support SOCKS4a or SOCKS5 named requests a DNS proxy can be used to resolve names via Tor and prevent leakage of identifying information through DNS lookups. This must also be implemented when using a transparent proxy approach for any host applications.
|
|
If an application does not support SOCKS4a or SOCKS5 named requests a DNS proxy can be used to resolve names via Tor and prevent leakage of identifying information through DNS lookups. This must also be implemented when using a transparent proxy approach for any host applications.
|
|
|
|
|
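Review bot: in the irssi section, the converted fence around +limit-connect{1-} splits one sentence in two: "you need to add the following configuration directive:" comes before the block and the fragment "to its configuration." comes after it. With a Markdown fence the trailing fragment becomes its own paragraph starting in lower case. Either drop "to its configuration." from the following line or fold it into the lead-in sentence, so the block is followed directly by "Note that this will cause raw HTML to be printed ...".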
... | @@ -146,11 +146,11 @@ Tor version 0.2.0.2-alpha includes support for transparent DNS proxy when a "DNS |
... | @@ -146,11 +146,11 @@ Tor version 0.2.0.2-alpha includes support for transparent DNS proxy when a "DNS |
|
|
|
|
|
TODO: list dns-proxy-tor location and usage; other DNS solutions like MAPADDRESS.
|
|
TODO: list dns-proxy-tor location and usage; other DNS solutions like MAPADDRESS.
|
|
|
|
|
|
== HTTP proxies ==
|
|
## HTTP proxies
|
|
|
|
|
|
HTTP proxies may be used to modify the request and/or cache the content. Caching is good for performance improvements, especially for a LiveCD since the session time is generally short.
|
|
HTTP proxies may be used to modify the request and/or cache the content. Caching is good for performance improvements, especially for a LiveCD since the session time is generally short.
|
|
|
|
|
|
=== Privoxy ===
|
|
### Privoxy
|
|
|
|
|
|
Privoxy removes various content from the documents including headers, ads, etc.
|
|
Privoxy removes various content from the documents including headers, ads, etc.
|
|
|
|
|
... | @@ -164,7 +164,7 @@ Some useful default actions include: |
... | @@ -164,7 +164,7 @@ Some useful default actions include: |
|
|
|
|
|
TODO: config and filter defaults that are current and useful.
|
|
TODO: config and filter defaults that are current and useful.
|
|
|
|
|
|
=== Squid ===
|
|
### Squid
|
|
|
|
|
|
Squid is useful for:
|
|
Squid is useful for:
|
|
* Caching
|
|
* Caching
|
... | @@ -177,48 +177,48 @@ Squid 2.x config settings: |
... | @@ -177,48 +177,48 @@ Squid 2.x config settings: |
|
|
|
|
|
TODO: identify config for common versions, especially those options that remove identifying information such as forwarder
|
|
TODO: identify config for common versions, especially those options that remove identifying information such as forwarder
|
|
|
|
|
|
== TCP proxies ==
|
|
## TCP proxies
|
|
|
|
|
|
Tor can be used as a transparent TCP proxy when DNS resolution is also performed via the Tor network. The "TransListenAddress" and "TransPort" config options provide a destination for TCP DNAT routing into Tor in the same fashion as transparent DNS proxy.
|
|
Tor can be used as a transparent TCP proxy when DNS resolution is also performed via the Tor network. The "TransListenAddress" and "TransPort" config options provide a destination for TCP DNAT routing into Tor in the same fashion as transparent DNS proxy.
|
|
|
|
|
|
In some cases it is useful to transparently proxy HTTP requests on port 80 through Squid and Privoxy, while the remaining non HTTP TCP connections are transparently proxied directly through Tor itself.
|
|
In some cases it is useful to transparently proxy HTTP requests on port 80 through Squid and Privoxy, while the remaining non HTTP TCP connections are transparently proxied directly through Tor itself.
|
|
|
|
|
|
== Network Safety / Firewall ==
|
|
## Network Safety / Firewall
|
|
|
|
|
|
* To ensure protection a host firewall can be used to redirect all non-Tor TCP traffic into Tor making use of the TransPort. HTTP (port 80) traffic could be routed into a proxy such as squid. This requires OS specifics.
|
|
* To ensure protection a host firewall can be used to redirect all non-Tor TCP traffic into Tor making use of the TransPort. HTTP (port 80) traffic could be routed into a proxy such as squid. This requires OS specifics.
|
|
|
|
|
|
=== Linux ===
|
|
### Linux
|
|
|
|
|
|
TODO: include iptables rules
|
|
TODO: include iptables rules
|
|
|
|
|
|
TODO: define other OS firewall configs
|
|
TODO: define other OS firewall configs
|
|
|
|
|
|
= Other Features =
|
|
# Other Features
|
|
|
|
|
|
* Run off of or copy to USB drive.
|
|
* Run off of or copy to USB drive.
|
|
* Install it to a harddisk.
|
|
* Install it to a harddisk.
|
|
|
|
|
|
= Security Concerns =
|
|
# Security Concerns
|
|
|
|
|
|
* No writing to swap space, may include sensitive information.
|
|
* No writing to swap space, may include sensitive information.
|
|
|
|
|
|
= Requirements =
|
|
# Requirements
|
|
|
|
|
|
* Obviously should fit on a standard CD
|
|
* Obviously should fit on a standard CD
|
|
* A CD less than 50 MB is good to fit on a "business card" CD.
|
|
* A CD less than 50 MB is good to fit on a "business card" CD.
|
|
* Should be as small as possible if the ability to be copied to a USB drive is supported.
|
|
* Should be as small as possible if the ability to be copied to a USB drive is supported.
|
|
|
|
|
|
= Documentation =
|
|
# Documentation
|
|
|
|
|
|
The LiveCD should be documented such that others can understand the choices made, why they were made, and how they are implemented. One of the goals of this document is to help with the "what" and "why" and some of the "how". Ultimately though the "how" must be clear in the LiveCD implementation documentation.
|
|
The LiveCD should be documented such that others can understand the choices made, why they were made, and how they are implemented. One of the goals of this document is to help with the "what" and "why" and some of the "how". Ultimately though the "how" must be clear in the LiveCD implementation documentation.
|
|
|
|
|
|
A public source repository is recommended, such as SVN.
|
|
A public source repository is recommended, such as SVN.
|
|
|
|
|
|
= Reproducibility =
|
|
# Reproducibility
|
|
|
|
|
|
* Implementations should be able to be built by others and the required information available. This would include the source to the software, configurations, etc. The process should yield consistent results.
|
|
* Implementations should be able to be built by others and the required information available. This would include the source to the software, configurations, etc. The process should yield consistent results.
|
|
|
|
|
|
= Existing Implementations =
|
|
# Existing Implementations
|
|
|
|
|
|
* [http://xsanr2oqmett7ovm.onion/wiki/show/Configurations ROCKate]
|
|
* [ROCKate](http://xsanr2oqmett7ovm.onion/wiki/show/Configurations)
|
|
* [http://incognito.anonymityanywhere.com/ Incognito LiveCD/USB] |
|
* [Incognito LiveCD/USB](http://incognito.anonymityanywhere.com/) |
|
\ No newline at end of file |
|
\ No newline at end of file |
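Review bot: the converted file still ends without a trailing newline; the "\ No newline at end of file" marker appears on both sides after the Incognito LiveCD/USB link. The last line is rewritten by this change anyway, so end it with a newline to keep later edits from showing a spurious change on that line.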