|
|
[[TOC(noheading, depth=0)]]
|
|
|
|
|
|
= Isolating Proxy Concept =
|
|
|
# Isolating Proxy Concept
|
|
|
To my knowledge, using a physically isolated Isolating Proxy is currently the safest ^2^ Tor setup...
|
|
|
|
|
|
An Isolating Proxy is much different from a [https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy Transparent Proxy]. A pure Transparent Proxy suffers from [https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxyLeaks Transparent Proxy Leaks]. While a Transparent Proxy routes all ^1^ traffic through Tor and blocks the rest ^1^, an Isolating Proxy solves the Transparent Proxy Leaks problem and is about security by isolation.
|
|
|
An Isolating Proxy is much different from a [Transparent Proxy](https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy). A pure Transparent Proxy suffers from [Transparent Proxy Leaks](https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxyLeaks). While a Transparent Proxy routes all ^1^ traffic through Tor and blocks the rest ^1^, an Isolating Proxy solves the Transparent Proxy Leaks problem and is about security by isolation.
|
|
|
|
|
|
An Isolating Proxy requires at least two machines. Those machines can be either virtual machines or two physically isolated machines. Both machines are connected through an isolated LAN. One machine is called Gateway. The other one is called Workstation.
|
|
|
|
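Review bot: The footnote markers are not converted along with the links. The new paragraph beginning "An Isolating Proxy is much different from a [Transparent Proxy](...)" still contains the Trac superscript `^1^` twice, and the unchanged "safest ^2^ Tor setup..." line keeps `^2^`. Standard Markdown (CommonMark/GFM) has no `^...^` superscript, so these will render as literal carets. Suggest switching them to `<sup>1</sup>` / `<sup>2</sup>` or to whatever footnote syntax the target wiki supports, so that the qualifiers on "routes all traffic through Tor and blocks the rest" and on "safest" stay visibly attached to their footnotes.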
... | ... | @@ -15,41 +15,43 @@ The Workstation is used to run all client applications (such as Tor Browser, XCh |
|
|
|
|
|
DNS leaks clear are impossible, because the Workstation does not have a working system DNS resolver. The Workstation could install a system DNS resolver, but it also would have to be configured to use Tor's SocksPort.
|
|
|
|
|
|
IP leaks are also impossible. Client applications which suffer from proxy bypass bugs will be unable to connect. They can only connect through Tor's SocksPort. Client applications can also not leak the clearnet IP through the protocol ([https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/Misc like BitTorrent]), where the protocol leaks the clearnet IP somewhere.
|
|
|
IP leaks are also impossible. Client applications which suffer from proxy bypass bugs will be unable to connect. They can only connect through Tor's SocksPort. Client applications can also not leak the clearnet IP through the protocol ([like BitTorrent](https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/Misc)), where the protocol leaks the clearnet IP somewhere.
|
|
|
|
|
|
IP/DNS leaks would require an adversary to break into the Gateway (when using physical isolation) or to break the Virtual Machine (when using Virtual Machines). The Whonix project, which is very close to an Isolating Proxy (see below), documented how much effort is required and which attacks can break such a setup, see [https://www.whonix.org/wiki/Comparison_with_Others#Attacks Attacks on Whonix].
|
|
|
IP/DNS leaks would require an adversary to break into the Gateway (when using physical isolation) or to break the Virtual Machine (when using Virtual Machines). The Whonix project, which is very close to an Isolating Proxy (see below), documented how much effort is required and which attacks can break such a setup, see [Attacks on Whonix](https://www.whonix.org/wiki/Comparison_with_Others#Attacks).
|
|
|
|
|
|
Isolating Proxy is a newly coined term by adrelanos.
|
|
|
|
|
|
,,^1^ Depending on type and implementation.,, [[BR]]
|
|
|
,,^2^ Safe from clearnet IP discovery.,, [[BR]]
|
|
|
,,^1^ Depending on type and implementation.,,
|
|
|
|
|
|
== What is the benefit of an Isolating Proxy over a Transparent Proxy? ==
|
|
|
,,^2^ Safe from clearnet IP discovery.,,
|
|
|
|
|
|
|
|
|
## What is the benefit of an Isolating Proxy over a Transparent Proxy?
|
|
|
|
|
|
* The user is more in control, which traffic gets routed over Tor. While a Transparent Proxy Anonymizing Middlebox routes all traffic over Tor, an Isolating Proxy routes only traffic over Tor, where the applications are using socks proxy settings or a socksifier. Various "misc" traffic is blocked.
|
|
|
* Software not classified as malware, but still phoning home without the user being aware of it and without knowing the exact contents of the phone home message, will be unable to connect.
|
|
|
* Examples: popularity-contest, copyright protection software, anti-cheat software...
|
|
|
* This is important. Crash reporting software sometimes sends contents of RAM over unencrypted connections.
|
|
|
* For more examples, please see [https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxyLeaks TransparentProxyLeaks].
|
|
|
* For more examples, please see [TransparentProxyLeaks](https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxyLeaks).
|
|
|
* Off-the-shelf malware (adding the user to a botnet) will be unable to connect. Manual action is required to configure the malware to use the SocksPort. The malware authors have not yet adapted using the SocksPort. This is of course no help against targeted attacks.
|
|
|
* Windows users profit more from an Isolating Proxy than other operating systems, because Windows suffers more from "misc" traffic.
|
|
|
|
|
|
= Isolating Proxy Example Implementation =
|
|
|
# Isolating Proxy Example Implementation
|
|
|
To my knowledge, other than the description above, there are currently no pure Isolating Proxies available as instructions, source code or download.
|
|
|
|
|
|
[https://www.whonix.org Whonix] is the closest example implementation available as source code and download. It uses an Isolating Proxy with an additional Transparent Proxy, which can be optionally disabled.
|
|
|
[Whonix](https://www.whonix.org) is the closest example implementation available as source code and download. It uses an Isolating Proxy with an additional Transparent Proxy, which can be optionally disabled.
|
|
|
|
|
|
The [http://theinvisiblethings.blogspot.com/2011/09/playing-with-qubes-networking-for-fun.html Qubes OS + Tor blog post] are instructions for a Transparent Proxy, but with could be with some effort transformed into an Isolating Proxy.
|
|
|
The [Qubes OS + Tor blog post](http://theinvisiblethings.blogspot.com/2011/09/playing-with-qubes-networking-for-fun.html) are instructions for a Transparent Proxy, but with could be with some effort transformed into an Isolating Proxy.
|
|
|
|
|
|
= Isolating Proxy Graphical Illustrations =
|
|
|
== Illustration using Physical Isolation ==
|
|
|
# Isolating Proxy Graphical Illustrations
|
|
|
## Illustration using Physical Isolation
|
|
|
None available yet.
|
|
|
|
|
|
== Illustration using Virtual Machines ==
|
|
|
=== Whonix ===
|
|
|
[[Image(https://whonix.org/w/images/thumb/9/90/Whonix.jpg/800px-Whonix.jpg)]]
|
|
|
## Illustration using Virtual Machines
|
|
|
### Whonix
|
|
|
![https://whonix.org/w/images/thumb/9/90/Whonix.jpg/800px-Whonix.jpg](https://whonix.org/w/images/thumb/9/90/Whonix.jpg/800px-Whonix.jpg)
|
|
|
|
|
|
=== Qubes OS ===
|
|
|
The [http://theinvisiblethings.blogspot.com/2011/09/playing-with-qubes-networking-for-fun.html Qubes OS + Tor blog post] actually describes a Transparent Proxy, but it could be turned into an Isolating Proxy. The illustration is the same.
|
|
|
### Qubes OS
|
|
|
The [Qubes OS + Tor blog post](http://theinvisiblethings.blogspot.com/2011/09/playing-with-qubes-networking-for-fun.html) actually describes a Transparent Proxy, but it could be turned into an Isolating Proxy. The illustration is the same.
|
|
|
|
|
|
[[Image(http://1.bp.blogspot.com/-eG2Y4_xJxD0/ToMgWVNiEjI/AAAAAAAAAJI/pWNCiXq-qKs/s400/qubes-torproxy-config.png)]] |
|
|
\ No newline at end of file |
|
|
![http://1.bp.blogspot.com/-eG2Y4_xJxD0/ToMgWVNiEjI/AAAAAAAAAJI/pWNCiXq-qKs/s400/qubes-torproxy-config.png](http://1.bp.blogspot.com/-eG2Y4_xJxD0/ToMgWVNiEjI/AAAAAAAAAJI/pWNCiXq-qKs/s400/qubes-torproxy-config.png) |
|
|
\ No newline at end of file |
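Review bot: The two footnote lines are only half converted. The new `,,^1^ Depending on type and implementation.,,` and `,,^2^ Safe from clearnet IP discovery.,,` drop `[[BR]]` but keep Trac's `,,` subscript and `^` superscript markers, which Markdown prints literally. Since these footnotes carry the caveats on the "safest" and "routes all traffic" claims, they should render cleanly, for example as `<sub><sup>1</sup> Depending on type and implementation.</sub>`. Smaller points in the same hunk: the new Qubes sentence carries over the wording "but with could be with some effort transformed into an Isolating Proxy", which is worth fixing while the line is being touched. Both converted images use the raw URL as alt text, where a short description would serve readers better. The Qubes diagram is still referenced over `http://`, which is worth changing if the wiki itself is served over HTTPS.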