TOC(noheading, depth=0)

WARNING: THIS PAGE IS HEAVILY DEPRECIATED. IT ONLY REMAINS FOR HISTORICAL VALUE - DO NOT FOLLOW THE INSTRUCTIONS PROVIDED HERE!

wpolipo

wpolipo - polipo manger init script to improve Tor stream isolation.

UNFINISHED!

Currently only works in Whonix. Can not listen twice on one port. Example: If we open a http listener on 9104, 9118 and 9119 to which Tor socks port it should be automatically redirected?

UPDATE 1

Written by proper/adrelanos. Only tested on Debian GNU/Linux, will probable also work on Ubuntu GNU/Linux. Compatible with polipo's default init script.

The purpose of this script is to prevent Tor identity correlation through circuit sharing. (proposal 171 separate streams)

Many applications do not support socks proxy settings, only http proxy settings. Torsocks also fails to torify many applications, especially gui applications. Polipo can be used to translate http traffic to socks traffic. The drawback of using polipo is, that it under normal circumstances, only has one http listen port and only forwards to one Tor socks parent proxy port.

For Tor stream isolation, wpolipo can open multiple http listen ports and forward them to to different Tor socks parent proxy ports. Setting PORTS=("9104" "9118") will listen on 127.0.0.1:9104 and forward to 127.0.0.1:XXXX and will also listen on 127.0.0.1:9118 and forward to 127.0.0.1:YYYY. Multiple instances of polipo will be started and temporary configuration files will be automatically created.

Open a file /etc/init.d/wpolipo.

sudo nano /etc/init.d/wpolipo

Inset the following content.

## get it from:
https://github.com/adrelanos/Whonix/blob/master/whonix_workstation/etc/init.d/wpolipo

You may wish to configure on which ports polipo should listen on.

PORTS=("9104" "9118" "9119")

Make wpolipo it executable.

sudo chmod +x /etc/init.d/wpolipo

Open torrc.

sudo nano /etc/tor/torrc

And add.

## UNFINISHED
## Won't work. Can not listen twice on one port.
SocksPort 9104
SocksPort 9118
SocksPort 9119

Restart Tor.

sudo service tor restart

Run wpolipo.

sudo service wpolipo start

If you want to autostart wpolipo, use the following.

sudo update-rc.d wpolipo defaults

See also

You may also be interested in uwt - modified usewithtor to improve Tor stream isolation, see torsocks.

Polipo

Polipo is a caching & http-proxy server re-developed to forward http, https network traffic more efficiently inside a SOCKS proxy, like Tor. It's functionality can also be identified as: HTTP2SOCKS or HTTPS2SOCKS.

If you are connecting over encrypted HTTPS scheme, with original author's website, here, then make sure, received SSL cert's SHA1 fingerprint have exactly this: 4F:0A:85:95:D2:1F:42:73:DA:53:70:0A:31:93:10:79:82:CC:5B:F4.

From the Tor FAQ:

''"I need an HTTP proxy. Where did Polipo go?

''In the past, Tor bundles included an HTTP proxy like Privoxy or Polipo, solely to work around a bug in Firefox that was finally fixed in Firefox 6. Now you don't need a separate HTTP proxy to use Tor, and in fact leaving it out makes you safer because Torbutton has better control over Firefox's interaction with websites.

''If you are trying to use some external application with Tor, step zero should be to reread the set of warnings for ways you can screw up. Step one should be to try to use a Socks proxy rather than an http proxy — Tor runs a Socks proxy on port 9050 on Windows, or see above for OSX and Linux.

If that fails, feel free to install privoxy or polipo. You can use our old polipo config file if you like. However, please realize that this approach is not recommended for novice users."

Alternative download locations of polipo are here:

• univ-paris-diderot (v1.1.1, 2014-05-14).
• torproject (v1.0.5, 2010-01-13).
• [http://git.wifi.pps.univ-paris-diderot.fr/?p=polipo.git;a=summary] (current trunk).
• github (current trunk mirror).
• freehaven (v1.0.4.1, 2010-01-31).

<a name="gpg2socksWindows"></a>

PGP/GPG via Polipo-to-SOCKS on Windows

GPG related files for Windows still cannot use SOCKS directly, as of Nov 05, 2013 {insert link to info-source}; TorProject fix request; search for official fix-"SOCKS" request.

Consequently, a HTTP-proxy-To-SOCKS-proxy type of software is still needed in Windows. Specifically, you will need a HTTP-proxy or a HTTPS-proxy in Windows, that can forward PGP/GPG related traffic toward the Tor-proxy (a SOCKS 5/4A proxy), when using Thunderbird, which is configured to go through Tor-proxy, or when you want to execute command-lines related to PGP or GPG & want to go through Tor-proxy.

Do not use polipo proxy in windows for anything else, other than PGP/GPG, or for very light volume simple traffic forwarding. Use other, more safer proxy software, for other purposes.

Steps to INSTALL & USE on Windows:

• Step 1: Place polipo binary files inside this folder : Tor Browser\App\
• Step 2: The folder "Polipo" will not exist inside "Tor Browser\Data" folder, so create that.
• Step 3: Get & use the polipo config file polipo.conf file, and place(Copy-Paste) that config file inside this folder: Tor Browser\Data\Polipo\
• Step 4: Edit the "Tor Browser\Data\Polipo\polipo.conf" file, and:

Change the below line:

_socksParentProxy = "localhost:9050"_

Into this line:

_socksParentProxy = "127.0.0.1:9150"_

• Step 5: either do step 5a, or do step 5b.
• Step 5a: If you are using Tor software which includes Vidalia, then edit "vidalia.conf" file located inside this folder:

Tor Browser\Data\Vidalia\

Goto the "[General]" section, and add these 3 lines or make sure these exists:

<center>
<b>vidalia.conf</b><br />
<textarea name="vidaliaConfPolipo" id="vidaliaConfPolipo" rows="4" cols="60" readonly="readonly" style="text-align: left;">
ProxyExecutable=.\\App\\polipo.exe
ProxyExecutableArguments=" -c .\\Data\\Polipo\\polipo.conf"
RunProxyAtStart=true
</textarea></center>

If you "Exit" once from Vidalia (and restart Vidalia), then polipo should start automatically, when "Tor" binary executable file will start-up.

• Step 5b: If you are using Tor software which does not include Vidalia, then on your windows Desktop create an empty Text/TXT file first, and rename it to "polipo-proxy.cmd", right-click on it, and Edit it, and add/place below 10 lines:

<center>
<b>polipo-proxy.cmd</b><br />
<textarea name="polipoProxyCmd" id="polipoProxyCmd" rows="11" cols="70" readonly="readonly" style="text-align: left;">
@echo off
echo -- Starting Polipo HTTP2SOCKS proxy using "polipo.conf" file --
echo -- Listen IP: 127.0.0.1, HTTP-proxy Port: 8118 --
echo -- Forward IP: 127.0.0.1, SOCKS 5/4A Port: 9150 --
set PolipoL1=%cd%
cd "%PolipoL1%\App\"
cd /D "%PolipoL1%\App\"
start polipo.exe -c ..\..\Data\Polipo\polipo.conf
cd "%PolipoL1%\"
cd /D "%PolipoL1%\"
</textarea></center>

Right-click on this "polipo-proxy.cmd" file on your Desktop, select "Cut" option.

Press [WindowsButton] + [E] both keyboard buttons at the same time, to startup the Windows Explorer (this will work on all Windows editions), browse into your "Tor Browser" folder (or search for it), click on "Tor Browser" folder, right-click on an empty area in right-side pane, and select "Paste", to move this "polipo-proxy.cmd" file inside the "Tor Browser" folder.

Right-click on the file "polipo-proxy.cmd" file (inside the "Tor Browser" folder), and select "Copy" option, and go back to your Desktop's empty area, do a right-click & select "Paste shortcut" option, now you can use (double-click on) this shortcut icon on your Desktop, to start-up the polipo-proxy, when you will be using GnuPG/GPG/PGP related commands or functions for Anonymity (and Privacy) related purpose.

• Step 6: see option 6a or 6b, see which fits your need.
• Option 6a: You may use advanced GnuPG/GPG (or PGP) parameters like shown below, in Thunderbird's Enigmail addon's Preference settings, it is a one/single long line:

<center>
<b>gpg/pgp options</b><br />
<textarea name="gpgOptions" id="gpgOptions" rows="7" cols="60" readonly="readonly" style="text-align: left;">
&#160;--throw-keyids --no-emit-version --no-comments --display-charset utf-8 --keyserver-options no-auto-key-retrieve,no-try-dns-srv,http-proxy=http://127.0.0.1:8118 --keyserver hkp://pgp.surfnet.nl,hkp://zimmermann.mayfirst.org,hkp://sks.mit.edu,hkp://2eghzlv2wwcq7u7y.onion,hkp://subkeys.pgp.net,hkp://pool.sks-keyservers.net
</textarea></center>

• Please see TorBirdy project's page/area, or TorBirdy wiki docs at TorProject area for more up-to-date information.

• TorBirdy is an addon/extension for Mozilla Thunderbird, Icedove, Mozilla Sunbird, etc email-clients software. It can set Anonymity (and Privacy) related various configurations, to block various leaks, in those email-client software.

• The last/current TorBirdy release, includes advanced GPG parameters/options, which can be viewed from torbirdy.js (torproject), or from torbirdy.js (github). Find (Ctrl+F) the config line which have this word _extensions.enigmail.agentAdditionalParam_, under that line, each GPG parameters/options are shown. TorBirdy addon, if enabled, it itself will auto join all those additional GPG parameters/options as a single line of parameter command-line inside Enigmail/OpenPGP's Preference settings.

• GnuPG(GPG) files from GPG4Windows vanilla edition, (or GPG files from GPG-Portable edition), can be copied into a sub-folder inside your email-client software, or into your own choice of Anonymity related GPG sub-folder, and then such sub-folder can be specified inside the Enigmail/OpenPGP addon's preference settings, as a location of GPG binary/executable files, instead of using local system's default or global GPG related binary/executable files. Such separate GPG binary & related files can be safely used for Anonymity (and Privacy) purpose.

• And gpg.conf file can be obtained from here: gpg.conf (github), or gpg.conf (torproject). In Windows, place gpg.conf file inside that Anonymity related GPG sub-folder, and then edit+change the gpg.conf file's below config line:

_keyserver-options http-proxy=socks5``:``//TORIP:TORPORT_

into below line:

_keyserver-options http-proxy=http``:``//127.0.0.1:8118_

TorBirdy is still in beta/experimental stage, so use it based on your own choice/need and at your own risk.

• Current/last GnuPG for Windows, and with above long GPG parameters, should not leak any DNS. But if you are using older "GnuPG for Windows" or older OpenPGP, then, make sure to select/choose block/deny option for any DNS related permissions/prompts when shown to you from your Firewall/Security related software, for the GnuPG binary/executable files, which are specifically located AND started from inside Anonymity related GPG sub-folder. Such GnuPG/OpenPGP binary/executable files (when used for Anonymity & Privacy purpose) ONLY need to connect with 127.0.0.1:8118, nothing else.

• Using HKPS scheme based connection with pgp/gpg keyserver is better than using a HKP scheme, just like using HTTPS with a server is better than using HTTP. HKPS, HTTPS uses encrypted packets and connection, so someone in middle cannot modify, specially when email-client will connect with destination keyserver, via/using any type of proxy. HiddenService(onion-host) based servers are better than open internet servers. A TLS encrypted HKPS/HTTPS supported & connection based HiddenService(onion-host) server is better than a HKP/HTTP based HiddenService(onion-host).

• Option 6b: you may use (shown above) the long gpg parameters/options in a (shell) command-line, but pick only one of the gpg/pgp keyserver, for your Anonymity and Privacy related PGP or GPG functions. If you want to use shorter (shell) command-line, with (almost) all GPG related options (related to Anonymity and Privacy), then first pre-specify all related options inside a gpg.conf file, and use that specific gpg.conf file in your (shell) command-line. Pls see links for gpg.conf mentioned inside Option 6a, and see the GnuPG link to view gpg/pgp keyserver list & other shell commands and configurations.

• Some domain-name owners and software developers published+declared their GPG key and GPG fingerprint directly on PGP related DNS records, such GPG Keys can be obtained via GPG tools (or "DiG" tools from ISC) and loaded into the GPG keyring. If a local DNS-Server supports full DNSSEC authentications, and also supports encrypted TCP upstream via Tor-proxy, toward an encryption supported remote & full DNSSEC based DNS-Server, then such method is rated comparatively higher in WoT (Web of Trust levels), than using a non-encrypted or encrypted or a non-HiddenService or HiddenService based gpg/pgp keyserver(s), as GPG/DiG tools can obtain GPG keys directly from the actual author's/developer's domain-name. If domain-name is DNSSEC-signed then such GPG-key's trust-level is even higher in WoT. The DNS2SOCKS" software can forward DNS & DNSSEC related any queries via Tor-proxy to a remote DNS-Server. And socat can do simple traffic encryption. These three (polipo, DNS2SOCKS, socat) when combined, allow to send encrypted DNSSEC based DNS queries to remote DNS-Servers via Tor-proxy, when remote DNS-Server is also pre-configured to support such "socat" based traffic decryption. Even better is to use one local Unbound or DNSSEC-Trigger based DNS-Server, and attach with virtual/tap network interface, and send DNS traffics via Tor-proxy using a SSH based (virtual/tap) ethernet to SOCKS forwarding tunnel, (with DNS-Server's own encryption feature enabled (for double-layer of encryption) or disabled, and) with TCP-only upstream traffic feature enabled, to another remote SSH based SOCKS to ethernet decryption process, where a local "Unbound"/"DNSSEC-Trigger" based DNS-Server running in remote-side & DNS-Server is attached with another virtual/tap ethernet.

End of "PGP/GPG via Polipo-to-SOCKS on Windows" section.

End of "polipo" section.

End of page.