[Whonix-devel] [qubes-devel] Re: Circuit isolating proxy?

• Previous message: [Whonix-devel] [qubes-devel] Re: Circuit isolating proxy?
• Next message: [Whonix-devel] [Tails-dev] Tails control port filter proxy in Whonix?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

William Budington:
> Since the browser is such a large attack surface, for whonix-ws VMs
> which only use Tor Browser, I wonder if access to the control port
> could be fully denied?  It seems so.  Since the Tor Launcher isn't
> actually bootstrapping tor, the control port is only used for the
> "New Identity" functionality, so you'll lose that.  But if you kill
> the `socat` process forwarding 9151, the browser seems to work fine.

[Btw to kill all socat for testing one can use: "sudo service
anon-ws-disable-stacked-tor stop"]

> It seems like the "New Identity" functionality could be implemented
> on the whonix-gw side:
> https://blog.torproject.org/category/tags/new-identity
> 
> Looks like the Tor Browser use of the control port isn't going away,
> though.  And in fact may be increasing in the future:
> https://trac.torproject.org/projects/tor/ticket/9675

Yes. That's why we have the filter.

Btw the full rationale can be found here:
https://www.whonix.org/wiki/Dev/Control_Port_Filter_Proxy

Best regards,
Patrick

• Previous message: [Whonix-devel] [qubes-devel] Re: Circuit isolating proxy?
• Next message: [Whonix-devel] [Tails-dev] Tails control port filter proxy in Whonix?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]