System-wide Tor support proposal
This is a proposal on ways to integrate Tor in Debian to increase security.
The problem: Installing Tor and torifying the existing applications is a non-trivial task and it's currently left to the user. Detecting and preventing leaks requires a lot of effort due to the number of network-enabled applications running on the average system, especially desktops.
Use cases:
- $user runs many network-enabled applications, including some cron-based "updaters" she's not aware of. $user travels to an airport/hotel/conference/country with a potentially hostile network. $user wants to use her regular environment instead of Tails. She switches a "torify everything" global setting knowing that any Tor-capable application will now use Tor and other applications will be prevented from leaking traffic.
- Appliance developers (e.g. FreedomBox contributors) want to enable "torify everything" by default and let users opt out if they wish.
Requirements:
- Globally torify applications
- Drop non-Tor traffic when enabled
- Do not perform transparent proxying
- Torify applications selectively [optional]
- Warn users when traffic is being dropped [optional]
Implementation
Version 1:
A script is used to set up a firewall to drop non-Tor traffic. A wrapper is used to set an environment variable to proxy *only* a set of whitelisted "Tor-safe" applications.
    export http_proxy=http://........./
    export https_proxy=$http_proxy
    export no_proxy="localhost,127.0.0.1,localaddress,.localdomain.com"
The whitelist is maintained by the developers of the script.
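A sketch of how the Version 1 wrapper and firewall script could fit together. This is an added example, not code from the proposal. The proxy address, the debian-tor account name, the sample whitelist and all function names are assumptions.

```shell
#!/bin/sh
# Added sketch of "Version 1"; every name and default here is an assumption.
TOR_PROXY="${TOR_PROXY:-http://127.0.0.1:8118/}"  # placeholder local proxy in front of Tor
TOR_USER="${TOR_USER:-debian-tor}"                # account the Tor daemon runs as
TOR_SAFE_APPS="${TOR_SAFE_APPS:-curl wget}"       # constructed sample whitelist

# Succeeds only if the command's basename is on the whitelist.
is_tor_safe() {
    name=${1##*/}
    for app in $TOR_SAFE_APPS; do
        [ "$app" = "$name" ] && return 0
    done
    return 1
}

# Run a whitelisted command with the proxy variables set; refuse anything else.
tor_wrap() {
    if ! is_tor_safe "$1"; then
        echo "tor_wrap: '$1' is not whitelisted as Tor-safe, not started" >&2
        return 126
    fi
    http_proxy="$TOR_PROXY" https_proxy="$TOR_PROXY" \
    no_proxy="localhost,127.0.0.1" "$@"
}

# Print (do not apply) the rules: only loopback and the Tor daemon may send.
# No nat/REDIRECT rules are emitted, so nothing is transparently proxied.
# The LOG rule gives a hook for the optional "warn users" requirement.
firewall_rules() {
    cat <<EOF
iptables -F OUTPUT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner $TOR_USER -j ACCEPT
iptables -A OUTPUT -j LOG --log-prefix "non-tor-drop: "
iptables -A OUTPUT -j DROP
ip6tables -F OUTPUT
ip6tables -A OUTPUT -o lo -j ACCEPT
ip6tables -A OUTPUT -j DROP
EOF
}
```

The whitelist check matches on command name only, so the firewall rules, not the wrapper, are what prevent leaks. Review the output of firewall_rules before piping it to a root shell.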
Version 2:
Tor-safe applications are packaged with a new field in the debian/control file or a dedicated "tor.conf" configuration file to instruct the wrapper on the right way to torify them.
Some applications might be designed to behave differently depending on whether they are going through a regular proxy or Tor (e.g. disable unsafe features/plugins, mangle/hide timestamps...).