[guardian-dev] Tor isolating proxy - or how to prevent "friendly fire"

Timur Mehrvarz timur.mehrvarz at riseup.net
Fri Jan 10 04:38:14 EST 2014


On 09.01.2014 02:05, Tom Ritter wrote:
> 
> I generally do this by using iptables and a bridge IP, block all access
> to anything but the bridge.
> 
> ...
> 
> https://github.com/iSECPartners/LibTech-Auditing-Cheatsheet/blob/master/README.md#appendix-a-examining-an-application-for-proxy-leaks
> 

I think I prefer the Isolating Proxy (1) approach: "An Isolating Proxy
requires at least two machines." "The Gateway is solely used to run Tor
and has two network interfaces."

A setup like this does not require root (nor any iptables mods) on the
"Workstation" device. And the "Gateway" device can be a mobile device
also. Why not?

One related issue:

The TransparentProxyLeaks document (2) mentions serial numbers in
software. How can I make sure Firefox on Android won't leak such unique
data? As mentioned before, I am unable to stop
org.mozilla.firefox.UpdateService from executing, despite "Automatic
updates" being turned off in the UI. And some "Health service" seems to
run occasionally, despite being turned off as well. Do I have to build
my own, non-chatty version of FF (aka "Tor browser")?


(1)
https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IsolatingProxy
(2)
https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxyLeaks#Linux


