Re: Making package.el talk over Tor

[Philip Kaludercic <philipk@posteo.net>]

Richard Stallman <rms@gnu.org> writes:

> [[[ To any NSA and FBI agents reading my email: please consider    ]]]
> [[[ whether defending the US Constitution against all enemies,     ]]]
> [[[ foreign or domestic, requires you to follow Snowden's example. ]]]
>
>   > 185.220.101.26 - - [14/Dec/2023:13:04:00 +0100] "GET /test HTTP/1.1" 301 169 "https://amodernist.com/" "URL/Emacs Emacs/30.0.50 (PureGTK; x86_64-pc-linux-gnu)"
>
>   > As you can see the User-Agent indicates that I am using Emacs, what
>   > version and even my architecture.  Compare that to the user agent that
>   > you'd regularly encounter from an average browser:
>
> We should (1) let users specify what User-Agent to send, 

That is already possible using the `url-user-agent' user option.

>                                                          and (2) maybe
> choose a different default.

1+

> Icecat, by default, identifies itself as some widely used proprietary
> browser running on Windows.

While helpful, it could also be dangerous if the server decides to send
the user content that only a widely used proprietary browser running on
Windows could process.

>   > Other than the user-agent, there are certainly other bits of behaviour
>   > that a malicious actor can use to track a user, such as the order in
>   > which HTTP headers are transmitted, the size of chunks by which the
>   > client sends and receives data and of course what requests aren't being
>   > sent (e.g. due to a lack of Javascript in EWW).
>
> We could work on making Emacs-based browsing more similar to the most
> common browsers, in such aspects of visible behavior.
>
>   >  and of course what requests aren't being
>   > sent (e.g. due to a lack of Javascript in EWW).
>
> Compareed with the harm done by _running_ the page's Javascript,
> giving evidence of not running Javascript is arguably a far lesser
> evil.

The way I see this, this is a security/privacy vs freedom issue.  If you
really want to blend in, you have to behave the way most people do.

> That said, one important method for preventing sites from effectively
> profiling you is to connect to them through Tor.  In fact, connecting
> directly enables OTHERS that observe your network traffic to figure
> out what you are talking to!

Tor hides your IP address, in which sense it acts like a trusted VPN
service, but I am just trying to emphasise that (in general) just using
Tor as a transport layer can give users a false sense of security.

> That is why I want to connect to the Emacs package repo via Tor.
> I am not worried about being profiled by the Emacs package repo!
>
> More generally, if all that distinguishes you in the actual
> interaction with a site is that you don't run the Javascript, and you
> connect through Tor, whatever site you are talking to will have
> trouble distinguishing you from other users that don't run the
> Javascript.

True, but considering how infrequent this is on a global scale, "no
Javascript" still holds a lot of information.

>   > That being said: All of this doesn't matter that much for package.el,
>   > since most people are accessing it via Emacs.
>
> I agree.  However, these issues may have some real importance for the case
> of using EWW to look at pages _other than_ the Emacs package repo.

Right, that is where my concerns from above apply.

Richard Stallman <rms@gnu.org> writes:

> [[[ To any NSA and FBI agents reading my email: please consider    ]]]
> [[[ whether defending the US Constitution against all enemies,     ]]]
> [[[ foreign or domestic, requires you to follow Snowden's example. ]]]
>
>   > If you have a Tor daemon running on your system, it should provide a
>   > SOCKS proxy by default,
>
> I believe it does that.
>
>                             meaning that you can configure every package
>   > that uses url.el to go through this proxy (unless I have misunderstood
>   > something):
>
> Maybe that is possible.  But I know very little about sockets or how
> to use them.  I would appreciate precise advice about what I should do
> to tell package.el to connect using Tor.

That was the code you quoted below with `url-gateway-method'.

> You sent this code
>
>     (let ((conn
>            (open-network-stream
>             "test" (current-buffer) "gnu.org" "http"
>             :type 'shell
>             :shell-command "torsocks nc %s %p")))
>       (process-send-string conn "GET / HTTP/1.0\r\n\r\n"))
>
> but I don't think that is a solution ready to use.  It looks like a
> proposed approach for designing that solution.
>
> Also, the end of your message MAY mean that this approach is not
> applicable to package.el.

Yes, this was just a proof of concept integrating torsocks into a
network connection open from within Emacs.

>   > If you have a Tor daemon running on your system, it should provide a
>   > SOCKS proxy by default, meaning that you can configure every package
>   > that uses url.el to go through this proxy (unless I have misunderstood
>   > something):
>
>   > --8<---------------cut here---------------start------------->8---
>   > (setq url-gateway-method 'socks
>   >       socks-server '("Tor" "localhost" 9050 5))
>   > --8<---------------cut here---------------end--------------->8---
>
>   > That being said, while testing I noticed that when connecting to a
>   > server I have access to, I always receive two requests, one from a Tor
>   > exit node and one from my current IP address.  Unless I missed something
>   > obvious, that might be a bug.
>
> I await word about further progress.

I will try and look into if I am mis-configuring something, and
otherwise report a bug.

> When I know enough to be able to do it, I will add a feature to
> package.el for a user option to tell it to go through Tor always.

Stefan Kangas <stefankangas@gmail.com> writes:

> Richard Stallman <rms@gnu.org> writes:
>
>>   > 185.220.101.26 - - [14/Dec/2023:13:04:00 +0100] "GET /test
>>   > HTTP/1.1" 301 169 "https://amodernist.com/" "URL/Emacs
>>   > Emacs/30.0.50 (PureGTK; x86_64-pc-linux-gnu)"
>>
>>   > As you can see the User-Agent indicates that I am using Emacs, what
>>   > version and even my architecture.  Compare that to the user agent that
>>   > you'd regularly encounter from an average browser:
>>
>> We should (1) let users specify what User-Agent to send, and (2) maybe
>> choose a different default.
>>
>> Icecat, by default, identifies itself as some widely used proprietary
>> browser running on Windows.
>
> Should we bump the default to 'paranoid'?  Do what icecat does?

That wouldn't send any Use-Agent header at all, which is still
fingerprintable.  Richard mentioned that Icecat uses a false user agent like

  Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.3

but that would have to be updated on a regular basis, to keep up with
whatever is being used.  That being said, I don't believe that this is
enough, if we take the threat model into account that a Tor user is
operating under.  In their case, it probably is the best to just use the
Tor Browser.

> Does the remote ever need to know if we're using X11 or PureGTK?
> I think they don't, and we should never add that information, in any
> configuration.

Yes, it might make sense to just add `os' to `url-privacy-level'.

>>   > Other than the user-agent, there are certainly other bits of behaviour
>>   > that a malicious actor can use to track a user, such as the order in
>>   > which HTTP headers are transmitted, the size of chunks by which the
>>   > client sends and receives data and of course what requests aren't being
>>   > sent (e.g. due to a lack of Javascript in EWW).
>>
>> We could work on making Emacs-based browsing more similar to the most
>> common browsers, in such aspects of visible behavior.
>
> If you are very concerned about your privacy, it's probably better to
> browse the web using the Tor web browser and eschew Emacs altogether.
>
> How about telling users about this in the EWW manual?

1+

-- 
Philip Kaludercic