From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail From: Philip Kaludercic Newsgroups: gmane.emacs.devel Subject: Re: Making package.el talk over Tor Date: Sun, 17 Dec 2023 11:51:50 +0000 Message-ID: <87zfy9kpwp.fsf@posteo.net> References: <8734ybkqf4.fsf@disroot.org> <87sf54q2t8.fsf@posteo.net> <87o7etlzx7.fsf@posteo.net> Mime-Version: 1.0 Content-Type: text/plain Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214"; logging-data="35182"; mail-complaints-to="usenet@ciao.gmane.io" Cc: akib@disroot.org, emacs-devel@gnu.org To: Richard Stallman Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Sun Dec 17 12:52:26 2023 Return-path: Envelope-to: ged-emacs-devel@m.gmane-mx.org Original-Received: from lists.gnu.org ([209.51.188.17]) by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1rEph3-0008xR-Qx for ged-emacs-devel@m.gmane-mx.org; Sun, 17 Dec 2023 12:52:26 +0100 Original-Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1rEpge-0006Ly-96; Sun, 17 Dec 2023 06:52:00 -0500 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1rEpgc-0006Ll-E2 for emacs-devel@gnu.org; Sun, 17 Dec 2023 06:51:58 -0500 Original-Received: from mout01.posteo.de ([185.67.36.65]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1rEpgZ-0008Fc-0i for emacs-devel@gnu.org; Sun, 17 Dec 2023 06:51:57 -0500 Original-Received: from submission (posteo.de [185.67.36.169]) by mout01.posteo.de (Postfix) with ESMTPS id 5872D24002A for ; Sun, 17 Dec 2023 12:51:51 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.net; s=2017; t=1702813911; bh=S5UMrxtd6zOb2MCn2bKT88EfMG7NOa7/BmvLD2bbk98=; h=From:To:Cc:Subject:Autocrypt:Date:Message-ID:MIME-Version:From; b=otHj3LbexBuA5nGyO5gqdw4m8zBhbxFRqfoqmqQo1CTJR+lOk5VWrdGu6GuenPg5c 3paP32/cWVQUqnzr/W2ZjsYSd7pbTmBmyXO51BsCSQc9ufuivN1UebQMGTBnm5nnrk CBJ7qOTYV/aYkcbnT5L8NlOfTdVH5RvWuTXwfmNlP51XPE9WXkZUVFnOgbIets187o YTi5491YVaJFVinJN/Hu3oFLDEC/cSDb17Iyfd2Qa2SHug7CU6BaTKIPnpezxjrWb+ WwinzFwvKoccVhvjUatO2yLLmFHxlfEKmtshq6Qw+01KuljmNtZV3Hn9cTX8Ml4Ca+ ipQlrodDgPiBg== Original-Received: from customer (localhost [127.0.0.1]) by submission (posteo.de) with ESMTPSA id 4StLsL3kcFz6txT; Sun, 17 Dec 2023 12:51:50 +0100 (CET) In-Reply-To: (Richard Stallman's message of "Sat, 16 Dec 2023 22:21:13 -0500") X-Hashcash: 1:20:231217:emacs-devel@gnu.org::mKnUQyNKpQzxi0Lw:PTf X-Hashcash: 1:20:231217:akib@disroot.org::d19RpxYS844eZuv9:0WhD X-Hashcash: 1:20:231217:rms@gnu.org::LrsWBiLHOn4VvaA7:5ZZ Autocrypt: addr=philipk@posteo.net; keydata= mDMEZBBQQhYJKwYBBAHaRw8BAQdAHJuofBrfqFh12uQu0Yi7mrl525F28eTmwUDflFNmdui0QlBo aWxpcCBLYWx1ZGVyY2ljIChnZW5lcmF0ZWQgYnkgYXV0b2NyeXB0LmVsKSA8cGhpbGlwa0Bwb3N0 ZW8ubmV0PoiWBBMWCAA+FiEEDg7HY17ghYlni8XN8xYDWXahwukFAmQQUEICGwMFCQHhM4AFCwkI BwIGFQoJCAsCBBYCAwECHgECF4AACgkQ8xYDWXahwulikAEA77hloUiSrXgFkUVJhlKBpLCHUjA0 mWZ9j9w5d08+jVwBAK6c4iGP7j+/PhbkxaEKa4V3MzIl7zJkcNNjHCXmvFcEuDgEZBBQQhIKKwYB BAGXVQEFAQEHQI5NLiLRjZy3OfSt1dhCmFyn+fN/QKELUYQetiaoe+MMAwEIB4h+BBgWCAAmFiEE Dg7HY17ghYlni8XN8xYDWXahwukFAmQQUEICGwwFCQHhM4AACgkQ8xYDWXahwukm+wEA8cml4JpK NeAu65rg+auKrPOP6TP/4YWRCTIvuYDm0joBALw98AMz7/qMHvSCeU/hw9PL6u6R2EScxtpKnWof z4oM Received-SPF: pass client-ip=185.67.36.65; envelope-from=philipk@posteo.net; helo=mout01.posteo.de X-Spam_score_int: -53 X-Spam_score: -5.4 X-Spam_bar: ----- X-Spam_report: (-5.4 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H5=-1, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=unavailable autolearn_force=no X-Spam_action: no action X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Xref: news.gmane.io gmane.emacs.devel:313917 Archived-At: Richard Stallman writes: > [[[ To any NSA and FBI agents reading my email: please consider ]]] > [[[ whether defending the US Constitution against all enemies, ]]] > [[[ foreign or domestic, requires you to follow Snowden's example. ]]] > > > 185.220.101.26 - - [14/Dec/2023:13:04:00 +0100] "GET /test HTTP/1.1" 301 169 "https://amodernist.com/" "URL/Emacs Emacs/30.0.50 (PureGTK; x86_64-pc-linux-gnu)" > > > As you can see the User-Agent indicates that I am using Emacs, what > > version and even my architecture. Compare that to the user agent that > > you'd regularly encounter from an average browser: > > We should (1) let users specify what User-Agent to send, That is already possible using the `url-user-agent' user option. > and (2) maybe > choose a different default. 1+ > Icecat, by default, identifies itself as some widely used proprietary > browser running on Windows. While helpful, it could also be dangerous if the server decides to send the user content that only a widely used proprietary browser running on Windows could process. > > Other than the user-agent, there are certainly other bits of behaviour > > that a malicious actor can use to track a user, such as the order in > > which HTTP headers are transmitted, the size of chunks by which the > > client sends and receives data and of course what requests aren't being > > sent (e.g. due to a lack of Javascript in EWW). > > We could work on making Emacs-based browsing more similar to the most > common browsers, in such aspects of visible behavior. > > > and of course what requests aren't being > > sent (e.g. due to a lack of Javascript in EWW). > > Compareed with the harm done by _running_ the page's Javascript, > giving evidence of not running Javascript is arguably a far lesser > evil. The way I see this, this is a security/privacy vs freedom issue. If you really want to blend in, you have to behave the way most people do. > That said, one important method for preventing sites from effectively > profiling you is to connect to them through Tor. In fact, connecting > directly enables OTHERS that observe your network traffic to figure > out what you are talking to! Tor hides your IP address, in which sense it acts like a trusted VPN service, but I am just trying to emphasise that (in general) just using Tor as a transport layer can give users a false sense of security. > That is why I want to connect to the Emacs package repo via Tor. > I am not worried about being profiled by the Emacs package repo! > > More generally, if all that distinguishes you in the actual > interaction with a site is that you don't run the Javascript, and you > connect through Tor, whatever site you are talking to will have > trouble distinguishing you from other users that don't run the > Javascript. True, but considering how infrequent this is on a global scale, "no Javascript" still holds a lot of information. > > That being said: All of this doesn't matter that much for package.el, > > since most people are accessing it via Emacs. > > I agree. However, these issues may have some real importance for the case > of using EWW to look at pages _other than_ the Emacs package repo. Right, that is where my concerns from above apply. Richard Stallman writes: > [[[ To any NSA and FBI agents reading my email: please consider ]]] > [[[ whether defending the US Constitution against all enemies, ]]] > [[[ foreign or domestic, requires you to follow Snowden's example. ]]] > > > If you have a Tor daemon running on your system, it should provide a > > SOCKS proxy by default, > > I believe it does that. > > meaning that you can configure every package > > that uses url.el to go through this proxy (unless I have misunderstood > > something): > > Maybe that is possible. But I know very little about sockets or how > to use them. I would appreciate precise advice about what I should do > to tell package.el to connect using Tor. That was the code you quoted below with `url-gateway-method'. > You sent this code > > (let ((conn > (open-network-stream > "test" (current-buffer) "gnu.org" "http" > :type 'shell > :shell-command "torsocks nc %s %p"))) > (process-send-string conn "GET / HTTP/1.0\r\n\r\n")) > > but I don't think that is a solution ready to use. It looks like a > proposed approach for designing that solution. > > Also, the end of your message MAY mean that this approach is not > applicable to package.el. Yes, this was just a proof of concept integrating torsocks into a network connection open from within Emacs. > > If you have a Tor daemon running on your system, it should provide a > > SOCKS proxy by default, meaning that you can configure every package > > that uses url.el to go through this proxy (unless I have misunderstood > > something): > > > --8<---------------cut here---------------start------------->8--- > > (setq url-gateway-method 'socks > > socks-server '("Tor" "localhost" 9050 5)) > > --8<---------------cut here---------------end--------------->8--- > > > That being said, while testing I noticed that when connecting to a > > server I have access to, I always receive two requests, one from a Tor > > exit node and one from my current IP address. Unless I missed something > > obvious, that might be a bug. > > I await word about further progress. I will try and look into if I am mis-configuring something, and otherwise report a bug. > When I know enough to be able to do it, I will add a feature to > package.el for a user option to tell it to go through Tor always. Stefan Kangas writes: > Richard Stallman writes: > >> > 185.220.101.26 - - [14/Dec/2023:13:04:00 +0100] "GET /test >> > HTTP/1.1" 301 169 "https://amodernist.com/" "URL/Emacs >> > Emacs/30.0.50 (PureGTK; x86_64-pc-linux-gnu)" >> >> > As you can see the User-Agent indicates that I am using Emacs, what >> > version and even my architecture. Compare that to the user agent that >> > you'd regularly encounter from an average browser: >> >> We should (1) let users specify what User-Agent to send, and (2) maybe >> choose a different default. >> >> Icecat, by default, identifies itself as some widely used proprietary >> browser running on Windows. > > Should we bump the default to 'paranoid'? Do what icecat does? That wouldn't send any Use-Agent header at all, which is still fingerprintable. Richard mentioned that Icecat uses a false user agent like Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.3 but that would have to be updated on a regular basis, to keep up with whatever is being used. That being said, I don't believe that this is enough, if we take the threat model into account that a Tor user is operating under. In their case, it probably is the best to just use the Tor Browser. > Does the remote ever need to know if we're using X11 or PureGTK? > I think they don't, and we should never add that information, in any > configuration. Yes, it might make sense to just add `os' to `url-privacy-level'. >> > Other than the user-agent, there are certainly other bits of behaviour >> > that a malicious actor can use to track a user, such as the order in >> > which HTTP headers are transmitted, the size of chunks by which the >> > client sends and receives data and of course what requests aren't being >> > sent (e.g. due to a lack of Javascript in EWW). >> >> We could work on making Emacs-based browsing more similar to the most >> common browsers, in such aspects of visible behavior. > > If you are very concerned about your privacy, it's probably better to > browse the web using the Tor web browser and eschew Emacs altogether. > > How about telling users about this in the EWW manual? 1+ -- Philip Kaludercic