* Recommendations for browsing via Tor pre tor-browser?
@ 2018-07-12 17:03 Christopher Lemmer Webber
  2018-07-12 17:46 ` Arun Isaac
                   ` (3 more replies)
  0 siblings, 4 replies; 16+ messages in thread
From: Christopher Lemmer Webber @ 2018-07-12 17:03 UTC (permalink / raw)
  To: help-guix

Anyone have recommendations on how they're doing web browsing via Tor,
sans tor-browser?  In the interim I have been using the more
lightweight, non-js using browsers like links.

What are you doing in the interim?  icecat with a set of extensions?
Or?

^ permalink raw reply	[flat|nested] 16+ messages in thread

* Re: Recommendations for browsing via Tor pre tor-browser?
  2018-07-12 17:03 Recommendations for browsing via Tor pre tor-browser? Christopher Lemmer Webber
@ 2018-07-12 17:46 ` Arun Isaac
  2018-07-13 10:56   ` Ricardo Wurmus
  2018-07-13  9:41 ` Ludovic Courtès
                   ` (2 subsequent siblings)
  3 siblings, 1 reply; 16+ messages in thread
From: Arun Isaac @ 2018-07-12 17:46 UTC (permalink / raw)
  To: Christopher Lemmer Webber, help-guix


> What are you doing in the interim?  icecat with a set of extensions?

I run `tor' from the command line. It opens up a SOCKS proxy at port
9050. I set that proxy in Icecat and use it along with Private Browsing
mode. I use the extension "MM3-ProxySwitch" to make switching proxies
convenient. I use an old version of uMatrix to block javascript. When
last I checked (many months back), the latest version of uMatrix wasn't
working in our Icecat. I also use the extension "Self-Destructing
Cookies" to automatically cleanup cookies once I don't need them (after
I close the tab of a website).

^ permalink raw reply	[flat|nested] 16+ messages in thread

* Re: Recommendations for browsing via Tor pre tor-browser?
  2018-07-12 17:03 Recommendations for browsing via Tor pre tor-browser? Christopher Lemmer Webber
  2018-07-12 17:46 ` Arun Isaac
@ 2018-07-13  9:41 ` Ludovic Courtès
  2018-07-13 12:57   ` Christopher Lemmer Webber
  2018-07-16 22:06 ` Nils Gillmann
  2018-07-19  9:08 ` Devan Carpenter
  3 siblings, 1 reply; 16+ messages in thread
From: Ludovic Courtès @ 2018-07-13  9:41 UTC (permalink / raw)
  To: Christopher Lemmer Webber; +Cc: help-guix

Christopher Lemmer Webber <cwebber@dustycloud.org> skribis:

> Anyone have recommendations on how they're doing web browsing via Tor,
> sans tor-browser?  In the interim I have been using the more
> lightweight, non-js using browsers like links.

I use Privoxy, and as written in the ‘privoxy.conf’ example, I have:

         forward-socks5   /               127.0.0.1:9050 .

where Tor is listening on port 9050 (I use the Tor service of GuixSD.)

Ludo’.

^ permalink raw reply	[flat|nested] 16+ messages in thread

* Re: Recommendations for browsing via Tor pre tor-browser?
  2018-07-12 17:46 ` Arun Isaac
@ 2018-07-13 10:56   ` Ricardo Wurmus
  2018-07-13 11:02     ` Arun Isaac
  0 siblings, 1 reply; 16+ messages in thread
From: Ricardo Wurmus @ 2018-07-13 10:56 UTC (permalink / raw)
  To: Arun Isaac; +Cc: help-guix


Arun Isaac <arunisaac@systemreboot.net> writes:

>> What are you doing in the interim?  icecat with a set of extensions?
>
> I run `tor' from the command line. It opens up a SOCKS proxy at port
> 9050.

On GuixSD you can use the tor-service instead.

-- 
Ricardo

^ permalink raw reply	[flat|nested] 16+ messages in thread

* Re: Recommendations for browsing via Tor pre tor-browser?
  2018-07-13 10:56   ` Ricardo Wurmus
@ 2018-07-13 11:02     ` Arun Isaac
  0 siblings, 0 replies; 16+ messages in thread
From: Arun Isaac @ 2018-07-13 11:02 UTC (permalink / raw)
  To: Ricardo Wurmus; +Cc: help-guix


>>> What are you doing in the interim?  icecat with a set of extensions?
>>
>> I run `tor' from the command line. It opens up a SOCKS proxy at port
>> 9050.
>
> On GuixSD you can use the tor-service instead.

Ah, that's nice. I didn't think of that! Thank you!

^ permalink raw reply	[flat|nested] 16+ messages in thread

* Re: Recommendations for browsing via Tor pre tor-browser?
  2018-07-13  9:41 ` Ludovic Courtès
@ 2018-07-13 12:57   ` Christopher Lemmer Webber
  2018-07-19  6:52     ` Chris Marusich
  0 siblings, 1 reply; 16+ messages in thread
From: Christopher Lemmer Webber @ 2018-07-13 12:57 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: help-guix

Ludovic Courtès writes:

> Christopher Lemmer Webber <cwebber@dustycloud.org> skribis:
>
>> Anyone have recommendations on how they're doing web browsing via Tor,
>> sans tor-browser?  In the interim I have been using the more
>> lightweight, non-js using browsers like links.
>
> I use Privoxy, and as written in the ‘privoxy.conf’ example, I have:
>
>          forward-socks5   /               127.0.0.1:9050 .
>
> where Tor is listening on port 9050 (I use the Tor service of GuixSD.)
>
> Ludo’.

I wonder if localhost + port is a good idea for tor or really any other
service.  Our experience with the confused deputy attack against guile's
live REPL makes me suspicious of anything that's localhost + port.

I notice that the Tor configuration file supports a unix domain socket:

       ControlSocket Path
           Like ControlPort, but listens on a Unix domain socket, rather than a TCP socket.  0 disables
           ControlSocket (Unix and Unix-like systems only.)

I wonder if that would be safer?  WDYT?

^ permalink raw reply	[flat|nested] 16+ messages in thread

* Re: Recommendations for browsing via Tor pre tor-browser?
  2018-07-12 17:03 Recommendations for browsing via Tor pre tor-browser? Christopher Lemmer Webber
  2018-07-12 17:46 ` Arun Isaac
  2018-07-13  9:41 ` Ludovic Courtès
@ 2018-07-16 22:06 ` Nils Gillmann
  2018-07-19  9:08 ` Devan Carpenter
  3 siblings, 0 replies; 16+ messages in thread
From: Nils Gillmann @ 2018-07-16 22:06 UTC (permalink / raw)
  To: Christopher Lemmer Webber; +Cc: help-guix

Christopher Lemmer Webber transcribed 254 bytes:
> Anyone have recommendations on how they're doing web browsing via Tor,
> sans tor-browser?  In the interim I have been using the more
> lightweight, non-js using browsers like links.
> 
> What are you doing in the interim?  icecat with a set of extensions?
> Or?
> 
I am cheating: I use torbrowser unwrapped, compiled by nix.
Icecat with proxy works probably.

^ permalink raw reply	[flat|nested] 16+ messages in thread

* Re: Recommendations for browsing via Tor pre tor-browser?
  2018-07-13 12:57   ` Christopher Lemmer Webber
@ 2018-07-19  6:52     ` Chris Marusich
  2018-07-19 16:23       ` Christopher Lemmer Webber
  0 siblings, 1 reply; 16+ messages in thread
From: Chris Marusich @ 2018-07-19  6:52 UTC (permalink / raw)
  To: Christopher Lemmer Webber; +Cc: help-guix

Christopher Lemmer Webber <cwebber@dustycloud.org> writes:

> Ludovic Courtès writes:
>
>> Christopher Lemmer Webber <cwebber@dustycloud.org> skribis:
>>
>>> Anyone have recommendations on how they're doing web browsing via Tor,
>>> sans tor-browser?  In the interim I have been using the more
>>> lightweight, non-js using browsers like links.
>>
>> I use Privoxy, and as written in the ‘privoxy.conf’ example, I have:
>>
>>          forward-socks5   /               127.0.0.1:9050 .
>>
>> where Tor is listening on port 9050 (I use the Tor service of GuixSD.)
>>
>> Ludo’.
>
> I wonder if localhost + port is a good idea for tor or really any other
> service.  Our experience with the confused deputy attack against guile's
> live REPL makes me suspicious of anything that's localhost + port.
>
> I notice that the Tor configuration file supports a unix domain socket:
>
>        ControlSocket Path
>            Like ControlPort, but listens on a Unix domain socket, rather than a TCP socket.  0 disables
>            ControlSocket (Unix and Unix-like systems only.)
>
> I wonder if that would be safer?  WDYT?

I know what you mean, but I think having TOR listen on localhost is
safer than having a Guile REPL listen on localhost.  In the case of
Guile, the risk is arbitrary code execution.  In the case of TOR, I
suppose the risks might be that an attacker would be able to make
requests over TOR from your machine.  Perhaps by making such requests,
they might also be able to infer that you are using TOR (although it's
already possible to determine that a person is using TOR simply by
watching their IP traffic).  In any case, since TOR is functioning as a
proxy, not a Turing-complete programming language, the things an
attacker could do or learn by making requests from your machine to the
localhost TOR seem limited.  Compared to the risk of arbitrary code
execution, it seems much safer to me.

I run the TOR service on GuixSD, and I manually tell IceCat to use it as
a SOCKS5 proxy.  You can configure this in the "Advanced" section of the
"Preferences" menu.  IceCat also lets you send DNS requests over the
SOCKS5 proxy, which increases your privacy.  Unlike Ludo, I don't
currently use Privoxy; I just have some extensions installed that I
think are probably helpful (SpyBlock, HTTPS Everywhere, Privacy Badger,
NoScript).

I don't know if IceCat or Firefox supports a proxy via a UNIX domain
socket; I'd be curious to know if it did!

-- 
Chris

^ permalink raw reply	[flat|nested] 16+ messages in thread

* Re: Recommendations for browsing via Tor pre tor-browser?
  2018-07-12 17:03 Recommendations for browsing via Tor pre tor-browser? Christopher Lemmer Webber
                   ` (2 preceding siblings ...)
  2018-07-16 22:06 ` Nils Gillmann
@ 2018-07-19  9:08 ` Devan Carpenter
  2018-07-19 16:24   ` Christopher Lemmer Webber
  3 siblings, 1 reply; 16+ messages in thread
From: Devan Carpenter @ 2018-07-19  9:08 UTC (permalink / raw)
  To: Christopher Lemmer Webber; +Cc: help-guix

Please keep in mind that none of the interim solutions are safe compared
to tor-browser. Even using icecat with NoJS & self-destructing cookies
(which are both extensions you absolutely should have, if you're going to 
use icecat over Tor) it still is inferior. One of the nicest things
about tor-browser that is missing from every other browser is its tab
isolation. Every tab you have open is an isolated session, with no
shared cookies (and even different tor circuits iirc). This way you
can't be tracked across websites by your cookies.

There are some other anonymizing features that I forget now, but that's
the main one which stands out, and the point is that you should be very
cautious using another browser via Tor.

Christopher Lemmer Webber transcribed 254 bytes:
> Anyone have recommendations on how they're doing web browsing via Tor,
> sans tor-browser?  In the interim I have been using the more
> lightweight, non-js using browsers like links.
> 
> What are you doing in the interim?  icecat with a set of extensions?
> Or?
> 

^ permalink raw reply	[flat|nested] 16+ messages in thread

* Re: Recommendations for browsing via Tor pre tor-browser?
  2018-07-19  6:52     ` Chris Marusich
@ 2018-07-19 16:23       ` Christopher Lemmer Webber
  2018-07-20  3:38         ` Chris Marusich
  0 siblings, 1 reply; 16+ messages in thread
From: Christopher Lemmer Webber @ 2018-07-19 16:23 UTC (permalink / raw)
  To: Chris Marusich; +Cc: help-guix

Chris Marusich writes:

> I know what you mean, but I think having TOR listen on localhost is
> safer than having a Guile REPL listen on localhost.  In the case of
> Guile, the risk is arbitrary code execution.  In the case of TOR, I
> suppose the risks might be that an attacker would be able to make
> requests over TOR from your machine.  Perhaps by making such requests,
> they might also be able to infer that you are using TOR (although it's
> already possible to determine that a person is using TOR simply by
> watching their IP traffic).  In any case, since TOR is functioning as a
> proxy, not a Turing-complete programming language, the things an
> attacker could do or learn by making requests from your machine to the
> localhost TOR seem limited.  Compared to the risk of arbitrary code
> execution, it seems much safer to me.

What about sending messages to a specific .onion address to unmask you?
If you send a unique request to http://foobarbaz.onion/?id=50108560 (or
ip=...) you might be able to associate a specific address.

It may be that this is not as easily possible since I suspect Tor is not
as susceptible to a line-oriented attack, so maybe it's not a concern...
I dunno.

^ permalink raw reply	[flat|nested] 16+ messages in thread

* Re: Recommendations for browsing via Tor pre tor-browser?
  2018-07-19  9:08 ` Devan Carpenter
@ 2018-07-19 16:24   ` Christopher Lemmer Webber
  0 siblings, 0 replies; 16+ messages in thread
From: Christopher Lemmer Webber @ 2018-07-19 16:24 UTC (permalink / raw)
  To: Devan Carpenter; +Cc: help-guix

Thanks for that information... yes, I've suspected that tor-browser
was doing something special that way...

Devan Carpenter writes:

> Please keep in mind that none of the interim solutions are safe compared
> to tor-browser. Even using icecat with NoJS & self-destructing cookies
> (which are both extensions you absolutely should have, if you're going to 
> use icecat over Tor) it still is inferior. One of the nicest things
> about tor-browser that is missing from every other browser is its tab
> isolation. Every tab you have open is an isolated session, with no
> shared cookies (and even different tor circuits iirc). This way you
> can't be tracked across websites by your cookies.
>
> There are some other anonymizing features that I forget now, but that's
> the main one which stands out, and the point is that you should be very
> cautious using another browser via Tor.
>
> Christopher Lemmer Webber transcribed 254 bytes:
>> Anyone have recommendations on how they're doing web browsing via Tor,
>> sans tor-browser?  In the interim I have been using the more
>> lightweight, non-js using browsers like links.
>> 
>> What are you doing in the interim?  icecat with a set of extensions?
>> Or?
>> 

^ permalink raw reply	[flat|nested] 16+ messages in thread

* Re: Recommendations for browsing via Tor pre tor-browser?
  2018-07-19 16:23       ` Christopher Lemmer Webber
@ 2018-07-20  3:38         ` Chris Marusich
  2018-07-20 16:11           ` Christopher Lemmer Webber
  2018-07-26 15:16           ` Ludovic Courtès
  0 siblings, 2 replies; 16+ messages in thread
From: Chris Marusich @ 2018-07-20  3:38 UTC (permalink / raw)
  To: Christopher Lemmer Webber; +Cc: Devan Carpenter, help-guix

Christopher Lemmer Webber <cwebber@dustycloud.org> writes:

> Chris Marusich writes:
>
>> I know what you mean, but I think having TOR listen on localhost is
>> safer than having a Guile REPL listen on localhost.  In the case of
>> Guile, the risk is arbitrary code execution.  In the case of TOR, I
>> suppose the risks might be that an attacker would be able to make
>> requests over TOR from your machine.  Perhaps by making such requests,
>> they might also be able to infer that you are using TOR (although it's
>> already possible to determine that a person is using TOR simply by
>> watching their IP traffic).  In any case, since TOR is functioning as a
>> proxy, not a Turing-complete programming language, the things an
>> attacker could do or learn by making requests from your machine to the
>> localhost TOR seem limited.  Compared to the risk of arbitrary code
>> execution, it seems much safer to me.
>
> What about sending messages to a specific .onion address to unmask you?
> If you send a unique request to http://foobarbaz.onion/?id=50108560 (or
> ip=...) you might be able to associate a specific address.
>
> It may be that this is not as easily possible since I suspect Tor is not
> as susceptible to a line-oriented attack, so maybe it's not a concern...
> I dunno.

I think you're right: the fact that a malicious actor can induce
requests to your localhost endpoint is cause for concern, even if the
exact methods of exploitation are not obvious.

I looked into this.  I learned that Firefox (and our IceCat) supports a
SOCKS proxy using UNIX domain sockets [1].  If you've started TOR with a
socks socket at /var/run/tor/socks-sock, you can tell IceCat (or
Firefox) to use it by entering the socket path as your SOCKS proxy.
Specifically, in the IceCat built by Guix, you would do this:

* Click on the "hamburger menu" in the upper right (the icon looks like
  three fat lines stacked on top of one another).
* Go to Preferences > Advanced > Connection > Settings.
* Select "Manual proxy configuration".
* Select SOCKS v5 (because v5, unlike v4, supports sending DNS queries
  through the SOCKS proxy).
* Enter "file:///var/run/tor/socks-sock" in the SOCKS Host field (no
  quotes required).  The UI still makes it seem like you need to enter a
  port, but you can put any value in here, and it won't matter, since
  UNIX domain sockets don't use ports.
* Scroll to the bottom and make sure "Proxy DNS when using SOCKS v5" is
  checked.
* Click OK.

Assuming that TOR is running and the permissions on its SOCKS socket
allow you access, you can browse to https://check.torproject.org/ and it
should tell you that you're connected over TOR.  You can also check the
TOR messages sent to /var/log/messages to confirm that stuff is
happening.

Since using a UNIX domain socket for TOR is probably better than using a
localhost endpoint, we should make it easy to run a configuration like
this via the tor-service.  Currently, it's a little awkward to do, since
to set it up, you need to arrange for the directory that contains the
socket to have certain permissions, or else TOR refuses to start.  If
nobody beats me to it, I could try my hand at this in a few days' time.

Devan Carpenter <mail@dvn.me> writes:

> Please keep in mind that none of the interim solutions are safe compared
> to tor-browser.
>
> [...]
>
> There are some other anonymizing features that I forget now, but that's
> the main one which stands out, and the point is that you should be very
> cautious using another browser via Tor.

For sure - I agree.  However, since we don't have TOR browser yet in
GuixSD, I think manually configuring IceCat to use the tor-service as a
SOCKSv5 proxy is better than nothing.  If we can do it over a UNIX
domain socket instead of via a localhost endpoint, so much the better.

Footnotes: 
[1]  https://trac.torproject.org/projects/tor/ticket/20111

-- 
Chris

^ permalink raw reply	[flat|nested] 16+ messages in thread
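
An added example, not part of the thread or of Guix: a small check for the Unix-domain-socket setup described in the message above, run as the user who will start the browser. It inspects the socket file and its directory, performs the SOCKS5 greeting over AF_UNIX, and shows the CONNECT request form that carries the hostname to the proxy. The function names and the world-writable-directory policy are assumptions of this example; the socket path is the one from the message.

```python
import os
import socket
import stat
import struct
import sys

# Socket path as given in the message above; adjust to match your torrc.
DEFAULT_SOCKET = "/var/run/tor/socks-sock"


def audit_socket_path(path):
    """Return a list of findings about the socket file and its directory."""
    try:
        st = os.stat(path)
    except OSError as exc:
        return [f"cannot stat {path}: {exc.strerror}"]
    findings = []
    if not stat.S_ISSOCK(st.st_mode):
        findings.append(f"{path} is not a Unix domain socket")
    parent = os.path.dirname(os.path.abspath(path))
    parent_mode = stat.S_IMODE(os.stat(parent).st_mode)
    # Policy assumed for this example: whoever can write to the directory
    # can swap the socket for their own listener, so flag world-writable.
    if parent_mode & stat.S_IWOTH:
        findings.append(f"{parent} is world-writable (mode {parent_mode:o})")
    # connect() on a Unix socket needs write permission on the socket file.
    if not os.access(path, os.W_OK):
        findings.append(f"current user lacks write access to {path}")
    return findings


def _recv_exact(sock, n):
    """Read up to n bytes, stopping early only if the peer closes."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def socks5_greeting(path, timeout=5.0):
    """Offer 'no authentication' over AF_UNIX; True if a SOCKS5 server accepts."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(path)
        s.sendall(b"\x05\x01\x00")  # VER=5, NMETHODS=1, METHOD=0 (RFC 1928)
        return _recv_exact(s, 2) == b"\x05\x00"


def build_connect_request(hostname, port):
    """Build a SOCKS5 CONNECT with ATYP=0x03 (domain name).

    Passing the name instead of a resolved IP leaves the DNS lookup to the
    proxy, which is what "Proxy DNS when using SOCKS v5" selects.
    """
    name = hostname.encode("idna")
    if not 0 < len(name) <= 255:
        raise ValueError("hostname must encode to 1..255 bytes")
    return (b"\x05\x01\x00\x03" + bytes([len(name)]) + name
            + struct.pack("!H", port))


def main(argv):
    path = argv[1] if len(argv) > 1 else DEFAULT_SOCKET
    findings = audit_socket_path(path)
    for finding in findings:
        print("WARN:", finding)
    try:
        ok = socks5_greeting(path)
    except OSError as exc:
        print(f"FAIL: could not talk SOCKS5 on {path}: {exc}")
        return 2
    print("OK: SOCKS5 listener answered" if ok else "FAIL: not a SOCKS5 reply")
    return 0 if ok and not findings else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Unlike a 127.0.0.1 port, access to the socket is decided by filesystem permissions, so the audit output is the thing to review when deciding which local users can reach the proxy.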

* Re: Recommendations for browsing via Tor pre tor-browser?
  2018-07-20  3:38         ` Chris Marusich
@ 2018-07-20 16:11           ` Christopher Lemmer Webber
  2018-07-21 14:53             ` Pierre Neidhardt
  2018-07-26 15:16           ` Ludovic Courtès
  1 sibling, 1 reply; 16+ messages in thread
From: Christopher Lemmer Webber @ 2018-07-20 16:11 UTC (permalink / raw)
  To: Chris Marusich; +Cc: Devan Carpenter, help-guix

Chris Marusich writes:

> I think you're right: the fact that a malicious actor can induce
> requests to your localhost endpoint is cause for concern, even if the
> exact methods of exploitation are not obvious.
>
> I looked into this.  I learned that Firefox (and our IceCat) supports a
> SOCKS proxy using UNIX domain sockets [1].  If you've started TOR with a
> socks socket at /var/run/tor/socks-sock, you can tell IceCat (or
> Firefox) to use it by entering the socket path as your SOCKS proxy.
> Specifically, in the IceCat built by Guix, you would do this:
>
> * Click on the "hamburger menu" in the upper right (the icon looks like
>   three fat lines stacked on top of one another).
> * Go to Preferences > Advanced > Connection > Settings.
> * Select "Manual proxy configuration".
> * Select SOCKS v5 (because v5, unlike v4, supports sending DNS queries
>   through the SOCKS proxy).
> * Enter "file:///var/run/tor/socks-sock" in the SOCKS Host field (no
>   quotes required).  The UI still makes it seem like you need to enter a
>   port, but you can put any value in here, and it won't matter, since
>   UNIX domain sockets don't use ports.
> * Scroll to the bottom and make sure "Proxy DNS when using SOCKS v5" is
>   checked.
> * Click OK.
>
> Assuming that TOR is running and the permissions on its SOCKS socket
> allow you access, you can browse to https://check.torproject.org/ and it
> should tell you that you're connected over TOR.  You can also check the
> TOR messages sent to /var/log/messages to confirm that stuff is
> happening.

Heck yeah!  This is awesome!

> Since using a UNIX domain socket for TOR is probably better than using a
> localhost endpoint, we should make it easy to run a configuration like
> this via the tor-service.  Currently, it's a little awkward to do, since
> to set it up, you need to arrange for the directory that contains the
> socket to have certain permissions, or else TOR refuses to start.  If
> nobody beats me to it, I could try my hand at this in a few days' time.

Please do.

While you're taking a crack at it, it might be cool if the
tor-hidden-services stuff could also accept unix domain sockets?  What
do you think?

^ permalink raw reply	[flat|nested] 16+ messages in thread

* Re: Recommendations for browsing via Tor pre tor-browser?
  2018-07-20 16:11           ` Christopher Lemmer Webber
@ 2018-07-21 14:53             ` Pierre Neidhardt
  0 siblings, 0 replies; 16+ messages in thread
From: Pierre Neidhardt @ 2018-07-21 14:53 UTC (permalink / raw)
  To: Christopher Lemmer Webber; +Cc: Devan Carpenter, help-guix

@Ludovic: I've tried setting up privoxy but I can't seem to get it to work.

>	privoxy /gnu/store/d3q0nz8568j32gslkc3lskxpzmimcx9z-privoxy-3.0.26/etc/privoxy/config

exits after a second.

--8<---------------cut here---------------start------------->8---
>	privoxy --no-daemon /gnu/store/d3q0nz8568j32gslkc3lskxpzmimcx9z-privoxy-3.0.26/etc/privoxy/config
2018-07-21 16:49:37.458 7ff8a464f740 Info: Privoxy version 3.0.26
2018-07-21 16:49:37.458 7ff8a464f740 Info: Program name: /home/ambrevar/.guix-profile/sbin/privoxy
--8<---------------cut here---------------end--------------->8---

does not output anything else and privoxy stays up.
Opening https://www.privoxy.org/config/ tells me that Privoxy is not being
used.

I've tried with forwarding to Tor, then using the SOCKS5 proxy on port 9050 in
IceCat, but also without forwarding, then using the HTTP(S) proxy on port 8118
in IceCat.

	sudo nmap -sT 127.0.0.1

does not return any 8118 port.


Also from the manual, tor forwarding is done with

       # forward-socks5t   /               127.0.0.1:9050 .

Note the trailing 't'.

-- 
Pierre Neidhardt

^ permalink raw reply	[flat|nested] 16+ messages in thread

* Re: Recommendations for browsing via Tor pre tor-browser?
  2018-07-20  3:38         ` Chris Marusich
  2018-07-20 16:11           ` Christopher Lemmer Webber
@ 2018-07-26 15:16           ` Ludovic Courtès
  2018-07-27  2:12             ` Christopher Lemmer Webber
  1 sibling, 1 reply; 16+ messages in thread
From: Ludovic Courtès @ 2018-07-26 15:16 UTC (permalink / raw)
  To: Chris Marusich; +Cc: Devan Carpenter, help-guix

Hello,

Chris Marusich <cmmarusich@gmail.com> skribis:

> I looked into this.  I learned that Firefox (and our IceCat) supports a
> SOCKS proxy using UNIX domain sockets [1].  If you've started TOR with a
> socks socket at /var/run/tor/socks-sock, you can tell IceCat (or
> Firefox) to use it by entering the socket path as your SOCKS proxy.
> Specifically, in the IceCat built by Guix, you would do this:
>
> * Click on the "hamburger menu" in the upper right (the icon looks like
>   three fat lines stacked on top of one another).
> * Go to Preferences > Advanced > Connection > Settings.
> * Select "Manual proxy configuration".
> * Select SOCKS v5 (because v5, unlike v4, supports sending DNS queries
>   through the SOCKS proxy).
> * Enter "file:///var/run/tor/socks-sock" in the SOCKS Host field (no
>   quotes required).  The UI still makes it seem like you need to enter a
>   port, but you can put any value in here, and it won't matter, since
>   UNIX domain sockets don't use ports.
> * Scroll to the bottom and make sure "Proxy DNS when using SOCKS v5" is
>   checked.
> * Click OK.
>
> Assuming that TOR is running and the permissions on its SOCKS socket
> allow you access, you can browse to https://check.torproject.org/ and it
> should tell you that you're connected over TOR.  You can also check the
> TOR messages sent to /var/log/messages to confirm that stuff is
> happening.
>
> Since using a UNIX domain socket for TOR is probably better than using a
> localhost endpoint, we should make it easy to run a configuration like
> this via the tor-service.  Currently, it's a little awkward to do, since
> to set it up, you need to arrange for the directory that contains the
> socket to have certain permissions, or else TOR refuses to start.  If
> nobody beats me to it, I could try my hand at this in a few days' time.

That would be great!  I wonder if Privoxy can forward over Unix-domain
sockets as well.

Also note that we’re running Tor in a container, which adds an extra
layer of wrapping around it.

Ludo’.

^ permalink raw reply	[flat|nested] 16+ messages in thread

* Re: Recommendations for browsing via Tor pre tor-browser?
  2018-07-26 15:16           ` Ludovic Courtès
@ 2018-07-27  2:12             ` Christopher Lemmer Webber
  0 siblings, 0 replies; 16+ messages in thread
From: Christopher Lemmer Webber @ 2018-07-27  2:12 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: Devan Carpenter, help-guix

Ludovic Courtès writes:

> Also note that we’re running Tor in a container, which adds an extra
> layer of wrapping around it.

I didn't realize that... comforting to hear :)  I hope we can do more
sandboxing like this!

^ permalink raw reply	[flat|nested] 16+ messages in thread
