From mboxrd@z Thu Jan 1 00:00:00 1970 From: Christopher Lemmer Webber Subject: Re: Recommendations for browsing via Tor pre tor-browser? Date: Fri, 20 Jul 2018 12:11:49 -0400 Message-ID: <877elp7upm.fsf@dustycloud.org> References: <87zhywl72t.fsf@dustycloud.org> <87muuvjwwj.fsf@gnu.org> <87tvp3l2eb.fsf@dustycloud.org> <87wotriunz.fsf@gmail.com> <87in5bi490.fsf@dustycloud.org> <87d0viinjj.fsf@gmail.com> Mime-Version: 1.0 Content-Type: text/plain Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:36785) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1fgY0W-00089X-P3 for help-guix@gnu.org; Fri, 20 Jul 2018 12:11:53 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1fgY0V-00065H-Dy for help-guix@gnu.org; Fri, 20 Jul 2018 12:11:52 -0400 In-reply-to: <87d0viinjj.fsf@gmail.com> List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: help-guix-bounces+gcggh-help-guix=m.gmane.org@gnu.org Sender: "Help-Guix" To: Chris Marusich Cc: Devan Carpenter , help-guix Chris Marusich writes: > I think you're right: the fact that a malicious actor can induce > requests to your localhost endpoint is cause for concern, even if the > exact methods of exploitation are not obvious. > > I looked into this. I learned that Firefox (and our IceCat) supports a > SOCKS proxy using UNIX domain sockets [1]. If you've started TOR with a > socks socket at /var/run/tor/socks-sock, you can tell IceCat (or > Firefox) to use it by entering the socket path as your SOCKS proxy. > Specifically, in the IceCat built by Guix, you would do this: > > * Click on the "hamburger menu" in the upper right (the icon looks like > three fat lines stacked on top of one another). > * Go to Preferences > Advanced > Connection > Settings. > * Select "Manual proxy configuration". > * Select SOCKS v5 (because v5, unlike v4, supports sending DNS queries > through the SOCKS proxy). > * Enter "file:///var/run/tor/socks-sock" in the SOCKS Host field (no > quotes required). The UI still makes it seem like you need to enter a > port, but you can put any value in here, and it won't matter, since > UNIX domain sockets don't use ports. > * Scroll to the bottom and make sure "Proxy DNS when using SOCKS v5" is > checked. > * Click OK. > > Assuming that TOR is running and the permissions on its SOCKS socket > allow you access, you can browse to https://check.torproject.org/ and it > should tell you that you're connected over TOR. You can also check the > TOR messages sent to /var/log/messages to confirm that stuff is > happening. Heck yeah! This is awesome! > Since using a UNIX domain socket for TOR is probably better than using a > localhost endpoint, we should make it easy to run a configuration like > this via the tor-service. Currently, it's a little awkward to do, since > to set it up, you need to arrange for the directory that contains the > socket to have certain permissions, or else TOR refuses to start. If > nobody beats me to it, I could try my hand at this in a few days' time. Please do. While you're taking a crack at it, it might be cool if the tor-hidden-services stuff could also accept unix domain sockets? What do you think?