Feature #16111

Gateway support - Whonix and Invizbox

Added by sampalmer 2018-11-09 05:20:51. Updated 2018-12-23 21:01:00.

Status: Duplicate
Priority: Normal
Assignee:
Category:
Target version:
Start date: 2018-11-09
Due date:
% Done: 0%

Feature Branch:
Type of work: Research
Blueprint:

Starter:
Affected tool:
Deliverable for:

Description

Tails is amnesic, and there are not many (if any) other secure amnesic options out there. However, many security researchers rate whonix-gateway to be much more secure than Tails' internal Tor support/handling. I would like the best of both worlds.

Tails would detect if traffic is being directed through Tor. If that check is done using an onion link, there is still a huge risk of a man in the middle, between Tails and Gateway. Ideally, there would be a VPN connection from Tails to the separate Gateway host.

Without a secure way to automatically detect a gateway, and disable an on-host tor connection, I recommend the addition of a new boot-option which activates the external gateway mode of operation.

This feature is probably quite a significant change. I would recommend it as a major version feature, and inclusion of Whonix-Gateway virtualised within Tails. This would mean both Tails desktop, and the virtualised Whonix-Gateway would be amnesic. The user would then be able to optionally disable the internal Whonix-Gateway if they have a separate gateway host/device. Or if Tails is being run within QubesOS with a separate Whonix-Gateway VM.

see https://www.invizbox.com/, and https://www.whonix.org/wiki/Download

(There didn’t seem to be a specific feature request for this. I did try searching. There was mention of Whonix in some issues, but none which seem to focus squarely on it.)


Subtasks


Related issues

Related to Tails - Feature #12403: Make Tails work nicely inside of Qubes OS, without big paradigm shifts In Progress 2017-03-26
Is duplicate of Tails - Feature #5748: Two-layered virtualized system Confirmed

History

#1 Updated by mercedes508 2018-11-09 09:47:11

  • Assignee set to sampalmer
  • Type of work changed from Code to Research

Hi,

> there is still a huge risk of a man in the middle, between Tails and Gateway.

Do you mean in the context of Tails only? If yes, which gateway are you talking about?

#2 Updated by sampalmer 2018-11-10 14:00:45

I’m speaking specifically of a Tor Gateway like Whonix. I’ll update the
description to make it clearer.

If there are two physical machines, and Tails used something like
Whonix-Gateway, then the traffic between the Tails Ethernet port and the
Whonix-Gateway machine port is not encrypted. The user has to be careful,
and sure that there is only a direct Ethernet link between the two hosts.

#3 Updated by mercedes508 2018-11-11 11:59:14

Hi,

ok, but what is the benefit compared to using Tails only?

Cheers.

#4 Updated by sampalmer 2018-12-02 09:30:36

There are two benefits:

1. Less threat of IP address being revealed
2. More software works safely

Tails is amnesic, but it isn’t invulnerable. It can be compromised via
JavaScript, and software could access the internet directly unexpectedly.

If it’s ever compromised, Tor is running in the same machine, and that
means it’s possible to reveal the real IP address to the attacker.

Also, it seems that Tor Browser is configured to explicitly use the Tor
Proxy. This is bad. This means that configuration can be disabled, and
other software may access the internet directly.

Whonix-Gateway routes “everything” over Tor. No software needs to be
configured at all; that’s great, and makes it easier for Tails to support
more software with no security risk. Also, if it’s run on a dedicated host
or VM, it’s sandboxed, and impossible or very hard to compromise the Tor
client and expose the real IP address.

Both QubesOS and Whonix run Whonix-Gateway for Tor. If Tails also used
Whonix-Gateway it would close the final security vulnerabilities, and make
it undisputable that Tails is the best anonymous and secure platform.

#5 Updated by mercedes508 2018-12-02 12:45:07

  • Assignee changed from sampalmer to intrigeri

#6 Updated by intrigeri 2018-12-02 22:11:55

  • QA Check set to Info Needed

#7 Updated by intrigeri 2018-12-08 08:57:38

  • is duplicate of Feature #5748: Two-layered virtualized system added

#8 Updated by intrigeri 2018-12-08 08:57:47

  • related to Feature #12403: Make Tails work nicely inside of Qubes OS, without big paradigm shifts added

#9 Updated by intrigeri 2018-12-08 09:01:43

  • Status changed from New to Duplicate
  • Assignee deleted (intrigeri)
  • QA Check deleted (Info Needed)

This idea has been floating around for years (Feature #5748) but it requires tons of UX design and coding work, and it will make some of the UX improvements we have in mind much harder to design & implement (Feature #10491). My current take on this is “woohoo, would be awesome to do that if we had unlimited resources, but in the current state of Tails the cost/benefit is much too high”.

A first step would be Feature #12403 but that does not even scratch the surface of the hard part of this problem.

#10 Updated by sampalmer 2018-12-22 00:47:55

intrigeri wrote:
> This idea has been floating around for years (Feature #5748) but it requires tons of UX design and coding work, and it will make some of the UX improvements we have in mind much harder to design & implement (Feature #10491). My current take on this is “woohoo, would be awesome to do that if we had unlimited resources, but in the current state of Tails the cost/benefit is much too high”.
>
> A first step would be Feature #12403 but that does not even scratch the surface of the hard part of this problem.

I disagree:

1) “This idea has been floating around for years (Feature #5748)” - on its own
this isn’t a reason not to.

2) “requires tons of UX design and coding work” - maybe for a polished
diamond, but to make this possible, there needs to be smaller steps toward
the final prize. I also suspect that UX design can be excluded from
initial versions; people prize security first and foremost.

3) “the cost/benefit is much too high” - The pursuit of the best security
is what drives the community behind this project. Perhaps the mountain is
too tall to conquer, but you must acknowledge there would be a massive
benefit. The absolute amount of effort might be too much; but the relative
value is easy to see.

The first step design:

- Ability to bypass Tor within Tails. This is something that is configured
during loading time along with other advanced options

- The user is warned that they still have amnesic protection, but are
losing network anonymity, and they understand the consequences.

- (There is a precedent for this - the unsafe browser)

- Users could use this mode with the direct internet
- Users could also use this mode via a gateway-tor system such as
Whonix-Gateway or Invizbox

I believe this will be much easier to start with than you might have
considered before. It will provide a massive amount of benefit for the
least amount of effort.

Thanks

#11 Updated by intrigeri 2018-12-23 21:01:00

Thanks for your input.
If someone wants to work on this, I’ll happily take a look at a proof of concept branch that implements the first suggested iteration :)
I think this will help us quantify the amount of work needed to make it production-ready.