« on: January 02, 2012, 09:40 pm »
Of course you should isolate firefox and other network facing applications using virtualization technology. You can even isolate Tor to a VM that runs a secure OS. Anyone who says this is counter productive to anonymity has no idea what the fuck they are talking about. Don't be confused by police PSYOP agents and the countless people who speak their (incorrect) opinions as if they are certainly factual. It really boils down to this:
If you do not isolate network facing applications, if they have critical remote code execution vulnerabilities (they do, although none may be publicly known at any given time), an attacker can take over the permissions of the application. After doing this, the attacker can deanonymize you without breaking Tor by bypassing it on the application layer, for example instructing Firefox to send data around Tor to a malicious server. This is only one of many ways the attacker could get your IP address after identifying a vulnerability in one of your network facing applications.
If you do isolate your network facing applications using virtualization software, even if an attacker exploits a vulnerability in one of them and roots your VM, they will not be able to get your external IP address. The VM itself is unaware of your external IP address, only knowing an internal IP address assigned to it. Now the attacker needs to find an additional vulnerability in Tor, or a vulnerability that allows them to break out of the virtualization solution, before they can get your external IP address with a proxy bypass attack. It is worth noting that if an attacker roots your VM they will be able to reduce the anonymity Tor provides you from traffic analysis attacks to roughly the same as Tor provides to hidden services, which is substantially less than Tor provides to non-hidden service clients. This is because an attacker can force a hidden service to open an arbitrary number of new circuits, but cannot force a normal client to open an arbitrary number of new circuits. However, if the attacker has rooted the VM of a network facing application that routes its traffic through Tor, they can force Tor to open an arbitrary number of circuits.
Follow the tutorial linked above that OVDB admin made, but do not use polipo. Polipo is insecure and has anonymity degrading bugs in it, and should not be used. Modern versions of Firefox allow for SOCKS proxy routing without the need for an additional HTTP proxy; you probably need to allow proxified DNS in your about:config though. Nobody should be using polipo anymore. But do follow the linked tutorial, just skip the polipo portions.
OpenBSD provides a wide range of automatic security features which further increase your security from application layer exploits. For example, if you have a 64-bit CPU and/or a CPU with NX bit capabilities, OpenBSD will prevent an attacker from exploiting entire classes of potential vulnerabilities that may be (read: are) present in your network facing applications.
You may also be interested in reading about mandatory access control systems. Like the previously mentioned virtualization technique, mandatory access controls offer security via isolation. However, it is harder to use mandatory access control systems to isolate applications from Tor / your external IP address.
Law enforcement are going to start doing all of their wiretap and tracing operations on the application layer, because they can't break GPG or reliably break Tor (although they probably can break it for small random selections of users, they can't break it for a given selected target in the majority of cases), but they can exploit one of the endless streams of vulnerabilities in applications like Firefox. They are starting to work with corporations that sell them prepackaged exploit kits for such attacks.
It is worth noting that law enforcement will have a much easier time tracing SR users with such attacks after they have taken over the SR server, although it is not impossible for them to 'leap frog' the server (for one example, GPG has had remote code execution vulnerabilities that allow an attacker to launch arbitrary code merely by having the target decrypt exploit ciphertexts... such a ciphertext could be sent through a secure non-compromised SR server).
It is also worth noting that the NSA stockpiles as much remote code execution vulnerability intelligence / exploits as possible, and can trace through Tor on the application layer / steal plaintexts / keys on the application layer, with ease.
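Editor's added example (not part of the post above, and not the linked OVDB tutorial): the post says to drop polipo and point Firefox straight at the Tor SOCKS port with proxified DNS enabled in about:config. The script below parses a Firefox user.js and audits the network.proxy.* preferences (real Firefox preference names) for the settings that matter: manual proxy mode, SOCKS5 at the Tor listener, network.proxy.socks_remote_dns set to true, no HTTP/SSL proxy left over from a polipo setup, and an empty proxy bypass list. The two user.js samples are constructed for the example; the Tor SOCKS address 127.0.0.1:9050 is an assumption (it is whatever address the Tor listener has as seen from the browser's VM).

```python
"""Audit a Firefox user.js for a SOCKS5-only Tor configuration.

Added example, not code from the forum post. Assumptions (hypothetical):
  * Tor's SOCKS listener is reachable from the browser VM at 127.0.0.1:9050.
  * The two user.js samples below are constructed, not real profiles.
"""
import re

# Firefox pref lines look like:  user_pref("name", value);
# where value is a JS string ("..."), an integer, true or false.
_PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);\s*$')

# Assumed location of the Tor SOCKS port as seen from the browser's VM.
TOR_SOCKS_HOST = "127.0.0.1"
TOR_SOCKS_PORT = 9050


def parse_user_js(text):
    """Parse user_pref() lines into a dict of name -> Python value."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = m.groups()
        if raw == "true":
            val = True
        elif raw == "false":
            val = False
        elif len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            val = raw[1:-1]
        else:
            try:
                val = int(raw)
            except ValueError:
                val = raw  # leave unknown literals as-is
        prefs[name] = val
    return prefs


def audit_proxy_prefs(prefs):
    """Return a list of findings; an empty list means the proxy prefs look right."""
    findings = []
    # 1 = manual proxy configuration; 0 (direct), 4 (auto-detect) and 5 (system)
    # can all send traffic without the SOCKS proxy.
    if prefs.get("network.proxy.type") != 1:
        findings.append("network.proxy.type must be 1 (manual proxy)")
    if (prefs.get("network.proxy.socks") != TOR_SOCKS_HOST
            or prefs.get("network.proxy.socks_port") != TOR_SOCKS_PORT):
        findings.append(f"SOCKS proxy must be {TOR_SOCKS_HOST}:{TOR_SOCKS_PORT}")
    if prefs.get("network.proxy.socks_version") != 5:
        findings.append("network.proxy.socks_version should be 5 (Tor's SOCKS port speaks SOCKS5)")
    # Without this, Firefox resolves hostnames itself, and those DNS queries go around Tor.
    if prefs.get("network.proxy.socks_remote_dns") is not True:
        findings.append("network.proxy.socks_remote_dns must be true (proxified DNS)")
    # Leftover HTTP-level proxy settings (a polipo-style setup) take those protocols
    # away from the SOCKS route; the post says not to use polipo at all.
    for pref in ("network.proxy.http", "network.proxy.ssl", "network.proxy.ftp"):
        if prefs.get(pref):
            findings.append(f"{pref} is set: HTTP-level proxy configured, remove it")
    # Hosts listed here are contacted directly, bypassing the proxy.
    if prefs.get("network.proxy.no_proxies_on", "") != "":
        findings.append("network.proxy.no_proxies_on must be empty")
    return findings


# Constructed sample: a polipo-era profile with local DNS resolution.
BAD_USER_JS = """\
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 8118);
user_pref("network.proxy.ssl", "127.0.0.1");
user_pref("network.proxy.ssl_port", 8118);
user_pref("network.proxy.socks_remote_dns", false);
"""

# Constructed sample: SOCKS5 straight to Tor, remote DNS, no bypass list.
GOOD_USER_JS = """\
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 9050);
user_pref("network.proxy.socks_version", 5);
user_pref("network.proxy.socks_remote_dns", true);
user_pref("network.proxy.no_proxies_on", "");
"""

if __name__ == "__main__":
    for label, text in (("polipo-style", BAD_USER_JS), ("socks5-only", GOOD_USER_JS)):
        print(f"{label}:")
        for finding in audit_proxy_prefs(parse_user_js(text)) or ["no findings"]:
            print("  -", finding)
```

Run it against the user.js in the Firefox profile of the browser VM after following the tutorial; the polipo-style sample produces five findings (no SOCKS target, no SOCKS version, local DNS, and HTTP/SSL proxies set), the SOCKS5-only sample produces none. The check is only about what Firefox is told to do; it does not replace the VM isolation the post argues for, which is what keeps an exploited browser from learning the external address in the first place.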