Hide Tor and [[:Template:Project name]] use from the ISP

From Whonix
Revision as of 08:06, 20 June 2019 by Patrick (talk | contribs)
Jump to navigation Jump to search
Advanced Documentation Previous page: Alternative DNS Resolver Index page: Advanced Documentation Next page: Host a Bridge or Tor Relay Hide Tor and Template:Project name use from the ISP


TODO: this page needs to be updated. See: Hiding Tor / Whonix is difficult beyond practicalityarchive.org iconarchive.today icon

Introduction

In many cases Template:Project name users are likely to be Tor "power users" who:

  • Have higher security and anonymity goals than normal Tor users; and
  • Often host Onion Services and pair other advanced configurations with Tor.

Various adversaries might ask themselves why individuals are choosing to adopt a hardened platform. Depending on your assessed threat model and location, government policies on Tor might necessitate the hiding of Template:Project name and/or Tor use from the Internet Service Provider (ISP).

General Advice

Table: General Advice

Category Description
Bridges Only Using private and obfuscated bridges alone does not provide strong guarantees of hiding Tor use from the ISP. As Jacob Appelbaum has noted: [1] [2]

Some pluggable transports may seek to obfuscate traffic or to morph it. However, they do not claim to hide that you are using Tor in all cases but rather in very specific cases. An example threat model includes a DPI device with limited time to make a classification choice - so the hiding is very specific to functionality and generally does not take into account endless data retention with retroactive policing.

Hide Tor Use

Hiding the fact that you are a Tor user is difficult and you must be very careful. Some tips are below, but it is recommended to read this entire page:

  • Prefer private obfuscated bridges or VPN/SSH tunnels: This configuration is preferred over public obfuscated bridges. The reason is the latter have a greater likelihood of being censored, simply because they are publicly listed.
  • To hide Tor from the ISP it might be safest to combine both private obfuscated bridges and a VPN/SSH, by connecting to the VPN/SSH relay first and then connecting to the private obfuscated bridge.
    • On the other hand, solely using a private obfuscated bridge (i.e. no VPN/SSH) would be preferable for those who want to hide that they are using Tor and do not want to "come on the radar" by utilizing a VPN or SSH.
Hide Template:Project name Use

For technical details, click on "Learn More" on the right side.

  • Traffic from Whonix-Gateway also routed over Tor: Starting from Whonix version 0.2.1, traffic from Whonix-Gateway is also routed over Tor. This approach conceals the use of Whonix from entities monitoring the network.
  • Gateway's own traffic not essential for anonymity: To preserve the anonymity of a user's Whonix-Workstation activities, it is not essential to route Whonix-Gateway's own traffic through Tor. (Note: The gateway is mainly a tool that helps route traffic; it does not typically contain personal activity data.)
  • DNS configuration on Whonix-Gateway has limited impact: Altering DNS settings on Whonix-Gateway in /etc/resolv.conf only impacts DNS requests made by Whonix-Gateway's applications that utilize the system's default DNS resolver. (DNS is like the internet's phonebook - it translates website names to IP addresses.) By default, no applications on Whonix-Gateway that generate network traffic use this default resolver. All default applications on Whonix-Gateway that produce network traffic (like apt, systemcheckarchive.org iconarchive.today icon, sdwdate) are explicitly configured, or forced by uwt wrappers, to use their dedicated Tor SocksPort (refer to Stream Isolation).
  • Whonix-Workstation DNS requests handled via Tor: Whonix-Workstation's default applications are configured to use dedicated Tor SocksPorts (see Stream Isolation), avoiding the system's default DNS resolver. Any applications in Whonix-Workstation not set up for stream isolation - such as nslookup - will use the default DNS server configured in Whonix-Workstation (through /etc/network/interfaces), which points to Whonix-Gateway. These DNS requests are then redirected to Tor's DnsPort by the Whonix-Gateway firewall. (This ensures DNS lookups still go through Tor even if they use the default method.) Changes in Whonix-Gateway's /etc/resolv.conf do not influence Whonix-Workstation's DNS queries.
  • Tor process traffic allowed direct internet access: Traffic produced by the Tor process, which by Debian's default operates under the account debian-tor and originates from Whonix-Gateway, can access the internet directly. This is permitted because the Linux user account debian-tor is exempted in the Whonix-Gateway Firewall and allowed to use the "regular" internet. (This is necessary for Tor to establish its connections.)
  • Tor mostly uses TCP traffic: As of Tor version 0.4.5.6 (with no changes announced at the time of writing), the Tor software predominantly relies on TCP traffic. (TCP is a common protocol used for stable internet connections.) For further details, see Tor wiki page, chapter UDP. For DNS, please refer to the next footnote.
  • Tor's DNS independence and exceptions: Tor does not depend on, nor use, a functional (system) DNS for most of its operations. IP addresses of Tor directory authorities are hardcoded in the Tor software by Tor developers. (That means Tor knows important addresses in advance and doesn't need to look them up.) Exceptions include:
    • Proxy with domain name: Proxy settings that use proxies with domain names instead of IP addresses.
    • Pluggable transport domain resolution: Some Tor pluggable transports, such as meek lite, which resolve domains set in url= and front= to IP addresses, or snowflake's -front.
VPN/SSH Strength Using a VPN or SSH does not provide a strong guarantee of hiding Tor use from the ISP either. [3] VPNs and SSHs are vulnerable to an attack called website traffic fingerprinting. [4]

Warnings

Table: Hiding Tor / Template:Project name Considerations

Category Description
Building from Source
  • Building Template:Project name learning resources can be accessed with Tor Browser.
  • If Template:Project name is built from source, the build scripts will download a specific set of software packages with apt-get, Tor Browser with curl, update-command-not-found etc. and the ISP might recognize this activity.
  • If you understand the build scripts, Template:Project name can be built by applying the commands and configuration files manually.
  • See also Dev/Build Anonymity.
Known VPN/SSH User Consider whether the ISP knowing you are a VPN/SSH user is an acceptable risk.
Safe Configuration Setup the SSH/VPN tunnel and/or private obfuscated bridges first -- depending on the desired configuration, read this entire section.
Secure Tor Download Download Tor through a trusted ISP in your (home) country or through SSH/VPN, particularly before entering a hostile environment.
Secure Template:Project name Download
Secure Template:Project name Operation From Template:Project name 7 onwards, it has been unnecessary to turn off the network connection before starting Template:Project name for the first time, [5] thanks to Template:Project name Setup Wizard - Connection Wizard and its sucessor Anon Connection Wizard. Therefore, hiding Tor / Template:Project name usage relies upon either a SSH/VPN or private obfuscated bridge, as outlined on this page.
Trusted Sources If you think about it, how is it possible to obtain Tor Browser and obfuscated bridges and/or VPN/SSH without the ISP noticing? This is a classic chicken-and-egg problem. The answer is receiving these resources from a trusted source. This problem cannot be solved by Template:Project name and it is a Tor upstream question.

Methods

Using a Proxy

It is impossible to safely use a proxy! The connection between the user and the proxy is unencrypted and this applies to all proxies: http, https, socks4, socks4a and socks5. [6] This means the ISP can still clearly see that connections are made to the Tor network. This fact is only mentioned here because proxies are constantly (falsely) suggested as a solution whenever this topic comes up in public arenas.

Using SSH or VPN

See the Warnings above first. By default all Template:Gateway product name traffic is routed through Tor, meaning that traffic must first be routed through SSH/VPN. To tunnel all Tor-related traffic this way:

  1. See Combining Tunnels with Tor and ignore the proxy-related material.
  2. Next read:

Either of these configurations will hide Tor use from the ISP. If the server is outside a national firewall, then this is also a way to circumvent Tor censorship.

If zero trust is placed in any SSH or VPN providers, then anonymously host your own in a safe place. However, this cannot be hosted in the same location where you want to hide Tor -- a safe, remote place is required which has a different IP from your own.

Using Private and Obfuscated Bridges

See the Warnings above first. Anon Connection Wizard can configure Tor to use private and obfuscated Bridges. This will make it harder for ISPs and national firewalls to detect and block Tor, but it does not prevent a determined and well-resourced adversary from finding out that you are using Tor; research is ongoing, see obfsproxy.

Footnotes

Template:Reflist

Advanced Documentation Previous page: Alternative DNS Resolver Index page: Advanced Documentation Next page: Host a Bridge or Tor Relay

Notification image

We believe security software like Whonix needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 14 year success story and maybe DONATE!