
option to make Sandstorm run anonymously, only through a Tor Hidden Service

Open jacksingleton opened this issue 9 years ago • 7 comments

There are some things that can be done independently of the sandstorm code.

Since this specific information leak comes from DNS, and DNS is a common source of information leakage, we can allow a toggle to resolve DNS via Tor instead of the default resolvers. This might make sense to be split into a separate issue. This can be done through /etc/resolv.conf (would still allow direct nameserver queries) or by capturing the outbound packets at the firewall (captures all DNS traffic).

There may be threats not yet identified, either in sandstorm or grains. It may be beneficial to implement a toggle that redirects all outbound traffic on standard web ports to be sent through a transparent proxy that will scrub out common leaks (privoxy comes to mind). While related, this would also probably be better as a separate issue.

The same basic procedure could be applied to ALL outbound traffic to be sent directly through tor's transparent proxy.

I would propose that all three of these features default to true if sandstorm_onion: true. If these preventative measures are combined with the sandstorm enhancements listed above, we can make it much more difficult for information to leak (accidental or otherwise).

  • ckxng

jacksingleton avatar Nov 16 '15 23:11 jacksingleton
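One way to wire up parts 1 and 3 of the proposal (capturing all outbound DNS at the firewall and sending the remaining outbound TCP through Tor's transparent proxy), as an added example that is not code from this issue or from the Sandstorm project. It assumes a Tor daemon running as user debian-tor with DNSPort 5353 and TransPort 9040 (none of which the issue states) and a config file carrying a `sandstorm_onion: true` line; the rules are printed rather than applied so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not from this issue or the Sandstorm project.
# Assumed (not stated on the page): Tor runs as user "debian-tor" with
# DNSPort 5353 and TransPort 9040 bound to 127.0.0.1.
TOR_UID="${TOR_UID:-debian-tor}"
TOR_DNS_PORT="${TOR_DNS_PORT:-5353}"
TOR_TRANS_PORT="${TOR_TRANS_PORT:-9040}"

# onion_enabled FILE: succeed when the config turns on onion-only mode
# (hypothetical key/file layout: a line "sandstorm_onion: true").
onion_enabled() {
    grep -Eq '^[[:space:]]*sandstorm_onion:[[:space:]]*true[[:space:]]*$' "$1"
}

# render_rules: print iptables-restore input for parts 1 and 3.
# Printing instead of applying lets the rules be reviewed and diffed first.
render_rules() {
    cat <<EOF
*nat
# loopback traffic is left alone
-A OUTPUT -d 127.0.0.0/8 -j RETURN
# part 1: every outbound DNS query is redirected to Tor's DNSPort, so a
# process that ignores /etc/resolv.conf and asks a resolver directly is
# caught too. Tor's DNSPort only answers A/AAAA/PTR queries, so MX lookups
# (as needed by the login email flow) will fail in this mode.
-A OUTPUT -p udp --dport 53 -m owner ! --uid-owner ${TOR_UID} -j REDIRECT --to-ports ${TOR_DNS_PORT}
# part 3: all other outbound TCP goes through Tor's transparent proxy;
# Tor's own connections are exempt or they would loop back into TransPort
-A OUTPUT -p tcp -m owner ! --uid-owner ${TOR_UID} -j REDIRECT --to-ports ${TOR_TRANS_PORT}
COMMIT
*filter
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --uid-owner ${TOR_UID} -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# anything that would still leave the host outside Tor (e.g. other UDP) is dropped
-A OUTPUT -j DROP
COMMIT
EOF
}

# apply_rules: load the rules without flushing unrelated chains (needs root)
apply_rules() {
    render_rules | iptables-restore --noflush
}
```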

Splitting this issue from #14 based on great recommendations from Cameron 👍

jacksingleton avatar Nov 16 '15 23:11 jacksingleton

I'll work on this over the next week.

cameroncking avatar Nov 16 '15 23:11 cameroncking

Actually, part 1 was the easiest of the three - and I knocked it out this evening.

cameroncking avatar Nov 17 '15 00:11 cameroncking

Cool, did you use resolv.conf or iptables forwarding?

jacksingleton avatar Nov 17 '15 00:11 jacksingleton

Merged!

We will have to think about how to look up MX records as currently our login depends on the server being able to send emails

jacksingleton avatar Nov 17 '15 01:11 jacksingleton

Email will not be reliable on an isolated server that's routing traffic over tor. I would expect email providers to heavily filter tor exit nodes, and mail sent over clearnet will immediately expose the server due to the mail headers. That being said, it's not impossible. Added issue #29

cameroncking avatar Nov 17 '15 01:11 cameroncking

Yeah, you're right, it wouldn't make sense to run the MTA locally when running in this mode. This might not be a problem then.

jacksingleton avatar Nov 17 '15 01:11 jacksingleton