A proposal for the Lantern-Gateway

iry

Mar 12, 2017, 2:15:15 PM
to qubes...@googlegroups.com
Hi everyone!

I am Iry.

The attachment is my proposal for the Lantern-Gateway for Google Summer of
Code. Could anyone offer me some feedback about it please? Any
recommendations, suggestions and criticism are very welcome and appreciated!
Proposal_of_Lantern_Gateway_first_draft.doc
0x6DCDD53C.asc
signature.asc

Jean-Philippe Ouellet

Mar 12, 2017, 2:22:45 PM
to iry, qubes-devel
I absolutely guarantee more people would read it if you included it
inline in a plain-text email instead of as an attachment in a
proprietary file format.

iry

Mar 12, 2017, 4:24:56 PM
to qubes...@googlegroups.com
Jean-Philippe Ouellet:
Hi Jean!
Thank you very much for your suggestions! The following is my inline
proposal. I also reattached a .odt file for those who would like to see
it in a more organized form. Thank you very much for reminding me of my
misuse of the file format. I apologize for my mistakes.

The Lantern-Gateway
A censorship circumvention proxy qube

Abstract
This document is a proposal that may be accepted as one of Qubes
OS's 2017 Google Summer of Code projects. I state the situation where
Lantern is one of the few censorship circumvention tools that work
effectively under heavy censorship circumstances. I argue that using a
Lantern-Gateway will bring a large number of advantages over using
Lantern in an AppVM in many aspects, which include security, privacy,
usability, compatibility and extensibility. I also discuss some brief
details about the implementation and point out that Whonix can serve as
a useful guideline for the development of the Lantern-Gateway. I also
review the previous work related to the topic in the hope of developing
the Lantern-Gateway on a solid and beneficial base. I conclude with the
argument that the Lantern-Gateway can be a promising anti-censorship tool
that helps people in censored areas enjoy their Internet freedom.
Keywords: Lantern software; Qubes; Whonix; censorship circumvention

I. Introduction
The Lantern-Gateway is a VM (virtual machine) which runs as a proxy qube
in Qubes OS (Operating System) [1]. Similar to Whonix-Gateway, which has
a Tor client as a core component that routes all incoming traffic
through the Tor network [2], a Lantern-Gateway handles all incoming
traffic through a built-in Lantern client. Lantern is free (as in
freedom) Internet censorship circumvention software developed by the
Brave New Software organization [3] which effectively helps its users
bypass Internet censorship by proxying their encrypted traffic through
one of a set of uncensored web servers called Lantern servers instead of
letting users try to access their target web sites directly [4].

II. Background
One may well ask why we should choose Lantern as the core censorship
circumvention tool in the Lantern-Gateway. The simple and short answer is
that we could use any other censorship circumvention tool as a
replacement or substitute for Lantern; however, under some severe
censorship circumstances, Lantern may be the most reasonable choice among
all the other known censorship circumvention tools.
A. Assumption of Internet environment
To clarify, the “severe censorship circumstances” mentioned in this
report implicitly refer to the mainland China Internet environment.
Such an assumption has been made for two reasons. Firstly, China
has the largest online population [5] and the population has been
growing fast [6], which means a solution to censorship circumvention
will potentially benefit more people. In addition, China has the
most sophisticated Internet censorship mechanism, which includes the
infamous filtering system, the Great Firewall [7]. Therefore, a solution to
circumvent Internet censorship in China is very likely to be a
useful way to circumvent censorship under other systems, too.
B. Required operating system environment
Although the specific operating system on which the Lantern-Gateway will
be based will be discussed in detail later in this report, one simple
agreement can be made that the Lantern-Gateway should run on a Unix-like
operating system because of the tremendous benefits it offers, including
less difficulty in development and maintenance and the mitigation of
security and privacy concerns.

III. Alternative Choices of Lantern
The following sub-sections of this section are several comparisons
between Lantern and other Internet censorship circumvention tools which
help to support the argument that Lantern is currently one of the best
choices under the circumstances mentioned in the previous section, due to
the lack of other effective censorship circumvention tools.
A. Tor
Direct connection to the Tor network in China has been blocked since
2009 [8]. This fact also means there is no way to connect to the Tor
network directly in other Tor-reliant software, including Whonix-Gateway
and Tails. Besides, the problem also reflects another fact: that
Chinese users cannot use Whonix or Tails without doing a certain amount
of configuration.
B. Tor Bridges
Tor “[b]ridges are unlisted Tor relays that make it possible for a user
to connect to the Tor network even if a censor blocks all publicly
listed Tor relays” [9]. However, Tor Bridges have also been blocked by
the Chinese authorities [10].
C. Pluggable transports
Pluggable transports help to “obfuscate Tor’s network protocol” [9],
making it hard for censors to detect Tor traffic in order to prevent
the Tor network from being blocked. However, among all the possible
choices offered by the most recent Tor Browser Bundle (version 6.5.1),
including fte, meek-amazon, meek-azure, obfs3 and obfs4, only the
meek-amazon option can sometimes be useful to circumvent Internet
censorship in China [11]. Besides, meek-amazon is not currently an
available option in Whonix [12]. A fact worth noting is that both
Lantern and meek-amazon use meek-like technology to bypass
censorship [13].
D. Virtual Private Network (VPN)
Although a VPN is one of the most common ways to bypass censorship, it
may not be a very reasonable choice to be the default option used by the
Censorship-Circumvention-Gateway. Specifically, we suspect that the reason
why VPNs can be widely used by Chinese users is not that the
authorities are not able to block them; instead, it may be because almost
all the VPN providers available to Chinese citizens are under the strict
control of the Chinese authorities [14]. Therefore, a free (as in price),
trusted and blocking-resistant VPN provider is comparatively rare.
VPN Gate “is an online service as an academic research at Graduate
School of University of Tsukuba, Japan” [15]. Although it has not failed
the requirements, the software it developed supports the Windows platform
only right now.
E. Psiphon3
Psiphon3 is an effective censorship circumvention tool. It adopts the
meek technology that is also used by Lantern and meek-amazon. However,
Linux is not a supported platform currently [16]. Several attempts to
run Psiphon3 under WineHQ in Unix-like operating systems have
failed, which can be an interesting topic for future development.
F. Freegate and UltraSurf
Both Freegate and UltraSurf are developed by companies which are
sponsored by Falun Gong. Since both of them are not open source and can
only run on Windows, they are not suitable choices for the
Lantern-Gateway.
G. Shadowsocks
Shadowsocks and other Shadowsocks-like software, including SSR, rely on an
individual web server to proxy their traffic [17], which means users
have to set up the proxy server themselves or purchase a pre-configured
server from some trusted third party. Also, the clients of
Shadowsocks-like software can only run on the Windows operating system.
H. I2P
I2P is a distributed network which is similar to the Tor network in many
aspects. However, due to its unbearably small bandwidth and high delay,
I2P should be an alternative but not the default choice in the Lantern-Gateway.
Fortunately, a large amount of related discussion and work has been done
[18], making the future implementation easier.
I. JonDo
The JonDo network is also similar to the Tor network, and may be an
available choice among the censorship circumvention tools in the Lantern-Gateway.

IV. Advantages Of Lantern-Gateway
Although Lantern as censorship circumvention software has many
advantages over other censorship circumvention tools, the benefits of
putting it in a standalone qube need further discussion. The following
paragraphs are a brief overview stating the advantages of using a
Lantern-Gateway instead of installing it solely in any other AppVM.
A. Security
Since Qubes is a security-oriented operating system [19], it is safe to
assume its users have higher expectations in terms of security than
average computer users. Therefore, a better security implementation can
be significantly essential. The following discussion indicates that it
can be very reasonable to isolate Lantern in a qube instead of letting
Lantern run in any AppVM.
1) Lantern software
Although Lantern has a high performance in bypassing censorship, that
does not necessarily mean Lantern is very secure as well. Actually, for a
censorship circumvention tool, the ability to circumvent censorship is
the key factor that determines whether it will be used by users, rather
than its security level. Therefore, it is reasonable for us to seek more
details and evidence before simply assuming it is secure.
a) Lantern community
As we know, a thriving community behind a piece of software is vital to
it in many aspects, which include security. This is partly because a thriving
community will be more likely to find a security flaw and fix the bug as
soon as possible. Considering some facts about the current Lantern
community, security is not their first priority.
b) Security audit
As far as I know, no internal or external security audit has been done
for Lantern [20], which means it can be hard to tell whether the Lantern
software is secure enough or not.
2) Human Factors
The users of the Qubes operating system may have higher expectations in
terms of security; however, this does not mean that every Qubes user is
already a security expert. We can still assume that users may
expect the Lantern-Gateway to have a set of mechanisms that reduce the
possibility of shooting themselves in the foot. Similar to the mechanism offered
by the Tor Browser Downloader in Whonix, a Lantern Downloader should be
offered in order to simplify and secure the downloading process when
users are trying to get the latest version of Lantern.
a) Download sources
The download process for Lantern is not as easy as one may expect,
especially for users in censored areas. The official website of Lantern
has been blocked by at least the Chinese authorities, making it hard for one
without any other usable censorship circumvention tool to get a copy of
Lantern.
Another trusted source from which to download a Lantern binary without
the help of any other censorship circumvention tool is its GitHub
download page [21]. However, this is not widely known,
especially by first-time users, since there is no instruction for them
to know about it.
Considering the facts above, people who want to get the Lantern software
themselves may accidentally download it from untrusted sources and
install it without doing any verification, which may lead to a
compromise of the entire system. Given that there has already been some
malware that pretends to be a legitimate censorship circumvention tool
and secretly infects the victims’ computers [22], it is vitally important
to download it from trusted sources.
b) Verification
It is reasonable to assume that most users will not do the verification
themselves. This can be shown in a recent report. Tor Browser is
privacy-oriented software, and its users are expected to have a higher
awareness of security. However, one out of three users still
do not download its signature [23]. Therefore, we should provide a
mechanism that does the verification automatically rather than expecting
users to do it themselves.
c) Configuration
An improper configuration of a Lantern-Gateway may lead to unwanted
risks. Therefore, the configuration should be handled by a secure
mechanism offered by the developers instead of letting users do it
manually.
B. Privacy
The Lantern software is developed by a business company called Brave New
Software [3]. A business company should not be given as much trust as we
give to non-profit organizations, especially in terms of user privacy.
However, the good part is that we do not have to trust it. By placing
Lantern in an independent qube, it will not be able to collect the local
user behaviors that happen in other qubes. Additionally, a
Whonix-Gateway can be set up between the Lantern-Gateway and an AppVM,
making all the traffic through the Lantern client already encrypted by the
Tor client.
C. Usability
Apart from the reason that users may mess the qube up when downloading
and configuring the Lantern-Gateway manually themselves, another important
reason that the Lantern-Gateway should handle the downloading and
configuration process automatically is that it will greatly improve
the usability of the Lantern-Gateway. Regardless of whether the user
is knowledgeable enough to follow an instruction to configure a
Lantern-Gateway, helping users do the tasks mentioned above
automatically will also save users a large amount of time. This
feature can be especially useful when users would like to set up several
Lantern-Gateways quickly.
According to the documentation of Lantern on the Whonix wiki: “From the
beginning of version 3.0, Lantern implemented a bandwidth limitation of
800 MB/ month. When the bandwidth limit is reached, the connection is
slowed down and Free users are prompted to upgrade to Lantern Pro.
Specifically, the connection will be slowed down to approximately
20KB/s, making Lantern kind of unusable. On the other hand, considering
the payment methods Lantern company offers, it is merely impossible for
one to pay for Lantern Pro without damaging his/her privacy or/and
anonymity. An easy way to circumvent the problem describing above is to
set up a new VM and install a new Lantern application in it” [24]. That
is to say, it is predictable that a Lantern-Gateway user will have to
reinstall the Lantern-Gateway after a period of time. Therefore, it is
important to make the installation process as quick and simple as
possible.
D. Compatibility
Another benefit of using Lantern from a Lantern-Gateway over using it in
an AppVM is its better compatibility. That is to say, users do not have
to worry about whether they can successfully install Lantern on their AppVMs.
Practically, the AppVMs’ environments can be very different from one to
another, which means that the operating system of the AppVMs or the
software or dependencies the AppVMs have installed may be very different
from one to another, making it hard to predict whether Lantern will run
properly in them. Besides, the only Unix-like operating system officially
supported by Lantern is Ubuntu, which means one may have to compile the
source code oneself when trying to run Lantern on an
unsupported distribution or operating system.
By using Lantern through the Lantern-Gateway, one can simply configure the
NetVM of their AppVM to be the Lantern-Gateway. This implementation will
greatly improve the compatibility of the Lantern software, making it
possible for different qubes to proxy their traffic through the Lantern
network.
E. Extensibility
Although it is called the Lantern-Gateway, this only means that the qube uses
Lantern as the default censorship circumvention tool. It is not hard to
imagine using other alternative censorship circumvention tools which are
also contained in it. This feature provides great extensibility to the
Lantern-Gateway because it not only offers users multiple options to
choose the most suitable censorship circumvention tool for themselves,
but also mitigates the potential negative influence caused by the
termination of the Lantern project in the future. Notice that although
there is no evidence that Lantern will be ended in the future,
we should still take the possibility seriously, since the ending of a
censorship circumvention tool also depends on the technology used by
censors. Once Lantern is no longer able to circumvent the censorship, its
life will come to an end.

V. Implementation
The following paragraphs are a brief discussion of the essential
implementation of the Lantern-Gateway. Since the Lantern-Gateway is very
similar to Whonix-Gateway, several features that have been
implemented in Whonix-Gateway can serve as good references to
guide the development of the Lantern-Gateway.
A. Operating System Choices
a) Fedora or Debian
According to the document about operating systems on the Whonix wiki, both
Debian and Fedora can be a reasonable choice for the distribution on
which the Lantern-Gateway will be based [25]. According to some simple tests
which I have done myself, both Debian and Fedora can be manually
configured into a Lantern-Gateway. A slight difference is that the
Lantern software has to be compiled from source code on Fedora
because no binary installation file for Fedora has been provided by
the Lantern community.
Considering the Lantern-Gateway as a potential project which may be
mentored by a Whonix developer, Debian will be a more realistic choice
since a large number of potential issues have been solved or
acknowledged by Whonix developers.
b) Fedora-minimal
Qubes OS has shipped a template called Fedora-minimal which “only
weighs about 300 MB and has only the most vital packages installed,
including a minimal X and xterm installation” [26]. A reduction of
unnecessary installations will lead to a smaller attack surface, which
may be very useful to mitigate potential security risks.
B. Major components
a) Installation Script
Similar to the Tor Browser Downloader in Whonix [27], a program that
downloads, verifies and configures Lantern and the other censorship
circumvention tools is needed in the Lantern-Gateway. A simple shell script
can be written to implement those functions based on the current
documentation [21]. If time permits, a GUI application will be
developed to increase the usability.
b) Lantern-Gateway-Setup
Sharing a similar function with Whonix-Setup in Whonix [28], a
Lantern-Gateway-Setup can be used to let users choose which censorship
circumvention tools they would like to enable or disable.
c) Lantern-Gateway-Check
Similar to WhonixCheck in Whonix [29], a Lantern-Gateway-Check can
be used to detect whether the censorship circumvention tools are out of
date and whether the Lantern-Gateway can effectively bypass Internet
censorship.

VI. Conclusion
In conclusion, the Lantern-Gateway can be a very promising
anti-censorship tool. It will be very helpful for Qubes users to
circumvent Internet censorship effectively and enjoy a free
Internet. The implementation of the Lantern-Gateway will also benefit other
projects available on Qubes OS. Qubes/Whonix will benefit from it
because it will change the situation where the currently available
censorship circumvention tools may not be effective enough to help Whonix
users connect to the Tor network. We can also expect that the
implementation of the Lantern-Gateway will attract more and more people
in censored areas to consider adopting Qubes as their daily operating
system.

VII. Previous Work
Apart from the previous work that has been mentioned in the previous
discussion, the following resources will also be helpful:
1. A document on how to make a VPN Gateway manually:
https://www.qubes-os.org/doc/vpn/
2. A working repository related to I2P Gateway:
https://github.com/cle4r/var
3. A document on how to make a Lantern Gateway manually:
https://www.whonix.org/wiki/Lantern

References
[1] https://theinvisiblethings.blogspot.nl/2011/09/playing-with-qubes-networking-for-fun.html
[2] https://www.whonix.org/wiki/About
[3] http://www.bravenewsoftware.org/
[4] https://www.getlantern.org/faq/index.html
[5] http://www.reuters.com/article/us-china-internet-idUSKBN0L713L20150203
[6] https://www.forbes.com/sites/kenrapoza/2014/04/28/by-2016-china-internet-users-to-double-entire-u-s-population/#3ae2cd5c7e46
[7] https://en.wikipedia.org/wiki/Great_Firewall_of_China
[8] https://blog.torproject.org/blog/tor-partially-blocked-china
[9] https://www.petsymposium.org/2015/papers/fifield-tor-censorship-usability-hotpets2015.pdf
[10] https://blog.torproject.org/blog/knock-knock-knockin-bridges-doors
[11] https://www.torproject.org/docs/pluggable-transports
[12] https://phabricator.whonix.org/T386
[13] https://trac.torproject.org/projects/tor/wiki/doc/meek
[14] https://www.forbes.com/sites/gordonchang/2015/01/25/china-attacks-vpns-cutting-business-off-from-internet/
[15] http://www.vpngate.net/en/about_overview.aspx
[16] https://www.psiphon3.com/en/download.html
[17] https://github.com/Long-live-shadowsocks
[18] https://forums.whonix.org/t/i2p-running-on-whonix-gateway/2163
[19] https://www.qubes-os.org/
[20] https://github.com/getlantern/lantern/issues/659
[21] https://github.com/getlantern/lantern
[22] https://citizenlab.org/2014/03/maliciously-repackaged-psiphon/
[23] https://blog.torproject.org/blog/tor-browser-numbers
[24] https://www.whonix.org/wiki/Lantern
[25] https://www.whonix.org/wiki/Dev/Fedora
[26] https://www.qubes-os.org/doc/templates/fedora-minimal/
[27] https://github.com/Whonix/tb-updater
[28] https://github.com/Whonix/whonix-setup-wizard
[29] https://www.whonix.org/wiki/Whonixcheck

Proposal_of_Lantern_Gateway_first_draft.odt
0x6DCDD53C.asc
Proposal_of_Lantern_Gateway_first_draft.odt.sig
0x6DCDD53C.asc.sig
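The verify-before-install step that sections IV.A.2 (Download sources, Verification) and V.B.a (Installation Script) of the proposal call for, as an added example that is not part of the proposal and not code from Lantern, Whonix or Qubes: it checks a detached PGP signature with gpg and refuses to proceed unless the signing key's fingerprint equals one pinned in the script. It assumes the public key was imported from a keyring shipped with the gateway package rather than fetched from the same place as the binary, and the fingerprint value is a placeholder, not Lantern's real key.

```shell
#!/bin/sh
# Added example (not from the proposal, Lantern, Whonix or Qubes): the
# signature check a Lantern downloader should run before installing anything.
# The fingerprint is a placeholder assumption; a real deployment pins the
# project's published key fingerprint and ships the key with the template.
PINNED_FPR="0000000000000000000000000000000000000000"   # placeholder

# Decide from gpg --status-fd output (read on stdin) whether the file carried
# a good signature by the pinned key. Returns 0 only if a VALIDSIG line names
# the pinned fingerprint (as signing subkey or as primary key) and no
# BADSIG/ERRSIG/NO_PUBKEY/EXPKEYSIG/REVKEYSIG line appears anywhere.
check_gpg_status() {
    pinned="$1"
    verdict=1
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                # Fields: [GNUPG:] VALIDSIG <signing-key-fpr> ... <primary-key-fpr>
                set -- $line
                eval "primary=\${$#}"
                if [ "$3" = "$pinned" ] || [ "$primary" = "$pinned" ]; then
                    verdict=0
                fi
                ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*|"[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*)
                return 1
                ;;
        esac
    done
    return $verdict
}

# Run gpg on a file and its detached signature and feed the machine-readable
# status lines into check_gpg_status. Human-readable gpg output goes to
# stderr and is discarded, so only status lines reach the parser.
# Returns 0 only on a good signature by the pinned key.
verify_artifact() {
    file="$1"; sig="$2"; pinned="$3"
    [ -f "$file" ] && [ -f "$sig" ] || return 1
    gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null \
        | check_gpg_status "$pinned"
}

# Usage: ./lantern-verify.sh <downloaded-file> <downloaded-file.sig>
# Only runs when both arguments are given, so the functions can also be
# sourced from a larger installation script without side effects.
if [ $# -eq 2 ]; then
    if verify_artifact "$1" "$2" "$PINNED_FPR"; then
        echo "signature OK: $1 is signed by the pinned key"
    else
        echo "REFUSING to install $1: no valid signature by the pinned key" >&2
        exit 1
    fi
fi
```

A GOODSIG line alone is not enough: gpg emits it for any key in the keyring, so the fingerprint comparison on VALIDSIG is what ties the check to the one key the template deliberately trusts.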

Jean-Philippe Ouellet

Mar 12, 2017, 8:24:56 PM
to iry, qubes-devel
First of all, congratulations on a thorough proposal!

A few comments inline.
The same problems would still apply, but would instead apply to
obtaining and bootstrapping trust in your copy of Qubes. If this is a
problem you really wish to solve, simply providing trust via signed
qubes templates is not sufficient.

> B. Privacy
> ...
> By placing
> Lantern in an independent qube, it will not be able to collect the local
> user behaviors that happen in other qubes.

I think claiming this is somewhat misleading unless you also
enforce that the traffic within is somehow also protected
independently.
Running the server-side infrastructure to forward traffic has
associated costs, and perhaps those running them somehow rely on
income from Lantern Pro in order to cover those costs? I think it
would be wise to at least start a discussion with them about this
rather than taking an adversarial approach towards Brave New Software
right from the start.


Finally, (making the assumption that Iry Koon may not be your IRL identity)

On Sun, Mar 12, 2017 at 2:12 PM, iry <iry...@gmail.com> wrote:
> Hi everyone!
>
> I am Iry.

Be aware that Google will likely want to de-pseudonymize you at least
in order to pay you, and possibly also for
transparency/legal/tax/whatever reasons. If this is a concern, I would
strongly suggest discussing this with the GSoC administrative staff
well in advance of the relevant deadlines.

Regards,
Jean-Philippe

Patrick Schleizer

Mar 13, 2017, 10:08:24 AM
to iry, qubes...@googlegroups.com, Whonix-devel
Overall a great proposal!

And I can only agree with the comments by Jean-Philippe.

A Lantern downloader would be required indeed. Not sure you already had
that in mind, but I'd also suggest additionally pre-installing Lantern.

Not a blocker, but please consider renaming it to "censorship circumvention
gateway" or so. It could use another good product name that has yet to
be invented. That way you could swap out Lantern for another tool in
future should this be required. Then the overhead of changing the
template name would not be required.

I like the idea. You mentioned reasons why Lantern should not be
preinstalled in Whonix-Gateway. In essence, for security reasons, in
Whonix only software from packages.debian.org and The Tor Project gets
installed by default; third party sources are not as trusted. Yet, easily
accessible and usable circumvention technologies are not available from
these sources in Whonix.

By having a more narrowly focused, separate censorship circumvention
gateway, the security requirements could be relaxed without compromising
on the security of the anonymizing gateway.

Cheers,
Patrick

iry

Mar 20, 2017, 12:05:22 AM
to qubes...@googlegroups.com
Thank you very much Jean! I really appreciate your feedback!

I am sorry for the delay of my reply.

Jean-Philippe Ouellet:
> The same problems would still apply, but would instead apply to
> obtaining and bootstrapping trust in your copy of Qubes. If this is
> a problem you really wish to solve, simply providing trust via
> signed qubes templates is not sufficient.
I am not sure why "simply providing trust via signed qubes templates
is not sufficient". Do you mean that if one does not verify the Lantern
software, he/she will probably not verify the Qubes OS installation
file either? Could you please explain more about this to me? Thank
you very much!

>
>> B. Privacy ... By placing Lantern in an independent qube, it will
>> not be able to collect the local user behaviors that happen in
>> other qubes.
>
> I think claiming this is somewhat misleading unless you also
> enforce that the traffic within is somehow also protected
> independently.
Thank you for your feedback! I did find it misleading. The following
is my correction to the previous statement. How do you like this one?

By placing Lantern in an independent qube, it will not be able to
collect the user behaviors that happen in other qubes.

Additionally, a whonix-gateway can be set up between Lantern-Gateway
and an AppVM, making all the traffic through the Lantern client
encrypted by Tor client already.

> Running the server-side infrastructure to forward traffic has
> associated costs, and perhaps those running them somehow rely on
> income from Lantern Pro in order to cover those costs? I think it
> would be wise to at least start a discussion with them about this
> rather than taking an adversarial approach towards Brave New
> Software right from the start.

Thank you very much for your advice! I agree with you that I should
start a discussion with the Lantern community. I did not even realize
this could be a problem. Your advice made me realize that there is a
difference between being a DIY user and being a responsible developer.

I will start a discussion with them soon! And I will report the result
to the mail-list.

>
> Finally, (making the assumption that Iry Koon may not be your IRL
> identity)
>
> On Sun, Mar 12, 2017 at 2:12 PM, iry
> <iry...@gmail.com> wrote:
>> Hi everyone!
>>
>> I am Iry.
>
> Be aware that Google will likely want to de-pseudonymize you at
> least in order to pay you, and possibly also for
> transparency/legal/tax/whatever reasons. If this is a concern, I
> would strongly suggest discussing this with the GSoC administrative
> staff well in advance of the relevant deadlines.
>
Thank you very much for your suggestions! I do find it valuable. I
have taken care of the identity issue.

> Regards, Jean-Philippe

Please let me say thank you again for your feedback, Jean!

Best,
Iry


Jean-Philippe Ouellet

Mar 20, 2017, 2:13:33 AM
to iry, qubes-devel
On Mon, Mar 20, 2017 at 12:00 AM, iry <iry...@gmail.com> wrote:
> Jean-Philippe Ouellet:
>> The same problems would still apply, but would instead apply to
>> obtaining and bootstrapping trust in your copy of Qubes. If this is
>> a problem you really wish to solve, simply providing trust via
>> signed qubes templates is not sufficient.
>
> I am not sure why "simply providing trust via signed qubes templates
> is not sufficient". Do you mean that if one does not verify the Lantern
> software, he/she will probably not verify the Qubes OS installation
> file either? Could you please explain more about this to me? Thank
> you very much!

Yes, this is what I mean. Bootstrapping guarantees of authenticity and
integrity is not solved by simply wrapping the intended payload
(Lantern) in another thing (Qubes) which must itself also be
bootstrapped, unless that thing (Qubes) is already somehow trusted. In
this case, I sincerely doubt the intended users already have a trusted
copy of Qubes.

Rather, the net effect of such wrapping is that an adversary who
wishes to subvert the delivery of Lantern may instead target Qubes.

I'm not saying don't do it, only pointing out (as I think you already
understand) that meaningful secure delivery is not solved simply by
signing a template with a key distributed with Qubes, and as such the
download sources & verification section of your proposal was IMO
perhaps somewhat misleading.

>>> B. Privacy ... By placing Lantern in an independent qube, it will
>>> not be able to collect the local user behaviors that happen in
>>> other qubes.
>>
>> I think claiming this is somewhat misleading unless you also
>> enforce that the traffic within is somehow also protected
>> independently.
> Thank you for your feedback! I did find it misleading. The following
> is my correction to the previous statement. How do you like this one?
>
> By placing Lantern in an independent qube, it will not be able to
> collect the user behaviors that happen in other qubes.

...except for all the traffic analysis and active man-in-the-middling
it could do even on networks which might otherwise not be attacker
controlled.

> Additionally, a whonix-gateway can be set up between Lantern-Gateway
> and an AppVM, making all the traffic through the Lantern client
> encrypted by Tor client already.

I think this (or equivalent) should be very much encouraged, otherwise
your above statement may not hold true.

I view your proposed ProxyVM as providing only availability,
potentially at degraded integrity and confidentiality (in the event
that the circumvention tool is somehow vulnerable, which you indeed
recognize may be the case). Someone wanting all three properties may
need to take additional measures besides just using a given
censorship-circumvention tool, and should be well informed that that
is the case.

This is a minor detail though which can be addressed in documentation
much later on. Don't worry about it, your proposal is still very
strong IMO.

>> Running the server-side infrastructure to forward traffic has
>> associated costs, and perhaps those running them somehow rely on
>> income from Lantern Pro in order to cover those costs? I think it
>> would be wise to at least start a discussion with them about this
>> rather than taking an adversarial approach towards Brave New
>> Software right from the start.
>
> Thank you very much for your advice! I agree with you that I should
> start a discussion with the Lantern community. I did not even realize
> this can be a problem. Your advice let me realize that there is a
> difference between being a DIY user and being a responsible developer.

Heh. Reminds me of my game-hacking days ;)

There's a difference between privately using a cheat you wrote, and
distributing it and ruining the game for everyone...

> I will start a discussion with them soon! And I will report the result
> to the mail-list.

Sounds good.

> Please let me say thank you again for your feedback, Jean!

You're very welcome! This kind of detailed and engaged communication
is a model to all GSoC applicants :)