sys-whonix / tor / thunderbird
Bernhard
one of the most useful features of tor-browser is Ctl-Shift-L to change
the tor-path (and so, with high proba, the exit node IP) : this way,
websites that block a specific exit node for a certain time can be still
loaded (of course some fascist websites block all tor-exits and so that
this measure does not help) .
I feel that the same feature would be useful in other applications (in
particular in thunderbird). How can this be done? Maybe a "forced
reconnect" of IMAP connections suffices, but apart totally restarting
thunderbird I don't see how this can be done. Any hints? Or is there
good reason not to torify mail-fetching? Or never via IMAP?
thank you, Bernhard
Yuraeitha
This might seem slightly off-topic at first, but bare with me, it gets increasingly on-topic.
What kind of e-mail are you trying to download over Tor though? Like in general, Tor hides who you are, but not necessarily what is send/received at exit/enter nodes. If any encryption, like SSL/https is poorly handled, i.e. by the server/website you visit, then it's not enough security through Tor exit/enter nodes. So for example, if your e-mail has at any point, whatsoever, in any way, been leaked with information linking it to you, or giving any clues that a detective can use to identify you, then it's game-over for that e-mail address, and you need to make a new address.
Though it depends on your needs of course, for example if you don't care about governments, large corporations, or resourceful hacker groups, but only want to hide from the regular typical everyday hacker and businesses, mass surveillance, etc. then the e-mail is not compromised and can still be used on Tor.
Aight, so the point, what exactly do you want to hide your e-mail from? In my experience, there are different approaches to different scenarios, which includes e-mails too.
More specially towards the question at hand, I think it's tricky to do something like that in Thunderbird, but I'm not a programmer, so I wouldn't know for sure. However, if you think about how it works in Qubes/Whonix/Tor, then the Tor browser appears to be tunneling Tor-Browser within Tor(Sys-whonix), basically doubling the onion layers compared to a regular Tor browser. I'm not entirely sure if this is the case, it's just something I figured must be the case.
In other words, when you do this exit node change in your Tor browser, this does change your exit from your Browser, but not the exit node from your sys-whonix Tor network. Basically, the middle link between the two onion Tor layers, remains the same until it changes on its own automatically like usual.
In other words, the Tor Browser can do this, because it itself is tied directly tor the Tor network. But for applications, like Thunderbird, it has no means to communicate with the Tor network, and it seems unlikely something the whonix developers, or the Tor developers, would want to implement given the extra overhead or potential issues introduced through further complexity (but I wouldn't know, I'm guessing towards that).
Also this is probably a better question asked on either the Whonix or Tor forums, probably most fitting for the whonix forums. The people over there know waaaaaay more, unless if lucky and one of them happens to drop by here.
entr0py
>> Hello,
>>
>> one of the most useful features of tor-browser is Ctl-Shift-L to change
>> the tor-path (and so, with high proba, the exit node IP) : this way,
>> websites that block a specific exit node for a certain time can be still
>> loaded (of course some fascist websites block all tor-exits and so that
>> this measure does not help) .
>>
>> I feel that the same feature would be useful in other applications (in
>> particular in thunderbird). How can this be done? Maybe a "forced
>> reconnect" of IMAP connections suffices, but apart totally restarting
>> thunderbird I don't see how this can be done. Any hints? Or is there
>> good reason not to torify mail-fetching? Or never via IMAP?
>>
>> thank you, Bernhard
Thunderbird is torrified by an extension called TorBirdy. Your requested feature has been tracked for quite some time (5 years) but appears nearing implementation now that Thunderbird-related roadblocks have been cleared. (https://trac.torproject.org/projects/tor/ticket/6359) Also, the main reason for that ticket is not circuit swapping but stream isolation. At present (Whonix bonus), each different email server you connect to is given a different circuit. With #6359, multiple accounts at the same email provider can also be isolated by circuit.
Currently, you can generate new circuits for all future Tor requests by using the "New Identity" feature via one of the following equivalent options:
1. From anon-whonix, use "New Identity" in Tor Browser. (applies to all Tor connections, not just the browser.)
2. From sys-whonix, use arm/nyx (monitoring tool) to send New Identity request
3. From sys-whonix, send SIGNAL NEWNYM via telnet to 127.0.0.1:9051
> More specially towards the question at hand, I think it's tricky to do something like that in Thunderbird, but I'm not a programmer, so I wouldn't know for sure. However, if you think about how it works in Qubes/Whonix/Tor, then the Tor browser appears to be tunneling Tor-Browser within Tor(Sys-whonix), basically doubling the onion layers compared to a regular Tor browser. I'm not entirely sure if this is the case, it's just something I figured must be the case.
[1] https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO#ToroverTor
[2] https://trac.torproject.org/projects/tor/ticket/2667
[3] https://www.whonix.org/wiki/DoNot#Prevent_Tor_over_Tor_Scenarios
[4] https://www.whonix.org/wiki/Dev/anon-ws-disable-stacked-tor
haaber
> Yuraeitha:
>> On Friday, November 24, 2017 at 9:01:24 AM UTC, Bernhard wrote:
>>> Hello,
>>>
>>> one of the most useful features of tor-browser is Ctl-Shift-L to change
>>> the tor-path (and so, with high proba, the exit node IP) : this way,
>>> websites that block a specific exit node for a certain time can be still
>>> loaded (of course some fascist websites block all tor-exits and so that
>>> this measure does not help) .
>>>
>>> I feel that the same feature would be useful in other applications (in
>>> particular in thunderbird). How can this be done? Maybe a "forced
>>> reconnect" of IMAP connections suffices, but apart totally restarting
>>> thunderbird I don't see how this can be done. Any hints? Or is there
>>> good reason not to torify mail-fetching? Or never via IMAP?
>>>
>>> thank you, Bernhard
>
> Each request to your Tor client (in sys-whonix) via SocksPort is accompanied by a SOCKS username and password. By clicking "New Tor Circuit for this Site" in Tor Browser, you are changing the password component, which causes the Tor client to generate a new circuit for the same first-person domain when a request is received.
>
> Thunderbird is torrified by an extension called TorBirdy. Your requested feature has been tracked for quite some time (5 years) but appears nearing implementation now that Thunderbird-related roadblocks have been cleared. (https://trac.torproject.org/projects/tor/ticket/6359) Also, the main reason for that ticket is not circuit swapping but stream isolation. At present (Whonix bonus), each different email server you connect to is given a different circuit. With #6359, multiple accounts at the same email provider can also be isolated by circuit.
>
> Currently, you can generate new circuits for all future Tor requests by using the "New Identity" feature via one of the following equivalent options:
> 1. From anon-whonix, use "New Identity" in Tor Browser. (applies to all Tor connections, not just the browser.)
> 2. From sys-whonix, use arm/nyx (monitoring tool) to send New Identity request
> 3. From sys-whonix, send SIGNAL NEWNYM via telnet to 127.0.0.1:9051
that socks was the problem & should be fine now. I wanted to copy the
"network-connections" config form tor-browser into a thunderbird, but I
do not understand anything there. It uses
file:///var/run/anon-ws-disable-stacked-tor/127.0.0.1_9150.sock
This folder contains a lot of 0-byte special files that are past my
understanding. Link [4] Did not help me :(
Or should I better run thunderbird inside anon-whonix? Or clone
anon-whonix and run it there?
Thanks, Bernhard
Desobediente
You could clone whonix-ws and install needed software in the cloned template as well.
entr0py
Do you need help torrifying Thunderbird? If you are using Thunderbird in a non-whonix-workstation VM, you can install the TorBirdy extension and point it to your sys-whonix IP and Port 9102.
Thunderbird is installed and torrified by default in anon-whonix already. You can use anon-whonix, clone it, make a new appVM based on whonix-ws, whatever fits your needs.
entr0py
https://stem.torproject.org/faq.html#how-do-i-request-a-new-identity-from-tor
https://www.torproject.org/projects/torbrowser/design/#new-identity
Desobediente
Not sure what you mean by "AppVM level" but "New Identity" marks ALL circuits dirty regardless of where it's invoked. So using "New Identity" in anon-whonix-6 is the same as using it in sys-whonix for purposes of generating new circuits for Thunderbird. TorButton (in Tor Browser) performs a few additional tasks as described in link below compared to arm, but as it relates to circuits, they both send SIGNAL NEWNYM.
https://stem.torproject.org/faq.html#how-do-i-request-a-new-identity-from-tor
https://www.torproject.org/projects/torbrowser/design/#new-identity
Yuraeitha
ah, good I made a disclaimer :')
Though, it does seem rather unsafe to run multiple of qubes over the same exit nodes in the Tor network.
The most dangerous security issue out there, imho at least, is the assumption you are safe, when you are not. If what you're saying is true, and I'm confident it is given your background, then this might cause some dangerous user habits on Qubes in particular, beyond that what is a concern by using just Whonix/Tor? Similar issue probably exits between Whonix and Tor, but to a lesser extent as Qubes does not have any warnings about this, which is particular a concern when it's easier to mess up in Qubes, and run the same applications over the same exit nodes, at the same time.
I did hear the warning of not running Tor over Tor before, though it was so long back that only the Tor browser was around back then. I had assumed it'd been fixed by now on Whonix and in particular Qubes. Especially considering the dangerous trap Whonix and in particular Qubes creates when running more on the same exit node.
Unman
It's not that qubes run over the same EXIT NODES, as you say.
Because of stream isolation they may run over the same entry node, but have
different circuits, so will probably exit Tor over different exit nodes.
There is nothing to "fix" in Tor over Tor - you can do this if you wish,
(except in Whonix), but the behaviour carries risks.
If you are concered about running qubes over the same ENTRY node then
you can use different TorVMs or Whonix-gws as proxies for different sets
of qubes, so ensuring complete isolation of the Tor circuits between the
qubes you wish to keep separate. Qubes and Whonix make this simple.
unman
Yuraeitha
ohh, I see, so that's what is meant by "circuits". It does give the word an interesting meaning, albeit it might common to understand it correctly in an institutional context within the Tor community. But the essence of the word does make sense too in this context after explained.
Thanks for the clarification, as you probably know it would, it changes how I perceived the Tor network quite fundamentally.
I apologize for my wrong assumption that I thought the Tor network as a single channel at any given time. It never occurred to me that it could have parallel channels in a different circuit kind of way.