Bug 689339 - Integrate Tor into privacy settings
Status: RESOLVED OBSOLETE
Product: gnome-control-center
Classification: Core
Component: Network
Version: 3.7.x
Hardware: Other Linux
Importance: Normal enhancement
Target Milestone: ---
Assigned To: Control-Center Maintainers
QA Contact: Control-Center Maintainers
Depends on: 592305 656215
Blocks:
 
 
Reported: 2012-11-30 11:15 UTC by Allan Day
Modified: 2021-06-09 16:00 UTC
See Also:
GNOME target: ---
GNOME version: 3.7/3.8



Description Allan Day 2012-11-30 11:15:00 UTC
During a recent marketing meeting, it was suggested that Tor [1] could be integrated into Settings as a part of a campaign around privacy. I'm filing this bug on behalf of the marketing team.

Tor integration could make sense as a part of privacy settings, and can be conceptualised as "enhanced anonymity online". However, there are questions that need to be answered in order to determine whether Tor would be viable as a part of GNOME itself as well as to inform the design of this feature. These are the questions I came up with (there might be more):

 * Does using Tor have an impact on network performance?
 * What is Tor's global availability? Are there any locales where it cannot be used?
 * How sustainable is Tor? GNOME releases can be supported for many years: can we guarantee that this feature will still be available in 2017?
 * How reliable is the Tor network? Is there ever any interruption in availability? Is it possible to lose your connection to the Tor network but still be online? Does the performance of the Tor network vary over time?
 * Does Tor have consequences for what websites can do? Does it mean that they won't be able to remember who you are or store information about what you have been doing on their site?
 * Is there any functional interaction between Tor and other "do not track" features?

[1] https://www.torproject.org/
Comment 1 Allan Day 2012-12-03 15:25:23 UTC
From marketing-list [1]:

"The biggest 'disadvantage' to Tor as I understand it comes from the
hit you take in overall network performance, which can be
considerable, and is highly variable depending on the speeds you get
through the nodes Tor chooses. If you get unlucky and hit a node run
by somebody with a crappy connection like me, it can be considerable"

This might well mean that building Tor integration into GNOME isn't appropriate. In terms of the UI, it's hard to communicate the vagaries involved (you might get network slowdown, network performance might vary over time). More than that, I don't think it would make GNOME look very good if we included a feature that has noticeable performance drawbacks.

Another nagging question about this proposal: how would we explain Tor in relation to other do not track features?

[1] https://mail.gnome.org/archives/marketing-list/2012-November/msg00120.html
Comment 2 Bastien Nocera 2012-12-03 15:36:18 UTC
I don't really think it's relevant what the network performance is, as the missing features for Tor are the same as the missing feature for other VPN types, namely:
- It's not possible to disallow any traffic going anywhere but through the VPN
- It's not possible to stop all networking when the VPN isn't enabled

As for Tor support itself, it should be implemented as a VPN.

Once all the above is done (please create the bugs against NetworkManager for that, though some might already exist), we can discuss making that particular VPN a first-class citizen. In the meanwhile, discussing integration is moot.
Comment 3 Allan Day 2012-12-18 16:51:07 UTC
(In reply to comment #2)
...
> As for Tor support itself, it should be implemented as a VPN.
...

I agree - that makes a lot more sense.
Comment 4 Pavel Simerda 2013-01-02 14:29:58 UTC
I agree with filing feature requests at networkmanager for anything that would benefit all (or at least most) VPNs. There's a closed feature request for Tor integration in networkmanager (see the list of blockers) that is closed because there's no one even going to work on that.

It got closed together with a bunch of other stale requests.

As for packet security policy, this is implemented in kernel but unfortunately only for IPsec VPNs. Linux iptables firewall is currently not a viable place to do things like that. Can elaborate more if requested. So the only available option is the routing table.

That means the link under VPN must not have default route set.

Related bug report:

https://bugzilla.gnome.org/show_bug.cgi?id=680955

Please also understand that currently networkmanager is not a security tool at all. VPN plugins are regarded as connectivity plugins, not security plugins. This is a precisely opposite view than for example IPsec.

And even if you don't need IPsec or don't want to use it, it's currently the only proper secure VPN architecture in Linux. It will be a tough task to make other tools security aware.
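
Added example (not part of any comment in this thread, and not NetworkManager code): a check for the routing-table condition described in comment 4, that the link under the VPN carries no default route, so traffic fails rather than leaving in the clear when the VPN link goes down. The interface names, addresses and sample `ip -4 route show` output are constructed, and the check goes slightly beyond the comment by also flagging split-default prefixes such as `0.0.0.0/1`.

```python
import ipaddress

# Constructed `ip -4 route show` samples; tun0 is the VPN link, eth0 the link under it,
# 203.0.113.7 a placeholder VPN gateway address.
LEAKY = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
default via 10.8.0.1 dev tun0 metric 50
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""
FAIL_CLOSED = """\
default via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
203.0.113.7 via 192.168.1.1 dev eth0
"""
# Private and link-local ranges: routes inside these stay on the local network.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

def parse_routes(text):
    """Return (network, device) pairs from `ip -4 route show` style lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if "dev" not in fields[:-1]:
            continue  # blank line, or blackhole/unreachable routes with no device
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # first field is a route type keyword, not a prefix
        routes.append((net, fields[fields.index("dev") + 1]))
    return routes

def underlay_leaks(text, vpn_dev, vpn_gateway):
    """List routes that can carry non-local traffic outside the VPN link."""
    gateway = ipaddress.ip_network(vpn_gateway)  # host route for the tunnel itself
    leaks = []
    for net, dev in parse_routes(text):
        if dev in (vpn_dev, "lo") or net == gateway:
            continue
        if any(net.subnet_of(local) for local in LOCAL_NETS):
            continue
        leaks.append((str(net), dev))
    return leaks
```

In the `LEAKY` sample the VPN default route is preferred by metric, but the `eth0` default takes over as soon as `tun0` disappears, which is why it is reported.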
Comment 5 Daniel Preston 2013-03-31 22:44:22 UTC
While I find this idea appealing in general, I don't think it's feasible.

The user would have to be aware that some malicious Tor exit nodes sniff unencrypted traffic and even try active attacks, such as SSL downgrade attacks (sslstrip). Activating the privacy feature could get some of the users' online bank accounts blocked, because the list of Tor exit nodes is public knowledge for anyone and banks usually add them to the fraud suspected list and lock down the account until they know what's going on.

Of course, you could use iptables to set up a Transparent Proxy [1], but implementing privacy is also more than "just route all traffic through Tor". While Tor does a good job at IP obfuscation, that's not even half of the things you have to do. Applications themselves leak so much information that this alone won't add any privacy.

For example, browsers suffer from linkability issues due to evercookies and browser fingerprinting. That's why The Tor Project maintains the Tor Browser Bundle. Torifying your own browser is discouraged (you're free to do so, but it won't add privacy). [2]

Unless you are behind a Transparent Proxy Anonymizing Middlebox or Isolating Proxy [5], other applications such as Skype and Bittorrent [4] read the ISP IP from ifconfig and send them anywhere.

If you want to enhance privacy, you have to design the whole operating system with that idea in mind. You can't implement it in a single component. That's why Whonix [3] has been created.

Feel free to create an alternative to privacy focused operating systems such as Whonix, Tails or Liberte Linux, but I think it would require some more thought on a more general ticket and network manager would only be a fraction of the solution.

Full disclosure:
Adrelanos, maintainer of Whonix.

[1] https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
[2] https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers
[3] http://whonix.sf.net/
[4] https://blog.torproject.org/blog/bittorrent-over-tor-isnt-good-idea
[5] https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IsolatingProxy
Comment 6 Daniel Preston 2014-12-09 21:20:46 UTC
So I guess it should be closed to clean up the bugtracker... :)
Comment 7 Bastien Nocera 2014-12-10 14:36:43 UTC
(In reply to comment #6)
> So I guess it should be closed to clean up the bugtracker... :)

It's still relevant I'm afraid.
Comment 8 martink 2019-02-22 14:39:11 UTC
IMO this is very relevant and bugs me for quite some time. Is there any progress in this whatsoever? If so, I can't find it.

So there's been https://wiki.gnome.org/Foundation/PrivacyCampaign2013/#Tor_integration which says "hard to do really safely" and that's true. But I suspect that this stops people from just doing it. And I think that, if it does, that's wrong and unnecessary.

I think it would bring an unthinkable amount of value to people when GNOME would offer one simple switch, just like "flight mode", for doing each and every connection over Tor, *as good as it can*. And I can still do a direct connection out if I want to, that will always be true. But that's ok and we can verify and watch it, and go on from there.

Don't be hard on yourself when it comes to terminology. You don't have to call a Tor mode "secure" or "anonymous" or "safe" or whatever. Call it "enhanced" or just "Tor" or something even less strict.

Tor Browser is the killer App using the Tor network. GNOME just could (easily?) become another, completely different user. Start *depending* on the Tor package (by a configure switch, at first disabled by default if necessary) and go from there.

I just needed to put this out there and see if there's GNOME people who get the idea :)
Comment 9 André Klapper 2021-06-09 16:00:12 UTC
GNOME is going to shut down bugzilla.gnome.org in favor of gitlab.gnome.org.
As part of that, we are mass-closing older open tickets in bugzilla.gnome.org
which have not seen updates for a longer time (resources are unfortunately
quite limited so not every ticket can get handled).

If you can still reproduce the situation described in this ticket in a recent
and supported software version, then please follow
  https://wiki.gnome.org/GettingInTouch/BugReportingGuidelines
and create a new enhancement request ticket at
  https://gitlab.gnome.org/GNOME/gnome-control-center/-/issues/

Thank you for your understanding and your help.