[Freedombox-discuss] Privoxy via Tor, and APT via Privoxy?

Tim Retout diocles at debian.org
Wed Apr 16 14:16:26 UTC 2014


On Wed, 2014-04-16 at 14:14 +0200, Petter Reinholdtsen wrote:
> One thing mentioned by Jacob Appelbaum in his talk the other day, was
> the advantages of upgrading packages via Tor, to make it harder to
> target a given machine with fake packages.
> 
> I suggest we implement this in the Freedombox, by asking Privoxy to
> send all requests via Tor, and ask APT to fetch data via Privoxy.
> What do the rest of you think about doing this?

I think this idea is worth trying - even if secure apt prevents someone
putting fake packages onto your machine, this will stop people seeing
which software they need to find zero-day vulnerabilities in. :)

What's the best apt mirror to use with tor?  Maybe http.debian.net?
It's probably important to preserve anonymity that everyone uses the
same mirror.

I'm surprised that apt doesn't support SOCKS proxies directly - random
people on the internet seem to think that it does, but there's no
mention in apt's source code.

Comments below:

> The following untested patch for freedombox-setup should implement the
> feature, redirecting APT via privoxy through Tor.  I've tested the
> configuration, but not a freedombox-setup package with these scripts
> in place to set up this change.  We could also include the
> /etc/apt/apt.conf.d/10freedombox-setup-privoxy file as part of the
> package, but then APT on machines with the package installed but no
> configured privoxy running will stop working.  The privoxy setup does
> not handle IPv6.  Not quite sure how to fix that.
> 
> diff --git a/setup.d/91_privoxy b/setup.d/91_privoxy
> index d975a42..9fbfd5a 100755
> --- a/setup.d/91_privoxy
> +++ b/setup.d/91_privoxy
> @@ -4,3 +4,15 @@ apt-get install -y privoxy
>  
>  # Listen on all interfaces
>  sed -i 's/listen-address  localhost:8118/listen-address  *:8118/' /etc/privoxy/config
> +
> +# Send outgoing connections via Tor
> +if grep -q ^forward-socks5 ; then
> +    :
> +else
> +    cat >> /etc/privoxy/config <<EOF
> +forward-socks5   /               127.0.0.1:9050 .
> +forward         192.168.*.*/     .
> +forward            10.*.*.*/     .
> +forward           127.*.*.*/     .
> +EOF
> +fi
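Review bot: The guard `if grep -q ^forward-socks5 ; then` has no file operand, so grep reads the script's stdin rather than /etc/privoxy/config, and the check never looks at the file it is meant to protect against duplicate appends; pass the path explicitly, and the empty then-branch can go by negating the test: `if ! grep -q '^forward-socks5' /etc/privoxy/config; then`. The direct-forward exceptions cover 192.168.0.0/16, 10.0.0.0/8 and 127.0.0.0/8 but not 172.16.0.0/12, so a box on that range would push its local traffic into the Tor forward as well.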
> diff --git a/setup.d/92_privoxy_apt b/setup.d/92_privoxy_apt
> new file mode 100755
> index 0000000..818965d
> --- /dev/null
> +++ b/setup.d/92_privoxy_apt
> @@ -0,0 +1,12 @@
> +#!/bin/sh
> +#
> +# Tell APT to use provixy.

s/provixy/privoxy/

> +#
> +# The pipeline change is to avoid <URL: https://bugs.debian.org/565555 >.
> +# Not sure if it affect privoxy.
> +
> +cat > /etc/apt/apt.conf.d/10freedombox-setup-privoxy <<EOF
> +Acquire::http::Proxy "http://localhost:8118/";
> +Acquire::ftp::Proxy "http://localhost:8118/";

Privoxy cannot proxy ftp traffic, according to its FAQ.  You might want
to add https, but I don't think anyone uses that?

> +Acquire::http::Pipeline-Depth 0;
> +EOF
> 
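Review bot: Only Acquire::http::Proxy is routed through Privoxy; any https source in sources.list falls outside this snippet and connects directly, which defeats the point of the change, so add `Acquire::https::Proxy "http://localhost:8118/";` next to it (and, as noted above, drop the ftp line, since Privoxy cannot proxy ftp). The comment `# Not sure if it affect privoxy.` should be resolved before this lands: either confirm that #565555 applies here and say so in the comment, or drop the Pipeline-Depth override. Minor: `Acquire::http::Pipeline-Depth 0;` leaves its value unquoted while the two lines above quote theirs; write `"0"` for consistency.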

-- 
Tim Retout <diocles at debian.org>
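Added example, not code from the thread or from freedombox-setup: a small offline lint for the APT -> Privoxy -> Tor chain discussed above. It checks a privoxy config for a catch-all forward to Tor and an apt.conf.d snippet for schemes that would bypass the proxy, running the checks against constructed sample files written to a temp directory. The Tor SOCKS port (127.0.0.1:9050) and the Privoxy port (8118) are taken from the quoted patch; everything else (function names, the sample files) is made up here.

```sh
#!/bin/sh
# Added example, not code from the thread or from freedombox-setup: an
# offline lint for the APT -> Privoxy -> Tor chain. Assumed (only from the
# quoted patch): Tor SOCKS on 127.0.0.1:9050, Privoxy on port 8118.

# check_privoxy_forward FILE
# 0 if FILE has an uncommented catch-all rule sending every URL to Tor's
# SOCKS port. Privoxy's forward-socks5t variant is accepted as well.
check_privoxy_forward() {
    grep -Eq '^[[:space:]]*forward-socks5t?[[:space:]]+/[[:space:]]+127\.0\.0\.1:9050[[:space:]]+\.' "$1"
}

# check_apt_proxy FILE
# 0 if both http and https are sent to Privoxy on localhost:8118 and no
# ftp proxy is configured. An https source with no Acquire::https::Proxy
# line connects directly and reveals the host; Privoxy cannot proxy ftp.
check_apt_proxy() {
    grep -Eq '^Acquire::http::Proxy[[:space:]]+"http://(localhost|127\.0\.0\.1):8118/?";' "$1" || return 1
    grep -Eq '^Acquire::https::Proxy[[:space:]]+"http://(localhost|127\.0\.0\.1):8118/?";' "$1" || return 1
    ! grep -Eq '^Acquire::ftp::Proxy' "$1"
}

# Constructed sample: the apt.conf.d snippet as posted (http and ftp only).
apt_snippet_as_posted() {
    cat <<'EOF'
Acquire::http::Proxy "http://localhost:8118/";
Acquire::ftp::Proxy "http://localhost:8118/";
Acquire::http::Pipeline-Depth 0;
EOF
}

# Constructed sample: the same snippet with https covered and ftp dropped.
apt_snippet_fixed() {
    cat <<'EOF'
Acquire::http::Proxy "http://localhost:8118/";
Acquire::https::Proxy "http://localhost:8118/";
Acquire::http::Pipeline-Depth "0";
EOF
}

# Constructed sample privoxy config in the shape of the quoted patch. Privoxy
# applies the last matching forward rule, so the catch-all comes first and
# the direct (".") exceptions for private and loopback ranges follow it.
privoxy_config_sample() {
    cat <<'EOF'
listen-address  127.0.0.1:8118
forward-socks5   /               127.0.0.1:9050 .
forward         192.168.*.*/     .
forward            10.*.*.*/     .
forward           127.*.*.*/     .
EOF
}

# lint_chain: run the checks against the three samples in a temp dir and
# report. Returns 0 only if the privoxy config forwards to Tor, the
# as-posted APT snippet is rejected, and the fixed snippet is accepted.
lint_chain() {
    dir=$(mktemp -d) || return 1
    privoxy_config_sample > "$dir/config"
    apt_snippet_as_posted > "$dir/as_posted"
    apt_snippet_fixed     > "$dir/fixed"
    rc=0
    if check_privoxy_forward "$dir/config"; then
        echo "privoxy config: catch-all forward to Tor present"
    else
        echo "privoxy config: no catch-all forward to Tor"; rc=1
    fi
    if check_apt_proxy "$dir/as_posted"; then
        echo "as_posted: passed (unexpected)"; rc=1
    else
        echo "as_posted: rejected (https not proxied, ftp line present)"
    fi
    if check_apt_proxy "$dir/fixed"; then
        echo "fixed: ok"
    else
        echo "fixed: rejected (unexpected)"; rc=1
    fi
    rm -rf "$dir"
    return $rc
}
```

Source the file and call `lint_chain` to see the three verdicts; point `check_privoxy_forward` and `check_apt_proxy` at the real /etc/privoxy/config and /etc/apt/apt.conf.d/10freedombox-setup-privoxy to lint an actual box.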

