Hacker News new | past | comments | ask | show | jobs | submit login

I wonder how hard it would be to ship tor as a bundle with qemu and a very thin Linux image that provided just enough functionality to run it, then when you click on the start icon, it opens the emulator, which opens up the browser in a environment that's thin enough you don't even really need to pay attention to it because you've just got a window containing window containing your browser. With the right wm inside, you wouldn't even need that; it just happens that this browser window is actually running inside of the VM that shows up on your physical system.



I've been doing similar things, just in docker instead of a VM (and doing X11 forwarding via xpra). Not entirely happy with the setup yet; I still need to figure out how to do that with two containers so that the browser doesn't get accidental internet access. Not quite as good as a VM, but better than nothing and easier for me to maintain.


Why do you say "easier for me to maintain"? Are you talking about keeping them updated? That does get to be a pain.


Yep, keeping things updated. Right now I have it set to scrape the torproject web site to extract the location of the latest release, so that `make build` can get me an updated browser.


Check out tails: https://tails.boum.org/about/index.en.html

Pretty much that. Forward some X11?


Tails isn't a VM. It's a LiveCD.


That'd be cool. As long as the network isolation was solid. And easier than getting people to install VBox and Whonix.


shameless plug: https://github.com/r-a-w/TorProxy

This will ensure all outgoing traffic is headed for the Tor network. This would prevent this vuln from being effective as it would drop the outbound packets.


It might be irrational, but I have this vague notion that it's somehow less secure than Tor on a router. Breaking out of virtualization is certainly not easy, but it seems easier than hacking a locked down router.


I agree that a physically separate router (fully secured and patched itself!) forcing traffic through TOR is better still, but I see virtualization as a superior alternate to plain binaries with no extra layers, which is what's used today. It's also easier to use for the end user.


Yes, it's almost certainly less secure than running Tor on a router. But I sometimes use multiple Whonix instances, for different personas, and they hit Tor through different nested VPN chains. And using hardware for that would be too tedious.


You can always start two VMs with very thin OSs on them. The Tor proxy could even be a unikernel with no functionality beyond being a Tor proxy.


I've played some with that. Whonix uses a full Debian install for the gateway, and that uses lots of disk. I used OpenWRT VMs for a while, but Tor releases in their repo got way out of data, and I never managed a build.

If someone can point to a distro that works for this, many of us would be very happy.


I have some nice experiences running Alpine within VMs. Very small too, but I did so in order to test things for deployment in containers, not Tor services.


This sounds like the right approach.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: