[Tor-BSD] tor Ports 9050 and 9150

attila attila at stalphonsos.com
Sat Aug 1 11:07:36 EDT 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA384


teor <teor2345 at gmail.com> writes:

> Hi attila,

Heya teor,

>
> I just read your post on porting Tor Browser to OpenBSD - thanks for the work you're putting into this.
> http://trac.haqistan.net/blog/adventures-ports-tor-browser
>

This post is somewhat outdated on my thinking about this and other
issues, although I can't blame you for that... I'm working on an
update now, having just finished getting the OpenBSD ports up to Tor
Browser 4.5.3.  If you're more curious about my travails in this
regard you can always read my notes:
    <https://github.com/torbsd/openbsd-ports/blob/master/notes.org>
but be warned: I am sometimes a little caustic...

> I wanted to explain why Tor Browser uses tor SOCKS port 9150, but the default system tor port is 9050.
>
> Tor Browser is designed to run its own instance of tor on 9150, and to not conflict with any existing system tor install on 9050. (This, of course, causes some confusion, and some tor clients look on 9050, and others on 9150.)
>
> If you want to use the system tor for both Tor Browser and other apps, why not just have it listen on both 9050 and 9150?

In fact we do exactly this.  After playing around with early builds of
the ports I came to the conclusion that the situation on OpenBSD was
actually fortuitous: the system-installed tor that runs from the
config in /etc/tor/torrc and whatever instance of tor that TB starts
were already pretty much disentangled by fiat because of 9050
vs. 9150.  Sadly there were other issues that kept this from working
out perfectly, most of which I only just fixed in the 4.5.3 update of
the ports.  Before then it was the case that TB could effectively
stomp on /etc/tor/torrc if the user that was running TB was able to
modify /etc/tor/torrc (say, because they were in wheel and it was
group-writable: it is not that way by default but it could be on any
given system *cough*mine*cough*).  Regardless of a SAVECONF from
tor-launcher possibly hosing down /etc/tor/torrc the issue still
remained that a missing torrc in ~/.tor-browser (where the OpenBSD TB
port stores profile and other data that the Linux bundle stuffs into
the unpacked bundle) could cause things to not work.  This has been
effectively dealt with in the latest upgrade by means of a script
(start-tor-browser) which (a) ensures that ~/.tor-browser is kosher
and (b) is hooked into the tor-browser.desktop file so that invoking
TB via the usual desktopery in Gnome or KDE should Just Work.

> There are security implications of using the same tor instance for multiple apps (mainly cache sharing, denial of service, and single-point-of-hack/failure). However, there are also advantages in combining all your tor traffic together, as it's (slightly) harder to analyse that way.

To my mind the main issue is more TB vs. other apps.  If I'm using
e.g. irssi over tor then I'm using the system tor for that (port
9050).  I'm not going to entangle my use of irssi with TB.  I don't
have a good feel for how much harder traffic analysis becomes when you
merge all your Tor traffic together, but my intuition is that it's not
necessarily a slam-dunk.

Beyond that there is also a matter of principle, or at least a
scruple: I don't think installing one (set of) packages(s) (TB) should
affect the normal functioning of another, totally separate package
(net/tor).  The TB port R-deps on net/tor and requires it to be
installed but that has nothing to do with whatever the user has done
in their /etc/tor/torrc.  Whatever configuration they have there
should be totally separate from anything TB requires IMHO, so for this
reason alone I should ensure that, at least by default, the two things
don't clash.  There should probably also be a more extensive README
with the tor-browser port that explains this issue and at least points
at a couple documents.

> A similar tradeoff exists for running a tor relay on the same instance as Tor Browser. (However, in the case of a hidden service, it's recommended that it's a separate instance, ideally on a separate machine.)

This I don't see much use for personally, but I guess someone might
want to... I guess I'm just too used to sitting in front of a laptop
to think such thoughts.  If you worked at e.g. a Tier-N ISP and had a
beefy desktop machine as your main axe I can see running a relay on it
along with Tor browser.  In a previous life I would've, but the idea
of running any kind of relay on the craptastic DSL I have is
laughable.

> Regards
>
> Tim
>
> Tim Wilson-Brown (teor)
>
> teor2345 at gmail dot com
> pgp ABFED1AC
> https://gist.github.com/teor2345/d033b8ce0a99adbc89c5
>
> teor at blah dot im
> OTR D5BE4EC2 255D7585 F3874930 DB130265 7C9EBBC7

Thanks much for the feedback.

Pax, -A
- --
http://trac.haqistan.net | attila at stalphonsos.com | 0xE6CC1EDB
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Processed by Mailcrypt 3.5.9 <http://mailcrypt.sourceforge.net/>

iQIcBAEBCQAGBQJVvOCMAAoJEJZ30KbmzB7baDUQAJMO1zP7Vo+w5xGJ00ZBvS3c
KU8KtAr3U0uMuXPxFq2S54ZjGJ7dR2hdQmV2F0thaBKOTIY+dwk1PmwXA6dq+U7e
40yTZ20QsIx2zoMa7NysFZQKQgbh82SXG3nCHaohhS9X0K+ZEeYYUmqQ5mETEHMj
forspVz6QbfskrHVpdQHwk7g8fFQ4OWzkE1i+ZXHv7bogcKsLeAzWdNfJcHjtthU
9Vx1rokELJTM6Q4xkGVqid0WniSV+/9O5Dol/TJHO8EBNgtGOvB4RxOd+m3Rk7SO
TmIUe/N+XvZkYsxAOd/VJuaG4wsJ8uRZQqTMWRUl/BOEsNvgFb15Gqqq4PX8bGI4
sMBAdzZ5tj9HV49LVsWQExyuMLwotqtFNCvOWun1RUcpovyE9K1Xr3ykQJxhr0R2
Zosh5oGYGhmQwvNp5tYohjoXXreHCz/5KCGMQJ1bpX8tJSFEgWofcr3wHffN8Cg2
LQL3LU9Y9LQYeSPD4VULzj4PDVbS8IjNV/mnnv0yn0HeExrRa9dOLdp/UPAIYITM
cnZrh15XBGn0c7D+jaqXdaec/8biz2nzJ1xSPljREX9WgLvaKY6e3D7esGmces/C
isvZ80jkKlRdXXMky0VUHKnu9gsrUGVtyazW58QYKsKIDUpdRtO5GZODtj6EXVDH
AwseUOw/YYEozAhVe+ge
=bQ6v
-----END PGP SIGNATURE-----



More information about the Tor-BSD mailing list