path: root/wiki/src/contribute/design.mdwn
author sajolida <sajolida@pimienta.org> 2016-09-21 16:11:19 +0000
committer sajolida <sajolida@pimienta.org> 2016-09-21 16:11:19 +0000
commit 15fe0853cac07b51cf0cde623fa1fd33e65813fe
tree 0dd7da52baeedf316dd77e247f10fa663f0ec8d7 /wiki/src/contribute/design.mdwn
parent 0d0404baeb02940a677647c7181048ec9c0b1a66
parent 33dd220113fd8b4f2d8a1d6c5cb5b35049d4c974
Merge remote-tracking branch 'origin/master' into web/10640-assistant-design-doc
Conflicts: wiki/src/blueprint/bootstrapping/verification.mdwn
Diffstat (limited to 'wiki/src/contribute/design.mdwn')
-rw-r--r-- wiki/src/contribute/design.mdwn 55
1 files changed, 39 insertions, 16 deletions
diff --git a/wiki/src/contribute/design.mdwn b/wiki/src/contribute/design.mdwn
index a2d1b86..4541871 100644
--- a/wiki/src/contribute/design.mdwn
+++ b/wiki/src/contribute/design.mdwn
@@ -562,6 +562,8 @@ that might de-anonymize or facilitate recording of a user, such as
hardware [keyloggers](http://en.wikipedia.org/wiki/Keylogger). Thus a
virtual keyboard (usable with the mouse) MUST be available.
+<a id="spec-entropy"></a>
+
#### 2.6.3.8 Entropy
Some crucial applications of the PELD, such as the Tor client, make
@@ -706,7 +708,7 @@ directory](/torrents/files/) (look for files with the `.packages`
extension).
### 3.2.1 Core software
-
+
- [Debian GNU/Linux](https://www.debian.org/): the base operating
system, provides hardware detection, infrastructure. Please note
that the Debian distribution does not provide or endorse Tails.
@@ -1012,10 +1014,8 @@ the Internet:
The remaining configuration differences can be found in:
- [[!tails_gitweb_dir config/chroot_local-includes/etc/tor-browser/preferences/0000tails.js]]
-- [[!tails_gitweb config/chroot_local-hooks/12-install_browser_searchplugins]]
-- [[!tails_gitweb config/chroot_local-hooks/12-remove_unwanted_browser_searchplugins]]
+- [[!tails_gitweb config/chroot_local-hooks/11-localize_browser]]
- [[!tails_gitweb config/chroot_local-hooks/13-override-tbb-branding]]
-- [[!tails_gitweb config/chroot_local-hooks/14-add_localized_browser_searchplugins]]
- [[!tails_gitweb config/chroot_local-hooks/14-generate-tor-browser-profile]]
- [[!tails_gitweb config/chroot_local-hooks/15-symlink-places.sqlite]]
@@ -1026,11 +1026,13 @@ configurations.
### 3.6.14 Icedove
-Icedove, in combination with Torbirdy, sends email through Tor.
+Icedove, in combination with TorBirdy, sends email through Tor.
Icedove itself leaks a lot of data and makes DNS requests, for example by
-retrieving mail server configurations from a remote server over an insecure
-channel. This is prevented by the Torbirdy extension.
+retrieving mail server configurations from a remote server over an insecure
+channel. This is prevented by the TorBirdy extension as well as by custom
+patches for Icedove in Tails, which we are currently in the process of
+upstreaming ([[!tails_ticket 11215]]).
Icedove generates `Message-ID` headers using the hostname part of
the sender's email address, which does not leak usage of the PELD nor
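Review bot: the new sentence credits "custom patches for Icedove in Tails" for part of the leak prevention, but the only pointer it gives is the ticket number. A design document reader needs to be able to find those patches in the tree, so name where they live (or the patched package) next to the ticket reference. "Currently in the process of upstreaming" will also go stale; wording such as "pending upstream, see ticket" ages better.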
@@ -1042,12 +1044,32 @@ disclosing the real IP address and hostname.
Torbirdy disables HTML email and inline attachments
in order to get rid of a whole class of privacy concerns.
Furthermore, when setting up an IMAP account, the drafts folder, instead
-of being remote, is set to "~$HOME/.icedove/Local Folders".
+of being remote, is set to `~$HOME/.icedove/Local Folders`.
+
+The original TorBirdy extension disables automatic email configuration
+through Icedove's email configuration wizard. This wizard is enabled in
+Tails. This is possible because our patches allow using only secure protocols
+for the domain and ISPDB lookups as well as for the actual mail account
+configuration. In detail this means:
+
+1. we prevent all testing of plaintext protocols when guessing configurations.
+2. we make autoconfiguration skip database lookups if `mailnews.auto_config_url`
+ isn't HTTPS.
+3. we make ISP autoconfiguration lookups first try https, then http, but only
+ if we allow insecure protocols.
+4. we discard any configurations using plaintext protocols.
+
+In addition, even when plaintext protocols are allowed, the patches make
+us prefer secure options if available.
+This setting can be disabled (opt-out by the user). This also applies to
+manual configuration.
OpenPGP support is provided by the Enigmail addon.
- [[!tails_gitweb config/chroot_local-includes/etc/icedove/pref/icedove.js]]
-- [[!tails_gitweb config/chroot_local-patches/torbirdy-adjust-defaults.diff]]
+- [[!tails_gitweb config/chroot_local-patches/torbirdy-0001-secure-autoconfig-compat.diff]]
+- [[!tails_gitweb config/chroot_local-patches/torbirdy-0001-secure-autoconfig-compat.diff]]
+- [[!tails_gitweb config/chroot_local-patches/torbirdy-0002-secure-autoconfig-POP-defaults.diff]]
- [[!tails_gitweb_dir config/chroot_local-includes/etc/skel/.icedove]] is copied to
the user's `$HOME` at boot time
- [[!tails_gitweb config/chroot_local-includes/usr/local/bin/icedove]]
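Review bot: `torbirdy-0001-secure-autoconfig-compat.diff` is listed twice in the file list at the end of this hunk; drop one entry, or if a different patch was meant, name it. Two further points in the added text: item 3 ("first try https, then http, but only if we allow insecure protocols") reads as if the whole lookup were conditional, while the preceding paragraph promises "only secure protocols", so say explicitly that only the http fallback is gated on the insecure-protocols setting. "This setting can be disabled" does not say which preference it refers to; name it. The context line "Torbirdy disables HTML email" was also left with the old capitalisation that this merge changes to TorBirdy elsewhere, and the newly code-formatted `~$HOME/.icedove/Local Folders` combines `~` and `$HOME`, which is worth checking against the actual preference value.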
@@ -1121,8 +1143,7 @@ soft-blocks all other kinds of wireless devices (e.g. UWB, GPS, FM).
### 3.6.20 OpenSSH
-The OpenSSH client is configured to use the Tor SOCKS proxy, and to
-prefer strong ciphers and MACs..
+The OpenSSH client is configured to use the Tor SOCKS proxy.
- [[!tails_gitweb config/chroot_local-includes/etc/ssh/ssh_config]]
- [[!tails_gitweb config/chroot_local-includes/usr/local/lib/connect-socks]]
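Review bot: the clause "and to prefer strong ciphers and MACs" is removed without any explanation, while the section still points at `ssh_config`. If that file no longer sets cipher and MAC preferences, add one sentence saying what is relied on instead, so a reader comparing versions of this document does not have to guess whether a hardening measure was dropped on purpose. If the file still sets them, keep the clause and only fix the doubled period.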
@@ -1145,11 +1166,9 @@ restart actions, as well as screen locking.
- [[!tails_gitweb_dir config/chroot_local-includes/usr/share/gnome-shell/extensions/shutdown-helper@tails.boum.org]]
-The Tails OpenPGP applet allows to symmetrically and asymmetrically
+The Tails [[!debpts openpgp-applet desc="OpenPGP applet"]] allows to symmetrically and asymmetrically
encrypt and decrypt text, and to verify OpenPGP signatures.
-- [[!tails_gitweb config/chroot_local-includes/usr/local/bin/gpgApplet]]
-
### 3.6.23 DHCP hostname leaks
Tails prevents dhclient from sending the hostname over the network.
@@ -1171,8 +1190,8 @@ send the hostname over DHCP by default. Likely this can be overridden
on a per-connection basis if one really needs to change this.
Third, dhclient itself is told not to send the hostname. This is
-needed because on Wheezy, NetworkManager runs dhclient with the `-cf
-/var/run/nm-dhclient-eth0.conf` option, and generates that file by
+needed because on Jessie, NetworkManager runs dhclient with the `-cf
+/var/lib/NetworkManager/dhclient-eth0.conf` option, and generates that file by
concatenating `/etc/dhcp/dhclient.conf` with its own settings.
Fourth, dhclient is told to override any hostname provided by the DHCP
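Review bot: the updated sentence again pins the explanation to one release and one interface ("on Jessie", `dhclient-eth0.conf`), which is what made the Wheezy wording stale. Consider writing the path with an interface placeholder and noting that the location depends on the release. The point that matters for the hostname leak is the one in the unchanged line that follows: NetworkManager builds this file by concatenating `/etc/dhcp/dhclient.conf` with its own settings.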
@@ -1255,6 +1274,10 @@ preferences and the cached Bitcoin blockchain.
- [[!tails_gitweb_dir config/chroot_local-includes/etc/skel/.electrum]]
+### 3.6.29 Kernel hardening
+
+[[!inline pages="contribute/design/kernel_hardening" raw=yes]]
+
## 3.7 Running Tails in virtual machines
### 3.7.1 Current support
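Review bot: the new section 3.6.29 consists only of `[[!inline pages="contribute/design/kernel_hardening" raw=yes]]`, and the diffstat shown here is limited to design.mdwn, so it is not visible whether that page exists in this merge. Please confirm it does. Because `raw=yes` includes the page as literal source, its headings need to start below the `###` level used here, and a one-sentence summary under the heading would keep this section readable if the inline ever fails to resolve.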