path: root/wiki/src/contribute/design.mdwn
diff options
authorsajolida <>2017-02-13 17:37:49 +0000
committersajolida <>2017-02-13 17:37:49 +0000
commitabdc21bcdef6516188bff48f1e2e9fb3e2677426 (patch)
tree675fe5d91ffbdf2f500ac6c01ff4f004a9e2b382 /wiki/src/contribute/design.mdwn
parent67ea32c792ebeb3e78feab38392d7e8483186ef9 (diff)
parent87dec938f24a76208b3ae248b3f9a0c3e03f23e5 (diff)
Merge remote-tracking branch 'origin/master' into web/11709-close-tails-support
Diffstat (limited to 'wiki/src/contribute/design.mdwn')
1 files changed, 22 insertions, 17 deletions
diff --git a/wiki/src/contribute/design.mdwn b/wiki/src/contribute/design.mdwn
index 9e66a6e..8b64b92 100644
--- a/wiki/src/contribute/design.mdwn
+++ b/wiki/src/contribute/design.mdwn
@@ -822,10 +822,10 @@ those are mainly for usability issues and similar.
### 3.6.1 The Torâ„¢ software
The Tor software is currently configured as a client only (onion
-proxy). The client listens on a control port 9051
-(using cookie authentication), as a transparent proxy on port 9040
-(only used for remapped hidden services) and as a DNS server on port
+proxy). The client listens for control connections on port 9052 (using
+cookie authentication) which is non-standard (see about the "control
+port filter" below), as a transparent proxy on port 9040 (only used
+for remapped hidden services) and as a DNS server on port 8853.
The client listens on a few SOCKS ports (the rationale being detailed
on the [[Tor stream isolation design
@@ -841,11 +841,17 @@ If a compromised software had access to the Tor control port,
an attacker who controls it could simply ask Tor the public
IP through the `GETINFO address` command.
To prevent this, access to the Tor control port is only
-granted to the `root` and `tor-launcher` users, as well as to the
-members of the `debian-tor` group, such as the `onioncircuits` user
-(that is used to run Onion Circuits).
-A filtering proxy to the control port exists, so
-Torbutton still can perform safe commands like `SIGNAL NEWNYM`.
+granted to the `root` user, as well as to the
+members of the `debian-tor` group (via the control socket).
+A filtering proxy to the control port runs on port 9051 (i.e. the default
+Tor ControlPort), so for instance
+Torbutton still can perform safe commands like `SIGNAL NEWNYM`. It
+allows defining fine-grained access whitelists of commands (and their
+argunents) and events on a per-application basis, which can enforce
+rules like "this `$user` (e.g. `amnesia`) when running this
+`$application` (e.g. `/usr/bin/onionshare`) can only run these commands
+(`ADD_ONION` etc.) and listen to these events (e.g. `HS_DESC`, which is
+expected after a successfull use of `ADD_ONION`)".
We disabled the default warning messages of Tor (`WarnPlaintextPorts`)
when connecting to ports 110 (POP3) and 143 (IMAP). These ports are used
@@ -854,7 +860,7 @@ providers recommend and even enforce StartTLS on these ports, the effect
of these warnings were most of the time counterproductive as people had
to click through needlessly scary security warnings.
-- [[!tails_gitweb config/chroot_local-hooks/06-adduser_onioncircuits]]
+- [[!tails_gitweb_dir config/chroot_local-includes/etc/tor-controlport-filter.d/]]
- [[!tails_gitweb config/chroot_local-includes/lib/systemd/system/tor-controlport-filter.service]]
- [[!tails_gitweb config/chroot_local-includes/usr/local/lib/tor-controlport-filter]]
- [[!tails_gitweb config/chroot_local-includes/etc/tor/torrc]]
@@ -865,13 +871,12 @@ Status extension provides a permanent visual indication of whether Tor
has bootstrapped already.
- [[!tails_gitweb_dir config/chroot_local-includes/usr/share/gnome-shell/extensions/]]
-- [[!tails_gitweb config/chroot_local-includes/usr/local/bin/onioncircuits]]
<a id="dns"></a>
### 3.6.3 DNS
-[[!inline pages="contribute/design/Tor_enforcement/DNS" raw=yes]]
+[[!inline pages="contribute/design/Tor_enforcement/DNS" raw=yes sort="age"]]
### 3.6.4 HTTP Proxy
@@ -888,7 +893,7 @@ configured for completeness.
### 3.6.6 Network Filter
-[[!inline pages="contribute/design/Tor_enforcement/Network_filter" raw=yes]]
+[[!inline pages="contribute/design/Tor_enforcement/Network_filter" raw=yes sort="age"]]
### 3.6.7 MAC address spoofing
@@ -905,7 +910,7 @@ live-boot's `swapon` option is not set.
### 3.6.9 Host system RAM
-[[!inline pages="contribute/design/memory_erasure" raw=yes]]
+[[!inline pages="contribute/design/memory_erasure" raw=yes sort="age"]]
### 3.6.10 Host system disks and partitions
@@ -978,7 +983,7 @@ The default profile is split from the binaries and application data:
As for extensions we have the following differences:
* Tails also installs the
- [Adblock plus](
+ [uBlock Origin](
extension to protect against many tracking possibilities by removing
most ads.
@@ -1276,7 +1281,7 @@ preferences and the cached Bitcoin blockchain.
### 3.6.29 Kernel hardening
-[[!inline pages="contribute/design/kernel_hardening" raw=yes]]
+[[!inline pages="contribute/design/kernel_hardening" raw=yes sort="age"]]
## 3.7 Running Tails in virtual machines
@@ -1418,7 +1423,7 @@ issues|support/known_issues]] page.
However the fact that different browser extensions are installed in Tails and in
the TBB surely allows more sophisticated attacks that usual fingerprint
as returned by tools such as <> and
-<>. For example, the fact that Adblock is removing
+<>. For example, the fact that uBlock Origin is removing
ads could be analysed.
From the point of view of the local network administrator, Tails is