[Freedombox-discuss] Privoxy via Tor, and APT via Privoxy?
diocles at debian.org
Wed Apr 16 14:16:26 UTC 2014
On Wed, 2014-04-16 at 14:14 +0200, Petter Reinholdtsen wrote:
> One thing mentioned by Jacob Appelbaum in his talk the other day, was
> the advantages of upgrading packages via Tor, to make it harder to
> target a given machine with fake packages.
> I suggest we implement this in the Freedombox, by asking Privoxy to
> send all requests via Tor, and ask APT to fetch data via Privoxy.
> What do the rest of you think about doing this?
I think this idea is worth trying - even if secure apt prevents someone
putting fake packages onto your machine, this will stop people seeing
which software they need to find zero-day vulnerabilities in. :)
What's the best apt mirror to use with tor? Maybe http.debian.net?
It's probably important to preserve anonymity that everyone uses the
I'm surprised that apt doesn't support SOCKS proxies directly - random
people on the internet seem to think that it does, but there's no
mention in apt's source code.
> The following untested patch for freedombox-setup should implement the
> feature, redirecting APT via privoxy through Tor. I've tested the
> configuration, but not a freedombox-setup package with these scripts
> in place to set up this change. We could also include the
> /etc/apt/apt.conf.d/10freedombox-setup-privoxy file as part of the
> package, but then APT on machines with the package installed but no
> configured privoxy running will stop working. The privoxy setup does
> not handle IPv6. Not quite sure how to fix that.
> diff --git a/setup.d/91_privoxy b/setup.d/91_privoxy
> index d975a42..9fbfd5a 100755
> --- a/setup.d/91_privoxy
> +++ b/setup.d/91_privoxy
> @@ -4,3 +4,15 @@ apt-get install -y privoxy
> # Listen on all interfaces
> sed -i 's/listen-address localhost:8118/listen-address *:8118/' /etc/privoxy/config
> +# Send outgoing connections via Tor
> +if grep -q ^forward-socks5 ; then
> + :
> + cat >> /etc/privoxy/config <<EOF
> +forward-socks5 / 127.0.0.1:9050 .
> +forward 192.168.*.*/ .
> +forward 10.*.*.*/ .
> +forward 127.*.*.*/ .
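Review bot: the 'grep -q ^forward-socks5' test in the new 'if' has no file argument, so it reads standard input rather than /etc/privoxy/config and never checks whether a rule is already present; pass /etc/privoxy/config explicitly and quote the pattern. As quoted here the 'if' also has no 'else' or 'fi' and the heredoc has no closing EOF, so the append sits in the branch where a rule already exists. The direct-forward exceptions list 192.168.*.*, 10.*.*.* and 127.*.*.* only; a short comment saying why these ranges bypass Tor would help the next reader.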
> diff --git a/setup.d/92_privoxy_apt b/setup.d/92_privoxy_apt
> new file mode 100755
> index 0000000..818965d
> --- /dev/null
> +++ b/setup.d/92_privoxy_apt
> @@ -0,0 +1,12 @@
> +# Tell APT to use provixy.
> +# The pipeline change is to avoid <URL: https://bugs.debian.org/565555 >.
> +# Not sure if it affect privoxy.
> +cat > /etc/apt/apt.conf.d/10freedombox-setup-privoxy <<EOF
> +Acquire::http::Proxy "http://localhost:8118/";
> +Acquire::ftp::Proxy "http://localhost:8118/";
Privoxy cannot proxy ftp traffic, according to its FAQ. You might want
to add https, but I don't think anyone uses that?
> +Acquire::http::Pipeline-Depth 0;
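Review bot: the 'cat >' into /etc/apt/apt.conf.d/10freedombox-setup-privoxy runs unconditionally, so after this script every APT fetch depends on something answering at localhost:8118; check that privoxy is installed and configured before writing the file, or document how to remove it when the proxy is down. The comment 'Not sure if it affect privoxy' on the Pipeline-Depth setting should be settled or reworded before merging, and as quoted the heredoc has no closing EOF.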
Tim Retout <diocles at debian.org>
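
A read-only check of the chain discussed in this thread (APT to Privoxy to Tor), as an added example that is not part of the original e-mails or of freedombox-setup. The function names and the sample configs are constructed for illustration; the proxy URL and SOCKS address are the ones in the quoted patch.

```shell
#!/bin/sh
# Added example: read-only audit of the APT -> Privoxy -> Tor chain.
# All file paths are arguments, so it can run on copies of the configs.

# True if the Privoxy config has an active catch-all forward-socks5 rule.
privoxy_forwards_to_tor() {
    grep -Eq '^[[:space:]]*forward-socks5t?[[:space:]]+/[[:space:]]+[^[:space:]]+:[0-9]+[[:space:]]+\.' "$1"
}

# Print the last Acquire::<scheme>::Proxy value set in an apt.conf file.
apt_proxy_for() {
    sed -n "s|^[[:space:]]*Acquire::$2::Proxy[[:space:]]*\"\([^\"]*\)\";.*|\1|p" "$1" | tail -n 1
}

# Print the URI schemes used by active deb/deb-src lines in a sources.list.
source_schemes() {
    awk '$1 ~ /^deb(-src)?$/ {
        for (i = 2; i <= NF; i++)
            if ($i ~ /^[a-z+]+:\/\//) { sub(/:.*/, "", $i); print $i; break }
    }' "$1" | sort -u
}

# Print one finding per line; no output means the chain looks complete.
# $1 privoxy config, $2 apt.conf file, $3 sources.list, $4 expected proxy URL.
audit_apt_tor_chain() {
    want=${4:-http://localhost:8118/}
    privoxy_forwards_to_tor "$1" || echo "privoxy: no catch-all forward-socks5 rule"
    for scheme in $(source_schemes "$3"); do
        case $scheme in
            http)
                [ "$(apt_proxy_for "$2" http)" = "$want" ] ||
                    echo "apt: http sources do not use $want" ;;
            ftp)  echo "apt: ftp source found; Privoxy cannot proxy ftp" ;;
            *)    echo "apt: $scheme source found; check its proxy setting by hand" ;;
        esac
    done
}

# Constructed sample configs (not taken from a real system).
tmp=$(mktemp -d)
printf 'forward-socks5 / 127.0.0.1:9050 .\n' > "$tmp/privoxy"
printf 'Acquire::http::Proxy "http://localhost:8118/";\n' > "$tmp/apt"
printf 'deb http://http.debian.net/debian jessie main\ndeb ftp://ftp.example.org/debian jessie main\n' > "$tmp/sources"
audit_apt_tor_chain "$tmp/privoxy" "$tmp/apt" "$tmp/sources"
rm -rf "$tmp"
```

The check only reads configuration; it does not confirm that Privoxy or Tor is actually running.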