Torrified Squid?

Networking Web Proxy
#1

I have followed the lively discussions in
Feature Request: Easy Way to Add VPN Service with interest. I understand the position of the IPFire stakeholders: no support to install VPN Client configuration (other than to another IPFire Gateway) from the WUI.
How about supporting to torrify the squid proxy? Use case is to protect my privacy for all these “iOT like devices” that have to reach out to the Internet for SW updates, etc. For this case it is mostly not possible to configure the devices on my network to use SOCKS to connect to TOR. Therefore the transparent proxy in combination with TOR for selected sources would be a great feature.

Any concerns from a security/privacy perspective I may have missed?

#2

Hi,

yes, that discussion has been rather heated sometimes, but I am glad its helpful for other people than the participants.

I think the common term is “core developers” rather than “stakeholders” here… :wink:

And yes, we do not plan to introduce this feature.

Afraid yes: As mentioned here, this is a bad idea as most applications are not prepared or designed to have their traffic transparently routed through Tor, especially when it comes to information leaks.

For example, the (now widely defunct) Flash add-on leaked the public IP address of a Tor user, which is why the Tor developers dropped that add-on from the very beginning.

Their thoughts on torrifying things can be found here and here.

I tried to build such a setup (Squid + Tor) once, but eventually came to a point where it was practically impossible to prevent traffic anomalies (large number of users sharing the same Guard, same route for every destination, etc.) sticking out like a sore thumb to adversaries.

Unless I missed something back then, using a transparent combination of Squid and Tor is neither practical nor secure (in terms of anonymity) at the moment.

Thanks, and best regards,
Peter Müller