Migrate to a different HTTP Proxy in order to isolate X-I2P-* headers from "Leaking" across sites? #22

Open
opened 2025-04-21 14:31:10 -04:00 by idk · 3 comments
Owner

People are pretty aware of the assumption that we make that `HTTP Proxy~=Tunnel Pool~=Destination~=Pseudonym`, and the implication of this is that the destination is seen by all the I2P sites which the user visits in the X-I2P-* headers. Many of them have regarded this as a problem. It's complicated, though, because the behavior of the HTTP Proxy is specific in the context of the hidden services manager (where everything else currently works like `HTTP Proxy~=Tunnel Pool~=Destination~=Pseudonym`). It could be argued (probably successfully) that the modified behavior is only desirable when the HTTP user-agent is a browser that supports multiple tabs and meets a basic set of security requirements. Therefore, it may belong in `i2p.firefox`.

Discussion copied from IRC:

(04:13:52 PM) anonymousmaybe:  eyedeekay is not worth to work on Bote while I2P still not yet fixed its stream isolation issue
(04:14:26 PM) anonymousmaybe: i think i saw a github project called eeproxy which is great 
(04:14:52 PM) anonymousmaybe: but i think is also abandoned since 2 or more years
(04:15:40 PM) anonymousmaybe: I2P anonymity VS fingerprint is garbage
(04:44:37 PM) eyedeekay: eeproxy is my project, also httpproxy and multiproxy
(04:44:51 PM) eyedeekay: multiproxy is the most advanced/responsibly designed version
(04:45:05 PM) w8rabbit left the room (quit: Read error).
(04:46:01 PM) eyedeekay: It most closely emulates Tor's tactic for browsers but it's bad at encrypted leaseSets and it's written in Go, so it won't be straightforward to integrate with i2ptunnel, it would need a full rewrite in Java
(04:46:10 PM) eyedeekay: It's not **hard**
(04:46:30 PM) eyedeekay: But it might be a lot of work
(04:46:37 PM) eyedeekay: Just in terms of quantity
(04:55:20 PM) anonymousmaybe:  eyedeekay yeah but I2Pj or I2Pd should implement it by default 
(04:56:04 PM) eyedeekay: Also it doesn't work with HTTP authentication unless we put it into aggressive mode, which is probably not necessary and maybe counterproductive
(04:56:54 PM) eyedeekay: pseudonym-isolating HTTP proxies are only useful if you are very sure your user agent is going to be a browser, too, so it might break other things on 4444
(04:57:28 PM) eyedeekay: If such a thing were to be implemented on the HTTP proxy we use now
(04:58:15 PM) anonymousmaybe: HTTP tunnel for http asaik 
(05:00:42 PM) eyedeekay: The problem is that it works the same way Tor's SOCKS authentication based isolation works, except in our case repurposes the authentication header as a way to multiplex client tunnels
(05:01:09 PM) eyedeekay: In aggressive mode it's per-site
(05:01:42 PM) eyedeekay: In regular mode you get a "global" tunnel and a tunnel for every authentication header that you pass
(05:04:12 PM) eyedeekay: Aggressive mode breaks lots of things about the HTTP proxy that one might rely on. Regular mode only breaks two things, but one of them isn't fixable AFAICT
(05:04:39 PM) Zapek left the room (quit: Ping timeout: 320 seconds).
(05:05:04 PM) anonymousmaybe left the room (quit: Read error).
(05:06:11 PM) mode (+v anonymousmaybe) by ChanServ
(05:07:30 PM) anonymousmaybe: https://www.whonix.org/wiki/I2P#Post-Tor_I2P_Tunnel_Effects
(05:07:42 PM) anonymousmaybe: check Warning: No Stream-isolation Support 
(05:07:43 PM) R4SAS left the room (quit: Quit: ZNC - https://znc.in).
(05:08:22 PM) eyedeekay: I'm aware, I'm the one who explained that possibility to patrick
(05:08:45 PM) eyedeekay: I also implemented the actual attack
(05:09:06 PM) anonymousmaybe: cool then, but shouldnt this first fixed?
(05:10:39 PM) eyedeekay: Yeah but *how* is important. Is it a new tunnel type? An application launched by i2pbrowser.sh in i2p.firefox? How close to the user agent does this have to be to be effective and not break stuff
(05:12:11 PM) eyedeekay: Because right now strictly speaking the HTTP proxy is working as-intended, and major things exist on the HTTP proxy that are incompatible with this idea
(05:12:38 PM) eyedeekay: If it goes into I2PTunnel it's a new tunnel type IMO, it can't be an option on the existing tool
(05:14:35 PM) anonymousmaybe: An application launched by i2pbrowser.sh in i2p.firefox? <- whats the problem with this concept?
(05:15:02 PM) anonymousmaybe: TB-Tor doing it the same way no?
(05:15:48 PM) eyedeekay: Nothing that I know of, the operative part being "That I know of"
(05:16:11 PM) eyedeekay: Well, the encrypted leaseset support is absolutely lousy but I can fix that
(05:16:44 PM) eyedeekay: Oh also SAM
(05:16:50 PM) Romster left the room (quit: Read error).
(05:16:51 PM) eyedeekay: I need SAM to use multiproxy
(05:17:02 PM) anonymousmaybe: having lets say 50 http tunnel, can I2P handle that? (assuming each new website gonna have its own tunnel)
(05:17:02 PM) eyedeekay: But that's workaround-able
(05:17:59 PM) eyedeekay: It seems to handle it just fine
(05:18:06 PM) anonymousmaybe: yeah i read that SAM can handle multiproxy i think either by you or someone was in whonix forum was working on I2P inside whonix
(05:18:34 PM) eyedeekay: But that's for one client that's not actively browsing all 50 sites, I don't know how such a thing would affect the network if it were widespread
(05:19:30 PM) anonymousmaybe: i can test things if you like 
(05:20:01 PM) anonymousmaybe: but in my opinion this is way much important than Bote or susimail..etc
(05:21:12 PM) eyedeekay: I kind of agree, but I see why people wouldn't agree
(05:21:12 PM) eyedeekay: Right now we operate with a fairly simple assumption, one tunnel pool one destination
(05:21:12 PM) eyedeekay: for the purposes of treating it like an identity, tunnel pool, one destination, one pseudonym
(05:21:12 PM) eyedeekay: Hypothetically, it ought to be a relatively easy mental model to tolerate
(05:21:48 PM) eyedeekay: *one hidden service one tunnel pool one destination, really
(05:22:03 PM) anonymousmaybe: yeah i think that was good for the old times
(05:22:16 PM) anonymousmaybe: now things need multi instead of one
idk self-assigned this 2025-04-21 14:31:10 -04:00
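
The tunnel grouping eyedeekay describes in the IRC log above (regular mode: one "global" tunnel plus one per authentication header; aggressive mode: one per site), as an added Go sketch that is not multiproxy's or I2P's own code. `Mode`, `IsolationKey`, `Pool` and the `dest-N` labels are hypothetical, the requests are constructed, and treating `Proxy-Authorization` as the repurposed header is an assumption.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Mode selects how the proxy groups requests onto client tunnels.
type Mode int

const (
	Single     Mode = iota // current behaviour: one proxy, one pool, one destination
	Regular                // a "global" tunnel plus one per authentication header
	Aggressive             // one tunnel per site
)

// IsolationKey names the client tunnel a request is multiplexed onto.
func IsolationKey(m Mode, r *http.Request) string {
	switch m {
	case Aggressive:
		return "site:" + strings.ToLower(r.URL.Hostname())
	case Regular:
		if a := r.Header.Get("Proxy-Authorization"); a != "" { // assumed header
			return "auth:" + a
		}
	}
	return "global"
}

// Pool maps each isolation key to a stand-in destination label.
type Pool map[string]string

// DestFor returns the destination the visited site would see in X-I2P-* headers.
func (p Pool) DestFor(m Mode, r *http.Request) string {
	k := IsolationKey(m, r)
	if _, ok := p[k]; !ok {
		p[k] = fmt.Sprintf("dest-%d", len(p)+1) // placeholder, not a real destination
	}
	return p[k]
}

func main() {
	a, _ := http.NewRequest("GET", "http://site-a.i2p/", nil) // constructed sample
	b, _ := http.NewRequest("GET", "http://site-b.i2p/", nil) // constructed sample
	for _, m := range []Mode{Single, Regular, Aggressive} {
		p := Pool{}
		fmt.Printf("mode %d: both sites see one destination = %v\n", m, p.DestFor(m, a) == p.DestFor(m, b))
	}
}
```

In this model, regular mode only separates two sites when the user agent sends a different header value for each, which matches the point in the log that such a proxy is only useful when the user agent is known to be a browser.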
Author
Owner

Turned on tunnel rotation at sleep time for now.

Author
Owner

Also this is more like a "Dirty Circuit" problem than it is a stream isolation problem if I'm understanding the terms correctly. We already isolate streams, what we don't do is match the isolation-by-contextual-identity expectations that Tor sometimes tries to meet and where Whonix fills in the gaps.

Author
Owner

- HTTP proxy solution (Best right now): https://github.com/eyedeekay/httptunnel
- SOCKS-ish solution: https://github.com/eyedeekay/samsocks
- Early solution, pretty inflexible but good at gathering info: https://github.com/eyedeekay/si-i2p-plugin
- Implementation of the "Attack": https://github.com/eyedeekay/colluding_sites_attack
Reference: I2P_Developers/i2p.firefox#22