Migrate to a different HTTP Proxy in order to isolate X-I2P-* headers from "Leaking" across sites?
People are pretty aware of the assumption that we make that HTTP Proxy~=Tunnel Pool~=Destination~=Pseudonym, and the implication of this is that the destination is seen by all the I2P sites which the user visits in the X-I2P-* headers. Many of them have regarded this as a problem. It's complicated, though, because the behavior of the HTTP Proxy is specific in the context of the hidden services manager (where everything else currently works like HTTP Proxy~=Tunnel Pool~=Destination~=Pseudonym). It could be argued (probably successfully) that the modified behavior is only desirable when the HTTP user-agent is a browser that supports multiple tabs and meets a basic set of security requirements. Therefore, it may belong in i2p.firefox.
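To make the linkability concrete, the following added Go sketch (not code from multiproxy, eeproxy or i2ptunnel) models how a proxy could map each request to a tunnel pool under the current shared behavior and under the "regular" and "aggressive" modes described in the IRC discussion quoted in this issue, then checks whether two sites would observe the same destination. Assumptions: the mode names, the use of Proxy-Authorization as the "authentication header", the stand-in hash function, and the sample hosts are all constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"net/http"
)

type Mode int

const (
	Shared     Mode = iota // one destination for every site
	Regular                // "global" plus one per authentication header value
	Aggressive             // one per requested site
)

// IsolationKey names the pool a request uses (assumed header: Proxy-Authorization).
func IsolationKey(m Mode, r *http.Request) string {
	switch m {
	case Aggressive:
		return "site:" + r.Host
	case Regular:
		if a := r.Header.Get("Proxy-Authorization"); a != "" {
			return "auth:" + a
		}
	}
	return "global"
}

// DestHashFor is a constructed stand-in for a per-pool destination hash, not I2P's derivation.
func DestHashFor(key string) string {
	return fmt.Sprintf("%x", sha256.Sum256([]byte("constructed-destination/"+key)))
}

// Linkable reports whether two sites would see the same destination in X-I2P-* headers.
func Linkable(m Mode, a, b *http.Request) bool {
	return DestHashFor(IsolationKey(m, a)) == DestHashFor(IsolationKey(m, b))
}

func newReq(host, auth string) *http.Request { // constructed sample request
	r, _ := http.NewRequest("GET", "http://"+host+"/", nil)
	if auth != "" {
		r.Header.Set("Proxy-Authorization", auth)
	}
	return r
}

func main() {
	a, b := newReq("site-a.i2p", ""), newReq("site-b.i2p", "")
	fmt.Println(Linkable(Shared, a, b), Linkable(Regular, a, b), Linkable(Aggressive, a, b))
}
```

In this model, regular mode isolates nothing unless the user agent actually sends a distinct header value per context, which is why the approach depends on the client being a cooperating browser.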
Discussion copied from IRC:
(04:13:52 PM) anonymousmaybe: eyedeekay, it is not worth working on Bote while I2P has still not fixed its stream isolation issue
(04:14:26 PM) anonymousmaybe: i think i saw a github project called eeproxy which is great
(04:14:52 PM) anonymousmaybe: but i think it has also been abandoned for 2 or more years
(04:15:40 PM) anonymousmaybe: I2P anonymity VS fingerprint is garbage
(04:44:37 PM) eyedeekay: eeproxy is my project, also httpproxy and multiproxy
(04:44:51 PM) eyedeekay: multiproxy is the most advanced/responsibly designed version
(04:45:05 PM) w8rabbit left the room (quit: Read error).
(04:46:01 PM) eyedeekay: It most closely emulates Tor's tactic for browsers but it's bad at encrypted leaseSets and it's written in Go, so it won't be straightforward to integrate with i2ptunnel, it would need a full rewrite in Java
(04:46:10 PM) eyedeekay: It's not **hard**
(04:46:30 PM) eyedeekay: But it might be a lot of work
(04:46:37 PM) eyedeekay: Just in terms of quantity
(04:55:20 PM) anonymousmaybe: eyedeekay yeah but I2Pj or I2Pd should implement it by default
(04:56:04 PM) eyedeekay: Also it doesn't work with HTTP authentication unless we put it into aggressive mode, which is probably not necessary and maybe counterproductive
(04:56:54 PM) eyedeekay: pseudonym-isolating HTTP proxies are only useful if you are very sure your user agent is going to be a browser, too, so it might break other things on 4444
(04:57:28 PM) eyedeekay: If such a thing were to be implemented on the HTTP proxy we use now
(04:58:15 PM) anonymousmaybe: HTTP tunnel for http afaik
(05:00:42 PM) eyedeekay: The problem is that it works the same way Tor's SOCKS authentication based isolation works, except in our case repurposes the authentication header as a way to multiplex client tunnels
(05:01:09 PM) eyedeekay: In aggressive mode it's per-site
(05:01:42 PM) eyedeekay: In regular mode you get a "global" tunnel and a tunnel for every authentication header that you pass
(05:04:12 PM) eyedeekay: Aggressive mode breaks lots of things about the HTTP proxy that one might rely on. Regular mode only breaks two things, but one of them isn't fixable AFAICT
(05:04:39 PM) Zapek left the room (quit: Ping timeout: 320 seconds).
(05:05:04 PM) anonymousmaybe left the room (quit: Read error).
(05:06:11 PM) mode (+v anonymousmaybe) by ChanServ
(05:07:30 PM) anonymousmaybe: https://www.whonix.org/wiki/I2P#Post-Tor_I2P_Tunnel_Effects
(05:07:42 PM) anonymousmaybe: check Warning: No Stream-isolation Support
(05:07:43 PM) R4SAS left the room (quit: Quit: ZNC - https://znc.in).
(05:08:22 PM) eyedeekay: I'm aware, I'm the one who explained that possibility to patrick
(05:08:45 PM) eyedeekay: I also implemented the actual attack
(05:09:06 PM) anonymousmaybe: cool then, but shouldn't this be fixed first?
(05:10:39 PM) eyedeekay: Yeah but *how* is important. Is it a new tunnel type? An application launched by i2pbrowser.sh in i2p.firefox? How close to the user agent does this have to be to be effective and not break stuff
(05:12:11 PM) eyedeekay: Because right now strictly speaking the HTTP proxy is working as-intended, and major things exist on the HTTP proxy that are incompatible with this idea
(05:12:38 PM) eyedeekay: If it goes into I2PTunnel it's a new tunnel type IMO, it can't be an option on the existing tool
(05:14:35 PM) anonymousmaybe: An application launched by i2pbrowser.sh in i2p.firefox? <- what's the problem with this concept?
(05:15:02 PM) anonymousmaybe: TB-Tor doing it the same way no?
(05:15:48 PM) eyedeekay: Nothing that I know of, the operative part being "That I know of"
(05:16:11 PM) eyedeekay: Well, the encrypted leaseset support is absolutely lousy but I can fix that
(05:16:44 PM) eyedeekay: Oh also SAM
(05:16:50 PM) Romster left the room (quit: Read error).
(05:16:51 PM) eyedeekay: I need SAM to use multiproxy
(05:17:02 PM) anonymousmaybe: having let's say 50 HTTP tunnels, can I2P handle that? (assuming each new website is going to have its own tunnel)
(05:17:02 PM) eyedeekay: But that's workaround-able
(05:17:59 PM) eyedeekay: It seems to handle it just fine
(05:18:06 PM) anonymousmaybe: yeah i read that SAM can handle multiproxy i think either by you or someone was in whonix forum was working on I2P inside whonix
(05:18:34 PM) eyedeekay: But that's for one client that's not actively browsing all 50 sites, I don't know how such a thing would affect the network if it were widespread
(05:19:30 PM) anonymousmaybe: i can test things if you like
(05:20:01 PM) anonymousmaybe: but in my opinion this is way more important than Bote or susimail, etc.
(05:21:12 PM) eyedeekay: I kind of agree, but I see why people wouldn't agree
(05:21:12 PM) eyedeekay: Right now we operate with a fairly simple assumption, one tunnel pool one destination
(05:21:12 PM) eyedeekay: for the purposes of treating it like an identity, tunnel pool, one destination, one pseudonym
(05:21:12 PM) eyedeekay: Hypothetically, it ought to be a relatively easy mental model to tolerate
(05:21:48 PM) eyedeekay: *one hidden service one tunnel pool one destination, really
(05:22:03 PM) anonymousmaybe: yeah i think that was good for the old times
(05:22:16 PM) anonymousmaybe: now things need multi instead of one