I am looking for guidance on how to effectively isolate the Tor process through hardware isolation to enhance security against sophisticated attacks, including those at the hardware and firmware levels.
As we know, the Tor Browser has vulnerabilities inherited from Firefox, which hackers can exploit to reveal a user’s real IP address. While Whonix provides a solution by isolating the Tor process using virtual machine technology, advanced attackers can still exploit vulnerabilities in virtualizers, firmware, and hardware.
To mitigate these risks, I propose a setup involving three separate laptops:
Computer I: Connected to the Internet and computers E and W.
Computer E: Serves as a Tor process (onion encryption)
Computer W: Dedicated solely to running the Tor Browser and accessing the web.
These computers would be interconnected in a way that ensures secure communication (e.g., E ↔ I → W; ↔: bidirectional but limited to onion-encryption key installation and onion-encrypted ciphertext upload to Computer I,→: unidirectional by data diode).
The system is an analogy of Tinfoil Chat, which allows secure PGP encryption with hardware isolation.
However, I am concerned about the use of a data diode for unidirectional data transfer, since Tor uses the TCP protocol.
I would appreciate any insights or suggestions on how to effectively implement hardware isolation in this context, particularly in ways that can prevent IP addresses from leaking to sophisticated attackers, including those at the hardware and firmware levels(like Spectre CPU vulnerabilities or firmware rootkits). Thank you!
What you are trying to achieve, is not worth the effort in my opinion.
I recommend to use one system where you install Debian (simple to install) or another Linux distro of your choice. Configure the firewall to deny all incoming and reject all outgoing connections by default. Add rules that only allow to connect out to the Tor Network. This way Firefox and any other software won’t be able to connect if they tried to bypass the Tor Network (the connection would be rejected by the firewall).
To avoid adding allowing rules for all the available guard relays to the firewall, use 2 working WebTunnel bridges instead and allow outgoing connections to them only.
A hacker would have to get access to the root account for being able to change the firewall configuration.
You should not run Firefox etc. as root of course.
Thank you very much for your advice. However, I’m having trouble understanding how your method is superior to Whonix. Whonix effectively prevents IP leaks, even if a hacker gains root access to change the firewall settings. Is your method robust enough to compete with authoritarian government agencies? (I want to clarify that I do not intend to violate any laws)
This method is safe, because else many servers running Linux out there would be unsafe.
This method is even more safe, because it doesn’t allow incoming connections at all (servers must allow connections at specific ports).
In Linux the firewall is part of the kernel, so cannot be bypassed easily if enabled.
Choose long enough and not easy to guess passwords.
What else are you worrying about that the authoritarian government could do to you?
I am concerned about Linux privilege escalation and other exploits, such as the Spectre and Meltdown CPU vulnerabilities. The Linux kernel is so large that even mid-level hackers can find ways to exploit it. In contrast, the Xen hypervisor used in Qubes OS has a much smaller codebase, which helps mitigate these issues. However, even with Qubes OS, there are still hardware and firmware vulnerabilities like Spectre and Meltdown. After reading your opinion, I understand that there is no definitive solution to counter such sophisticated attacks.
Thank you very much for your advice.