Disable LAN access in Tor Browser (#7976) · Issues · tails / tails

Disable LAN access in Tor Browser

Originally created by @anonym on #7976 (Redmine)

Ignoring the as of today still not finished analysis of the full scale of Jake’s FOCI12 paper (#5340) can’t we stay on the safe side for at least the Tor Browser by disabling access to RFC1918 (LAN/Private) IP addresses in it, and direct users to the Unsafe Browser for such access?

Even if we put aside the possibility of blocking some classes of deanonymization attacks (or whatever), this change makes sense for usability. Especially after we have isolated I2P from the Tor Browser (#7725 (closed)) too we would have three distinct browsers whose names rather clearly define their scope:

The Tor Browser deals with Tor stuff only.

The I2P Browser deals with I2P stuff only.

The Unsafe Browser deals with unsafe stuff, like the LAN, which we consider hostile in our threat model.

Or am I missing something about why we need to have the Tor Browser and Unsafe Browser overlap in functionality in this way?

The only drawback I can see is that users that are used to LAN access in the Tor Browser may get confused. If we consider it more than a documentation issue, perhaps we can add a note about it to the error page that the Tor Browser shows in this situation, i.e. “The Proxy server is refusing connections”? Or perhaps users are too well-trained to ignore browser error pages (except the header) by now?

Feature Branch: feature/7976-disallow-lan-in-tor-browser

Subtasks

Related issues

Related to #5340
Related to #7725 (closed)
Related to #7951 (closed)
Related to #7774
Blocks #5293

_Originally created by @anonym on [#7976 (Redmine)](https://public-redmine-archive.tails.boum.org/code/issues/7976)_

Ignoring the as of today still not finished analysis of the full scale
of Jake’s FOCI12 paper (tails/tails#5340) can’t we stay on the safe side for at
least the Tor Browser by disabling access to RFC1918 (LAN/Private) IP
addresses in it, and direct users to the Unsafe Browser for such access?

Even if we put aside the possibility of blocking some classes of
deanonymization attacks (or whatever), this change makes sense for
usability. Especially after we have isolated I2P from the Tor Browser
(tails/tails#7725) too we would have three distinct browsers whose names rather
clearly define their scope:

- The **Tor** Browser deals with **Tor** stuff only.

- The **I2P** Browser deals with **I2P** stuff only.

- The **Unsafe** Browser deals with **unsafe** stuff, like the LAN,
    which we consider hostile in our threat model.

Or am I missing something about why we need to have the Tor Browser and
Unsafe Browser **overlap** in functionality in this way?

The only drawback I can see is that users that are used to LAN access in
the Tor Browser may get confused. If we consider it more than a
documentation issue, perhaps we can add a note about it to the error
page that the Tor Browser shows in this situation, i.e. “The Proxy
server is refusing connections”? Or perhaps users are too well-trained
to ignore browser error pages (except the header) by now?

Feature Branch: feature/7976-disallow-lan-in-tor-browser

### Subtasks

- [x] tails/tails#8218
  - [x] tails/tails#9431

### Related issues

- **Related to** tails/tails#5340
  - **Related to** tails/tails#7725
  - **Related to** tails/tails#7951
  - **Related to** tails/tails#7774
  - **Blocks** tails/tails#5293

Edited May 15, 2020 by anonym

To upload designs, you'll need to enable LFS. More information