eyedeekay / si-i2p-plugin Goto Github PK

View Code? Open in Web Editor NEW

12.0 2.0 1.0 94.3 MB

An experimental approach to provide a destination-isolating mechanism for http-over-i2p.

License: MIT License

Go 86.61% Makefile 10.71% Shell 2.05% Dockerfile 0.63%

i2p http-proxy si-i2p-plugin destination-isolation

si-i2p-plugin's Introduction

Destination-Isolating i2p HTTP Proxy(SAM Application)

one eepSite, one destination. Semi-automatic contextual identity management for casually browsing i2p eepSites.

This is an i2p SAM application which presents an HTTP proxy(on port 4443 by default) that acts as an intermediate between your browser and the i2p network. Then it uses the SAM library to create a unique destination for each i2p site that you visit. This way, your unique destination couldn't be used to track you with a network of colluding sites. I doubt it's a substantial problem right now but it might be someday. Facebook has an onion site, and i2p should have destination isolation before there is a facebook.i2p.

I2P Link - Stream Isolation I2P Link - Shared Tunnels

Development here has ceased. A replacement that will work much better is in development at eyedeekay/eeProxy.

Usage

License

Sorry for forgetting to license this. It's MIT Licensed now.

Installation:

Moved to misc/docs/INSTALL.md

Usage Examples(HTTP Proxy)

firefox

curl

    curl -x 127.0.0.1:4443 http://i2p-projekt.i2p

surf

    export http_proxy="http://127.0.0.1:4443" surf http://i2p-projekt.i2p

What works so far:

It seems to do exactly what it says on the package.

If you'd like to test it, the easiest way is to use Docker. To generate all the required containers locally and start a pre-configured browser, run:

    make docker-setup browse

The http proxy

It's still a little experimental, but currently it is possible to set your web browser's HTTP proxy to localhost:4443 and use it to browse eepSites with the guarantee that you will show a different destination to every eepSite you visit. Combined with a browser designed to minimize your uniqueness to the servers you visit, you should be much more difficult to track across sites and across sessions.

That said there is the obvious thing to consider:

If it wasn't super, super obvious to everyone, it's really, really easy to tell the difference between this proxy and the default i2p/i2pd http proxies and I don't think there's anything I can do about that. Also if you're the only person to visit a particular group of colluding eepSites then it's still possible to link your activities by timing, but I don't think it's possible to "prove" that it the same person exactly(certainly not in a cryptographic sense), just that it's likely to be the same person. I can't do anything about a small anonymity set. That said, the tunnels created by this proxy are inherently short-lived and tear themselves down after an inactivity timeout, requiring an attacker to request resources over and over to keep a tunnel alive long-term to be useful for tracking. By the way, as far as I know, using this will drastically reduce your anonymity set unless it's widely adopted. TESTING ONLY.

I haven't been able to crash it or attack it by adapting known attacks on browsers and HTTP proxies to this environment. It should at least fail early if something bad happens.

User-Defined Jump Hosts

Addresshelpers are tentatively working again. I'll need to explain more on how soon.

Current Concerns:

It mostly looks like Jumphelper is working immediately after it's started, but if you try to visit a base32 address before they sync, then si-i2p-plugin will ask jumphelper for it and fail, interpreting it as a hostname error. It lasts for like, 15 seconds and only affects base32 URLs and is fixable.

I wonder if I could make it talk to TorButton?

Littleboss seems like it could potentially be useful in lots of contexts, like in a portable browser bundle and stuff like that.

I really need to get a Windows machine, but it's just such an awful way to work.

What the final version should do:

The final version should use the parent pipe and the aggregating pipe to send and recieve requests as an http proxy in the familiar way.

Version Roadmap:

~~0.17 - Named Pipes work for top-level i2p domains and can retrieve~~ ~~directories under a site~~
~~0.18 - Named Pipes for i2p domains and can retrieve subdirectories,~~ ~~which it caches in clearly-named folders as normal files(Containing HTML)~~
~~0.19 - Expose an http proxy that hooks up to the existing infrastructure~~ ~~for destination isolation~~
0.20 - ~~Ready for more mainstream testing~~, ~~should successfully isolate~~ ~~requests for resources embedded in the retrieved web pages. Addresshelper~~ ~~functions but it's it's own whole thing now.~~
0.21 - Should be able to generate services on the fly by talking to the SAM bridge. Truth be told, except when I break something, it works nearly perfectly. I do break stuff alot though, development is quite active and I have to leverage the communication tools available to me to get it done, of which github is, for better or for worse, an integral one at this point. ~~Tunnels should kill themselves after inactivity, and revive themselves with~~ ~~new identities after. This will help minimize the impact of cross-site~~ ~~resource-request timing attacks by making destinations more ephemeral,~~ ~~requiring an attacker to keep tunnels alive to monitor an identity~~ ~~long-term.~~
0.22 - Library-fication should be finished by here. Turning the underlying code into a library will mostly be a matter of identifying which features need to be exposed for it to be useful in that way. I'll update the number when I've written go-based tests for it. ~~Maybe 3/4ths of the code that exists~~ ~~has relevant tests now. All of them actually test a thing that knows how~~ ~~to fail now.~~
0.23 - ~~Enable additional configuration options, like tunnel lengths~~ ~~(always symmetrical) tunnel quantities(not always symmetical) idle~~ ~~connections per host, and backup tunnel quantity.~~ Implement "Saved Tunnels" which will allow per-eepSite long-term destinations, and ironically, potential parity with standard http proxies from i2p and i2pd. I used that word deliberately.
0.24 - Experiment with adding a SOCKS proxy. Create a version which contains a SOCKS proxy for testing. Actually have a SOCKS proxy. This should be acceptable in implementing the SOCKS proxy Torbutton Control Port compatibility.
0.25 - Package.
0.26 - Android? WebRTC over SSU? Try linking libi2pd? Help make go-i2p into a usable router? Browser Bundle(s?)? At risk of growing a little further than I originally intended, but I feel like there's some potential here.

The pipes

Moved to misc/docs/PIPES.md

Screenshots:

moved to misc/SCREENSHOTS.md

Donate

Monero Wallet Address

XMR:43V6cTZrUfAb9JD6Dmn3vjdT9XxLbiE27D1kaoehb359ACaHs8191mR4RsJH7hGjRTiAoSwFQAVdsCBToXXPAqTMDdP2bZB

Bitcoin Wallet Address

BTC:159M8MEUwhTzE9RXmcZxtigKaEjgfwRbHt

si-i2p-plugin's People

Contributors

Stargazers

Watchers

Forkers

bonedaddy

si-i2p-plugin's Issues

Explore Tor Control Protocol, TorButton compatibility layer

When using the Tor Browser Bundle, basic configuration and control is made available through TorButton, which, among other things, talks to Tor by way of the control port. It does things like request, restart, and close connections, provide coarse controls over active content, and management of contextual identities. Some or all of these functions may be useful to browsers using this proxy. To do this without modifying TorButton, I may need to create a compatibility layer, which translates TorButton's calls to the Control Port to equivalent requests for information and processes from within the proxy and within the i2p router it uses instead. This issue is to track how, ~~or if I should~~, attempt to create such a thing.

Update: In order fully to achieve what I wish to achieve(An un-linkable browser for safe casual viewing of multiple eepSites), I should make this proxy understand a subset of the Tor Control Protocol information as used by TBB, and translate them into equivalent i2p requests. New, much longer-term question, should I add outproxy support via Tor and pass instructions for clearnet and .onion sites to the regular Tor Control Port?

Other attacks?

So I've pretty much successfully broken the cryptographic connection between a visits to separate eepSites. But less reliable forms of linkability are still possible. This issue is to keep track of what those attacks are and whether the proxy will be able to do anything about them. I'll add them as I hear about/understand them:

"Classic" fingerprinting

Fingerprinting techniques using Javascript are pretty well known, I won't waste time here.

Is it something that can be fixed? Probably better to think of it like an arms race rather than a problem to be solved for now. Browsers are complicated AF. Pessimism is a perfectly fair position. In terms of the arms-race stance, though, the tool to use is the Tor Browser Bundle, modified to use non-tor proxies.
Does it lead to identification? Kinda. It fails to de-obfuscate the location of the user, but it's capable of gathering so much information about a person's computer that it can be pretty unique.

Addressbook Fingerprinting

Currently, it's probably possible to tell whether a readable address is in the local addressbook. If that's true, then it's possible that an addressbook may be unique enough to be personally identifiable. If that's true, then it defeats the purpose of this software. I need to find a way to make this information useless.

Eventually, jumphelper will fix this, but it needs a LOT of work. Jumphelper also needs the interstitial 'add to book' page, and it also needs

Attacks on the control interfaces:

Right now the primary interface for granular control is the pipe system, but since it's path-based, there's the possibility that a malicious URL could be used to inject something into someplace it shouldn't be(i.e. use a malicously crafted URL to retrieve content overtop of a "send" pipe). In order to fix this, pipe interface names should be reserved, and replaced transparently before they can do damage. A resolution I think will work is now in place.

I'm pretty sure I fixed it.
It should be resolved.

Besides this, I have planned a disk-avoidance mode which will disable the pipe system entirely in favor of the control port emulator.

Request Timing Attacks:

Using a similar network of colluding sites as the one used to correlate i2p destinations, make a request from one site to a resource from another site. Record the time. Requests close in time are likely to have come from the same user, especially on sites with very little traffic.

Is it something that can be fixed? Maybe. One partial solution is to tear-down tunnels to a particular eepSite after X minutes without a request. That way, an attacker has to keep a connection open to create reliable longitudinal data. Of course, that's simple enough, just keep requesting resources from that site. Another partial solution would be to intercept requests to off-eepSite resources and inject a random delay before sending the request. That would make it harder to correlate third-party requests to an individual user if a site has sufficient traffic. Unfortunately, there's no way to determine how long to make the delay that I can see because it depends on the traffic to the eepSite. In combination, these are probably worth doing even if they can't fix the issue completely. Besides that, it's an argument for TorButton integration which I'd been considering anyway(Use new circuit for this site or whatever). It would also be possible to use a unique dynamic URL for the same correlation(i.e. send the destination of the requester in the URL of the request). This is definitely damn-near impossible to fix, except maybe if I scrub it out of requests, but then it's still possible to do with any other unpredictable piece of data. I could make this unproductive by making all cross-site requests appear to be from the destination of the page including the resource request, but as far as I can tell, it's a break-even prospect and would involve more work on my part.
Does it lead to identification? Not reliably in most circumstances, AFAICT. It leads to suspicion, it can probably be used to profile, but it neither de-obfuscates a user's location nor links them to a very unique piece of data. Moreover, the more people using an eepSite, the less likely such an attack is to indicate anything useful.

Requests for local resources:

These types of attacks have, traditionally, been mitigated in browsers rather than in proxies, and using TBB will fix this. Still though, I would like to explore whether it would be worthwhile to try and "Strip" malicious requests for say, an image in the i2p router's admin panel out of pages before they reach the browser, or offer some kind of warning?

Is it something that can be fixed? Yes, use TBB(more accurately, disable un-proxied requests to the localhost in any browser, but TBB does this automatically). This is simply exploratory.
Does it lead to identification? Not usually, but I bet it can.

Include in core I2P

Great work. This is an important security feature. Can you please include this in I2P by default?