Fwd: Re: The --use-tor option

Werner Koch wk at gnupg.org
Tue Oct 20 15:05:52 CEST 2015


On Tue, 20 Oct 2015 13:43, jacob at appelbaum.net said:

> Will gnupg have a UseTor option for gpg.conf now?

You will need to add "use-tor" to dirmngr.conf because dirmngr is now
solely responsible for all network access.  As soon as the DNS leak has
been addressed that option will show up in the preference dialogs of GPA
and Kleopatra (and possibly more MUAs).

> UseTor /path/to/unixsocket
> UseTor 127.0.0.1:9050

I was not aware that there is a Unix Domain socket entry point to TOR.
Anyway I implemented a fixed 127.0.0.1:9050 for now.

> If GnuPG had Tor ControlPort integration, we could even generate Tor
> Hidden Services automatically and use them together in smart ways with

It's a few years since I ran a TOR node, thus I have to read again about
the control port.  Pointers to concrete ideas?

> I hope you'll also support the Unix Domain Socket SOCKS port that
> we're now shipping with Tor (0.2.7.x and up, I think). That would mean
> that gnupg could be entirely sandboxed from the internet and only able
> to talk to the internet through Tor.

Well, this could be added but there are other high priority tasks.  What is
the concrete use case for the Unix Domain socket?

With --use-tor dirmngr won't be able to connect to anything except the
localhost - modulo bugs of course.

> What else isn't proxy friendly in GnuPG?

LDAP access to keyservers and CRLs.  LDAP for keyserver is not a public
service, so it does not make sense.  CRL downloading introduces a web
bug because the CRL distribution point is taken from the certificate.
More code is required to fix that.  For now I think it is better to also
disable HTTP access to CRLs.


Salam-Shalom,

   Werner


P.S.
I have just pushed my ADNS patches to
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=adns.git

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
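Added example, not part of the message above and not GnuPG or dirmngr code: the "DNS leak" Werner mentions is the classic failure of a proxy-aware client that resolves the keyserver name itself (a plaintext DNS query that never touches Tor) and only then hands an IP address to the SOCKS proxy at 127.0.0.1:9050. The Tor-safe form puts the hostname into the SOCKS5 CONNECT request (address type 0x03) so Tor does the lookup. The code below builds both forms, audits a captured request for the leaky pattern, and decodes the proxy's reply. The hostname keys.example.org, the port numbers and the sample replies are constructed values.

```python
"""SOCKS5 CONNECT with and without a DNS leak (added example; assumes the
Tor SOCKS port at 127.0.0.1:9050 with no authentication). Hostname, ports
and reply bytes below are constructed for illustration."""
import ipaddress
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
              3: "network unreachable", 4: "host unreachable",
              5: "connection refused", 6: "TTL expired",
              7: "command not supported", 8: "address type not supported"}


def greeting() -> bytes:
    # VER=5, NMETHODS=1, METHOD=0x00 (no authentication): what the client
    # sends first to 127.0.0.1:9050; Tor answers b"\x05\x00".
    return bytes([SOCKS_VERSION, 1, 0x00])


def build_connect(target: str, port: int) -> bytes:
    """Build a SOCKS5 CONNECT request.

    Passing a hostname yields address type 0x03, so the proxy (Tor) resolves
    it. Passing an IP literal yields 0x01/0x04, which is only safe if the
    application never resolved a name locally to obtain that literal."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is None:
        name = target.encode("idna")
        if not 0 < len(name) <= 255:
            raise ValueError("hostname length must be 1..255 for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    elif ip.version == 4:
        addr = bytes([ATYP_IPV4]) + ip.packed
    else:
        addr = bytes([ATYP_IPV6]) + ip.packed
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def audit_connect(request: bytes) -> dict:
    """Inspect a CONNECT request captured on the way to the SOCKS port.

    resolved_before_proxy=True means the client supplied an address, not a
    name: if the configured target was a hostname, the lookup happened
    outside Tor and the DNS query leaked."""
    if len(request) < 7 or request[0] != SOCKS_VERSION or request[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = request[3]
    if atyp == ATYP_DOMAIN:
        n = request[4]
        target = request[5:5 + n].decode("idna")
        off = 5 + n
    elif atyp == ATYP_IPV4:
        target = str(ipaddress.IPv4Address(request[4:8]))
        off = 8
    elif atyp == ATYP_IPV6:
        target = str(ipaddress.IPv6Address(request[4:20]))
        off = 20
    else:
        raise ValueError("unknown address type %#x" % atyp)
    if len(request) != off + 2:
        raise ValueError("request length does not match address type")
    port = struct.unpack("!H", request[off:off + 2])[0]
    return {"atyp": atyp, "target": target, "port": port,
            "resolved_before_proxy": atyp != ATYP_DOMAIN}


def parse_reply(reply: bytes) -> tuple:
    """Decode the proxy's reply to CONNECT into (code, description)."""
    if len(reply) < 2 or reply[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    code = reply[1]
    return code, REPLY_TEXT.get(code, "unassigned")


if __name__ == "__main__":
    # Constructed walk-through: a keyserver lookup with and without the leak.
    safe = build_connect("keys.example.org", 11371)
    leaky = build_connect("192.0.2.10", 11371)   # IP obtained by a local lookup
    print("safe  :", audit_connect(safe))
    print("leaky :", audit_connect(leaky))
    print("reply :", parse_reply(b"\x05\x00\x00\x01\x00\x00\x00\x00\x00\x00"))
```

When reviewing a client's Tor support, the single most useful check is the one audit_connect performs: every CONNECT that crosses to the SOCKS port for a name-based target must carry address type 0x03. An IPv4 or IPv6 literal for a target that was configured as a hostname is the signature of the leak, regardless of how "proxy friendly" the rest of the code is.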