We have on our to-do list several requests from TorBox users, which are reasonable for experts who precisely know what they are doing and the potential risks of these options. However, because these settings could lead to security and anonymity issues, we hesitated to include them in TorBox. With the introduction of a new sub-menu, "Danger-Zone", we will add and centralize some of these requests.
One interesting request we received was the exclusion of specific domains from routing through tor. There are use cases for such an exclusion:
- Someone in an authoritarian country wants to use tor in general but not for connections to servers located in the country itself, for example, a government site. Of course, it would be preferable to use two separate computers in such a case, but that's not always possible.
- Someone wants to use streaming services (which may not work with tor) that, depending on the individual threat model, do not need to be secured and/or anonymized.
- Someone with a local VPN connection on the TorBox uses tor in general but sends domains that are not accessible through tor through the VPN connection.
There is no doubt that with the exclusion of domains from tor, the user has to be aware of a higher risk. He has to know his threat model and what he is doing.
The first test version of the domain exclusion feature is available for testing. The following steps are necessary to install it:
1. Choose entry 5 in the Maintenance and Update sub-menu. Choose "Expert" and answer "Which TorBox menu branch do you like to install?" with torbox-v.0.5.3. At the question "Which TorBox menu fork do you like to install?", press only the enter key to take the default.
2. Install ipset with sudo apt-get install ipset
3. Add an additional run-parameter in the run-file: cd; cd torbox; sudo printf "\n# Using an exclusion list for unprotected domains\nUNPROTECTED_DOMAIN=0\n" | sudo tee -a run/torbox.run
4. Update the rc.local file: sudo sed -i 's/^exit 0/\nif grep "\^UNPROTECTED_DOMAIN=1" \/home\/torbox\/torbox\/run\/torbox.run ; then \/home\/torbox\/torbox\/set_interfaces_3 1 ; fi\n\nexit 0/g' /etc/rc.local
5. Start the TorBox menu with cd; cd torbox; ./menu. Go to the Danger-Zone sub-menu and activate the Domain Exclusion feature.
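A check one could run after the steps above, as an added example that is not part of TorBox or the original post: the run-file command appends and the rc.local command rewrites in place, so repeating either one leaves duplicate entries. This shell function reports that, the position of the boot hook, and the current flag value. The function name and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not TorBox code: audit the two files the install steps change.
# Usage: audit_exclusion RUN_FILE RC_LOCAL (copies, or the paths used above:
# /home/torbox/torbox/run/torbox.run and /etc/rc.local).
# Prints findings plus "state=<value>"; returns 0 only if the setup is consistent.
audit_exclusion() {
    run_file=$1; rc_local=$2; bad=0
    [ -r "$run_file" ] && [ -r "$rc_local" ] || { echo "cannot read inputs"; return 2; }

    # The run-file step appends with "tee -a": running it twice leaves two lines.
    n=$(grep -c '^UNPROTECTED_DOMAIN=' "$run_file" || true)
    if [ "$n" -ne 1 ]; then
        echo "run file: expected 1 UNPROTECTED_DOMAIN line, found $n"; bad=1
    fi
    # Report the last assignment found in the run file.
    state=$(sed -n 's/^UNPROTECTED_DOMAIN=//p' "$run_file" | tail -n 1)

    # The rc.local step inserts the boot hook; repeating it duplicates the hook.
    h=$(grep -cF 'set_interfaces_3 1' "$rc_local" || true)
    if [ "$h" -ne 1 ]; then
        echo "rc.local: expected 1 set_interfaces_3 hook, found $h"; bad=1
    fi

    # The hook only runs at boot if it sits above the first "exit 0".
    hook_ln=$(awk '/set_interfaces_3 1/ {print NR; exit}' "$rc_local")
    exit_ln=$(awk '/^exit 0/ {print NR; exit}' "$rc_local")
    if [ -n "$hook_ln" ] && [ -n "$exit_ln" ] && [ "$hook_ln" -gt "$exit_ln" ]; then
        echo "rc.local: hook is below 'exit 0' and will never run"; bad=1
    fi

    echo "state=${state:-unset}"
    return "$bad"
}

# Constructed sample: the run-file step was applied twice, the rc.local step once.
demo=$(mktemp -d)
printf 'UNPROTECTED_DOMAIN=0\nUNPROTECTED_DOMAIN=0\n' > "$demo/torbox.run"
printf '%s\n' '#!/bin/sh' 'if grep "^UNPROTECTED_DOMAIN=1" /home/torbox/torbox/run/torbox.run ; then /home/torbox/torbox/set_interfaces_3 1 ; fi' '' 'exit 0' > "$demo/rc.local"
audit_exclusion "$demo/torbox.run" "$demo/rc.local" || echo "setup needs fixing"
rm -rf "$demo"
```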
Important
Domains/IPs on the VPN list will only be excluded from tor routing if a local VPN connection on the TorBox is up and running (tor over VPN using main menu entry 10). However, the domains/IPs on the CLEARNET list will also be routed without protection.
Please remember that domains/IPs on the exclusion lists are not protected by tor. It would be best to assume that everyone will see that you connect to these IP addresses. If not correctly encrypted (for example, by using HTTP), everyone can see the content of the communication to/from these IP addresses!
Currently, the exclusion feature still has to be better integrated into the other TorBox functionalities. Your feedback could help with that.
How to use it in a controlled way?
For security reasons, the exception list should be as small as possible. I will explain this with an example: https://www.accointing.com/ is a crypto tracking software, which worked without any problem when connecting through tor until they were bought by https://glassnode.com/. Since then, overcoming the login procedure, which uses the domain auth.glassnode.com, has been impossible. The connection to auth.glassnode.com is already secured and encrypted, and there is no reason to hide from glassnode.com because they already have the user's data due to the paid account. Therefore, only auth.glassnode.com should be excluded from being routed through tor, but not accointing.com.
Please, give feedback
Please help us to make TorBox better. We would appreciate feedback, ideas, bug reports, pull requests, etc.