Filesharing and Torrenting

From Whonix
Jump to navigation Jump to search

Anonymous File Sharing using Whonix. BitTorrent. Torrenting.

This page describes how to share files with others.

If you are interested in copying files into and out of Whonix Virtual Machines, see File Transfer.

Magic-Wormhole[edit]

Introduction[edit]

The Magic-Wormhole package: [1] [2]

... provides a library and a command-line tool named wormhole, which makes it possible to get arbitrary-sized files and directories (or short pieces of text) from one computer to another. The two endpoints are identified by using identical "wormhole codes": in general, the sending machine generates and displays the code, which must then be typed into the receiving machine.

This is by far the simplest way to send files securely between two endpoints that the Whonix developers have encountered.

The wormhole tool uses PAKE “Password-Authenticated Key Exchange”archive.org, a family of cryptographic algorithms that uses a short low-entropy password to establish a strong high-entropy shared key. [3] The codes are short and human-pronounceable, using a phonetically-distinct word list. The receiving side offers tab-completion on the code words, so usually only a few characters must be typed. Wormhole codes are single-use and do not need to be memorized.

In the future, it is planned to use ephemeral onion services (OnionShare style) to eliminate reliance on a rendezvous server susceptible to DoS attacks. [4] Work on a Rust port is underway. [5] [6]

Operation[edit]

The following example shows the output related to sending the file "README.md" with Magic-Wormhole. Replace README.md with the name of any file in the home directory. [7]

Sender:

% wormhole send README.md

Sending 7924 byte file named 'README.md'
On the other computer, please run: wormhole receive
Wormhole code is: 7-crossover-clockwork

Sending (<-10.0.1.43:58988)..
100%|=========================| 7.92K/7.92K [00:00<00:00, 6.02MB/s]
File sent.. waiting for confirmation

Confirmation received. Transfer complete.

Recipient:

% wormhole receive

Enter receive wormhole code: 7-crossover-clockwork
Receiving file (7924 bytes) into: README.md
ok? (y/n): y
Receiving (→tcp:10.0.1.43:58986)..
100%|===========================| 7.92K/7.92K [00:00<00:00, 120KB/s]

Received file written to README.md

Code Word Security[edit]

The secret wormhole code must not be sent over an insecure channel, as an adversary can perform a Man-in-the-Middle (MITM) Attack and intercept transfers with complete reliability.

By default, wormhole codes contain 16 bits of entropy. If an attacker can intercept the network connection -- either by owning your network or owning the rendezvous server -- they can attempt an attack. They will have a one-in-65536 chance of successfully guessing the code, allowing them to pose as your intended partner. If they succeed, they can immediately start a new wormhole (using the same code), allowing your partner to connect to them instead of you. By passing, observing, and possibly modifying messages between these two connections, they could perform an MITM attack. [8]

Basic probability suggests that peers will see a large number of "WrongPasswordErrors" before the attacker is likely to successfully guess any wormhole code. In fact, about 32,000 failures would be reported before they have a 50 percent chance of being successful. If many failures emerge and it appears someone is trying to guess the codes, it is possible to make a longer code and significantly reduce adversary chances, for example: wormhole send --code-length=4.

OnionShare[edit]

See OnionShare.

Peer-to-Peer (P2P) File Sharing[edit]

Introduction[edit]

P2P is defined as: [9]

Stands for "Peer to Peer." In a P2P network, the "peers" are computer systems which are connected to each other via the Internet. Files can be shared directly between systems on the network without the need of a central server. In other words, each computer on a P2P network becomes a file server as well as a client.

In simple terms, any computer can join a P2P network with an Internet connection and the use of available P2P software. Popular, functional P2P applications include uTorrent, BitTorrent, Soulseek, Shareaza, WireShare, Gnutella, Vuze and FrostWire. [10] Once connected to the P2P network, it is possible to access thousands of other systems on the network, while other users can search for files on your computer (in a specially designated folder). [9]

Recommendations[edit]

Keep the following factors in mind if P2P programs are used over Tor:

  • Whonix keeps your IP address hidden while BitTorrent and other file sharing/P2P programs are in use. Whonix also protects against de-anonymization attacks outlined in the next section.
  • Despite protocol leaks not being feasible on Whonix, BitTorrent clients create a very large number of circuits (50x the amount by IRC) which increases the chance of traffic observation by malicious Tor-relays and results in faster deanonymization. [11] [12] The duration a download is running is also a factor in deanonymization attack speed. It is unclear how vanguards and Tor connection padding help mitigations (both introduced since the paper was written). Therefore it is recommended to run torrent downloads in a Connecting to Tor before a VPN (UserTorproxy/VPN/SSHInternet) setup, to limit the number of circuits created on Tor and also to protect Tor exit relays from DMCA harassment; see Tunnels/Introduction.
  • Torrent clients can be fingerprinted, so periodically start fresh from a clean snapshot and reinstall the torrent client.
  • The Tor network suffers from limited bandwidth shared among more than 2 million users. Please be conscious of how much is downloaded/uploaded with these programs: a single, 500MB media file can equal several hours of browsing for another user.
  • Violation of copyright laws risks harassment against exit nodes. To learn more about legal protections for file sharing in your jurisdiction, see: Legal aspects of file sharingarchive.org.
  • If P2P must be used, please disable torrent seedingarchive.org. [13] Compared to ordinary downloads over FTP/HTTP, constant P2P uploading has harmful impacts upon Tor network resources.
  • Some Trackers can serve clients over both UDP and HTTP (TCP). Changing their protocol from the default udp:// specified in the .torrent file to http:// might enable downloading the referenced file.

Setup[edit]

Some file sharing networks might require the User Datagram Protocol (UDP)archive.org.

1. Configure a UserTorVPNInternet tunnel link.

The Tor software does not support UDP. The feature request UDP over Torarchive.org was created in 2013 and closed as won't fixarchive.org by upstream, The Tor Project in 2018. It is therefore highly unlikely that the UDP over Tor feature will ever be implemented. This is unspecific to Whonix.

Tor provides a DnsPort but that is unrelated.

If UDP is urgently required in Whonix, a limited workaround is provided. For the most secure method, see Tunnel UDP over Tor.

2. Modify the Whonix-Workstation firewall.

It is necessary to Allow UDP in Whonix-Workstation firewall.

3. File sharing software that is not mentioned on this page is presently undocumented.

The Tor Project Opinion[edit]

Over the last decade, the Tor Project has been fairly consistent in advising against torrenting over the Tor network. In response to the 2010 paper Compromising Tor Anonymity Exploiting P2P Information Leakagearchive.org -- which detailed P2P information leakage over Tor that could compromise a (non-Whonix) user's identity -- Roger Dingledinearchive.org stated in 2010:

Combined, they present a variety of reasons why running any Bittorrent traffic over Tor isn't going to get you the privacy that you might want. So what's the fix? There are two answers here. The first answer is "don't run Bittorrent over Tor". We've been saying for years not to run Bittorrent over Tor, because the Tor network can't handle the loadarchive.org; perhaps these attacks will convince more people to listen. The second answer is that if you want your Bittorrent client to actually provide privacy when using a proxy, you need to get the application and protocol developers to fix their applications and protocols. Tor can't keep you safe if your applications leak your identityarchive.org.

In the same post, Tor developer phobos stated: [14]

bittorrent is not designed to be private nor anonymous. We've said for years to not use bittorrent over tor because it will screw the user in some way. Now we have an example of at least one of those ways.

Roger Dingledine also talks in his paper about the difficulties that P2P and torrenting put on the developers and the Tor network in general:[15]:

...normal web browsing users will always get squeezed out by people pulling down larger content and tolerating high latency. But the next problem is that some users simply add more load than the network can handle. Just making sure that all the load gets handled fairly isn’t enough if there’s too much load in the first place.

Roger Dingledine also comments on how exit operations often have to limit the ports used on their node to 80 and 443, limiting other protocols in an effort to prevent DMCA complaints and potentially affecting completely innocent users as mentioned above. He also comments on how even this might not work in the future if Torrenting developers add these ports as acceptable P2P ports:

We hear periodically from relay operators who had problems with DMCA takedown attempts, switched to an exit policy of “permit only ports 80 and 443”, and no longer hear DMCA complaints.

Does that mean that most file-sharing attempts go over some other port? If only a few exit relays permitted ports other than 80 and 443, we would effectively squeeze the high-volume flows onto those few exit relays, reducing the total amount of load on the network.

First, there’s a clear downside: we lose out on other protocols. Part of the point of Tor is to be application-neutral. Also, it’s not clear that it would work long-term, since corporate firewalls are continuing to push more and more of the Internet onto port 80.

That does not mean that divergent opinions do not exist. For example, former Tor developer Jacob Appelbaum stated in 2011: [16]

... I'm not clear that it will harm the network if Tails includes a BitTorrent client. I think that the harm comes when someone runs a few seeding boxes through Tor and doesn't bother to add any capacity to the network at all. ...

Similarly, in the same thread former Tor executive director Andrew Lewman stated: [17]

... There are completely legitimate uses of bittorrent over Tor. I've talked to people who want to get their ISO of Fedora or Ubuntu from outside their country, so they bt over tor to do so. ... I'm fully aware that the tor codebase punishes me for doing large downloads over Tor, so be it. ...

Torrent Client Fingerprinting[edit]

Several fingerprinting risks exist for torrent clients:

  • On initial startup, torrent clients generate a unique peer ID for the Distributed Hash Table (DHT)archive.org network. [18] In effect, the "RandomNumbers" component of the peer ID could be used to identify a client.
  • Another identifier concerns node IDs, which are persistent unless the user clears their DHT information and rejoins the network (which is uncommon).
  • It is reported trackers can set cookies in the client -- for example a newer version of qbittorrent allows you to see and manage those from the GUI.

To avoid leaving a long-lived trail of download activity, it is recommended to periodically start fresh from a clean snapshot and to delete the torrent client's user data folder. Note: Depending on the torrent client, the torrent client's user data folder is likely different from the download folder. Clearing the download folder likely does not remove unique IDs.

Footnotes[edit]

  1. https://github.com/magic-wormhole/magic-wormholearchive.org
  2. https://magic-wormhole.readthedocs.io/en/latest/archive.org
  3. https://magic-wormhole.readthedocs.io/en/latest/welcome.html#designarchive.org
  4. https://github.com/magic-wormhole/magic-wormhole/blob/master/docs/tor.rstarchive.org
  5. https://web.archive.org/web/20190817162545/https:/twitter.com/str4d/status/1153247233044860928archive.org
  6. https://github.com/magic-wormhole/magic-wormhole.rsarchive.org
  7. https://magic-wormhole.readthedocs.io/en/latest/welcome.html#examplearchive.org
  8. https://magic-wormhole.readthedocs.io/en/latest/attacks.html#low-probability-man-in-the-middle-attacksarchive.org
  9. 9.0 9.1 https://techterms.com/definition/p2parchive.org
  10. https://www.blogsdna.com/923/top-20-best-peer-2-peer-p2p-file-sharing-programs-applications-software.htmarchive.org
  11. Users Get Routed:Traffic Correlation on Tor by Realistic Adversariesarchive.org
  12. https://forums.whonix.org/t/does-whonix-have-torrents-available/10046/14#archive.org
  13. How seeding works in torrent?archive.org:

    Seed is a person who has a torrent file open in their client (let's say the same file you are trying to download) and the only difference between you and them is that they have the complete file downloaded already and are now "seeding" - sharing the file with peers but not downloading any parts of the file from others.

  14. https://blog.torproject.org/comment/5541#comment-5541archive.org
  15. https://svn-archive.torproject.org/svn/projects/roadmaps/2009-03-11-performance.pdfarchive.org
  16. https://lists.torproject.org/pipermail/tor-talk/2011-December/022376.htmlarchive.org
  17. https://lists.torproject.org/pipermail/tor-talk/2011-December/022369.htmlarchive.org
  18. https://security.stackexchange.com/questions/37167/can-bittorrent-clients-be-fingerprintedarchive.org

We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!