On Sat, Jan 14, 2017 at 10:33:00PM +0000, Patrick Schleizer wrote:
> Is this actually implemented despite saying wontfix?

Well, it's implemented as described in my previous mail in this buglog:
The setting:

    Dir::Bin::Methods::http "http+tor";

will give you what this bugreport requests – well, not really, it will route all traffic through tor, not just these http-lines which have a .onion address as described in the request. I really don't like such magic and think it would be dangerous, which is why it's tagged wontfix, but more details in last mail.

The in this bugreport requested feature is distinct (in some ways even the opposite) of what you refer to next though:

> Thank you for implementing 'Acquire::BlockDotOnion "false";' - very
> useful for Whonix!

The option is fashioned after a similar option available in firefox: By default, if we end up trying to perform DNS queries, such a try will be canceled and fails without contacting a DNS server – that is so that by default a misconfiguration will not cause you to leak your onion-browsing attempt to a (potentially very) remote DNS server or even be subject to an evil DNS server resolving the address to some fake…

I guess Whonix is set up in a way that there is no communication to the outside world without Tor, so there is no danger of a misconfiguration exposing you in some way. In such a world you don't need a-t-tor at all. You will need that config knob though, as you want apt to contact a DNS server for all its needs – which your network-stack will deal with (as in rewriting it to be routed over tor and such).

That said, it might make sense to use a-t-tor anyhow even if not strictly needed, as it will deal better with certain tor anomalies given that it knows tor is involved, reporting better errors (like telling you that the .onion address you typo'ed is too long/short; saying "unreachable host" if a service is… well, not reachable, instead of saying "TTL expired" which is reported by Tor and technically more correct but unhelpful), will use different circuits for different sources and stuff.

Best regards

David Kalnischkies
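Added example, not part of the original mail and not apt's own code: a small audit of one-line-style sources.list entries that flags .onion sources which do not use a `tor+` transport (the case the default DNS block guards against) and onion addresses of the wrong length (the typo case the mail mentions). It assumes the `tor+http`/`tor+https` scheme prefix of apt-transport-tor and the 16/56-character onion address lengths; the sample entries and the placeholder address are constructed.

```python
import re
from urllib.parse import urlsplit

ONION_LABEL = re.compile(r"^[a-z2-7]+$")  # base32 alphabet of onion addresses
VALID_LENGTHS = (16, 56)                  # v2 and v3 address lengths
ADDR = "a" * 16                           # constructed placeholder address

# Constructed sample sources.list content (not taken from the mail).
SAMPLE = f"""\
deb tor+http://{ADDR}.onion/debian stable main
deb http://{ADDR}.onion/debian stable main
deb tor+http://{ADDR[:-1]}.onion/debian stable main
deb [arch=amd64] tor+https://deb.example.org/debian stable main
# deb http://{ADDR}.onion/debian stable main
"""

def audit_line(line):
    """Return findings for one one-line-style sources.list entry."""
    fields = line.split("#", 1)[0].split()
    if len(fields) < 3 or fields[0] not in ("deb", "deb-src"):
        return []
    i = 1
    if fields[i].startswith("["):          # skip the optional [options] block
        while i < len(fields) and not fields[i].endswith("]"):
            i += 1
        i += 1
    if i >= len(fields):
        return []
    url = urlsplit(fields[i])
    host = (url.hostname or "").lower()
    if not host.endswith(".onion"):
        return []
    findings = []
    if not url.scheme.startswith("tor+"):
        # Resolution is left to the system: it fails by default, or depends
        # entirely on the network stack once BlockDotOnion is "false".
        findings.append("onion-without-tor-transport")
    label = host[: -len(".onion")].split(".")[-1]
    if not ONION_LABEL.match(label) or len(label) not in VALID_LENGTHS:
        findings.append("malformed-onion-address")
    return findings

def audit(text):
    """Map 1-based line numbers to their findings."""
    report = {}
    for number, line in enumerate(text.splitlines(), 1):
        found = audit_line(line)
        if found:
            report[number] = found
    return report
```
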