{{Title|title= Stream Isolation: Easy }}
{{Header}}
{{#seo: |description={{project_name_long}} Tor Stream Isolation Short Introduction |image=Streamisolationme.jpg }}

<div class="mininav">
* [[Stream_Isolation/Easy|short stream isolation summary]]
* [[Stream Isolation|all information below]]
</div>

[[File:WhonixStreamIsolation.jpg|thumb|New illustrative {{project_name_short}} stream isolation image with 4 Tor relays. (Instead of 3 in the past.) See also [[vanguards]].]]

{{intro|
{{project_name_short}} Tor Stream Isolation Short Introduction
}}

Applications such as [[Tor Browser]], <code>ssh</code>, <code>gpg</code>, <code>wget</code>, <code>curl</code>, <code>git</code>, and <code>apt</code> are configured for stream isolation by default; the full list can be found [[Stream_Isolation#List|here]]. The advantage of this configuration is that these applications take different paths through the [[Tor]] network and are therefore more anonymous, since separate paths protect against identity correlation through Tor circuit sharing. <ref>If stream isolation is not enforced, different activities conducted in separate applications may pass through the same Tor circuit and exit relay, correlating these activities to the same pseudonym.</ref>

This arrangement comes with a small usability impact in corner cases:

* For some tunnels it may be necessary to disable stream isolation -- this is covered in the [[Tunnels/Introduction|Combining Tunnels with Tor]] chapter.
* <ref> It <u>might</u> be required to [[Stream_Isolation#Deactivate_Stream_Isolation|disable stream isolation]] for applications that require local connections. For example, this is the case for opening a local ssh listener:
** If the following command is run: <code>ssh 10.152.152.11</code>, <code>uwt</code> will actually execute <code>torsocks /usr/bin/ssh.anondist-orig 10.152.152.11</code>. In this case, traffic would flow through <code>torsocks</code> via a Tor <code>SocksPort</code>. This will fail for local connections and lead to the following error message:
*** <blockquote>libtorsocks(12021): connect: Connection is to a local address (10.152.152.11), may be a TCP DNS request to a local DNS server so have to reject to be safe. Please report a bug to https://gitweb.torproject.org/torsocks.git/ if this is preventing a program from working properly with torsocks</blockquote>
** This is possibly no longer required thanks to the {{project_name_short}} default [https://github.com/Whonix/uwt/blob/master/etc/tor/torsocks.conf.anondist <code>/etc/tor/torsocks.conf</code>] configuration file which sets <code>AllowOutboundLocalhost 1</code>.
<pre>
# Set Torsocks to allow outbound connections to the loopback interface.
# If set to 1, connect() will be allowed to be used to the loopback interface
# bypassing Tor. If set to 2, in addition to TCP connect(), UDP operations to
# the loopback interface will also be allowed, bypassing Tor. This option
# should not be used by most users. (Default: 0)
AllowOutboundLocalhost 1
</pre>
</ref>

Further information:

<div class="mininav">
* [[Stream_Isolation|Learn more about stream isolation]]
* [[Stream_Isolation/Disable_Easy|Disable stream isolation: easy]]
* [[Stream_Isolation#Deactivate_Stream_Isolation|Disable stream isolation: more options]]
</div>

= Footnotes =
{{reflist|close=1}}

{{Footer}}

[[Category:Documentation]]
[[Category:Design]]