Should I run Tor in a VM?

  • I've heard advice that to further protect my anonymity/privacy it's best to run Tor (the Tor Browser Bundle) in a Virtual Machine, which you would ideally roll back after each use.

    What extra security, if any, does this provide?

  • pabouk

    Correct answer

    9 years ago

    There are several anonymity concerns when you use your main machine for communication. Running a separate secured OS will give you advantages when you use software with Tor other than just the Firefox in the Tor Browser Bundle, which is considerably secured. The separate secured OS can also help you against possible information-leak vulnerabilities in Firefox.

    • Your machine contains and collects information which could be used for your identification. Examples are: host name, IP address, state information and configuration of various applications. This should not be a problem if you use the Tor Browser Bundle properly, as in most cases it should not leak the information which is stored outside of the bundle package.
    • Various versions (and default configuration) of your software, including the operating system, can possibly be identified from your communication. It is advisable to use the least customized software possible. The Tor Browser Bundle already solves this for the included software (Tor, Firefox, Vidalia Bundle). To be more secure, you should use a complete secured operating system with unified configuration so that you cannot be identified when versions of various parts of it get revealed. An example of such an OS is Tails.
    • An OS like Tails makes information leaks less probable by not allowing clear-text communication. Where possible, it transparently redirects all traffic to the Tor network regardless of the applications used and their possible vulnerabilities. Furthermore, Tails is able to separate unrelated traffic into different Tor circuits.
    • By reverting the state of the OS after each use, either by using a live OS without permanent data storage or a virtual machine with non-persistent storage, you avoid long-term storage of the information which could lead to your identification.
    • Various hardware information can leak through your communication (display resolution, size of RAM...). When you use a unified OS running inside a virtual machine, you can prevent the discovery of most of the hardware-related information.
    • By using a separate OS, you lessen the probability of leaking information from your Tor sessions in your open communication (e.g. requests to the .onion domain).
    • You can safely control the communication from the virtual machine while your main OS is running.
    • You can easily encrypt the virtual machine image, and in case of emergency you can eventually destroy the encryption key.

    Ideally, if all Tor users used the same OS running in the same virtual machine on the same virtualization platform, they would be almost indistinguishable from each other.

    You say "the Firefox in the Tor Browser Bundle [...] is secured relatively well enough." Alas, I disagree. I think putting Firefox in its own VM, and making it much harder for it to make any connections on its own, or interact with the local system, would be a huge security improvement. So far, various law enforcement groups have found Tor so hard to break that they resort to exploiting the browser -- we should find some usable ways to make those exploits much harder. (Please help!)

    In particular, as part of the recent Freedom Hosting takedown, the FBI served a JavaScript exploit that caused users to access one of its servers directly, bypassing Tor. See "FBI Admits It Controlled Tor Servers Behind Mass Malware Attack". If Firefox (and other apps) had been isolated in a VM (or better, a separate physical machine) with no Internet access except through Tor, the exploit would have failed. More generally, it's always prudent to isolate userland apps from Tor and other networking processes.

    @RogerDingledine: Thank you for the good point. I have changed the reply.

    Although encrypting virtual machines or images is useful, unencrypted data may remain on the host machine through disk caching. It's also important to use full-disk encryption on host machines.
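
The isolation described in the comments above ("no Internet access except through Tor") only holds if the firewall fails closed. The following is an added example, not part of the original answer or comments and not code from Tor or Tails: it audits `iptables-save` output for OUTPUT rules that would let a process connect without going through Tor. It assumes a layout where the Tor daemon runs locally under its own uid; the sample rulesets and the uid 107 are constructed.

```python
import shlex

# Constructed samples in iptables-save format (not taken from any real host).
FAIL_CLOSED = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --uid-owner 107 -j ACCEPT
COMMIT
"""
# Same ruleset with a permissive default policy and a direct DNS rule added.
LEAKY = FAIL_CLOSED.replace(":OUTPUT DROP", ":OUTPUT ACCEPT").replace(
    "COMMIT", "-A OUTPUT -p udp --dport 53 -j ACCEPT\nCOMMIT")

BLOCKING = {"DROP", "REJECT", "LOG"}  # targets that never release a packet


def audit_egress(ruleset, tor_uid):
    """Return findings for filter/OUTPUT rules that allow non-Tor egress."""
    findings, table, policy_seen = [], None, False
    for raw in ruleset.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]                      # "*filter", "*nat", ...
        elif table != "filter":
            continue
        elif line.startswith(":OUTPUT "):
            policy_seen = True
            policy = line.split()[1]
            if policy != "DROP":
                findings.append(f"OUTPUT policy is {policy}, not DROP")
        elif line.startswith("-A OUTPUT "):
            tok = shlex.split(line)
            target = tok[tok.index("-j") + 1] if "-j" in tok else ""
            loopback = "-o" in tok and tok[tok.index("-o") + 1] == "lo"
            tor_only = ("--uid-owner" in tok
                        and tok[tok.index("--uid-owner") + 1] == tor_uid)
            # Negated matches and jumps to user chains are not analysed,
            # so they are reported rather than trusted.
            allowed = target == "ACCEPT" and (loopback or tor_only) and "!" not in tok
            if target not in BLOCKING and not allowed:
                findings.append(f"non-Tor egress allowed: {line}")
    if not policy_seen:
        findings.append("no filter OUTPUT policy found")
    return findings
```

IPv6 rules live in a separate ruleset (`ip6tables-save`) and need the same check.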

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM