Shoalsteed / I2P-Secure-Design-Collective


Outproxy Workflow #61

Open Shoalsteed opened 1 year ago

Shoalsteed commented 1 year ago

Secure workflows are important to our network participants. In recent user studies, volunteers were not sure about how the outproxy worked.

They did not understand what to look for to understand that they were "connected" to it. They were looking for verification in the browser that it was working.

They were able to verify that they had the stormycloud outproxy on, but the connection between the green running button in the Hidden Service manager and moving to the browser revealed a gap in both trust and available documentation.

Shoalsteed commented 1 year ago

Testing: I have tested the Outproxy workflow and cannot see that it is working. Even using bgp tools, the DNS requests are all in Canada.

I have the addresses in my address book, and I have the stormy cloud exit in my hidden services.

Solution: Participant is using the I2P In Private Browsing Firefox add on. They therefore need to open a new I2P browser tab. Verified by checking DNS in same tab.

Shoalsteed commented 1 year ago

Unable to connect, but

[Screenshot: Screen Shot 2023-01-16 at 12 55 53 PM]

Is there a way to specify what the actual error is? Following the links provided does not reveal any information about the problem. In troubleshooting I was able to connect to a site in the same tab in the clearnet.

Could Stormy create a check outproxy page?

Shoalsteed commented 1 year ago
  1. Add exit.stormycloud.i2p to your I2P address book

Address: exit.stormycloud.i2p

  2. Open your I2P router console page, navigate to your Tunnel Manager, and open your HTTP Proxy configuration

  3. Under the ‘Outproxies’ and ‘SSL Outproxies’ section in the Tunnel Manager / Hidden Services Manager, specify exit.stormycloud.i2p

  4. If you are not using Firefox as your browser, download and install Firefox. https://www.mozilla.org/en-US/firefox/new/

  5. Add the Firefox In Private Browsing add-on. https://addons.mozilla.org/en-US/firefox/addon/i2p-in-private-browsing/

  6. Open the extension modal by clicking on the I2P in Private Browsing icon in the browser menu.

  7. You will see a green indicator that the proxy is ready.

  8. To access a clearnet site, navigate to the Control section and choose "New I2P Browser Tab"

  9. This will open a new tab with a dark purple background.

  10. Search BGP Tools https://bgp.tools/ to verify that you are in fact using the outproxy.

  11. Verify, clear field and add the site you want to visit.

  12. Keep a container just for your I2P browsing.

Shoalsteed commented 1 year ago

Synthesis I2P Java Outproxy Workflow: New User Testing and Evaluation Using I2P In Private Browsing Mode On MacOS https://theoverlay.ghost.io/i2p-core-o

eyedeekay commented 1 year ago
  1. Add exit.stormycloud.i2p to your I2P address book

Address: exit.stormycloud.i2p

2. Open your I2P router console page, navigate to your Tunnel Manager, and open your HTTP Proxy configuration

3. Under the ‘Outproxies’ and ‘SSL Outproxies’ section in the Tunnel Manager / Hidden Services Manager, specify exit.stormycloud.i2p

This is now configured by default for all I2P users

4. If you are not using Firefox as your browser, download and install Firefox. https://www.mozilla.org/en-US/firefox/new/

5. Add the Firefox In Private Browsing add-on. https://addons.mozilla.org/en-US/firefox/addon/i2p-in-private-browsing/

I do not believe that it will ever, ever be safe or intuitive enough to browse the clear web using an outproxy using I2P in Private Browsing. It was designed as and remains a solution which is designed to keep clear web browsing and I2P browsing separate and the fact that there is a specific way in which it can be used with an outproxy isn't really, in my opinion, even a good thing. It's a compromise, intended primarily to work around the shortcomings of I2P sites that don't adequately remove requests to clearnet resources, and one which I actively try to minimize with ad-blockers and locally cached CDN resources. I would go so far as to say that I believe in-I2P browsing with the extension would become marginally safer if I dropped all clearnet requests coming from I2P tabs and deliberately broke outproxy support extension-side.

Mixing regular clearnet and clearnet-over-outproxy browsing in the same browser makes it more likely that an attacker who is trying to fingerprint you can develop a correlation between your I2P and non-I2P activity. So if you have an attacker who controls a CDN, for instance, if you're not actively trying to avoid the CDN they have a higher chance of identifying you across tabs. I do not think this is safe without control over at least a whole browser profile; it cannot be done safely with extensions.

I have tried very hard to make it clear that I do not think that I2P in Private Browsing is capable of being the appropriate solution for this, even if the workflow was made abundantly clear. Outproxy browsing is only safe for general use in a dedicated browser profile with an audited, narrow, shared fingerprint, ideally a modified Tor Browser Bundle like what Easy-Install for Windows does. The right answer on other platforms is i2p.plugins.firefox.

6. Open the extension modal by clicking on the I2P in Private Browsing icon in the browser menu.

7. You will see a green indicator that the proxy is ready.

8. To access a clearnet site, navigate to the Control section and choose "New I2P Browser Tab"

9. This will open a new tab with a dark purple background.

It is important that this tab is, in a regular Firefox profile, perfectly willing to share many common characteristics with the non-private tab right next to it. The display resolution is the same, the image loading policy is the same, the background downloading policy is the same. Visiting facebook.com in an I2P tab and a non-I2P tab won't keep facebook.com from knowing who you are in both tabs; it will just keep you from being logged in in both tabs. This is why I think a whole-browser solution is better. It actually delineates outproxy-forward browsing from i2p-forward browsing, without exposing a potential clearnet host, eliminating a whole group of footguns, reducing attack surface, and eliminating vulnerabilities before people can get hurt.

10. Search BGP Tools https://bgp.tools/ to verify that you are in fact using the outproxy.

We can host a service for these checks, see final three paragraphs of: https://github.com/Shoalsteed/I2P-Secure-Design-Collective/issues/135
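The verification step discussed in this thread can also be run outside the browser. The script below is an added example, not code from the I2P project or from either commenter: it compares the address an IP-echo service sees directly with the one it sees through the router's HTTP proxy, and separates the two failures reported above (traffic leaving directly, and a proxy error page). It assumes the I2P HTTP proxy listens on its default `127.0.0.1:4444`; `ECHO_URL` is a hypothetical placeholder for a plain-text IP-echo service.

```python
import ipaddress
import urllib.request

# Assumptions: 127.0.0.1:4444 is the I2P router's default HTTP proxy address;
# ECHO_URL is a placeholder for a plain-text "what is my IP" service you trust.
I2P_HTTP_PROXY = "http://127.0.0.1:4444"
ECHO_URL = "https://ip-echo.example/"  # hypothetical, replace before use

def fetch(url, proxy=None, timeout=60):
    """Return the response body as text, optionally through an HTTP proxy."""
    # An empty mapping disables environment proxies for the direct request.
    proxies = {"http": proxy, "https": proxy} if proxy else {}
    opener = urllib.request.build_opener(urllib.request.ProxyHandler(proxies))
    with opener.open(url, timeout=timeout) as resp:
        return resp.read(4096).decode("utf-8", "replace")

def parse_ip(body):
    """Return an ip_address, or None when the body is not a bare IP
    (for example an HTML error page returned by the proxy)."""
    try:
        return ipaddress.ip_address(body.strip())
    except ValueError:
        return None

def classify(direct_body, proxied_body):
    """Compare what the echo service saw directly and through the proxy."""
    direct, proxied = parse_ip(direct_body), parse_ip(proxied_body)
    if proxied is None:
        return "proxy-error"      # proxy answered, but not with an address
    if direct is None:
        return "unknown"          # no baseline to compare against
    if direct == proxied:
        return "not-outproxied"   # same address both ways: leaving directly
    return "outproxied"           # a different exit address was seen

def check_outproxy(fetcher=fetch):
    """Run both requests; a network failure on the proxied side is a proxy error."""
    try:
        direct_body = fetcher(ECHO_URL)
    except OSError:
        direct_body = ""
    try:
        proxied_body = fetcher(ECHO_URL, proxy=I2P_HTTP_PROXY)
    except OSError:  # includes urllib's URLError/HTTPError and timeouts
        return "proxy-error"
    return classify(direct_body, proxied_body)

if __name__ == "__main__":
    print(check_outproxy())
```

A result of `not-outproxied` corresponds to the case reported earlier in the thread, where the lookup was made from a tab that was not using the proxy.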