- 1 Introduction
- 2 Privacy Enhancing Live Distribution Specification
- 2.1 Intent
- 2.2 Threat model
- 2.3 Distribution
- 2.4 Operational requirements
- 2.5 Other considerations
- 2.6 Implementation requirements
- 2.7 The future
- 3 Implementation
- 3.0 Other Tails design documents
- 3.1 Download
- 3.2 Software
- 3.3 Internationalization
- 3.4 Notification of security issues and new Tails releases
- 3.5 Feedback
- 3.6 Configuration
- 3.6.1 The Tor™ software
- 3.6.3 DNS
- 3.6.4 HTTP Proxy
- 3.6.5 SOCKS libraries
- 3.6.6 Network Filter
- 3.6.7 MAC address spoofing
- 3.6.8 Host system swap
- 3.6.9 Host system RAM
- 3.6.10 Host system disks and partitions
- 3.6.11 Filesystems stored on removable devices
- 3.6.11 Secure erasure of files and free disk space
- 3.6.12 Passwords
- 3.6.13 Tor Browser
- 3.6.14 Claws Mail
- 3.6.15 Pidgin
- 3.6.16 GnuPG
- 3.6.17 Persistence feature
- 3.6.18 Installation on USB sticks and SD cards
- 3.6.19 Wireless devices handling
- 3.6.20 OpenSSH
- 3.6.21 Incremental upgrades
- 3.6.22 Panel applets
- 3.6.23 DHCP hostname leaks
- 3.6.24 TCP timestamps
- 3.6.25 Application isolation
- 3.6.26 wget
- 3.6.27 APT
- 3.6.28 Electrum
- 3.7 Running Tails in virtual machines
- 3.8 Build process and maintenance
- 3.9 Hardware support
- 3.10 Caveats
- 3.11 Fingerprint
- 4 Security analysis
- 5 Bibliography
In this document we present a specification of a Privacy Enhancing Live Distribution (PELD) as well as an actual implementation of it called The Amnesic Incognito Live System (in short: Tails).
By writing this document we intend to help third-parties do security analyses of any given PELD and specifically of Tails. We also wish to help establish best practices in the field of PELD design and implementation, and thus raise the baseline for all similar projects out there.
This document is heavily based on preliminary work that was done as part of Incognito 2008.1-r1 Documentation. The Bibliography section has pointers to other inspiration and reference sources.
Note: the key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.
Let us introduce what the PELD goals are: the features provided by the PELD, the kind of user the PELD targets, and the (empty) room we think the PELD fills in the Tor distributions landscape.
The Privacy Enhancing Live Distribution (or PELD for short) aims at providing a software solution providing the user with the technological means for using popular Internet technologies while maintaining the privacy of the user, in particular with respect to anonymity. While there are different techniques and services providing that functionality, this specification will assume the usage of The Tor™ Project's state-of-the-art anonymizing overlay network Tor.
Due to its deep dependency on Tor, the PELD defers the same possible goals as Tor:
- The PELD does not try to conceal it is connected to the Tor network unless Tor bridge relays are used.
- The PELD is not secure against end-to-end attacks, such as end-to-end timing or intersection attacks.
Moreover, the PELD is likely to be affected by any feasible attack against Tor; e.g. the PELD is not secure against some local attacks, such as confirmation attacks based on website fingerprinting: see Lexi and Dominik's Contemporary Profiling of Web Users conference at 27C3 for details.
The PELD aims at protecting the user from post-mortem analysis of the equipment (notably storage media and memory) he or she runs the PELD on. It is impossible for such a system to determine which information is sensitive and which is not. Thus, the PELD MUST be amnesic by default:
- It is REQUIRED no trace is left on local storage devices unless the user explicitly asks for it: the PELD MUST take care not to use any filesystem or swap volume that might exist on the host machine hard drives.
- The usage of encrypted removable storage devices (such as USB sticks) SHOULD be encouraged.
- Volatile memory MUST be erased on shutdown to prevent memory recovery such as cold boot attack.
- Secure erasure of files and free disk space SHOULD be made easy.
The PELD aims at providing a "safe" environment to produce and optionally publish sensitive documents. While the combination of anonymous access to the Internet and resistance against future equipment analysis does most of the job, some application-level attacks deserve special treatment: e.g. tools needed to inspect and cleanup metadata — such as EXIF data — in files SHOULD be available.
The PELD MUST be self-contained and portable (literally, not necessarily with respect to code portability), and thus possible to run in as many computing environments as possible from the same single distribution. In addition, while the PELD's main objective indeed is to act as a traditional Live Distribution (i.e. a Live CD or Live USB) it SHOULD also be compatible with popular virtual machine technologies for users who simply want a sandboxed environment within their usual operating system.
The PELD's target user is the average user in terms of computer literacy; he or she does not necessarily control fully the computer being used. Examples would be a public computer in a library, coffee shop, university or a residence. We assume that the target user does not want to do any of the configurations (at least with respect to security and anonymity) of the various applications and tools used themselves, either because of insufficient knowledge, lack of interest or other reasons. The PELD MUST provide strong anonymity with no need of advanced configuration whatsoever. It MUST be made as difficult as possible for the user to unknowingly compromise anonymity.
The PELD is meant to be complementary to other Tor distributions. It has no such goal as replacing other existing tool that properly fulfills its use cases.
The PELD fills an empty place alongside of other Tor distributions. Using the PELD certainly requires the user to change more of his or her habits than installing e.g. the Tor Browser Bundle. On the other hand, the PELD currently is the only tool that makes it feasible to use the Internet, and more generally computers, for certain activities in contexts where the user cannot afford the risks involved by other Tor distributions.
On the online privacy side of things, the PELD is aimed at offering roughly the same protection level as e.g. the Tor Browser Bundle, but provides a full-blown Tor-ified operating system instead of a few selected and carefully configured applications; this e.g. allows to safely download and open files using external applications, as mentioned by the Torbutton warning popup when a user attempts such an operation outside the PELD.
About protection from post-shutdown data recovery, thanks to its amnesic-by-default behavior, the PELD can aim at providing a level of protection only a fine-tuned Live operating system can offer. On the contrary Tor distributions that rely on an untrusted underlying operating system could hardly guarantee anything in this area, regardless of the amount of resources and cleverness that is spent to leave less traces on local storage:
- widespread operating systems and shipped Internet applications generally default to write all kinds of traces to local storage; Tor distributions that depend on such systems are therefore forced to adopt a blacklist approach to lessen the amount of traces left behind. Such an approach is known to be prone to human error, such as bug #7449 on Tor Project's Trac.
- widespread operating systems typically offer very few control knobs to userspace applications over their not-amnesic-by-default behavior, especially when run without any kind of administrator credentials. Tor distributions that depend on such systems generally have no choice but hope no undesired trace will be left e.g. in the system's swap file or partition.
The PELD amnesic feature also allows the user to safely perform non-Internet activities, which is yet another distinctive trait compared to other Tor distributions.
To sum up, one can be a Tor expert and carefully configure a non-amnesic system to be as much Tor-ified as the PELD, but he or she won't get the same post-mortem analysis protection.
In short, the PELD aims at providing privacy on computers and on the Internet for anyone anywhere.
The goal of staying anonymous and keeping sensitive information protected stands in direct conflict with the goals of several entities "present" on the Internet. The following threat model is meant to describe the intentions and capabilities of such attackers.
The adversary may have one or more goals among the following ones.
- Identify or locate the user, track his or her activities on the Internet: information such as the User-Agent HTTP header, locale and especially IP address can all be used in various degrees to identify or locate the user, and to track his or her activities on the Internet.
- Eavesdrop on sensitive data: the Tor network only prevents the data from being traced (according to Tor's threat model) but does not protect it from eavesdropping.
- Data recovery after system shutdown: "normal" operating systems keep a lot of traces about their users' Internet activities (notably browser cache, cookies and history) on local storage media; similary, working on a sensitive document with a "normal" operating system is very likely to leave traces of this document. User's data can remain on the equipment even after the machine is shut down; be it stored in the filesystem or in the memories, both RAM and swap, which might as well retain data (for example encryption keys or passwords). The adversary may want to recover such information by analyzing the equipment that has been used.
The adversary may have capabilities needed to perform the following attacks.
- Eavesdropping and content injection: it is assumed that the adversary is non-global and has full control over the network traffic of some portion of the Internet (e.g. some Tor exit nodes, upstream routers of exit nodes, or the ISP that provides the Internet connection the user is sitting behind). The adversary is thus able to eavesdrop, modify, delete or delay parts or all of the user's traffic on the Internet.
- Bypass attacks: it is conceivable for attackers to mount attacks which bypass the proxy and DNS setup in the applications which could then be used to identify the user, either by injecting data or social engineering.
- Exploit software vulnerabilities: the attacker might be able to run arbitrary code by exploiting vulnerabilities present in any of the software packages installed.
- Physical access, live monitoring, post-mortem equipment analysis: some users face adversaries with intermittent or constant physical access to the equipment they use. Users in Internet cafes, for example, face such a threat. This means the adversary might be physically monitoring the computer while the PELD is running on it. Moreover the adversary might raid the user at any moment and then confiscate and analyse the equipment, storage media and memory in particular.
The PELD MUST be distributed in a common format that can easily be used to install the PELD on the selected medium. For instance, if distributed as an ISO 9660 compatible image file it can be burned to a DVD with almost any DVD recording software available.
Also, it is RECOMMENDED to make it possible for end-users to verify the downloaded PELD image's integrity using public-key cryptography.
This section handles mostly the criteria that the PELD should be portable and able to run in as many environments as possible.
The binaries MUST all be executable on the most common computer hardware architecture(s). As of 2014, the x86 computer architecture seems to be the obvious choice as the vast majority of personal computers in use is compatible with it. The PELD SHOULD support UEFI. Supporting widespread hardware architectures used in mobile computers, such as phones, is also welcome.
The PELD SHOULD be able to boot and run natively from either a DVD or a USB drive. While running the PELD in native mode it MUST be completely independent from the host operating system and all other storage media on the host computer unless the user explicitly tries to access any of them.
In all circumstances, binaries, dynamic libraries and other executable code susceptible to virus infections and similar MUST always be completely write-protected, even when running from a writeable USB medium. Such files SHOULD not even be modifiable temporarily, which could be the case even when running from DVD if the filesystem is loaded into memory (e.g. tmpfs).
Configuration files, temporary files, user home directories and similar files that most likely need to be modifiable during operation MUST only be saved temporarily in memory (e.g. by use of something like tmpfs or unionfs) unless the user explicitly enables some persistence feature.
It is tempting to use the possibility to write back data when running from USB in order to allow user settings to be persistent. If this is considered, this feature MUST be optional and offer the possibility to use strong encryption for the persistent storage.
As an alternative to running the PELD natively from a DVD or USB, it SHOULD also be possible to run it inside virtual machines.
Running the PELD is such a virtualized environment provides weakened security compared to running it natively. This drawback is due to the dependency on the host OS. When the PELD runs as a guest OS:
- The PELD cannot defend against keyloggers, viruses and other malware that could be present in the host OS. The user activities in the PELD might thus be under surveillance by an attacker who would control the host OS enough.
- The PELD can not guarantee anything with respect to writing to local storage: the host OS does its own memory management and can write to swap any part of the memory being used by the PELD without the user being told.
On the other hand, running the PELD inside a virtual machine is useful in situations where the user is not in a position to run the PELD natively, which often is the case with public computers. Additionally, many users seem to prefer this mode of operation and would prefer to use their usual operating system instead of rebooting to run the PELD natively; that alone is a reason for making sure it works.
The procedure to update the PELD SHOULD NOT be prohibitive to provide timely software updates that address issues related to security or anonymity. A scripted, automatic build procedure is RECOMMENDED over manually setting up things.
PELD development SHOULD be a team work rather than a one person work, and the deep knowledge of this work SHOULD be shared among the team members. Thus the development infrastructure SHOULD be designed and deployed in order to share this knowledge.
For the sake of transparency the use of open-source software is RECOMMENDED. Binary blobs SHOULD only be used when no good alternative exists, which could be the case with certain hardware drivers or driver firmwares.
Having third-parties analyze the PELD security is necessary to ensure it is working as intended. It is thus REQUIRED for the PELD itself to be open-source. Moreover decisions with non-trivial implications SHOULD be clearly and publicly documented: such information about what a PELD implementation intends to achieve and how it does so SHOULD be made available to reviewers.
Third-parties SHALL be able to reproduce a PELD implementation by building it from the released source code and publicly available information. The process MUST yield consistent results.
In order to collect bug reports and wanted features, the PELD project SHOULD offer easy ways for end-users to provide feedback to the developers (email, web forum, bug tracker, shipped-within application, ...). Efforts SHOULD be made to offer the most anonymous (or at least pseudonymous) possible way to send this feedback.
The role of the kernel is mainly to provide support for the features required elsewhere in this specification. This includes:
- Good hardware support is REQUIRED: "good" is a sketchy word in a specification. The general idea is to include as much drivers for relevant hardware as possible, in particular for network cards (wired and wireless), video adapters and anything necessary for basic operation.
- Support for a stateful firewall with packet filtering capabilities is REQUIRED: it must somehow be able to sort traffic out for transparent proxying (mentioned in the next section) to work. Similarly, it must be able to identify and drop traffic destined to the Internet that is not supported by the Tor network, such as transport layer protocols other than TCP.
- Security features are RECOMMENDED: with the dangers of exploitable vulnerabilities in any code running, attempts to mitigate these on the kernel level is a good idea. Executable space protection with the NX bit, address space layout randomization and similar techniques are all interesting in this respect. Access control in the form of Mandatory Access Control, Role-Based Access control and so on SHOULD also be considered.
In order to prevent accidental leaks of information, proxy bypass attacks on Tor and similar, the access to the Internet MUST be heavily restricted by a firewall:
- All non-TCP transport layer protocols SHOULD be dropped as they are not supported by the Tor network.
- All TCP traffic not explicitly targeting Tor SHOULD be redirected to
the transparent proxy (i.e. to the
TransPortas set in
torrc); alternatively this traffic SHOULD be dropped (then only applications explicitly configured to use Tor will reach the Internet).
- All DNS lookups SHOULD be made through the Tor network (i.e.
DNSPortas set in
- All IPv6 traffic SHOULD be forbidden as it is not supported by the Tor network.
Note that the above is not necessary (or desirable) for local network (RFC1918) addresses; it is RECOMMENDED to special-case DNS queries though as some home gateways and captive wifi portals reply the public IP provided by the ISP when one asks information about themselves to their DNS resolver (source: The State of the DNS and Tor Union (also: a DNS UDP - TCP shim) thread on the or-talk mailing-list).
Any exception to these rules MUST be thoroughly thought through and properly documented. If an action that is excepted from the above rules is user initiated, that MUST be made obvious to the user, and user opt-out MUST be offered, if possible.
Efforts SHOULD be made so that it is harder to fingerprint PELD users as being using the PELD. Considering this goal can conflict with others, trying to reach perfection in this domain is not necessarily reasonable.
The user SHOULD be able to do all relevant things with easy-to-use graphical interfaces. The PELD SHOULD present a solid, user-friendly desktop environment with all the expected features after booting: file management, system settings configuration, support applications etc.
At least clients for the following Internet activities MUST be supported:
- Email: support for PGP or S/MIME is highly RECOMMENDED. Also,
beware that the EHLO/HELO sent to the SMTP-server will contain the
host's IP address in many email clients. The
- Instant messaging, including IRC and XMPP.
- Secure Shell client such as OpenSSH.
Other RECOMMENDED clients for Internet activities include:
- P2P file-sharing such as BitTorrent: note, however, that large scale file-sharing activity in general is frowned upon in the Tor community as it consumes extreme amounts of network resources compared to other kinds of services.
- Collaborative text editing such as Gobby.
- Remote desktop such as VNC or RDP.
- Feed aggregator for RSS/RDF, Atom and other widely spread feed formats.
Given that these applications will be the user's interface to the Internet, they MUST be chosen and configured cautiously, and with security in mind. In general, as little information as possible SHOULD leak about the user, the applications used and the system settings.
A great deal of communication over the Internet is done via the distribution of different types of commonly used media and document formats, so the PELD MUST contain the basic facilities for creating and editing such formats. More specifically, at least the following media and text production tasks MUST be possible using software shipped by the PELD:
- Word processing
- Bitmap and vector graphics
- Sound recording and editing
- Desktop publishing
- Printing and scanning
Other RECOMMENDED media and text manipulation tools include:
- Video editor
- Presentation software
- Gettext catalogs (.po files) editor
These applications SHOULD be compatible with widely spread file formats in their domain.
Tools for securely signing, verifying, encrypting and decrypting files
and messages SHOULD be available. In particular, some implementation
of OpenPGP SHOULD be included as it is the de-facto standard for these
tasks in the Free Software world. GUIs for managing keys and
performing the relevant cryptographic tasks SHOULD be available. The
OpenPGP implementation SHOULD be pre-configured to use an encrypted
tunnel when connecting to a keyserver (read:
Tools for creating and using encrypted storage containers are also RECOMMENDED.
A password manager SHOULD be included and allow one to store many passwords in an encrypted database which is protected by a single key. This is meant to encourage users to use strong passwords, and to discourage password reuse.
Any cryptographic tool shipped in the PELD SHOULD by default use up-to-date parameters with respect to the current commonly agreed best practices: digests, ciphers and key sizes.
Only stable releases SHOULD be considered since Tor really is at the core of the PELD.
Tor SHOULD be set up to enable its DNS server (
DNSPort) to allow DNS
lookups through the Tor network; alternatively a local DNS server can
be configured to use Tor.
If transparent proxying (as opposed to dropping non-Tor traffic) was
chosen in the network section, then Tor MUST be set up to enable its
transparent proxy (
TransListen); alternatively any
transparent proxy configured to use Tor as the parent proxy can be
While there are many other interesting configuration possibilities described in the Tor manual, care MUST be taken to avoid those that may impair anonymity or security.
A GUI Tor controller application such as Vidalia or TorK is highly
RECOMMENDED. However, this requires opening the control port in Tor,
and thus some means of authentication will be REQUIRED
CookieAuthentication preferably) to hinder attacks on the Tor
As an addition to the security against exploitable vulnerabilities provided by the kernel, compiling software with stack smashing protection, Position Independant Executable (PIE) and similar compiler security enhancements is RECOMMENDED. Note that some compiler-level options may be necessary to take advantage of in-kernel security features. Thus the use of a hardened tool chain might depend on the vendor distribution used to build the PELD upon. If such techniques are not widely deployed at this level, using them to build the PELD can require a lot of time from its developers and impact its ease of maintenance, which would make it harder for new contributors to get involved in the project. For this reason, compile-time hardening features should be carefully selected to balance the costs they impose against the extra security they bring. If using a hardened tool chain to build the PELD is deemed to require too much energy, resources could be better spent pushing usage of such hardening features in the base operating system.
Since one goal of the PELD is to permit usage of untrusted computers while preserving anonymity, measures MUST be taken against hardware that might de-anonymize or facilitate recording of a user, such as hardware keyloggers. Thus a virtual keyboard (usable with the mouse) MUST be available.
Some crucial applications of the PELD, such as the Tor client, make heavy use of cryptographic techniques and therefore rely on a high quality pseudo-random number generator (PRNG). Initializing (seeding) a PRNG is tricky in a Live system context as the system state after boot, if not fully deterministic, is parameterized by far fewer variables than in the case of a non-Live system.
Using an auxiliary entropy source such as haveged is thus REQUIRED.
Security is usually hard to get. Therefore steps SHOULD be taken in order to make users more comfortable with the PELD, and also to educate users about specific risks and non-intuitive situations that may affect their anonymity on the Internet.
The user MUST be able to easily select his or her language of preference among a great number of widespread ones. User applications SHOULD be localized to fit this preference, as SHOULD system settings such as keyboard layout.
The PELD documentation, either online or shipped within, SHOULD be easily translatable. Software written specifically for the PELD SHOULD be developed with i18n/l10n-awareness in mind.
The PELD SHOULD include an easy-to-read document explaining:
- what the PELD goals (and non-goals) are. The PELD is no magic wand.
- how to securely use the PELD and the bundled software.
As the user is assumed to only have the knowledge of an average computer user, it will be required to explain some general security concepts.
Real-world experience demonstrates that the average user quite rarely thinks about upgrading his or her PELD copy, and is often pretty happy unknowingly running an obsolete version affected by numerous well-known security issues. A PELD running copy SHOULD therefore notice it is affected by known security issues and notify the user if a newer release fixes some.
A few more or less well known issues shall be thought through so that this specification can provide reasonable guidance about them.
Research aims at recovering a Live system's in-memory filesystem and partial recovery of its previously deleted contents. Most current Live systems do not protect against that kind of attacks: at best, they erase free memory on shutdown, leaving intact in memory any data saved in the unionfs/aufs ramdisk branch.
This was discussed on the or-talk mailing-list, and a new system that mitigates such attacks is part of Tails 0.7 and newer.
This specification must warn about such matters.
Quoting the Live CD Best Practices document on the Tor wiki:
OPTIONAL? To prevent the browser from keeping HTTP sessions open over existing circuits the following network settings should be applied. This will ensure that new circuits, such as requested via NEWNYM, will service subsequent HTTP requests.
The impact of HTTP keepalive and possible solutions are being discussed on the tails-dev mailing-list.
Some attacks recently put under the spotlights exploit vulnerabilities in the desktop software stack that triggers automatic mounting, display and files preview of filesystems stored on removable devices.
This specification must warn about such matters.
- FireWire is known to allow read access to the system memory, at
least when such devices are allowed to use DMA (Linux:
options ohci1394 phys_dma=0helps mitigating that).
- Bluetooth, IrDA and other network links might allow attacks.
Tails is an implementation of the PELD specification above. It is licensed under the GNU GPL version 3 or (at your option) any later version.
Critical parts of the configuration are based on the ones from well-known and trusted sources, namely Tails ancestor Incognito and the Tor BrowserBundle. This is for example the case for the firewall and Tor configurations.
NOTICE: this distribution is provided as-is with no warranty of fitness for a particular purpose, including total anonymity. Anonymity depends not only on the software but also on the user understanding the risks involved and how to manage those risks.
See the download section on Tails's website for download information. Published Tails images integrity can be checked using OpenPGP detached signatures made with a key that is well linked to the web-of-trust.
The latest version of this document can be found on the Tails website: contribute/design.
Tails ships the following software. This list is not complete, but
only contains packages deemed as important for whatever reason. The
full packages list can be found in the BitTorrent files download
directory (look for files with the
- Debian GNU/Linux: the base operating system, provides hardware detection, infrastructure. Please note that the Debian distribution does not provide or endorse Tails.
- Tor: anonymizing overlay network for TCP. Our intention is to always use the latest stable version.
- Vidalia is used to control Tor's behavior.
Being based in Debian, Tails benefits from its great package
management tools, facilitating its build and the inclusion of new
software. Sadly compile time options that would enhance Tails
-fstack-protector etc.) are not widely
used in Debian yet. Thus having them included in Tails would require
to recompile every package with the right compile-time options. This
would badly impact the development and build efforts required to
release Tails. As an alternative, efforts have been
to push usage of such hardening features in Debian.
A lot of security features have been implemented upstream at the
kernel level (ASLR, removal of
various stack and heap hardening features,
/sys not leaking
sensitive information, etc.), most of them being slowly integrated
into Debian. This is the reason why the Tails kernel has no more special
kernel security feature than the stock Debian kernel.
Tails ships, as is, localization files provided by the installed Debian packages. All available Tor Browser localization packages are installed. Spell checking software and data is installed for the set of best supported languages; it is usable at least is Tor Browser, LibreOffice and gedit.
Tails ships with IBus and a few engines (Anthy for Japanese, Pinyin and Bopomofo for Chinese, and Hangul for Korean).
A login script prepares and configures IBus. When a Japanese, Chinese or Korean locale is selected, this login script selects the right default input method, and then starts the IBus daemon.
Since one may want to work on documents written in Chinese, Japanese or Korean even when selecting English as their preferred language, IBus can also be manually started in other locales using the "IBus Preferences" launcher in the System->Preferences menu. IBus' environment variables is always exported on login to make this work.
Tails ships a script that checks if there are security issues that are not fixed by any Tails release (and thus, affect the currently running Tails regardless of its version). A desktop notification is displayed for every such issue.
The connections are made to the Tails website through Tor, over HTTPS
with a pinned CA. The only piece of information leaked to the Tails
web server (apart of LWP::UserAgent's specific User-Agent
and HTTP behavior) is the first two chars of the
This script is run after the user has logged-in and Tor is in known-working state.
- config/chroot local-includes/usr/local/bin/tails-security-check
- config/chroot local-includes/usr/local/bin/tails-security-check-wrapper
Security issues that were fixed in a newer version of Tails are taken care of by Tails Upgrader that tells the user whenever they should upgrade and leads them through the necessary steps.
A dedicated application called WhisperBack is also available in every running Tails copy. WhisperBack allows users to send anonymous or pseudonymous feedback via OpenPGP-encrypted email. It is configured in Tails to use a Tor hidden service run by Tails developers as the outgoing SMTP server. WhiperBack only sends email over a STARTTLS session after carefully verifying the remote SMTP SSL certificate. Some minimal information about the system is gathered and sent along with the report; the reporting user can opt-out of this though. Users can also provide an email address and an OpenPGP public key in case further discussion is needed to address the reported issue. WhisperBack's graphical interface fully supports internationalization and is ready to be translated.
In this section we briefly present the setup of several key software packages and system settings of Tails with respect to security and anonymity. There are of course other minor tweaks here and there, but those are mainly for usability issues and similar.
The Tor software is currently configured as a client only (onion proxy). The client listens on a control port 9051 (using cookie authentication), as a transparent proxy on port 9040 (only used for remapped hidden services) and as a DNS server on port 8853.
The client listens on a few SOCKS ports (the rationale being detailed on the Tor stream isolation design page): 9050, 9061, 9062 and 9151.
Only connections from localhost are accepted. It can be argued that running a Tor server (onion router) would increase one's anonymity for a number for reasons but we still feel that most users probably would not want this due to the added consumption of bandwidth. The user can nevertheless easily choose to turn his or her Tor client into a relay, thanks to the Vidalia graphical user interface.
If a compromised software had access to the Tor control port,
an attacker who controls it could simply ask Tor the public
IP through the
GETINFO address command.
To prevent this, access to the Tor control port is only
granted to the vidalia user, who is running Vidalia.
A filtering proxy to the control port exists, so
Torbutton still can perform safe commands like
- chroot local-hooks/06-adduser vidalia
- chroot local-includes/usr/local/sbin/restart-vidalia
- chroot local-includes/usr/local/sbin/tor-controlport-filter
- chroot local-includes/etc/tor/torrc
Tor does not support UDP so we cannot simply redirect DNS queries to the Tor transparent proxy.
Most DNS leaks are avoided by having the system resolver query
the Tor network using the
DNSPort configured in
There is a concern that any application could attempt to do its own DNS resolution without using the system resolver; UDP datagrams are therefore blocked in order to prevent leaks. Another solution may be to use the Linux network filter to forward outgoing UDP datagrams to the local DNS proxy.
Tails also forbids DNS queries to RFC1918 addresses; those might indeed allow the system to learn the local network's public IP address.
An exception to the above DNS configuration is the
used to run the Unsafe Browser, which uses the
DNS server provided for DHCP for resolving.
resolvconf is used to
configure the system resolver in
/etc/resolv.conf; it is also set up
to prevent NetworkManager and dhcp-client to modify this file.
Since the Tor DNS resolver lacks support for most types of DNS queries
except "A", ttdnsd is also
running and offers support for all kinds of DNS queries Tor does not
know about. This can be useful for advanced users to do system administration
for example. However, ttdnsd is not used in the default name resolution
loop, mostly due to it being quite too
It is configured to forward incoming UDP DNS requests to a open,
recursive TCP DNS resolver (namely: OpenDNS's
184.108.40.206) via the Tor
SOCKS proxy. Completely replacing the Tor resolver with ttdnsd was
considered, but doing so would give too much power to a single
third-party, that is to the organization or people that runs the
recursive DNS resolver ttdnsd is configured to use.
- config/chroot local-includes/etc/resolvconf/resolv.conf.d/base
- config/chroot local-includes/etc/tor/torrc
- config/chroot local-includes/etc/firewall.conf
- config/chroot local-includes/lib/live/config/000-resolv-conf
- config/chroot local-hooks/99-zzz resolvconf
- config/chroot local-includes/etc/default/ttdnsd
tsocks and torify are installed. Since Tor-ification is done at a lower level (in-kernel network filter, Tor-ified DNS), these tools are actually unnecessary. They are solely included due to dependencies and configured for completeness.
One serious security issue is that we don't know what software will attempt to contact the network and whether their proxy settings are set up to use the Tor SOCKS proxy correctly. This is solved by blocking all outbound Internet traffic except Tor (and I2P when enabled), and explicitly configure all applications to use either of these.
The default case is to block all outbound network traffic; let us now document all exceptions and some clarifications to this rule.
Tor itself obviously has to connect to the Internet without going
through the Tor network. This is achieved by special-casing
connections originating from the
debian-tor Unix user.
I2P (Invisible Internet Project) is yet another anonymizing network (load-balanced unspoofable packet switching network) that provides access to eepsites (.i2p tld); eepsites are a bit like Tor hidden services. Some users would like to be able to access eepsites from Tails.
debian-tor user, the
i2psvc user is allowed to connect
directly to the Internet. Any rules granting the
i2psvcuser access are only
applied if the user explicitly enables I2P at the boot prompt. See
the design document dedicated to Tails use of I2P for details.
clearnet user used to run the
Unsafe Browser is granted full network access
(but no loopback access) in order to deal with captive portals.
The I2P Browser is run by the
i2pbrowser user. This
account is granted access to ports 4444, 7657, and 7658 on the loopback device if
I2P is enabled at the boot prompt. Sites outside of I2P cannot be reached by
Tails short description talks of sending through Tor outgoing connections to the Internet. Indeed: traffic to the local LAN (RFC1918 addresses) is wide open as well as the loopback traffic obviously.
LAN DNS queries are forbidden to protect against some attacks.
The Tails firewall uses a whitelist which only grants access to each local service to the users that actually need it. This blocks potential leaks due to misconfigurations or bugs, and deanonymization attacks by compromised processes. For specifics, see the firewall configuration where this is well commented: config/chroot local-includes/etc/ferm/ferm.conf
AutomapHostsOnResolve is enabled in Tor configuration, and
a firewall rule transparently redirects to the Tor transparent proxy
port the connections targeted at the
127.192.0.0/10 virtual mapped
amnesia user is granted access to the Tor transparent proxy
port, so in practice only them can use this hostname-to-address
Tor does not support IPv6 yet so IPv6 communication is blocked.
Tor only supports TCP. Non-TCP traffic to the Internet, such as UDP datagrams and ICMP packets, is dropped unless it's going through I2P, which supports UDP.
Tails takes care not to use any swap filesystem that might exist on
the host machine hard drive. Most of this is done at build time:
/sbin/swapon binary is replaced by a fake no-op script, and
swapon option is not set.
In order to protect against memory recovery such as cold boot attack, the system RAM is overwritten when Tails is being shutdown or when the boot medium is physically removed.
The previous implementation of the Tails memory erasure feature suffered from flaws that were demonstrated by external audit. In short, it only erased free memory and let data in the aufs read-write branch in recoverable state.
In order to erase the biggest possible part of the system memory, the hereby described new implementation, shipped in Tails 0.7, runs in a fresh environment provided by a newly started Linux kernel. This way, a given part of the memory either is used by the memory erasure process itself or it is considered as free and thus erased by this process; in any case, it is at least overwritten once.
The Linux kernel and initramfs used to erase the memory are the same as the ones normally used by a Tails system... that actually includes some bits of code dedicated to this mission.
An initramfs-tools hook includes the necessary files in the initramfs
at build time. A runtime init-premount script either does nothing, or
erases memory before shutting down or rebooting the system; its
behaviour depends on the
sdmem kernel command line parameter value.
sdmemopts kernel command line parameter allows
fine tuning the options passed to the
- config/chroot local-includes/usr/share/initramfs-tools/hooks/sdmem
- config/chroot local-includes/usr/share/initramfs-tools/scripts/init-premount/sdmem
sdmemopts are appended to the fresh kernel command
line parameters, when memory erasure is triggered, by the
tails-kexec initscript that is itself parameterized by the usual,
slightly customized, kexec-tools configuration file.
The software that performs the actual memory erasure is sdmem, which
is part of the secure-delete package. sdmem is
called using the
-v (verbose mode) option to give feedback to the
user, as well as the
-llf options: memory is only overwritten once
with zeros; this is the fastest available mode, and is enough to
protect against every memory forensics attack we know of.
Different kinds of events trigger the memory erasure process. All lead
to run the
First, the memory erasure process is triggered at the end of a normal
shutdown/reboot sequence. This is implemented by slightly modifying
the System V initscripts shipped by the
kexec-tools Debian package:
kexec-load initscript, that normally only runs at reboot time,
is enabled to run at shutdown time as well. A custom
initscript replaces the
kexec one in order to support the case when
the boot medium is not available anymore at the time this script runs;
it also provides an improved user interface more suitable for Tails
target users needs. Finally, the standard Debian
initscripts are taken over by having the
tails-kexec initscript run
before they have a chance to be run (implemented with
in the LSB headers).
- config/chroot local-patches/run kexec-load on halt.diff
- config/chroot local-patches/disable kexec initscript.diff
- config/chroot local-includes/etc/init.d/tails-kexec
- config/chroot local-hooks/52-update-rc.d
Second, the memory erasure process is triggered when the boot medium
is physically removed during runtime (USB boot medium is unplugged or
boot DVD is ejected). This is implemented by a custom
program monitors the boot medium; it's run by a wrapper, started at
boot time, that brutally invokes the memory erasure process, bypassing
other system shutdown scripts, when this medium happens to be
- config/chroot local-includes/usr/local/sbin/udev-watchdog-wrapper
- config/chroot local-includes/usr/src/udev-watchdog.c
- config/chroot local-hooks/52-udev-watchdog
- config/chroot local-includes/etc/init.d/tails-sdmem-on-media-removal
- config/chroot local-hooks/52-update-rc.d
memlockd daemon, appropriately configured, ensures every file
needed by the memory erasure process is locked into memory from boot
to memory erasure time.
Care have to be taken during the shutdown sequence, as
memlockd is normally
unloaded before the
kexec happens. This is done by preventing
be stopped, and also by adding memlockd PID to the list of process that are
omitted by the
sendsigs script (responsible for sending TERM and KILL signals
to remaining processes).
- config/chroot local-includes/etc/memlockd.cfg
- config/chroot local-patches/keep memlockd on shutdown.diff
- config/chroot local-includes/etc/init.d/tails-reconfigure-memlockd
Since this process can take a while the user can leave the computer and let it finish on its own after removing the boot medium, or simply turn it off if he or she is not worried about this attack: if Tails was booted from a DVD it is ejected before the memory wiping is started, and if it was booted from a USB drive it can be removed as soon as the memory wiping has been started.
A short but visible message, displayed for a few seconds, explains the user what is going to happen.
Tails takes care not to use any filesystem that might exist on
the host machine hard drive, unless explicitly told to do so by the
user. The Debian Live persistence feature is disabled by passing
nopersistence over the kernel command line to live-boot.
Removable drives auto-mounting is disabled in Tails 0.7 and newer.
Two users are intended to be used for logins:
None have a password by default; the
amnesia user is
allowed to gain super user privileges, using
sudo, if an
administrator password is set in tails-greeter.
The PELD specification recommends to prevent executable code to be modifiable, even temporarily; Tails does not implement this recommendation. Instead, thanks to the super user privileges being available to the end-user, Tails makes it possible to modify or add executable code by:
- upgrading bundled software: this allows (technical) users to protect themselves from serious security issues until an updated Tails is released
- installing additional software: this helps achieving the PELD "Working on sensitive documents" goal by enabling users to perform tasks that need software not shipped in Tails.
Such modifications happen only in RAM, the user will remove the DVD/USB when done and there are no services allowing logins from the network.
As a first step Tails has stopped
sudo privileges to the
amnesia user by default.
Unless an administrator password is set in tails-greeter,
no root access is possible afterwards.
Tails ships with the Tor Browser, which is based on Mozilla Firefox and patched by the Tor Project for improved anonymity by reducing information leaks, decreasing attack surface and similar. The actual binaries etc. used in Tails are those distributed by the Tor Project, but the configuration differs slightly, which is described below.
In Tails we diverge from the TBB's one-profile-only design, and install the Tor Browser in a globally accessible directory used by all browser profiles (and other XUL applications).
The default profile is split from the binaries and application data:
As for extensions we have the following differences:
Tails also installs the Adblock plus extension to protect against many tracking possibilities by removing most ads.
Tails does not install the same Torbutton as in the TBB. We installed a patched version.
Tails does not install the Tor Launcher extension as part of the browser. A patched Tor Launcher is installed for use as a stand-alone XUL application, though.
In Tails we do not use the
start-tor-browser script, since it does a
lot of stuff not needed in Tails (error checking mainly) and isn't
flexible since it looks for the browser profile in a specific
place. Our custom script makes use of the global installation and also
makes sure the default profile is used as a basis. Any shared libraries
shipped inside the TBB are also used (via
Debian stable often has too old versions to start the browser.
Whenever the user tries to start the Tor Browser before Tor is ready, they are informed it won't work, and asked whether to start the browser anyway:
- config/chroot local-includes/usr/local/bin/tor-browser
- config/chroot local-includes/usr/local/bin/generate-tor-browser-profile- config/chroot local-includes/usr/local/sbin/tor-has-bootstrapped
- config/chroot local-includes/etc/sudoers.d/zzz tor-has-bootstrapped
Once Tor is ready to be used, the user is informed they can now use the Internet:
The remaining configuration differences can be found in:
- config/chroot local-includes/etc/tor-browser/preferences/0000tails.js
- config/chroot local-hooks/12-install browser searchplugins
- config/chroot local-hooks/12-remove unwanted browser searchplugins
- config/chroot local-hooks/13-override-tbb-branding
- config/chroot local-hooks/14-add localized browser searchplugins
- config/chroot local-hooks/14-generate-tor-browser-profile
- config/chroot local-hooks/15-symlink-places.sqlite
It should also be noted that the global TBB installation is also used for the Unsafe Browser and I2P Browser, although they are user-isolated and use separate profiles with very different configurations.
Claws Mail generates
Message-ID headers using the hostname part of
the sender's email address, which does not leak usage of the PELD nor
any user location information.
It also always says
EHLO localhost to the SMTP server instead of
disclosing the real IP address and hostname. This is achieved thanks
to tsocks, as Claws Mail leaks the hostname in the HELO/EHLO
message, resulting in a hostname leak in the
Message ID and
Received email headers, when run with
Furthermore, any account a user creates is pre-configured to not use HTML in order to get rid of a whole class of privacy concerns.
OpenPGP support is provided by the PGP/inline and PGP/MIME plugins.
- config/chroot local-includes/etc/skel/.claws-mail is copied to
$HOMEat boot time
- config/chroot local-includes/usr/local/bin/torified-claws-mail
- config/chroot local-includes/etc/tor/tor-tsocks-mua.conf
Pidgin is configured in Tails to not log anything as well as not to reveal too
much of user activity by disabling reporting of online/away/typing
status. Only IRC and Jabber/XMPP protocols are left available, to
avoid the usage of less well audited plugins. The Off-the-record
plugin is enabled
to help one-to-one conversations being as private and unrecordable as
possible. At boot a language confluxer generates a random looking default
nickname from the 2000 most common U.S. names (according to the U.S. social
security administration in the 1970's), which results in something Englishesque
sounding. The nickname is further made to look like a typical IRC nickname by
prefixing it with ^ or _ with probability 0.05, and changing it to leet speak
with probability 0.05. When answering to CTCP requests, Pidgin does
not leak any information apart from PING and VERSION (
which is deemed acceptable as there are probably other weirdness in
how the protocol is implemented, that disclose as much.
- config/chroot local-includes/lib/live/config/2010-pidgin
- config/chroot local-includes/etc/skel/.purple
- config/chroot local-hooks/09-remove unsupported pidgin libs
GnuPG tools (namely: GPG itself and Seahorse) are configured to use
the sks-keyservers pool since it's reliable, well-synchronized with
the other HKP keyservers pools, and reachable over
hkpms:// support will be used as soon as
possible in place of the hierarchical X.509 certification model.
GnuPG is configured accordingly to the OpenPGP Best Practices, e.g. to prefer non-outdated digest algorithms from the SHA-2 family, to force exclusion of the version string in ASCII armored output, to avoid automatically locating and retrieving keys, and to disregard the preferred keyserver assigned to specific keys.
- config/chroot local-includes/etc/skel/.gnupg/gpg.conf
- config/chroot local-includes/etc/ssl/certs/sks-keyservers.netCA.pem
- config/chroot local-includes/usr/share/amnesia/gconf/desktop pgp.xml
- hkpms is available in Debian: msva-perl
An opt-in data persistence feature is available in Tails 0.11 and newer. See persistence for details.
An easy (read: not command-line based) way to install and upgrade Tails on USB sticks and SD cards is available in Tails 0.11 and newer. SD cards readers wired via SDIO are supported since Tails 0.21. See installation for details.
Tails puts the wireless devices in a sensible state at boot time.
At boot time, Tails unblocks Wi-Fi, WWAN and WiMAX radios, unblocks Bluetooth radio (so that it can be dealt another way:), and soft-blocks all other kinds of wireless devices (e.g. UWB, GPS, FM).
- config/chroot local-includes/etc/init.d/tails-set-wireless-devices-state
- config/chroot local-includes/usr/local/sbin/tails-set-wireless-devices-state
The OpenSSH client is configured to use the Tor SOCKS proxy, and to prefer strong ciphers and MACs..
- config/chroot local-includes/etc/ssh/ssh config
- config/chroot local-includes/usr/local/bin/connect-socks
When a Tails release is out, Tails users are proposed to download and apply a partial upgrade (that is, only what has changed between two releases). See incremental upgrades for details. To start with, this upgrade mechanism may be only available for point-releases.
Tails ships a few custom applets in the GNOME panel.
The shutdown helper applet provides two-clicks shutdown and restart actions.
- config/chroot local-includes/etc/skel/.config/gnome-panel/panel-default-layout.layout
- config/chroot local-includes/usr/local/lib/shutdown-helper-applet
- config/chroot local-includes/usr/share/dbus-1/services/org.gnome.panel.applet.ShutdownHelperFactory.service
- config/chroot local-includes/usr/share/gnome-panel/4.0/applets/org.boum.tails.ShutdownHelper.panel-applet
The Tails OpenPGP applet allows to symmetrically and asymmetrically encrypt and decrypt text, and to verify OpenPGP signatures.
Tails prevents dhclient from sending the hostname over the network.
First, only the
keyfile NetworkManager plugin is used; that is, the
ifupdown plugin is disabled:
- this is needed, because the only the
keyfileplugin supports setting
dhcp-send-hostnameto false, while the
ifupdownplugin retrieves the hostname to send from
- this is OK, because we actually don't use the functionality provided
ifupdownplugin (that is, reading from
/etc/network/interfaces-- that only configures the loopback connection in Tails, which is itself ignored by NetworkManager anyway).
Second, the NetworkManager
keyfile plugin is configured to not
send the hostname over DHCP by default. Likely this can be overridden
on a per-connection basis if one really needs to change this.
Third, dhclient itself is told not to send the hostname. This is
needed because on Wheezy, NetworkManager runs dhclient with the
/var/run/nm-dhclient-eth0.conf option, and generates that file by
/etc/dhcp/dhclient.conf with its own settings.
Fourth, dhclient is told to override any hostname provided by the DHCP
amnesia. This is meant to prevent dhclient hooks,
NetworkManager and others from setting the hostname to a value
controlled by the DHCP server.
TCP time stamps allow for tracking clock information with millisecond resolution. This may or may not allow an attacker to learn information about the system clock at such a resolution, depending on various issues such as network lag. This information is available to anyone who monitors the network somewhere between the attacked Tails system and the Tor entry nodes being used. It may allow an attacker to find out how long a given Tails system has been running, and to distinguish several Tails systems running behind NAT and using the same IP address. It might also allow to look for clocks that match an expected value to find the public IP used by a user.
Hence, Tails disables this feature.
Note that TCP time stamps normally have some usefulness. They are needed for:
the TCP protection against wrapped sequence numbers; however, to trigger a wrap, one needs to send roughly 232 packets in one minute: as said in RFC 1700, "The current recommended default time to live (TTL) for the Internet Protocol (IP) [45,105] is 64". So, we don't think this is a practical problem in the context of Tails.
"Round-Trip Time Measurement", which is only useful when the user manages to saturate their connection. When using Tails, we believe that the limiting factor for transmission speed is rarely the capacity of the user connection.
Tails has some minimal application isolation to mitigate a bit the consequences of security issues in individual applications being exploited by attackers.
torsocks, after unsetting the
environment variable and friends, so that it talks directly to the Tor
During most of the ISO build process, APT uses the proxy configured
live-build (that is, usually a local
However, at boot time, a hook does (a more elaborate version of)
s,http://,tor+http:// in APT sources. Then, APT will use the
tor+http method, that is a simple torsocks wrapper for the good old
- config/chroot local-includes/usr/lib/apt/methods/tor+http
- config/chroot local-includes/lib/live/config/1500-reconfigure-APT
We install the Electrum Bitcoin client and the default configuration tells it to use the default of Tor's SOCKSPort:s, and sync the necessary parts of the Bitcoin blockchain (as a lightweight client) from the default server pool using SSL.
There is also a persistence preset for the live user's
configuration folder, which stores the Bitcoin wallet, application
preferences and the cached Bitcoin blockchain.
Tails may of course be run in virtual machines. Due to the popularity of VMWare we include open-vm-tools (an open-source alternative to VMware tools) as well as special video drivers for an improved user experience in that environment. Due to the closed-source nature of VMWare we try to encourage users of open VMs, like VirtualBox and QEMU, by making sure that these also work. In the case of VirtualBox both video and input drivers are included, as well as the guest utilities.
Security concerns for all VMs are numerous. Tails therefore tries to detect whether it is run inside a VM and warns the user if it is.
Potential work may make it easier to run the DVD/USB in a virtual machine inside a Windows session whenever native boot is impossible or not desirable. This probably will be implemented by shipping a QEMU or VirtualBox binary for Microsoft Windows.
The Debian Live is a toolkit to build Live systems based on Debian, such as Tails. Debian Live is designed to automate the build process of the target distribution, which eases Tails development and maintenance. As an added bonus, Debian Live makes it possible for other people to build custom systems based on Tails, e.g. to include additional software.
An automated build and test environment is useful to avoid regressions in Tails, especially anonymity and security related ones. It also makes it easier for developers to work on Tails with more confidence, and at release time to cut down the time needed for quality assurance work.
Keeping Tor (stable releases only, unless the Tor core developers recommend otherwise) and the Tor Browser up-to-date is a priority.
Remaining applications, including the base system, will be upgraded using Debian standard upgrade process, and generally based on the latest Debian stable release so there are not many problems.
We intend to build and publish point releases (e.g. 0.6.1) in a timely manner when security issues affect Tails. Such releases are based on the stable Git branch and can thus also fix important — although not security-related — bugs.
Tails generally ships the latest Linux kernel from Debian unstable or Debian Backports as a compromise between stability and recent hardware support. Recent Intel and AMD microcode are included as well.
The x86 hardware architecture is the main supported one.
A 64-bit Linux kernel (amd64 flavour) and a 32-bit one (486 flavor, for maximal backward-compatibility) are provided. The best supported one is used.
Tails currently offers almost no protection against live physical monitoring, except for hardware keyloggers.
UDP and IPv6 are a problem. The Tor network does not support any of those yet. Outgoing UDP and IPv6 packets are dropped altogether by netfilter for this reason.
Support of arbitrary DNS queries is only provided by ttdnsd listening on 127.0.0.2. ttdnsd has proved too be far too buggy to be inserted in the default DNS resolution chain.
Some tools currently available to command-line users lack the integration into Tails and/or graphical user interface that would be needed to make them useful to anyone.
Other caveats are listed on the known issues page.
See the development roadmap for more information about where Tails is heading to.
Tails tries to make it as difficult as possible to distinguish Tails users from other Tor users.
The Tor Browser used in Tails is configured to match the fingerprint of the Tor Browser Bundle and the known differences, if any, are listed in the known issues page.
However the fact that different browser extensions are installed in Tails and in the TBB surely allows more sophisticated attacks that usual fingerprint as returned by tools such as https://panopticlick.eff.org/ and http://ip-check.info/. For example, the fact that Adblock is removing ads could be analysed.
From the point of view of the local network administrator, Tails is almost exclusively generating Tor activity and that is probably quite different from other TBB users. We believe this would be hard to avoid. Other possible fingerprint issues on the LAN or ISP exist but we believe they would be harder to detect. See the discussion on fingerprinting in the Time sync design document and the fingerprint documentation.