Should Streisand allow users to choose what services to set up?

[ddworken]

Should Streisand allow users to choose what services to set up? Personally, I think this would be a beneficial addition to Streisand. It would give users more control allowing them to run Streisand on servers with less processing power. It also would allow people to avoid running certain services that are easily detectable (L2TP/IPsec) for greater privacy.

[jlund]

The good news is that every service is already broken out into separate Ansible roles. Switching services on and off before creating new instances is something that I do a lot during testing. Right now this involves manually editing the playbooks/streisand.yml file and commenting out the roles that I want to skip, but it should be possible to script this too. From a UI perspective, I'm not sure what the best way to present this would be. I want users to have several connection options available out of the box in case one of the methods gets blocked.

More good news: All of the services Streisand sets up are lightweight enough that they can easily run on underpowered machines and still handle lots of simultaneous connections. Streisand works perfectly on EC2 Micro instances, for example, and this is actually the default instance size for new Amazon servers that it creates.

You're right that L2TP/IPsec is easier to detect and block than the other services. I included it because it is also very simple to set up and is a fantastic option for users in countries like Turkey that are censoring the Internet but that are not performing Deep Packet Inspection or blocking L2TP/IPsec traffic. Perhaps a good starting point would be to add a flag that allowed users to easily disable L2TP/IPsec installation?

[ddworken]

Yeah, I think at the very least it would be a good idea to add a flag to allow configuring this. I glanced through the code and I didn't spot a standard location for configuration of this sort of thing. I added this feature to my fork under the bash script that starts the installation; however, if you have a better suggestion of where to place this configuration tell me.

[psifertex]

I'd like the selectability mainly because I don't want the tor bridge installed because the dynamic ports won't work on azure and it would be nice if I could just disable that and have everything else just work.

Of course, I've done it on the command-line, but that just let me run into #36. ;-)

[ddworken]

Do you guys think a series of check boxes during installation would be too confusing? It would be fairly easy to implement that and have them all automatically enabled by default. That way anyone else who has any reason to not want a certain service can easily disable it.

[jlund]

@ddworken I haven't had a chance to look at your pull request quite yet, but I am leaning towards implementing this using a command-line flag that gets passed to the ./streisand script (e.g. ./streisand --disable-l2tp-ipsec). This would make it accessible to those who care about disabling the L2TP/IPsec service without adding an additional prompt that might be confusing to most other users. I also want the default setup to ask as few questions as possible and to give people several connection options.

I'm still on the fence about adding more disable options to the mix, but I'm strongly leaning towards no. I want to allow advanced users to disable L2TP/IPsec primarily because it doesn't work well on many cloud server providers. It's not included in Streisand's default Amazon playbook, for instance.

As I said in an earlier comment, the other services are lightweight enough that I believe it's worth keeping them around. I think maintaining connection flexibility and a diverse set of working services will do a lot to make sure that any given Streisand server can remain effective for a long time, even if one of the services gets blocked. I want to avoid tempting users into easily disabling services that they (or the people they share the instructions with) might later wish that they had access to.

[jlund]

@psifertex I was able to make the Tor dynamic ports work with Amazon EC2, even though it dramatically increased the complexity of its playbook. At first, Streisand creates a barebones EC2 Security Group for the new server that only allows SSH access. Later on, after the random obfs3 and ScrambleSuit ports have been assigned, the Security Group gets updated and opens up everything else. You can see the bulk of this logic in the playbooks/amazon.yml and playbooks/roles/ec2-security-group/main.yml files. This works really well because the obfsproxy ports don't ever change after they are first assigned.

I would be really surprised if we can't make the same thing happen for Azure. Adding native Azure support is one of the next things on my list, and I'm going to fix #36 before I go to bed tonight. Hang in there :)

[dlmetcalf]

This is why I stopped using Streisand. Some of the first principles of security:

1. Reduce code. Ensure a minimal and trusted compute base. Minimise what you depend on to the bare essentials. Carefully manage external sources (build tools included). Keep it auditable.

2. Reduce attack surface. Don't expose unnecessary services and entry points. Don't provide extra code paths for attackers to exercise/exploit. Don't provide unnecessary information gathering opportunities.

3. Separate and reduce privileges. Including to isolate and sandbox software/components, e.g. limit syscalls and file access. Compartmentalise (inevitable) failures.

You can't have privacy or anonymity without security.

Streisand is an outstanding project. Great concept and we're very fortunate that it's been shared with the community. I hope someone in the community has time to work on this issue to make it more widely applicable. Streisand has many great features, but until some of the more fundamental security issues are addressed, its uptake will be limited. Developing a documented threat model, via risk management process such as http://dx.doi.org/10.6028/NIST.SP.800-30r1, would be a great step too.

[cpu]

I've picked this up and will be creating a centralized issue with a plan of attack in the next week or so.

Developing a documented threat model, via risk management process such as http://dx.doi.org/10.6028/NIST.SP.800-30r1, would be a great step too.

Contributions welcome :-)

[cpu]

There are several open issues of varying age/concentration on modularization to date. I've started on a concerted effort to implement first-party support and recommend interested parties follow #746. I'm going to close this issue as a duplicate of 746 in the short term. Thanks!