From c7d88571e48fface5fc24d7d471724303e374f37 Mon Sep 17 00:00:00 2001 From: HulaHoopWhonix Date: Thu, 31 Mar 2016 03:16:10 +0000 Subject: [PATCH] Update control --- debian/control | 47 ++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 42 insertions(+), 5 deletions(-) diff --git a/debian/control b/debian/control index da44545..2163aa8 100644 --- a/debian/control +++ b/debian/control 
@@ -16,8 +16,45 @@ Architecture: all Depends: ${misc:Depends} Description: enhances misc security settings - deactivates previews in Dolphin - - deactivates previews in Nautilus - . - This package only takes effect for newly created user accounts. Not for - existing user accounts. This package is most useful to help Linux distribution - maintainers setting divergent defaults. +- deactivates previews in Nautilus +- deactivates TCP timestamps +- deactivates Netfilter's connection tracking helper +. +Changes to the file browser only take effect for newly created user accounts. Not for +existing user accounts. This package is most useful to help Linux distribution +maintainers setting divergent defaults. +. +TCP time stamps (rfc 1323) allow for tracking clock +information with millisecond resolution. This may or may not allow an +attacker to learn information about the system clock at such +a resolution, depending on various issues such as network lag. +This information is available to anyone who monitors the network +somewhere between the attacked system and the destination server. +It may allow an attacker to find out how long a given +system has been running, and to distinguish several +systems running behind NAT and using the same IP address. It might +also allow to look for clocks that match an expected value to find the +public IP used by a user. +. +Hence, this package disables this feature by shipping the +/etc/sysctl.d/tcp_timestamps.conf configuration file. +. +Note that TCP time stamps normally have some usefulness. They are +needed for: +. +* the TCP protection against wrapped sequence numbers; however, to + trigger a wrap, one needs to send roughly 2^32 packets in one + minute: as said in rfc 1700, "The current recommended default + time to live (TTL) for the Internet Protocol (IP) [45,105] is 64". + So, this probably won't be a practical problem in the context + of Anonymity Distributions. +. 
+* "Round-Trip Time Measurement", which is only useful when the user + manages to saturate their connection. When using Anonymity Distributions, + probably the limiting factor for transmission speed is rarely the capacity + of the user connection. +. +Netfilter's connection tracking helper module increases kernel attack surface by enabling superfluous functionality such as IRC parsing in the kernel (!) +. +Hence, this package disables this feature by shipping the +/etc/sysctl.d/nf_conntrack_helper.conf configuration file.
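Review bot: The new description text tells users the package ships /etc/sysctl.d/tcp_timestamps.conf and /etc/sysctl.d/nf_conntrack_helper.conf, but this patch only touches debian/control; confirm both files are already installed by the packaging (debian/install or equivalent), otherwise the description promises behaviour the package does not deliver. On the sequence-wrap bullet, the justification quotes the rfc 1700 IP TTL of 64, which is a hop count rather than a packet lifetime, so it does not support the "2^32 packets in one minute" figure; the bound comes from the maximum segment lifetime in the TCP specification, and RFC 1323 itself has been obsoleted by RFC 7323, so cite those instead of "rfc 1323"/"rfc 1700". Two grammar fixes in the added paragraphs: "Changes to the file browser only take effect for newly created user accounts. Not for existing user accounts." should be one sentence ("…for newly created user accounts, not for existing ones"), and "maintainers setting divergent defaults" should read "maintainers set divergent defaults". Finally, a caveat worth adding to the nf_conntrack_helper paragraph: the sysctl key only exists once the nf_conntrack module is loaded, so if the module is not loaded at the time the sysctl.d files are applied the setting is logged as an error and silently has no effect; a modprobe.d or module-load hook may be needed for the default to take hold. Style-wise, the "(!)" after "IRC parsing in the kernel" reads as an aside rather than package documentation and could be dropped.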