Tor/VPN Questions

After reading Tor-related threads on this forum I want to test if my understanding is correct. Can someone please tell me if the following is correct:

  1. Delta Chat can be configured through the UI to be tunneled over SOCKS5, but this is still experimental and leaky
  2. Using Delta Chat over a desktop VPN is potentially leaky
  3. System-level approaches such as Tails and Whonix will not leak anything, though nobody knows if multiple account isolation/compartmentalization is supported or not
  4. Using Delta Chat through Orbot on Android or iOS will not leak anything, though nobody knows if multiple account isolation/compartmentalization is supported or not
  5. Using Delta Chat through a non-Tor VPN on Android or iOS will not leak anything, though obviously there is no multiple account isolation/compartmentalization since this is only possible with Tor
  6. We can expect better Tor integration in Delta Chat in the future but there is currently no timeline for this

By the way, maybe it would be useful to consolidate Tor questions and threads into a FAQ entry and/or create a guide/tutorial explaining best practices for Tor users. I think missytake first suggested a FAQ here: "Using Tor with socks5 leaks un-anonymized traffic in several situations · Issue #3093 · deltachat/deltachat-desktop · GitHub"

Delta Chat core does not leak DNS when SOCKS5 is configured, but in the UI you enter the address before configuring SOCKS5. When you type in the address, a DNS request for the MX record is made, bypassing SOCKS5.

It depends on the VPN and operating system; everything is potentially leaky. It is the VPN's problem if it leaks DNS requests; Delta Chat just uses system DNS on desktop.

If you want to have stream isolation with Tor, you can configure IsolateSOCKSAuth (on by default) and use a different SOCKS5 username:password pair for each account. Delta Chat supports SOCKS5 authentication, so this should be enough to separate streams.

This depends on the VPN application; a VPN application can leak something to your local provider. Make sure to use a trustworthy VPN or test it yourself.

There are no plans to have Tor integration in Delta Chat other than SOCKS5 support.

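An added example, not part of any post in this thread and not Delta Chat's own code: the SOCKS5 messages behind the two points in the reply above, built and parsed per RFC 1928/1929. A CONNECT request that carries the hostname lets the proxy do the DNS lookup, and the per-account username:password pair is what IsolateSOCKSAuth keys on. All function names, account labels and credentials here are hypothetical.

```python
import ipaddress
import struct
from collections import defaultdict

VER, CMD_CONNECT = 0x05, 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

def auth_request(username: str, password: str) -> bytes:
    """RFC 1929 username/password message sent after the method greeting."""
    u, p = username.encode(), password.encode()
    if not (1 <= len(u) <= 255 and 1 <= len(p) <= 255):
        raise ValueError("username and password must each be 1..255 bytes")
    return bytes([0x01, len(u)]) + u + bytes([len(p)]) + p

def connect_request(host: str, port: int) -> bytes:
    """RFC 1928 CONNECT carrying the hostname, so the proxy does the lookup."""
    h = host.encode("idna")
    if not 1 <= len(h) <= 255:
        raise ValueError("hostname must be 1..255 bytes")
    return bytes([VER, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(h)]) + h + struct.pack(">H", port)

def parse_connect(msg: bytes):
    """Decode a CONNECT request into (address_kind, host, port)."""
    if len(msg) < 5 or msg[0] != VER or msg[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = msg[3]
    if atyp == ATYP_DOMAIN:
        start, size, kind = 5, msg[4], "domain"
    elif atyp in (ATYP_IPV4, ATYP_IPV6):
        start, size, kind = 4, (4 if atyp == ATYP_IPV4 else 16), "ip"
    else:
        raise ValueError("unknown address type")
    addr, rest = msg[start:start + size], msg[start + size:]
    if len(addr) != size or len(rest) != 2:
        raise ValueError("truncated or oversized request")
    # kind == "ip" means the client resolved the name itself before the proxy saw it
    host = addr.decode("ascii") if kind == "domain" else str(ipaddress.ip_address(addr))
    return kind, host, struct.unpack(">H", rest)[0]

def shared_credentials(accounts: dict) -> list:
    """Groups of accounts with an identical SOCKS5 pair (not isolated from each other)."""
    groups = defaultdict(list)
    for name, pair in accounts.items():
        groups[tuple(pair)].append(name)
    return [sorted(g) for g in groups.values() if len(g) > 1]

# Constructed sample: three accounts, two of which reuse one credential pair.
SAMPLE_ACCOUNTS = {"work": ("dc-work", "r4nd0m-a"),
                   "personal": ("dc-home", "r4nd0m-b"),
                   "alias": ("dc-home", "r4nd0m-b")}
```

Running `parse_connect` over requests captured at the proxy port shows whether a client sent names or already-resolved IPs, and `shared_credentials` flags accounts that Tor would be free to place on the same circuit.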

Current state in my view:

  1. As long as you don’t use the experimental map/location-streaming feature it should not leak. (Also, as link2xt said above, first login/setup might also leak.)
  2. Maybe for local network transfers, but it should not if your VPN is for all apps.
  3. Compartmentalisation of accounts is not really integrated, but you could
    • use different SOCKS5 proxies for each account
    • disable syncing of all accounts in desktop and switch the network when you switch the account
  4. Same as for 3. It would maybe be possible to build it into DC, but right now it is not implemented.
  5. Even in Tor that feature is relatively new, so not all implementations of Tor already have it. I guess it needs application support, but I also don’t know exactly how this Tor application compartmentalisation works.
  6. Yes, no plans, but if someone is interested in bringing this forward we would be happy. Also, there is a work-in-progress Rust implementation of Tor which we could probably integrate into Delta Chat core in the future when it has enough features.

This can be improved in the future, but right now there is nobody actively caring for this.

Generally everything can be leaky. Also, Android and iOS are high-value targets, so if someone is reading your messages they might as well already have full remote access to your phone. So you should use some special Tor OS, but even then your hardware might be hackable and spy on you, so it really depends on who you want to hide from.

Are there any plans to implement DNS over SOCKS5 or HTTPS? Seems like it is a really killer feature for self-hosted users.

If you enable SOCKS5 in Advanced settings before configuration, DNS requests for your IMAP and SMTP server will go over SOCKS5.

Could you explain how this is related to selfhosting?