Well it’s not easy, but it’s possible (maybe not even be hard with Tails), for example:
- Setup Tor gateway for all outgoing HTTP traffic
OR - Run Launcher as a separate user ID, and create app-specific or user-specific rules to
- Prevent this user/app going out through 80/443
- Allow everything else
OR
- Use a smart proxy to create a similar combination of rules
Lately I’ve been setting up my home network to route some traffic through Tor, partially in order to prepare for these and other testing I need to do. Currently I route some traffic through a Web Proxy + Tor SOCKS5 server (some through the both) for incoming and outgoing connections. (It’s complicated and I’m not sure it’s worth the trouble and time, but who wouldn’t want to blow his weekend on such nonsense?)
Related to your claims that safe_launcher.exe makes those connections on its own: I looked and it’s true that it attempts to go out to the internet on its own. I don’t know whether I didn’t notice this before, or perhaps tamed its behavior using my outgoing Tor SOCKS5 proxy. But I messed around with the settings because I couldn’t connect yesterday so I don’t know what they were before.
Those who have Windows firewall could prevent safe_launcher.exe from accessing outgoing ports 21, 80, 443, 8443 and such (let it access the rest).
Ideally the Launcher should be fixed.
Edit: I forgot to mention another unusual thing I was doing: I wouldn’t set the system default proxy as official instructions say - I’d only configure that proxy localhost:8101 in Firefox, and I did that not to protect myself from the launcher but because I simply found that more convenient (as I could browse “normally” from my other browsers)…