[liberationtech] Tor2web support for HTTPS on .onion
Dear all,

We’re happy to announce the release of Tor2web 3.1.30 [1] that includes support for access to .onion sites over TLS.

Tor2web [2] is HTTP proxy server software used for accessing onion sites.

The Tor2web support for TLS includes the following security features:

- TOFU (Trust on First Use) certificate validation by caching the fingerprint of the .onion site
- Validation of CN (Common Name) and SANs (Subject Alternative Names) specified in the certificate of the .onion domain.

As Facebook has recently opened its own onion site [3], we’ve been coordinating this release with Alec Muffett from Facebook in order to block access to Facebook by means of the Tor2web proxy. Because Facebook has a normal website, using Tor2web merely presents an option for users to hurt themselves.

You can see the Facebook block here: https://facebookcorewwwi.tor2web.org

Current Tor2web conduits are:

- tor2web.org (running 2 out of 3 servers after recent server takedown due to CryptoWall abuses)
- tor2web.fi by Ahmia (https://ahmia.fi)
- onion.lt
- onion.to (temporarily dead after server takedown)
- tor2web.blutmagie.de (expired certificates)

We remind the community that Tor2web yearns for additional operators.

If you want to run a Tor2web conduit or otherwise support Tor2web:

- take a look at our wiki https://github.com/globaleaks/Tor2web-3.0/wiki
- join the tor2web-talk mailing list http://lists.tor2web.org/mailman/listinfo/tor2web-talk

[1] https://github.com/globaleaks/Tor2web-3.0
[2] https://www.tor2web.org/
[3] https://blog.torproject.org/blog/facebook-hidden-services-and-https-certs

Giovanni Pellerano - Founding Member
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - https://globaleaks.org - https://tor2web.org - https://ahmia.fi

--
Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech.
Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
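The two TLS checks listed in the announcement above (name validation against CN/SANs, then trust-on-first-use fingerprint caching), sketched as an added example; this is not Tor2web's own code. The SHA-256 fingerprint, the in-memory store, the class and function names and the sample host are all assumptions made for illustration.

```python
import hashlib

class NameMismatch(Exception):
    """Certificate does not name the requested .onion host."""

class PinMismatch(Exception):
    """Certificate differs from the one cached on first use."""

def cert_names(cert):
    """Collect CN and DNS SAN entries from a getpeercert()-shaped dict."""
    names = {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    for rdn in cert.get("subject", ()):
        names.update(v.lower() for k, v in rdn if k == "commonName")
    return names

def name_matches(host, pattern):
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    host = host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

class TofuStore:
    """In-memory fingerprint cache keyed by .onion host (assumed storage)."""
    def __init__(self):
        self.pins = {}

    def check(self, host, der, cert):
        host = host.lower()
        # Validate names first so a certificate for another host is never pinned.
        if not any(name_matches(host, n) for n in cert_names(cert)):
            raise NameMismatch(host)
        fp = hashlib.sha256(der).hexdigest()  # assumed fingerprint algorithm
        if host not in self.pins:
            self.pins[host] = fp
            return "pinned-on-first-use"
        if self.pins[host] != fp:
            raise PinMismatch(host)
        return "match"

# Constructed sample data: placeholder bytes stand in for DER certificates.
HOST = "examplehiddensvc.onion"
DER_FIRST = b"constructed-der-bytes-first-certificate"
DER_OTHER = b"constructed-der-bytes-different-certificate"
CERT = {"subject": ((("commonName", HOST),),),
        "subjectAltName": (("DNS", HOST), ("DNS", "*." + HOST))}

if __name__ == "__main__":
    store = TofuStore()
    print(store.check(HOST, DER_FIRST, CERT))
    print(store.check(HOST, DER_FIRST, CERT))
```

The first connection is the unauthenticated one under TOFU, so a persistent store and an explicit operator procedure for legitimate certificate rotation matter as much as the comparison itself.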
[liberationtech] A new major GlobaLeaks version has been released
Dear all,

We’re happy to announce the release of GlobaLeaks 2.60.43 [1].

The release includes the following major improvements:

* Added support for Field Templates configuration
* Added support for Context Steps configuration
* Implemented caching for API
* Early Support for Stats Tracking and Visualization
* Removed Pickles in favour of JSON data structures
* Properly packaged as debian package
* Added support of Debian Jessie and Debian 7 (in addition to Ubuntu 12.04 and Ubuntu 14.04)
* Simplified installation procedure on supported platforms: curl https://deb.globaleaks.org/install.sh | sh
* Improved UX thanks to JoyLab consultancy
* Raised code coverage up to 82%
* Implemented basic scripts for ready-to-use globaleaks Vagrant machines
* Added translation for: Japanese, Chinese, Ukrainian

For the complete list of closed tickets please refer to the Changelog [2].

For your information, thanks to the new Open Technology Fund grant started in July 2014 [3], the project development is now proceeding on a daily basis [4] and GlobaLeaks is now being used by more than 20 initiatives in more than 15 countries [5].

The GlobaLeaks team wishes you a Merry Christmas and happy new year Leaking!

[1] https://github.com/globaleaks/GlobaLeaks
[2] https://github.com/globaleaks/GlobaLeaks/blob/master/CHANGELOG
[3] https://www.opentechfund.org/projects
[4] https://github.com/globaleaks/GlobaLeaks/wiki/OTF-Reporting
[5] https://en.wikipedia.org/wiki/GlobaLeaks#Implementations

Giovanni Pellerano - Founding Member
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - https://globaleaks.org - https://tor2web.org - https://ahmia.fi
Re: [liberationtech] Tails ISO verification extension for Firefox
Hi Sajoda,

I find your idea really interesting and useful but I think the idea of developing it in relation to ISO or simply file download in the end would result in a limit, while this plugin would result really useful and interesting if developed thinking in general to content (regardless of the file type; passive/active content, etc) authentication.

While developing GlobaLeaks (https://github.com/globaleaks/GlobaLeaks) and developing our end-to-end encryption ideas where we would need to verify Javascript signing, and collaborating with SecureDrop people in relation to shared topics, we ended in discussing exactly the same need you are explaining but a little more generic in relation to projects signing/integrity; we were thinking to build a plugin (for Firefox / Tor Browser itself) in order to perform code integrity checks; we were thinking to call it code integrity everywhere.

You find here the root document of the tentative specification we did together in a shared hackathon done this summer in Berlin together with the SecureDrop team and supported by the Open Technology Fund.

https://securedrop.hackpad.com/Code-Signing-Everywhere-jKSUBY1civF

It would be interesting to continue on this collaborative design and development on this topic.

best,
Giovanni
[liberationtech] Tor2web 3.1.41 release with GetTor & CheckTor
Dear all,

We’re happy to announce the release of Tor2web 3.1.41 [1].

This release includes the following important features:

- Tor2web GetTor: that provides end-users a super-easy-automatic way to download Tor Browser
- Tor2web CheckTor: that enables third party sites to check if a user is behind Tor
- Improved URL rewriting for JS, CSS, and XML files
- Improved packaging and signing

Most of the improvements are thanks to a private donation by Virgil Griffith in relation to the Onion.city project [2].

### Tor2web GetTor

Tor2web GetTor [3] is designed to enable third parties to design and develop their own Tor Browser installation instructions, by simplifying and localizing that process.

It serves the latest stable Tor Browser for Windows and Mac OS X directly from any Tor2web public or private server on the following URLs:

* /gettor : gives you the latest TBB for your OS/Language
* /gettor/signature : gives you the signature file for the latest TBB for your OS/Language

It automatically detects the operating system (Windows, Mac OS X) and language, serving the right TBB installation file. For iOS and Android it redirects to the Apple Store and Google Play.

Documentation of Tor2web GetTor is at https://github.com/globaleaks/Tor2web/wiki/GetTor . The corresponding ticket for development is at https://github.com/globaleaks/Tor2web/issues/168

The Tor2web GetTor feature comes from a functional requirement for a GlobaLeaks deployment for Amnesty International. The feature is the result of a collaborative effort between Hermes Center (Giovanni/Fabio) and Ilv (https://github.com/ilv/gettor) working on the Tor Project’s GetTor (https://www.torproject.org/projects/gettor.html).

### Tor2web CheckTor

Tor2web CheckTor [4] enables a third party website to verify if a user is connecting over Tor or not, in a flexible way with regard to the different usage/integration requirements.

It serves an HTTP Header X-Check-Tor (true/false) on each Tor2web response, additionally providing a /checktor embeddable URI (CORS enabled) that provides a data format compatible with https://check.torproject.org/api/ip .

CheckTor.js and CheckTor.html examples have been written in order to simplify user adoption and integration inside third party websites: https://github.com/globaleaks/Tor2web/blob/master/contrib/checktor

Documentation of Tor2web CheckTor is at https://github.com/globaleaks/Tor2web/wiki/CheckTor .

Tor2web CheckTor comes from a functional requirement for a GlobaLeaks deployment for OCCRP (Organized Crime and Corruption Reporting Project), where we designed a new "Integrated way" to deploy Whistleblowing site (https://github.com/globaleaks/GlobaLeaks/wiki/Integration-Guide).

We invite the Tor community to contribute, evaluate, constructively criticize those additional facilities we’ve integrated into Tor2web.

If you want to run a Tor2web conduit or otherwise support Tor2web:

- take a look at our wiki https://github.com/globaleaks/Tor2web/wiki
- join the tor2web-talk mailing list http://lists.tor2web.org/mailman/listinfo/tor2web-talk

[1] https://github.com/globaleaks/Tor2web
[2] http://www.onion.city
[3] https://github.com/globaleaks/Tor2web/wiki/GetTor
[4] https://github.com/globaleaks/Tor2web/wiki/CheckTor

Giovanni Pellerano - Founding Member
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - https://globaleaks.org - https://tor2web.org - https://ahmia.fi