Re: SoC Project: Improving Hidden Service Security and Usability

[Ringo]

"Please correct me if I am wrong, but I believe someone made HS
security/usability improvements a while ago which included the
username:passphrase option and making it possible to keep the URL hidden
from anyone except those who are provided the URL?"

As far as I know, no such feature has been implemented. No security
would be gained by such a feature anyways. If you don't give your hidden
service address to anybody, nobody will ever find it. One could
theoretically guess addresses, in which case you can add a password
through htaccess or any number of readily available scripts/programs.

"Could you please setup or describe how to use a CAPTCHA in the form of
a 'word of the day'?"

I'm dealing with how to set up a general system, not anything specific
to any particular system. How is this different from a password? If
somebody knows a password, you can assume that they are allowed in. You
could rotate passwords, but how would you communicate them to the
intended user?

"3. Could you please make it possible or describe how to setup forums in
a secure fashion?"

My goal is to make a standard Linux-Apache-MySQL-PHP installation as
'secure' as possible. This would include forums or whatever else you
would like.

"4. Other services which an administrator could offer would be great.
Maybe a blog?  However, to me the use a forums in OnionLand is most
interesting and useful; for example a section of the forums could be a
quasi-blog."

Blog hosting systems already exist, such as (IIRC) Hidden Hosting.

"I have always been interested in the idea of a colo-HS"

Bad idea as you lose your anonymity and data integrity.

"I know the old 'how-to' for running a node on *nix included info on
setting up FDE but the directions are/were very clunky and hard to follow."

The Ubuntu Alternate Install CD makes it very easy to do full disk
encryption and if you use Windows, Truecrypt is a good option.




Chris Humphry wrote:
> Hi Ringo,
> 
> Thanks for your soon to be improvements!   I have a couple of 
> requests/questions if you do not mind:
> 
> 1. I believe the current state of Hidden Service (HS) is one where access to 
> an HS can be username:passphrase protected?  Please correct me if I am wrong, 
> but I believe someone made HS security/usability improvements a while ago 
> which included the username:passphrase option and making it possible to keep 
> the URL hidden from anyone except those who are provided the URL?  (ie. 
> 'Toogle' (sp?) (Tor-google) will not 'find' the HS URL if the administrator 
> of the HS chooses to keep the URL private).
> 
> If the above is correct could you please make it possible, or describe how an 
> administrator could setup the HS access page (ie username:passphrase)  to 
> accept a PGP key in place of username:passphrase?  Or maybe a username:PGP 
> key to access the HS?
> 
> 2. Could you please setup or describe how to use a CAPTCHA in the form of a 
> 'word of the day'?  For example, the police have a "color of the day", a 
> colored band they where when in plain cloths.  This color changes everyday.  
> If they are in question to clothed police they can show the color of the day 
> to prove they really are police.  In this fashion an administor could setup a 
> 'word (or phrase) of the day' (or week, etc).  The administor could contact 
> the members via TorPM (for example) to tell them the new 'word of the day'.  
> Thus an adversay would need a legitamte members private PGP key AND the 'word 
> of the day' to access the HS.
> 
> 3. Could you please make it possible or describe how to setup forums in a 
> secure fashion?  I like the idea of "Onion Forum" but I have no idea if it's 
> setup in a secure fashion or not.  
> 
> 4. Other services which an administrator could offer would be great.  Maybe a 
> blog?  However, to me the use a forums in OnionLand is most interesting and 
> useful; for example a section of the forums could be a quasi-blog.
> 
> 5. I have always been interested in the idea of a colo-HS.  Could you please 
> describe how one could be setup?  And could you please detail the associated 
> risks vs benefits?  I have in my minds eye that running a colo-HS is not a 
> good...
> 
> 6. I know this might be asking too much but info/scripts to setup FDE (Full 
> Disk Encryption) would be great!  I know the old 'how-to' for running a node 
> on *nix included info on setting up FDE but the directions are/were very 
> clunky and hard to follow. 
> 
> Thanks!  (and sorry if some of those are stupid requets)
> 
> 
> 
> 
> 
>   

Exit node IP *not* showing up on TorCheck and others

[Chris Humphry]

Hi,
 
I just started a session of TBB (current release) and when the homepage opened 
up it told me I was not connected to the Tor network.  So I went to TorCheck 
and it told me the same thing.  Then I used NewNym (via 'New Identity' in 
Vidalia) and with the new Exit node IP both TorCheck and the homepage for TBB 
now show I am connected to the network.
 
Here is the IP address which didn't show up as an Exit node:
 
76.73.58.224
 
 
Thanks
 


  

Re: Ping times with Tor running

[Udo van den Heuvel]

On 2009-06-27 17:47, Kris Linquist wrote:
> Is this expected or do you think it's poor performance by either my ISP
> or cable modem at accepting many connections?

Traffic shaping.
http://lartc.org/wondershaper/

Re: Ping times with Tor running

[Udo van den Heuvel]

On 2009-06-27 18:07, Kris Linquist wrote:
> Bandwidth tests (dslreports/speedtest.net) show that I am getting at
> least the guaranteed rate - usually significantly more.  DOCSIS 3.0 cable.

The you should shape your uplink to slightly below the netto speed you
measured to avoid queues in the modem.
The add the wondershaper to prioritize your traffic and your pings will
improve.

Re: Ping times with Tor running

[Kris Linquist]

Bandwidth tests (dslreports/speedtest.net) show that I am getting at 
least the guaranteed rate - usually significantly more.  DOCSIS 3.0 cable.




Udo van den Heuvel wrote:

Also:

Does your line really give you 22 mbit/s?
How fast did that (ADSL?) modem really sync?
What protocols are on the line and what is their overhead?
   

Re: Ping times with Tor running

[Kris Linquist]

D'oh.  Thank you :)



Roger Dingledine wrote:

1000KB is 8 megabit. 2000KB is 16 megabit.
Tor counts in units of '1' rather than units of '1/8' :)

Whereas your cable provider counts in units that produce large
impressive-sounding numbers.

See also
https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#DoesBandwidthRateReallyWork

--Roger

   

Re: Ping times with Tor running

[Udo van den Heuvel]

On 2009-06-27 17:58, Roger Dingledine wrote:
>> While Tor is running, incoming and outgoing pings to the nearest hop 
>> goes from ~15ms to ~300+ms.  This is very obvious when browsing.
> 
> 1000KB is 8 megabit. 2000KB is 16 megabit.
> 
> Tor counts in units of '1' rather than units of '1/8' :)
> 
> Whereas your cable provider counts in units that produce large
> impressive-sounding numbers.
> 
> See also
> https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#DoesBandwidthRateReallyWork

Also:

Does your line really give you 22 mbit/s?
How fast did that (ADSL?) modem really sync?
What protocols are on the line and what is their overhead?

Re: Ping times with Tor running

[Roger Dingledine]

On Sat, Jun 27, 2009 at 08:47:01AM -0700, Kris Linquist wrote:
> The answer to this may be "yeah, duh.", just thought I'd ask :).   I've 
> got a residential cable connection where I am guaranteed 22mbit down, 
> 5mbit up.   My Tor relay BandwithRate is 1000 KB  bursting up to 2000 KB.
> 
> While Tor is running, incoming and outgoing pings to the nearest hop 
> goes from ~15ms to ~300+ms.  This is very obvious when browsing.

1000KB is 8 megabit. 2000KB is 16 megabit.

Tor counts in units of '1' rather than units of '1/8' :)

Whereas your cable provider counts in units that produce large
impressive-sounding numbers.

See also
https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#DoesBandwidthRateReallyWork

--Roger

Ping times with Tor running

[Kris Linquist]

All,

The answer to this may be "yeah, duh.", just thought I'd ask :).   I've 
got a residential cable connection where I am guaranteed 22mbit down, 
5mbit up.   My Tor relay BandwithRate is 1000 KB  bursting up to 2000 KB.


While Tor is running, incoming and outgoing pings to the nearest hop 
goes from ~15ms to ~300+ms.  This is very obvious when browsing.


Is this expected or do you think it's poor performance by either my ISP 
or cable modem at accepting many connections?


Thanks,
Kris

Re: many new relays

[Andrew Lewman]

On 06/25/2009 05:03 PM, Phil wrote:

> No discussion or comments on this?  What does it mean?

It means everyone is busy working on other things.  I encourage you to
do the analysis yourself.

-- 
Andrew Lewman
The Tor Project
pgp 0x31B0974B

Website: https://torproject.org/
Blog: https://blog.torproject.org/
Identica/Twitter: torproject

tor-ramdisk 20090627 released

[basile]

Hi everyone,

I want to announce to the list that tor-ramdisk 20090627 is out. 
Tor-ramdisk is an i686 uClibc-based micro Linux distribution whose only
purpose is to host a Tor server in an environment that maximizes
security (hardnened binaries and kernel) and privacy (no logging at any
level).  Everything runs in RAM so no information survives a reboot
except fot he Tor configuration file and RSA key which can be
imported/exported via FTP.

Change Log:
Tor was update to 0.2.0.35.  Busybox was updated to 1.14.1 and the
applet selection slimmed down, giving the system a more embedded feel
and reducing possible attack vectors.  The kernel was updated to
2.6.28.8 plus Gentoo's hardened-patches-2.6.28-10.extras.  The UI was
cleaned up by removing redundant features.

Homepage: http://opensource.dyc.edu/tor-ramdisk
Download: http://opensource.dyc.edu/tor-ramdisk-downloads

-- 

Anthony G. Basile, Ph.D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
USA

(716) 829-8197





signature.asc
Description: OpenPGP digital signature

Re: many new relays

[Ringo]

It would be interesting to see more stats about the effect of other
major media stories about Tor, Slashdot effect, etc. This whole Iran
thing is a great way for a number of adversaries to slip in undetected.

Ringo

Phil wrote:
> --- On Wed, 6/24/09,
> 
>> 150% jump, in such a short time. Not
>> sure
>> I'd welcome that so soon. I don't have a copy
>> of the old cache files from before the jump
>> began. But if someone does, consider putting
>> them up on a filehost or analyzing it a bit more.
>> This really should be looked at in more detail
>> before chalking it up to .ir or friendlies. And
>> how does this correspond to prior slashdot/digg
>> jumps.
>>
>> netblock/isp/hostname/whois/country
>> platform
>> nickname
>> policy
>> bandwidth
>> contacts
>> uptime
>> etc
>>
> 
> No discussion or comments on this?  What does it mean?
> 
> 
>   
> 

Re: Lynx leaks DNS

[Jim McClanahan]

Phil wrote:
> 
> I realize this needs a fix not a workaround, but if a workaround is enough 
> for now you could try running lynx via proxychains --> tor
> 
> Proxychains might grab all the DNS requests.

Thanks for your response.  Now that I know lynx doesn't leak DNS when
the protocol (e.g. http://) in included, using full URLs is enough of a
"workaround" for me.  (And a relief that I haven't been leaking all of
this time.)  For everybody's information, I think I learned more about
the leaks while I was playing with proxychains.  It *appears* that lynx
is using DNS to try variations on the supplied name to find one that
works.  (Maybe there is an option to stop this?)  So while I have a
solution for myself, I think people using lynx with tor ought to be
warned about this.

> You could also probably leave privoxy in the proxy chain or test it with and 
> without.
> 
> I haven't tried this with lynx, but proxychains does work with tor.

I have tried using proxychains to chain to privoxy.  Trying to chain
directly to Tor would require more fiddling and I haven't tried that.
Lynx couldn't get to the website *and* it DNS leaked.  Maybe I didn't
have it configured correctly?  (privoxy is listening on
192.168.1.27:8119)

The non-comment, non-blank lines of the configuration file were:

strict_chain
tcp_read_time_out 15000
tcp_connect_time_out 1  
[ProxyList]
http192.168.1.27 8119

I used the command:  proxychains lynx http://torcheck.xenobite.eu

With tcpdump I saw a DNS query, a TCP handshake with Privoxy, and then
proxychains terminated the connection.  The page request was not logged
in Privoxy's logfile.   proxychains reported:
"strict chain:192.168.1.27:8119..broken", and backgrounded and
stopped lynx.

# tcpdump -nni eth0 not tcp port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol
decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
23:20:08.950239 IP 192.168.2.102.42865 > 65.247.xx.xx.53: 28346+ A?
torcheck.xenobite.eu. (38)
23:20:08.952037 IP 65.247.xx.xx.53 > 192.168.2.102.42865: 28346 1/2/2 A
217.160.111.190 (137)
23:20:08.952807 IP 192.168.2.102.51357 > 192.168.1.27.8119: S
3021896822:3021896822(0) win 5840 
23:20:08.954018 IP 192.168.1.27.8119 > 192.168.2.102.51357: S
3677520579:3677520579(0) ack 3021896823 win 5792 
23:20:08.954052 IP 192.168.2.102.51357 > 192.168.1.27.8119: . ack 1 win
183 
23:20:08.954245 IP 192.168.2.102.51357 > 192.168.1.27.8119: F 1:1(0) ack
1 win 183 
23:20:08.955321 IP 192.168.1.27.8119 > 192.168.2.102.51357: P 1:54(53)
ack 2 win 1448 
23:20:08.955353 IP 192.168.2.102.51357 > 192.168.1.27.8119: R
3021896824:3021896824(0) win 0
23:20:08.955686 IP 192.168.1.27.8119 > 192.168.2.102.51357: F 54:54(0)
ack 2 win 1448 
23:20:08.955702 IP 192.168.2.102.51357 > 192.168.1.27.8119: R
3021896824:3021896824(0) win 0

Re: A Few Random Thoughts...

[Scott Bennett]

 On Fri, 26 Jun 2009 11:04:59 -0400 Michael 
wrote:
>Roger Dingledine wrote:
>> On Fri, Jun 26, 2009 at 08:16:00AM -0400, Michael wrote:
>>   
>>>What I *am* doing is deploying a couple of heavy iron closed relays 
>>> on OC3 or better bandwidth. The first is now deployed after a lot of up 
>>> and down testing, and I'll get to the second in due time.
>>> 
>>
>> Sounds great. Let us know if you have any questions or run into any
>> problems.
>>   
>
>Roger,
>
>Come to think of it I have a question about best practices. My first 
>Tor server is racked in the same datacenter as apparently two other Tor 
>servers, one is an exit. Should I name these as family in my config?

 Although Roger can certainly speak/write for himself, I'll jump into
this one, too.
>
>I'm thinking yes. But since I don't own the other servers I'm 
>hesitant. But at face value it might make sense to disallow building 
>circuits through them.

 If you don't have administrative control over the other relays, then no,
your node is not part of whatever family/families they may/may not be a part
of.  Keep in mind that most clients will not build circuits that include more
than a single node with an IP address in any given /16.  Some hosting services
may have more than that much IP address space, but in those cases, I really
doubt that you'll find much reason to worry except for the fact that they could
all be shut down at once.
 This points up an other issue that is indeed a potential security risk.
Those who manage tor nodes at hosting companies need to have ways to protect
the security of their nodes' log files and, most especially, their nodes'
secret keys.  Nodes at commercial hosting facilities need to keep *all* of
that kind of information in well encrypted file systems with no access to
anyone but the system administrator of the hosted system.


  Scott Bennett, Comm. ASMELG, CFIAG
**
* Internet:   bennett at cs.niu.edu  *
**
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."   *
*-- Gov. John Hancock, New York Journal, 28 January 1790 *
**
/16 spaces.