Re: Yahoo Mail and Tor
On Fri, 10 Jul 2009 00:15:18 -0600 Jim McClanahan jimmy...@copper.net wrote:
> Scott Bennett wrote:
>> On Thu, 9 Jul 2009 20:37:38 -0400 downie - downgeo...@hotmail.com wrote:
>>> Will Polipo be able to filter out .exit notation?
>>
>> Why would you want it to do that? The .exit notation has to be passed along to tor for it to work. If it were filtered out, then the user would see a connection failure of some kind.
>
> I believe you are correct that you don't want to filter it out at the privoxy level. But I don't think it would result in a connection failure, but rather that the exit node specification would not be honored (other than by accident).
>
> A long time ago I think there was a problem with the .exit... in the URL being passed along to the website in the GET (or other) requests, which sometimes caused problems. Somebody correct me if I am wrong, but I believe now something in the tor chain of software (client, relays, exit) filters that out.

I should think that such a bug would have had to have been inside tor, not privoxy, if it indeed existed. Consider the process of privoxy making a connection via a tor circuit to a destination IP address and then requesting a page. An unproxied browser will first resolve a name to an IP address and then connect to that IP address. When proxied through privoxy, privoxy passes the entire hostname.domainname.Nickname.exit to tor instead of an IP address when requesting an exit connection to the destination system. The exit node itself then does the name-to-address resolution and establishes the connection to the resulting IP address. Next, privoxy sends an HTTP GET request, which contains no hostname, domainname, Nickname.exit, nor IP address through the connection to the web server at the other end. The web server reads (or has cached) the page contents from the filesystem path given in the GET relative to the base of the server's directory tree (i.e., everything *starting* with the third slash in the URL and continuing to the end of the URL) and then sends the file contents back through the connection toward the requesting system. Of course, some parts of that path may actually be other kinds of arguments that will be processed by the web server; that fact has no bearing on the process described here.

Scott Bennett, Comm. ASMELG, CFIAG
Internet: bennett at cs.niu.edu
A well regulated and disciplined militia, is at all times a good objection to the introduction of that bane of all free governments -- a standing army.
-- Gov. John Hancock, New York Journal, 28 January 1790
Re: exit notation stripping
Quoth Scott Bennett benn...@cs.niu.edu, on 2009-07-10 01:44:22 -0500:
> Next, privoxy sends an HTTP GET request, which contains no hostname, domainname, Nickname.exit, nor IP address through the connection to the web server at the other end.

Someone's either been living in HTTP/0.9 days or hasn't been reading the specs. HTTP/1.1 requires a Host field because multiple domains may be hosted at one TCP endpoint, and that's exactly the problem: the full URI is (albeit in pieces) passed through the whole way at the application layer, and the exit notation is included in the URI.

A full example flow is:

- Browser sends GET http://example.net.example.exit/ to an HTTP proxy that is not aware of exit notation.
- The HTTP proxy connects to the Tor SOCKS proxy, requesting a connection to example.net.example.exit.
- Tor builds its circuit and makes the connection.
- The HTTP proxy passes through GET http://example.net.example.exit/ to the origin server.
- The origin server looks up whether it knows of any site to serve under example.net.example.exit, finds that it doesn't, and returns an error. Alternatively, it uses a default site, which may be the wrong one. Alternatively, it does whatever it usually does but now has mostly-definitive information that this user is using Tor and has requested a specific exit node.

This is why Privoxy includes a filter to strip the exit notation from the Host header when passing the request through, and why this filter should be enabled when using Privoxy for Tor purposes.

--- Drake Wilson
Tor-ramdisk MIPS 20090710 released
Hi everyone,

I want to announce to the list that tor-ramdisk MIPS 20090710 is out.

Tor-ramdisk is an i686 or MIPS uClibc-based micro Linux distribution whose only purpose is to host a Tor server in an environment that maximizes security (hardened binaries and kernel) and privacy (no logging at any level). Everything runs in RAM so no information survives a reboot except for the Tor configuration file and RSA key which can be imported/exported via FTP.

Change Log: This MIPS release implements the changes in the i686 release of 20090627. Tor was updated to 0.2.0.35. Busybox was updated to 1.14.1 and the kernel was updated to 2.6.28.10. It has been tested in the wild: node Mufasa is running the image on a Mikrotik rb433ah board.

Homepage: http://opensource.dyc.edu/tor-ramdisk
Download: http://opensource.dyc.edu/tor-mips-ramdisk-downloads

--
Anthony G. Basile, Ph.D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201 USA
(716) 829-8197
Re: Yahoo Mail and Tor
* on the Fri, Jul 10, 2009 at 01:44:22AM -0500, Scott Bennett wrote:
>> A long time ago I think there was a problem with the .exit... in the URL being passed along to the website in the GET (or other) requests, which sometimes caused problems. Somebody correct me if I am wrong, but I believe now something in the tor chain of software (client, relays, exit) filters that out.
>
> I should think that such a bug would have had to have been inside tor, not privoxy, if it indeed existed. Consider the process of privoxy making a connection via a tor circuit to a destination IP address and then requesting a page. An unproxied browser will first resolve a name to an IP address and then connect to that IP address. When proxied through privoxy, privoxy passes the entire hostname.domainname.Nickname.exit to tor instead of an IP address when requesting an exit connection to the destination system. The exit node itself then does the name-to-address resolution and establishes the connection to the resulting IP address. Next, privoxy sends an HTTP GET request, which contains no hostname, domainname, Nickname.exit, nor IP address through the connection to the web server at the other end. The web server reads (or has cached) the page contents from the filesystem path given in the GET relative to the base of the server's directory tree (i.e., everything *starting* with the third slash in the URL and continuing to the end of the URL) and then sends the file contents back through the connection toward the requesting system. Of course, some parts of that path may actually be other kinds of arguments that will be processed by the web server; that fact has no bearing on the process described here.

That doesn't sound completely accurate to me. Specifically the sentence

> Next, privoxy sends an HTTP GET request, which contains no hostname, domainname, Nickname.exit, nor IP address through the connection to the web server at the other end.

If I'm proxying through Tor and I type this into my browser:

    www.google.com.example.exit

My browser asks the proxy for a connection to www.google.com.example.exit

Once my browser receives the connection, it then sends this down it:

    GET / HTTP/1.1\r\n
    Host: www.google.com.example.exit\r\n
    \r\n

The problem is that some web servers have multiple websites on the same IP and they decide which website to serve by looking at the HTTP Host header.

So you need privoxy/polipo to strip the example.exit from the HTTP Host header before forwarding on the actual HTTP request, so it sends this instead:

    GET / HTTP/1.1\r\n
    Host: www.google.com\r\n
    \r\n

--
Erilenz
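The Host-header stripping that Drake Wilson and Erilenz describe above, as an added Python example; it is not part of the original thread and is not Privoxy's or Polipo's own filter. It assumes exit notation has the form `<host>.<relay>.exit`, with the relay given as a nickname or a 40-hex-digit fingerprint, and the function names and sample request are constructed for illustration.

```python
import re

# Assumption: exit notation is "<host>.<relay>.exit", where <relay> is a relay
# nickname (1-19 alphanumerics) or a 40-hex-digit fingerprint.
EXIT_SUFFIX = re.compile(r"\.(?:[0-9a-f]{40}|[a-z0-9]{1,19})\.exit$", re.I)

# Constructed sample: what a browser sends to an HTTP proxy for the URL
# http://www.google.com.example.exit/ ("example" is a made-up relay nickname).
SAMPLE = (b"GET http://www.google.com.example.exit/ HTTP/1.1\r\n"
          b"Host: www.google.com.example.exit\r\n"
          b"User-Agent: demo\r\n\r\n")


def strip_exit(hostport: str) -> str:
    """Remove a trailing .<relay>.exit from host[:port]; keep the port."""
    if hostport.startswith("["):        # IPv6 literal: left alone here
        return hostport
    host, sep, port = hostport.partition(":")
    # A bare "<relay>.exit" has no dot before the relay label, so the
    # pattern does not match and the value is returned unchanged.
    return EXIT_SUFFIX.sub("", host) + sep + port


def rewrite_request(raw: bytes) -> bytes:
    """Strip exit notation from the request target and the Host header only."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    m = re.match(r"(?i)(https?://)([^/?#]+)(.*)", target)
    if m:   # absolute-form target, as sent to a proxy
        target = m.group(1) + strip_exit(m.group(2)) + m.group(3)
    lines[0] = f"{method} {target} {version}"
    for i in range(1, len(lines)):
        name, colon, value = lines[i].partition(":")
        if colon and name.strip().lower() == "host":
            lines[i] = f"{name}: {strip_exit(value.strip())}"
    # The body is passed through untouched, even if it contains ".exit" names.
    return "\r\n".join(lines).encode("iso-8859-1") + sep + body


if __name__ == "__main__":
    print(rewrite_request(SAMPLE).decode("iso-8859-1"))
```

Only the bytes forwarded to the origin server are rewritten; the name handed to Tor's SOCKS port must keep its `.exit` suffix, since that is what selects the exit.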
.exit handling (was Yahoo Mail and Tor)
> Date: Fri, 10 Jul 2009 11:15:25 -0400
> From: eril...@gmail.com
> To: or-talk@freehaven.net
> Subject: Re: Yahoo Mail and Tor
>
> If I'm proxying through Tor and I type this into my browser:
>
>     www.google.com.example.exit
>
> My browser asks the proxy for a connection to www.google.com.example.exit
>
> Once my browser receives the connection, it then sends this down it:
>
>     GET / HTTP/1.1\r\n
>     Host: www.google.com.example.exit\r\n
>     \r\n
>
> The problem is that some web servers have multiple websites on the same IP and they decide which website to serve by looking at the HTTP Host header.
>
> So you need privoxy/polipo to strip the example.exit from the HTTP Host header before forwarding on the actual HTTP request, so it sends this instead:
>
>     GET / HTTP/1.1\r\n
>     Host: www.google.com\r\n
>     \r\n
>
> --
> Erilenz

So far so good. A possible problem then arises when the served page contains absolute URLs for resources, links etc which no longer use the .exit notation, and so could be fetched from a different exit. How often that would happen is open to question. Another Privoxy rule could be written to rewrite those page URLs I guess, but how would you pass the name of the required exit to the rule?

GD
Bad Exit Node
Hello everyone,

I've set up a tor exit node in Russia yesterday and today it's flagged as Bad Exit.

Router Name: Romulus
Fingerprint: FF7D 3F88 EEB8 C7E1 0D04 005B 45D7 FD24 E572 93E9
Contact: Robert Marquardt email AT robert minus marquardt dot com
IP Address: 92.241.164.157
Hostname: tor-proxy-readme.robert-marquardt.com

Any advice?

Thanks
Robert
Re: Bad Exit Node
On 07/10/2009 07:36 PM, Robert Marquardt wrote:
> I've set up a tor exit node in Russia yesterday and today it's flagged as Bad Exit.
>
> Router Name: Romulus
> Fingerprint: FF7D 3F88 EEB8 C7E1 0D04 005B 45D7 FD24 E572 93E9
> Contact: Robert Marquardt email AT robert minus marquardt dot com
> IP Address: 92.241.164.157
> Hostname: tor-proxy-readme.robert-marquardt.com

Why do you think it's flagged as Bad Exit? This is what the current network status says about your node:

    r Romulus /30/iO64x+ENBABbRdf9JOVyk+k wcVamAnXtevgQeBzsOZ5TuX0YAc 2009-07-10 15:48:21 92.241.164.157 9001 9030
    s Exit Fast Running V2Dir Valid
    v Tor 0.2.0.35
    w Bandwidth=50
    p reject 25,119,135-139,445,465,587,1214,4661-4666,6346-6429,6699,6881-6999

Where did you see that your node has the BadExit flag?

--Karsten
Re: Bad Exit Node
In the directory entries: http://torstatus.blutmagie.de/router_detail.php?FP=ff7d3f88eeb8c7e10d04005b45d7fd24e57293e9

Robert

On Jul 10, 2009, at 7:50 PM, Karsten Loesing wrote:
> On 07/10/2009 07:36 PM, Robert Marquardt wrote:
>> I've set up a tor exit node in Russia yesterday and today it's flagged as Bad Exit.
>>
>> Router Name: Romulus
>> Fingerprint: FF7D 3F88 EEB8 C7E1 0D04 005B 45D7 FD24 E572 93E9
>> Contact: Robert Marquardt email AT robert minus marquardt dot com
>> IP Address: 92.241.164.157
>> Hostname: tor-proxy-readme.robert-marquardt.com
>
> Why do you think it's flagged as Bad Exit? This is what the current network status says about your node:
>
>     r Romulus /30/iO64x+ENBABbRdf9JOVyk+k wcVamAnXtevgQeBzsOZ5TuX0YAc 2009-07-10 15:48:21 92.241.164.157 9001 9030
>     s Exit Fast Running V2Dir Valid
>     v Tor 0.2.0.35
>     w Bandwidth=50
>     p reject 25,119,135-139,445,465,587,1214,4661-4666,6346-6429,6699,6881-6999
>
> Where did you see that your node has the BadExit flag?
>
> --Karsten
Re: Bad Exit Node
On 07/10/2009 07:56 PM, Robert Marquardt wrote:
> In the directory entries: http://torstatus.blutmagie.de/router_detail.php?FP=ff7d3f88eeb8c7e10d04005b45d7fd24e57293e9

That page says that your node does not have the BadExit flag. All flags are listed, but your node only has those with a green check mark. Your node didn't have the BadExit flag the whole day.

HTH,
--Karsten
Re: many new relays
Any news on this thread? Is there any reason to believe the network is under attack or not?
Re: .exit handling (was Yahoo Mail and Tor)
downie - wrote:
>> Date: Fri, 10 Jul 2009 11:15:25 -0400
>> From: eril...@gmail.com
>> To: or-talk@freehaven.net
>> Subject: Re: Yahoo Mail and Tor
>>
>> If I'm proxying through Tor and I type this into my browser:
>>
>>     www.google.com.example.exit
>>
>> My browser asks the proxy for a connection to www.google.com.example.exit
>>
>> Once my browser receives the connection, it then sends this down it:
>>
>>     GET / HTTP/1.1\r\n
>>     Host: www.google.com.example.exit\r\n
>>     \r\n
>>
>> The problem is that some web servers have multiple websites on the same IP and they decide which website to serve by looking at the HTTP Host header.
>>
>> So you need privoxy/polipo to strip the example.exit from the HTTP Host header before forwarding on the actual HTTP request, so it sends this instead:
>>
>>     GET / HTTP/1.1\r\n
>>     Host: www.google.com\r\n
>>     \r\n
>>
>> --
>> Erilenz
>
> So far so good. A possible problem then arises when the served page contains absolute URLs for resources, links etc which no longer use the .exit notation, and so could be fetched from a different exit. How often that would happen is open to question. Another Privoxy rule could be written to rewrite those page URLs I guess, but how would you pass the name of the required exit to the rule?

Should the tor exit be removing the .exit notation from the header instead of privoxy? Or perhaps the tor client, which selects the route? (I mistakenly thought one of those did it now. It has been a long time since I've used .exit ...)
Re: Yahoo Mail and Tor
Andrew Lewman wrote:
> A) The Privoxies after 3.06 have a local web control interface which we believe is a security risk. We think that remote websites can probably reconfigure your privoxy via that interface, maybe even without your noticing. If newer versions have the ability to disable this interface, we can consider testing and subsequently including those with our packages.

Can you provide a link to what you are talking about? I just searched on the terms/phrase web control interface with privoxy and only had a few matches, none of which seemed relevant. I also checked privoxy's online manual ( http://www.privoxy.org/user-manual/index.html , v 1.60 2009/03/21 12:58:53) and I didn't see anything about changing configuration that had substantively changed since I started using privoxy 3+ years ago.

At *least* since that time there has been the ability to edit action files via browser (web interface) if allowed in the configuration file. The configuration file itself had to be manually edited, and, at least in *nix, the config file could be owned by root and set to be not writeable by privoxy (assuming privoxy was running w/o privilege).

You could also toggle enable/disable through privoxy's web interface if allowed in the config file. It should be noted that disabling merely turns off the application of the rules -- it does *not* affect packet routing. So if something was sent via Tor with privoxy enabled, it is still sent through Tor with privoxy disabled. I have specifically verified that using http://torcheck.xenobite.eu .

So could you point me to what has changed since 3.0.6 that causes security concerns? Thanks.

P.S. Oops, I just noticed others have requested a link. Did not mean to repeat. I believe the rest of what I said is relevant.
problem with connecting to a hidden service
Hello All

I have a web server which I run as hidden service. The configuration file is the default configuration supplied with the Tor source code with appropriate changes to specify the hidden service directory and service IP etc. I observe only intermittent successful connections to the service. I to monitor the log messages of the Tor client. This is what I see on unsuccessful connection attempts

    Jul 11 04:37:56.513 [notice] Tried for 120 seconds to get a connection to [scrubbed]:80. Giving up. (waiting for rendezvous desc)
    Jul 11 04:44:02.957 [notice] Tried for 120 seconds to get a connection to [scrubbed]:80. Giving up. (waiting for rendezvous desc)

The web client (wget) used to connect to the server fails with 503 Forwarding Failure.

What could possibly be the problem?

Thanks
Sambuddho
Hidden services
I don't seem to be able to access any .onion addresses at the moment. Can someone point me to a known working one?

Thanks,
GD
Re: many new relays
On 07/10/2009 05:54 PM, Phil wrote:
> Any news on this thread? Is there any reason to believe the network is under attack or not?

We have no reason to believe the Tor network is under attack. The simplest explanation is that all of the efforts to promote Tor in Iran are resulting in a burst of new relays. In the past, we'd consistently see bursts of new relays after major press articles; such as stories on Slashdot.

The full directory archives will soon be available for all to do your own analysis of the recent growth in the Tor network.

--
Andrew Lewman
The Tor Project
pgp 0x31B0974B
Website: https://torproject.org/
Blog: https://blog.torproject.org/
Identica/Twitter: torproject
Re: problem with connecting to a hidden service
On 07/10/2009 09:51 PM, Sambuddho Chakravarty wrote:
> Hello All
> I have a web server which I run as hidden service.

Which version of Tor are both ends running? Try updating them to 0.2.1.17-rc.

--
Andrew Lewman
The Tor Project
pgp 0x31B0974B
Website: https://torproject.org/
Blog: https://blog.torproject.org/
Identica/Twitter: torproject
Re: Hidden services
Hidden wiki is up right now: kpvz7ki2v5agwt35.onion

Ringo

downie - wrote:
> I don't seem to be able to access any .onion addresses at the moment. Can someone point me to a known working one?
>
> Thanks,
> GD