Re: HTTPS Everywhere Firefox addon
Op Vr, 28 mei, 2010 04:34, schreef Mike Perry: Peter Eckersley of the EFF and I wrote this addon this past week to make it easier to use Google's SSL search feature, among other mixed-mode SSL sites: https://www.eff.org/https-everywhere/ This is very awesome. I was actually attempting to achieve such a thing using Squid rules oslt, but this is way easier. Might I suggest the addition of both Ixquick and Scroogle to the supported sites? https://ixquick.com/ https://ssl.scroogle.org/ Thanks for this great add-on, it works great so far. -- Ewald Tienkamp ew...@tienkamp.nl http://ewald.tienkamp.info http://ewald.tienkamp.nl *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: HTTPS Everywhere Firefox addon
On Thu, May 27, 2010 at 07:34:01PM -0700, mikepe...@fscked.org wrote 1.7K bytes in 51 lines about: : The eventual idea is to allow an Adblock Plus style model, where users : can submit and exchange rule files and eventually create subscriptions : for the sites they use that partially support SSL. Perhaps this is a dumb question, why not try the https:// version of every http site the user requests? If it works, reload to the https url. -- Andrew Lewman The Tor Project pgp 0x31B0974B Website: https://www.torproject.org/ Blog: https://blog.torproject.org/ Identi.ca: torproject *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: HTTPS Everywhere Firefox addon
On Fri, May 28, 2010 at 4:34 AM, Mike Perry mikepe...@fscked.org wrote: The eventual idea is to allow an Adblock Plus style model, where users can submit and exchange rule files and eventually create subscriptions for the sites they use that partially support SSL. Have you seen https://crypto.stanford.edu/forcehttps/ ? (I haven't read the paper and I don't know much about it, but it might be worth a look). -- Runa A. Sandvik *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: HTTPS Everywhere Firefox addon
On Fri, May 28, 2010 at 3:09 PM, Stephen Carpenter thec...@gmail.com wrote: On Fri, May 28, 2010 at 7:47 AM, and...@torproject.org wrote: On Thu, May 27, 2010 at 07:34:01PM -0700, mikepe...@fscked.org wrote 1.7K bytes in 51 lines about: : The eventual idea is to allow an Adblock Plus style model, where users : can submit and exchange rule files and eventually create subscriptions : for the sites they use that partially support SSL. Perhaps this is a dumb question, why not try the https:// version of every http site the user requests? If it works, reload to the https url. That sounds great about 90% of the time. However, think of someone who is troubleshooting something or is dealing with a site that has https and http content that are not the same, but may share the same URLs (or URLs that at least don't error). Doing it by site according to rules makes a lot of sense, that way I just can leave out rules for any special sites, or sites that I might personally be working on and need to be able to use both ways (testing to be sure it works for the masses) -Steve There may be an option to force https for each site requested.Or there may be an add site feature. *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: HTTPS Everywhere Firefox addon
On 28.05.2010 06:22, Erik de Castro Lopo wrote: DuckDuckGo and Startpage.com are two alternative (specifically to google) search engines which promise not to record your IP address : My favorite since many years is: https://ssl.scroogle.org/ (over Tor) *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: HTTPS Everywhere Firefox addon
On Fri, May 28, 2010 at 08:09:22AM -0400, Stephen Carpenter wrote: On Fri, May 28, 2010 at 7:47 AM, and...@torproject.org wrote: On Thu, May 27, 2010 at 07:34:01PM -0700, mikepe...@fscked.org wrote 1.7K bytes in 51 lines about: : The eventual idea is to allow an Adblock Plus style model, where users : can submit and exchange rule files and eventually create subscriptions : for the sites they use that partially support SSL. Perhaps this is a dumb question, why not try the https:// version of every http site the user requests? If it works, reload to the https url. That sounds great about 90% of the time. However, think of someone who is troubleshooting something or is dealing with a site that has https and http content that are not the same, but may share the same URLs (or URLs that at least don't error). Doing it by site according to rules makes a lot of sense, that way I just can leave out rules for any special sites, or sites that I might personally be working on and need to be able to use both ways (testing to be sure it works for the masses) But you could set this as a default for most people most of the time with an option to disable it and use site-specific rules for those who need that. -Paul *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: HTTPS Everywhere Firefox addon
On Fri, 28 May 2010 15:19:25 +0300 What you get is Not what you see wygin...@gmail.com wrote: On Fri, May 28, 2010 at 3:09 PM, Stephen Carpenter thec...@gmail.com wrot= e: On Fri, May 28, 2010 at 7:47 AM, =A0and...@torproject.org wrote: On Thu, May 27, 2010 at 07:34:01PM -0700, mikepe...@fscked.org wrote 1.7= K bytes in 51 lines about: : The eventual idea is to allow an Adblock Plus style model, where users : can submit and exchange rule files and eventually create subscriptions : for the sites they use that partially support SSL. Perhaps this is a dumb question, why not try the https:// version of every http site the user requests? =A0If it works, reload to the https url. That sounds great about 90% of the time. However, think of someone who is troubleshooting something or is dealing with a site that has https and http content that are not the same, but may share the same URLs (or URLs that at least don't error). Doing it by site according to rules makes a lot of sense, that way I just can leave out rules for any special sites, or sites that I might personally be working on and need to be able to use both ways (testing to be sure it works for the masses) -Steve There may be an option to force https for each site requested.Or there may be an add site feature. What seems to be missing from this discussion is the fact that NoScript already supports forcing HTTPS on a site-by-site or pattern basis. You should be using NoScript already if you use Firefox, so just tell it what to do. Scott Bennett, Comm. ASMELG, CFIAG ** * Internet: bennett at cs.niu.edu * ** * A well regulated and disciplined militia, is at all times a good * * objection to the introduction of that bane of all free governments * * -- a standing army. * *-- Gov. John Hancock, New York Journal, 28 January 1790 * ** *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Re: Re: Bridges and China (new thread)
Bad news,i can't connect tor now.I get a http proxy and it can be used at IE.But my tor can't use it, this is the log: 28 23:33:19.187 [Notice] Tor v0.2.1.26. This is experimental software. Do not rely on it for strong anonymity. (Running on Windows XP Service Pack 3 [workstation] {terminal services, single user}) 28 23:33:19.296 [Notice] Initialized libevent version 1.4.12-stable using method win32. Good. 28 23:33:19.296 [Notice] Opening Socks listener on 127.0.0.1:9050 28 23:33:19.296 [Notice] Opening Control listener on 127.0.0.1:9051 28 23:33:19.296 [Notice] Parsing GEOIP file. How can i fix it? 2010/5/28 frank for.tor.bri...@gmail.com thanks a lot for your kind help, andrew. sincerely, frank 2010-05-28 - sender: andrew sending date: 2010-05-27 19:35:14 receiver: or-talk cc: subject: Re: Re: Bridges and China (new thread) On Thu, May 27, 2010 at 12:36:51PM +0800, for.tor.bri...@gmail.com wrote 2.1K bytes in 57 lines about: : why not put the tor directory server in https mode too? Your client makes a 1-hop tunnel to the directory server if it needs to get the consensus file. You can read all about how Tor works by reading the spec files at https://gitweb.torproject.org/tor.git/tree/HEAD:/doc/spec -- Andrew Lewman The Tor Project pgp 0x31B0974B Website: https://www.torproject.org/ Blog: https://blog.torproject.org/ Identi.ca: torproject *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/ *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/ -- Dare
Re: Bridges and China (new thread)
Hi, after reading the new developments concerning the chinese GFW, I wonder what technically interested people or even people with server capabilities could do, to help fight censorship (besides running a TOR relay/node/exit/hidden service or some webproxy). Are there other services/systems someone could install/run to help people in China, Iran ... (or maybe even actively fight censorship) ? Niklas *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Tor Exit Node hosting: torservers.net
Hi Andrew, My advice is that if you are trying to attract non-technical people to donate money in order to create more relays, your index page needs to be far less technical. Yes, you're right. I'm not exactly the best person to do this (not a native speaker), but I've revised the index page to make it more clear (and moved the old index page to an intro page). I could use some graphics or a video, but the only non-techy video explaining onion routing I found is a clip from the US series Numb3rs and not exactly the most concise: http://www.youtube.com/watch?v=XIDxDMwwlsw :-] At the moment we're discussing possibly free hidden services/eepsite hosting on the torservers mailinglist. Also, explain how creating more tor/i2p nodes helps the normal person. Or, who it actually helps. And I suggest having two simple thermometers; total funds raised and number of nodes possible per year. A themometer definitely needs to be there. I'm thinking about a model like 1TB per Euro and a slider so users can set their own level of participation. Customizations like an own node name, contact information and DNS name cost extra. Progress is somewhat slow because I only can work on it in my spare time. Thanks for your feedback and your approval! :-) -- Moritz Bartl GPG 0xED2E9B44 http://www.torservers.net/ *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Tor Browser Bundle question
I have been using the Tor Browser Bundle on a usb pen drive on Windows. Will any traces of my data be saved on the host computer or on the pen drive?
Re: HTTPS Everywhere Firefox addon
and...@torproject.org writes: On Thu, May 27, 2010 at 07:34:01PM -0700, mikepe...@fscked.org wrote 1.7K bytes in 51 lines about: : The eventual idea is to allow an Adblock Plus style model, where users : can submit and exchange rule files and eventually create subscriptions : for the sites they use that partially support SSL. Perhaps this is a dumb question, why not try the https:// version of every http site the user requests? If it works, reload to the https url. Three examples of sites that are broken by this are Google, Facebook, and LibraryThing, simply because they violate the assumption that the HTTPS and HTTP sites are sufficiently identical to be used interchangeably. We think there are several others out there like this. In fact there are many potential concerns about sites that expose only a _portion_ of their resources in HTTPS, or that provide different things in the HTTPS and HTTP versions. This basically goes to the question of what if it works means. Peter points out that many virtual hosters don't yet support SNI, which means that name-based virtual hosts that are distinct in HTTP won't appear distinct in HTTPS (and users who access those hosts via HTTPS will get a single default site in place of several distinct sites). In that case the content will be extremely different, and wrong, but the site will still return an HTTP 200 OK. The presence of a regular expression-based rewrite rule in HTTPS Everywhere basically connotes that a human being checked out the site a bit and believes that the particular resources covered by the rule are safe to rewrite this way, without breaking other things. -- Seth Schoen Senior Staff Technologist sch...@eff.org Electronic Frontier Foundationhttp://www.eff.org/ 454 Shotwell Street, San Francisco, CA 94110 +1 415 436 9333 x107 *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: HTTPS Everywhere Firefox addon
Scott Bennett writes: What seems to be missing from this discussion is the fact that NoScript already supports forcing HTTPS on a site-by-site or pattern basis. You should be using NoScript already if you use Firefox, so just tell it what to do. There's one piece of additional functionality that was added in HTTPS Everywhere that can be important for these sites. Although NoScript lets you use regular expressions to choose which URLs within a site get converted to HTTPS, NoScript doesn't let you rewrite _the URL itself_, which HTTPS Everywhere does (also using regular expression substitutions). For example, the current alpha version of HTTPS Everywhere correctly handles Wikipedia rewrites like http://en.wikipedia.org/wiki/Security -- https://secure.wikimedia.org/wikipedia/en/wiki/Security http://de.wikipedia.org/wiki/Sicherheit -- https://secure.wikimedia.org/wikipedia/de/wiki/Sicherheit http://pt.wikipedia.org/wiki/Segurança -- https://secure.wikimedia.org/wikipedia/pt/wiki/Segurança It's certainly annoying that Wikimedia doesn't let you use HTTPS directly this way, but given the status quo, HTTPS Everywhere can address this. -- Seth Schoen Senior Staff Technologist sch...@eff.org Electronic Frontier Foundationhttp://www.eff.org/ 454 Shotwell Street, San Francisco, CA 94110 +1 415 436 9333 x107 *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Tor Browser Bundle question
On Fri, 28 May 2010 12:22:00 -0700 a. smith cinephile...@gmail.com wrote: I have been using the Tor Browser Bundle on a usb pen drive on Windows. Will any traces of my data be saved on the host computer or on the pen drive? Yes and yes. The host computer traces are documented at https://svn.torproject.org/svn/torbrowser/trunk/docs/traces.txt And the pen drive will have whatever history, bookmarks, and cookies you told firefox to save. -- Andrew Lewman The Tor Project pgp 0x31B0974B Website: https://www.torproject.org/ Blog: https://blog.torproject.org/ Identi.ca: torproject *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: HTTPS Everywhere Firefox addon
Thus spake Runa A. Sandvik (runa.sand...@gmail.com): On Fri, May 28, 2010 at 4:34 AM, Mike Perry mikepe...@fscked.org wrote: The eventual idea is to allow an Adblock Plus style model, where users can submit and exchange rule files and eventually create subscriptions for the sites they use that partially support SSL. Have you seen https://crypto.stanford.edu/forcehttps/ ? (I haven't read the paper and I don't know much about it, but it might be worth a look). Yeah, this addon doesn't have a UI. It was a research implementation of the server-specified STS protocol (and the original source of this idea), which allows servers to specify the browser use HTTPS for certain paths. Our code is based on the NoScript implementation of STS, which was also amenable to creating rules. https://secure.wikimedia.org/wikipedia/en/wiki/Strict_Transport_Security -- Mike Perry Mad Computer Scientist fscked.org evil labs pgpfz79S73d4f.pgp Description: PGP signature
Re: HTTPS Everywhere Firefox addon
Thus spake Erik de Castro Lopo (mle+to...@mega-nerd.com): Mike Perry wrote: In the meantime, we'll gladly accept submissions as xml files for inclusion in the extension itself. DuckDuckGo and Startpage.com are two alternative (specifically to google) search engines which promise not to record your IP address : ruleset name=DuckDuckGo rule from=^http://duckduckgo.com/; to=https://duckduckgo.com/ /ruleset ruleset name=Startpage rule from=^http://startpage.com/; to=https://startpage.com/ /ruleset Added. I hope these have been tested ;) -- Mike Perry Mad Computer Scientist fscked.org evil labs pgpR1gKNHSLr2.pgp Description: PGP signature
Re: HTTPS Everywhere Firefox addon
On Fri, 28 May 2010 12:55:19 -0700 Seth David Schoen sch...@eff.org wrote: Scott Bennett writes: What seems to be missing from this discussion is the fact that NoScript already supports forcing HTTPS on a site-by-site or pattern basis. You should be using NoScript already if you use Firefox, so just tell it what to do. There's one piece of additional functionality that was added in HTTPS Everywhere that can be important for these sites. Although NoScript lets you use regular expressions to choose which URLs within a site get converted to HTTPS, NoScript doesn't let you rewrite _the URL itself_, which HTTPS Everywhere does (also using regular expression substitutions). For example, the current alpha version of HTTPS Everywhere correctly handles Wikipedia rewrites like http://en.wikipedia.org/wiki/Security -- https://secure.wikimedia.org/wikipedia/en/wiki/Security http://de.wikipedia.org/wiki/Sicherheit -- https://secure.wikimedia.org/wikipedia/de/wiki/Sicherheit http://pt.wikipedia.org/wiki/Segurança -- https://secure.wikimedia.org/wikipedia/pt/wiki/Segurança That is a nice feature! Two questions now occur to me. Will this add-on become available from the Mozilla web site? And are there any interaction problems between HTTPS Everywhere and NoScript? Scott Bennett, Comm. ASMELG, CFIAG ** * Internet: bennett at cs.niu.edu * ** * A well regulated and disciplined militia, is at all times a good * * objection to the introduction of that bane of all free governments * * -- a standing army. * *-- Gov. John Hancock, New York Journal, 28 January 1790 * ** *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/