[Geoff Down] [Polipo-users] Polipo crash (Vidalia Bundle) on OSX10.3.9

2011-02-10 Thread Juliusz Chroboczek
---BeginMessage---
Hello,
the Polipo in
https://www.torproject.org/dist/vidalia-bundles/vidalia-bundle-0.2.2.22-alpha-0.2.10-ppc.dmg
crashes on startup as follows:
dyld: /Applications/Vidalia.app.new/Contents/MacOS/polipo Undefined
symbols:
/Applications/Vidalia.app.new/Contents/MacOS/polipo undefined reference
to ___stderrp expected to be defined in /usr/lib/libSystem.B.dylib
/Applications/Vidalia.app.new/Contents/MacOS/polipo undefined reference
to ___stdoutp expected to be defined in /usr/lib/libSystem.B.dylib
Trace/BPT trap

 (This is a similar error message to that with which the Vidalia in that
 bundle crashes, even when Polipo is already running (an older version)
 and so Vidalia doesn't need to start it...)

Regards,
Geoff Down
PS I haven't joined the list, so please cc me in any reply.
***
To unsubscribe, send an e-mail to majord...@torproject.org with
unsubscribe or-talk in the body. http://archives.seul.org/or/talk/
---End Message---


Re: Polipo bug reporting

2011-01-30 Thread Juliusz Chroboczek
 ( I saw http://archives.seul.org/or/talk/Jan-2011/msg00161.html but it
 doesn't specify where the new bugtracker is).

 We do not know of any new bug tracker for Polipo.  If you have a bug
 report for Polipo itself, report it to the polipo-users mailing list
 (see https://lists.sourceforge.net/lists/listinfo/polipo-users).

Please note that Polipo is very short on manpower -- there's only me
working on it in my copious free time, and it's my nth project, for some
large value of n.  As Robert mentioned, you're welcome to report your
bug on the Polipo mailing list, but please don't expect a timely fix.

--Juliusz


[Polipo-users] Polipo moved back to PPS

2011-01-12 Thread Juliusz Chroboczek
---BeginMessage---
Dear all,

I've just moved the Polipo repository back to PPS.  In order to get the
upstream Polipo sources, you now need to do

  git clone git://git.wifi.pps.jussieu.fr/polipo

My branch is called ``master''; Chris's old branch is called
``polipo-chrisd'', and his last tree is tagged ``polipo-chrisd-20100330''.
Note that master has moved around; unless you fully understand what that
implies, I suggest you just clone yourself a new copy.

I'll be cherry picking the more reasonable of Chris's changes over the
next days, at which point I'll start working on getting 1.0.5 out the
door.  If you have any useful patches that fell into the cracks, next
week should be a good time to rebase them and send them again.

Tor folks -- would you be so kind as to remove the Polipo repository
from git.torproject.org, remove the Polipo project from Tor's bug
tracker, and make any mentions of Polipo in the tor wiki point at the
new location?

Thanks to all for your patience,

Juliusz


Polipo-users mailing list
polipo-us...@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/polipo-users
---End Message---


Re: polipo

2010-08-23 Thread Juliusz Chroboczek
 For the most part, anything involving HTTPS, needs to be taken care of in
 the browser itself.

My personal opinion (and I'm the author of Polipo) is that all content
munging should be done in the browser -- munging in the proxy is
a broken design.  Unfortunately, the browser vendors care more about
functionality than privacy.

 Properly-configured extensions help a lot here.

I'd rather see privacy features in the browser core, not slapped-on as
extensions.

Juliusz


Re: polipo

2010-08-20 Thread Juliusz Chroboczek
Trystero Lot lo...@callout.me writes:

 it seems the censoredHeaders not working for me.

It works for me.

 have anyone tried to use this and add useragent?

It's user-agent, not useragent.

  censoredHeaders = user-agent

Juliusz




Re: Polipo question

2010-05-08 Thread Juliusz Chroboczek
  does anyone know if there is a config file option to turn off all
  caching in Polipo?

If you look at the Polipo manual, there's an index.  If you look at the
index, there's an entry for uncachable.  If you follow the entry,
you'll find the config variable uncachableFile.

--jch


Re: Tor WIN in germany :)

2009-11-07 Thread Juliusz Chroboczek
 And here is the german press release:

 http://klangbuero.net/2009/10/29/freispruch-fur-tor/

Please publish an English translation, so it gets Googlified.

Juliusz


Re: TOR and HADOPI

2009-06-01 Thread Juliusz Chroboczek
 While HADOPI mandates massive surveillance of Internet users, the total
 budget voted for enforcing it is a mere 6.7 M€ per annum, which implies
 that enforcement will be entirely from the ISPs' pockets.  I'm sure
 they'll love it.

 The ISPs' pockets?  I'd guess they'll all quickly raise their rates an
 amount generous enough to cover those additional costs. Heh. only
 people pay taxes and fees. :-)

Fortunately, the ISP market in France has been fairly healthy since
Proxad/Free.fr successfully challenged France Telecom's monopoly.  There
are at least 5 major players competing in the mass market on razor-thin
margins, plus a number of higher-priced professional offers, plus at
least one non-profit organisation that manages to actually provide ADSL
to peoples' homes (fdn.fr).

I really don't see how an ISP could significantly increase the costs
without losing a significant part of the French market share.

Juliusz



Re: SoC Project: Improving Hidden Service Security and Usability

2009-06-01 Thread Juliusz Chroboczek
 Specifically, I will be creating a how-to guide for securing standard
 LAMP servers as well as a script that will help Linux users set them up.
 I have a few ideas for locking down apache, php, etc. but I would
 appreciate any other ideas admins of hidden services have as well as
 suggestions on how to implement them.

 Interesting. I've always been conflicted about whether it's possible to
 distill enough how-to advice that novices can actually safely set up a
 complex (i.e. more than just static html) website.

Not to get into a « my Emacs is better than your vi » discussion, but
I've had excellent experiences with Lighttpd.  I've also found the code
to be much cleaner than that of thttpd.

Whatever the web server, PHP is a security disaster, and I wouldn't
dream of putting it on a hidden service.

Juliusz

P.S. « PHP is a minor evil perpetrated and created by incompetent amateurs,
   whereas Perl is a great and insidious evil, perpetrated by skilled
   but perverted professionals. » — Jon Ribbens




Re: GSoC Introduction! (TorButton)

2009-06-01 Thread Juliusz Chroboczek
 I will also point out functionality Privoxy has as an option.  When you
 come from another site, it spoofs the referrer as the root of the site
 being visited as indicated above.  But as you move around within a site
 it reports the referrer accurately.  Some sites require this for proper
 functioning.

Just for the record, this feature first appeared in Polipo:

http://archives.seul.org/or/talk/Aug-2006/msg00191.html

Juliusz


Re: TOR and HADOPI

2009-05-28 Thread Juliusz Chroboczek
 Does anyone know where to find a how-to on using TOR against HADOPI?

Using tor to evade the French data retention and HADOPI laws is no different
from using tor for evading the surveillance of other police states.

 (Hadopi is the new law in France about P2P: if you download some music or
 movie with a P2P system, the provider will send you a mail to say stop; if
 you continue, they send a real letter and after that, they stop your connection
 and FINE you (and you will continue to pay the provider but you will have no
 right to have an internet connection :-(( )  -
 http://www.p2pnet.net/story/21764 - )

Now don't get me started about how stupid HADOPI is.

Under HADOPI, the ISP is required to monitor your Internet usage, at
their cost.  After three warnings, they are meant to disconnect you
while you continue paying your ISP bill.  I'm sure that's going to do
wonders for the ISPs' customer relations.

While HADOPI mandates massive surveillance of Internet users, the total
budget voted for enforcing it is a mere 6.7 M€ per annum, which implies
that enforcement will be entirely from the ISPs' pockets.  I'm sure
they'll love it.

Juliusz


Re: Be ready: We're switching version control systems

2009-04-24 Thread Juliusz Chroboczek
 Hello, everyone!  Sometime in the next week or two, I am planning to
 move the repository for Tor software from Subversion to Git.

This is excellent news.

 - Better support for offline development.

This also means that occasional contributors will be able to use the
RCS.

A centralised RCS, such as CVS or SVN, segregates contributors into two
categories: those who have commit rights, and are able to enjoy all the
nice features of the RCS, and those who don't, for whom the RCS is
little more than a way to get the latest sources.

With a decentralised RCS, all contributors are able to use the RCS; if
you're a non-committer, you work on your private branch, which can be on
a different server or simply on your laptop.  When your code is ready,
you either ask somebody with commit rights to pull your changes into the
official repository, or you push over e-mail.

Juliusz


Re: exit counts by port number over 61 days

2009-04-20 Thread Juliusz Chroboczek
 Bittorrent is indeed heavy on resource consumption and that's why it's on
 the default reject list, I think, but saying it will disrupt the network,
 come on, it's a bit hard to tell

Dear Marco,

The issue is somewhat controversial, and as far as I know it's not
discussed in detail anywhere.

Cons:

1. Bittorrent is optimised for bulk transfer.  Tor is designed to be
a low-latency network.  Using high-throughput applications such as
Bittorrent over tor is pointless.  One should instead implement
anonymity in the P2P applications themselves (as Freenet tried, and
failed, to do).

2. Tor currently doesn't include proper fairness algorithms.  Hence,
running a Bittorrent client gives you an unfair share of the available
bandwidth, and kills the latency for the rest of us.

Pros:

1. Tor should be able to deal with Bittorrent.  Running Bittorrent over
tor is what might finally get the tor developers to implement proper
inter-flow fairness.  (Yes, I know, it's a *very* difficult problem.)

2. People do want to run Bittorrent anonymously.   Allowing Bittorrent
on the tor network might bring more interest to tor.


I think that's it.  Take your pick.

Juliusz


Re: exit counts by port number over 61 days

2009-04-17 Thread Juliusz Chroboczek
 A better [idea] would be, again IMHO, open a list of ports used by
 normal-use of the tor-network, and block the rest.  [...]

 Web (80,443), Pop3 (*), NNTP (*), DNS (53), Torrent (default 6881), FTP
 (20/21).

Moon,

Please don't give this kind of advice.  Somebody might think you know what
you're speaking about.

Your list includes Bittorrent, which is a highly optimised protocol for
sending massive amounts of data.  Running BT over the tor network is
considered as an abuse of the network.

Your list doesn't include for example 22 (ssh), which is absolutely
essential for many of us.

Juliusz


Re: tor over ipv6

2009-01-22 Thread Juliusz Chroboczek
 For anyone who wants to try IPv6:

If you're running Linux, there's a write-up on

  http://www.pps.jussieu.fr/~jch/software/ipv6-connectivity.html

Juliusz


Re: RetroMessenger over Tor / TorMessenger

2008-11-25 Thread Juliusz Chroboczek
 RetroMessenger has been released for linux

   http://retromessenger.sf.net

 Is there anything to make it working over Tor?

I've only had a quick look, but there are good arguments that the PGP web
of trust is not necessarily the right framework for IM.  I suggest that you
look into OTR, which arguably is a better model *for this particular 
application*.

http://www.cypherpunks.ca/otr/

OTR is layered above the IM protocol, and to a great extent it's agnostic
to the underlying protocol -- it works over Jabber just like it works over
GG or MSN.

Juliusz


Re: Any plans to fix tor for OpenDNS?

2008-11-20 Thread Juliusz Chroboczek
 I have no idea what is involved in running [a recursive name server]
 having never configured/setup one before.  Would it consume lots of
 harddrive realestate?  Consume lots of swap or RAM?

This is on a server that is recursive for a small user community (2 to 10
users, depending on the time of day), and authoritative for a small network
(a dozen machines).

  $ ps -ubind lw
  F   UID   PID  PPID PRI  NI    VSZ   RSS WCHAN  STAT TTY    TIME COMMAND
  1   103  2728     1  18   0  31100  3884 rt_sig Ssl  ?      0:10 /usr/sbin/named -u bind

FWIW, this machine is a 600 MHz Pentium III with 128 MB RAM, and it serves
as a name server, a firewall (for both IPv4 and IPv6), a router (using two
different routing protocols, over both IPv4 and IPv6), and a VPN endpoint
for 6 tunnels.  I've never seen it swap.

It's running a heavily customised version of Debian, which makes it lighter
than whatever you'll be able to achieve with proprietary software.  Still,
it makes my point -- building your own network infrastructure is cheap.

Juliusz


Re: GnuPG through Tor

2008-10-24 Thread Juliusz Chroboczek
 FYI, polipo + gpg's HKP don't work together due to a bug in polipo.
 Basically polipo crashes when it encounters the expect 100 continue
 sent by gpg. For more info, see:
 http://thread.gmane.org/gmane.comp.web.polipo.user/2144

Note that this only happens when the server uses an obsolete protocol (RFC
2068).  However, this is definitely a bug, and will be fixed in Polipo 1.0.5.

Juliusz


Re: Performance

2008-10-24 Thread Juliusz Chroboczek
 True, I did take that into account. I could be mistaken but I think the main
 problem lies with the proxy software. I think that Polipo and, especially,
 Privoxy are pretty resource intensive, and affect performance more than Tor
 itself.

Polipo has been shown to be faster than most browsers' implementation of
HTTP.

As for resources consumed, people are running Polipo on embedded routers
with 16 MB of memory.

Juliusz


Re: Traffic routed through Sweden

2008-07-07 Thread Juliusz Chroboczek
 **: FWIW and IMHO, I believe that much of the privacy and security of
 clients not only has to be, but *should be* left to them. Stopping
 Darwin and bottle-feeding those with inferior skills and/or capacity
 only drags down the human race. Those who can, will learn; those who
 cannot, will suffer the consequences.

I cannot but strongly disagree with that notion.

I expect my automobile vendor and my car mechanic to guarantee my
safety while I know little more about cars than how to check the
tyres' pressure.  I expect the people who built the bridges in my area
to guarantee that they won't fall down without me needing to know much
about statics.  And I expect to be able to go from Calais to Dover by
ferry without knowing anything about ship building.

This is not to say that we should guarantee anything at the exit-node
level, but please don't take the elitist attitude that your car
mechanic, your civil engineer and your ship-builder should know whether
AES-128 is more or less secure than Blowfish.

Juliusz


Re: Default Exit Policy

2008-05-26 Thread Juliusz Chroboczek
 Just as with SMTP, security [with SMTP-submit] is optional. See
 RFC 4409 for details on the protocol.

4.3.  Require Authentication

   The MSA MUST by default issue an error response to the MAIL command
   if the session has not been authenticated using [SMTP-AUTH], unless
   it has already independently established authentication or
   authorization (such as being within a protected subnetwork).

In other words, SMTP-submit MUST use authentication, but the
authentication may be something as weak as deciding depending on the
IP address.

Folks, unless you are running on a network that allows unauthenticated
SMTP-auth, please allow port 587 in your exit policy.

Juliusz


Changing configuration depending on local IP?

2008-03-18 Thread Juliusz Chroboczek
Hi,

My laptop is running tor, and its connectivity to the global Internet
depends on where I connect it to.  I'd like to change the tor
configuration depending on my IP address.

More precisely, I'd like to usually run as a client in the default
configuration, as a client behind a paranoid firewall if I'm in 192.168.4.0/24,
and as a server if I'm on a certain (globally routable) prefix.

Yes, I know I could manage with a bunch of sed scripts in if-up.d, but
it would be much more convenient if I could just tell tor about the
various IP prefixes and be done with that.

Juliusz


Re: Your system clock just jumped on Debian+VMware ESX

2008-03-02 Thread Juliusz Chroboczek
 I'm guessing this is a kernel thing, so running date a lot will probably
 not help to notice it. Is gettimeofday() the wrong way to ask what time
 it is under vmware? :)

Using select (or poll) and gettimeofday, while not technically
correct, is the only portable way of writing an event-driven program
under Unix.  I can't believe that vmware might not support this technique.

The issue with the above technique is that it's vulnerable to clock
stepping.  The correct way is to use clock_gettime(CLOCK_MONOTONIC)
rather than gettimeofday, but it's supported on precious few systems.

(The older BSD technique of using select and checking the time spent
in select is not only not portable, but it's also not correct since it
causes skew.)

Juliusz
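An added example (not from the thread) of the point above: an event-loop timeout computed from a deadline is only as good as the clock the deadline was taken on. The block uses a pluggable clock so a wall-clock step can be simulated without changing the system time; the simulated start values are arbitrary constructed numbers.

```c
#define _POSIX_C_SOURCE 200809L
#include <inttypes.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/time.h>
#include <time.h>

/* A clock source: milliseconds since some epoch that only that clock knows. */
typedef int64_t (*clock_fn)(void);

/* gettimeofday(): wall-clock time, which NTP, a hypervisor or an admin may step. */
static int64_t wall_now_ms(void) {
    struct timeval tv;
    gettimeofday(&tv, NULL);
    return (int64_t)tv.tv_sec * 1000 + tv.tv_usec / 1000;
}

/* clock_gettime(CLOCK_MONOTONIC): only ever moves forward, never stepped. */
static int64_t mono_now_ms(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (int64_t)ts.tv_sec * 1000 + ts.tv_nsec / 1000000;
}

/* Arm a timer: the deadline is "now + delay" on whichever clock the loop uses. */
static int64_t deadline_after(clock_fn now, int64_t delay_ms) {
    return now() + delay_ms;
}

/* What the event loop passes to poll()/select(): time left until the deadline,
 * clamped to [0, INT_MAX].  Computed from the same clock the deadline used. */
static int poll_timeout_ms(clock_fn now, int64_t deadline_ms) {
    int64_t left = deadline_ms - now();
    if (left < 0) left = 0;
    if (left > INT_MAX) left = INT_MAX;
    return (int)left;
}

/* ---- Simulation (constructed, so a clock step can be shown without root) ----
 * sim_wall behaves like gettimeofday (can be stepped), sim_mono like
 * CLOCK_MONOTONIC (advances with elapsed time only).  Start values are arbitrary. */
static int64_t sim_wall_ms;
static int64_t sim_mono_ms;

static void sim_reset(void) { sim_wall_ms = 1000000; sim_mono_ms = 5000; }
static int64_t sim_wall_now(void) { return sim_wall_ms; }
static int64_t sim_mono_now(void) { return sim_mono_ms; }

/* Let elapsed_ms of real time pass, then step the wall clock by step_ms
 * (negative = set back).  The monotonic clock sees only the elapsed time. */
static void sim_advance(int64_t elapsed_ms, int64_t step_ms) {
    sim_wall_ms += elapsed_ms + step_ms;
    sim_mono_ms += elapsed_ms;
}

/* Arm a delay_ms timer on the given clock, run the scenario, and return the
 * timeout the loop would now hand to poll(). */
static int timeout_after_step(clock_fn now, int64_t delay_ms,
                              int64_t elapsed_ms, int64_t step_ms) {
    sim_reset();
    int64_t deadline = deadline_after(now, delay_ms);
    sim_advance(elapsed_ms, step_ms);
    return poll_timeout_ms(now, deadline);
}

int main(void) {
    /* Real clocks, just to show both calls work on this system. */
    printf("wall=%" PRId64 " ms  mono=%" PRId64 " ms\n", wall_now_ms(), mono_now_ms());

    /* Scenario: a 10 s timer, 1 s elapses, then the wall clock is set back 1 h.
     * On the wall clock the timer now "needs" an extra hour; on the monotonic
     * clock it still fires in 9 s. */
    printf("wall clock after -1h step: poll timeout %d ms\n",
           timeout_after_step(sim_wall_now, 10000, 1000, -3600000));
    printf("monotonic after -1h step:  poll timeout %d ms\n",
           timeout_after_step(sim_mono_now, 10000, 1000, -3600000));
    /* Set forward 1 h: every pending timer on the wall clock fires at once. */
    printf("wall clock after +1h step: poll timeout %d ms\n",
           timeout_after_step(sim_wall_now, 10000, 1000, 3600000));
    return 0;
}
```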


Re: Running on embedded hardware

2007-12-30 Thread Juliusz Chroboczek
 I'm trying to run a tor client on my router in order to anonymise my network.
 - System is: Asus WL-500G (32MB Ram)

Nice router.  The CPU is a 260 MHz MIPS core from Broadcom that
implements almost all of the MIPS32 instruction set (the one exception
being the WAIT instruction).

 - OS is: OpenWRT whiterussian (Linux: 2.4.30)

Switch to Kamikaze.  It's much more pleasant to work with, and I've
found it to be somewhat more stable than Whiterussian.

 I built tor with ./configure --prefix=/opt/tor -with-libevent-dir 
 (...) --with-ssl-dir (...) 

You're cross-compiling, so you'll probably want to say something like

  CC=mipsel-linux-gcc CFLAGS='-Os -march=mips32' ./configure --whatever

 --- SIGILL (Illegal instruction) @ 0 (0) ---
 +++ killed by SIGILL +++

As coderman noted, this might indicate a mis-compiled binary.  Make
sure you compile for MIPS32, and that you use at least gcc 3.4.4.

Upgrading to Kamikaze is good, since it will have been compiled with
a more recent release.

Juliusz


Re: Help me understand tor with SSL?

2007-12-02 Thread Juliusz Chroboczek
   Using privoxy is necessary because 
   browsers leak your DNS requests when 
   they use a SOCKS proxy directly,
   which is bad for your anonymity. 

Firefox should in principle not use the DNS if

  network.proxy.socks_remote_dns

is set to true (in about:config).

   Privoxy also removes certain 
   dangerous headers from your web 
   requests, and blocks obnoxious ad 
   sites like Doubleclick.

This is better done in the browser, for quite a few reasons, including
the fact that there is no way a proxy can do that for SSL connections.

Juliusz


Re: Questions about a TOR server

2007-11-25 Thread Juliusz Chroboczek
 accept *:443
 reject *:*

Folks, please open port 22.  587 and 5222 would be helpful too.

Juliusz


Re: Tor appliances

2007-11-25 Thread Juliusz Chroboczek
 You might or might not be aware about ALIX, the successor to WRAP.

As far as I know, this is proprietary software.  Since there are
a number of Free Operating Systems available for embedded platforms[1],
I am not quite sure why you are posting this on or-talk.

Juliusz

[1] My favourite happens to be OpenWRT, the latest version of which
has been ported to x86 hardware.


Re: javaprogram using tor

2007-10-28 Thread Juliusz Chroboczek
 I have searched the FAQs and found Torlib, but I cannot find
 where to download it or any sample of it, and I cannot find exactly
 how to use it in my program.  Is there any other way to connect
 my Java program to tor, or kindly point me to something useful..

Tor appears to client applications as a SOCKS proxy.  Sun's JDK can
speak SOCKS out of the box if you set the system properties
socksProxyHost and socksProxyPort.

So I believe that your Java application will automatically go through
tor if you do

  java -DsocksProxyHost=localhost -DsocksProxyPort=9050 AlicesRestaurant

Alternatively, you could modify your application to explicitly use
a SOCKS proxy by creating your sockets as so:

  new Socket(new Proxy(Proxy.Type.SOCKS,
                       new InetSocketAddress("127.0.0.1", 9050)));

Note however that Java most probably implements SOCKS with IP
addresses, and unless you take special precautions, you will suffer
from DNS leaks.  Which may or may not be a problem for your application.

Juliusz
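The DNS-leak point above, as an added example that is not from the thread: a small C builder for the SOCKS5 request a client sends to Tor's SOCKS port (127.0.0.1:9050 in the message), showing the difference between handing the proxy a hostname (address type 3, resolved by the proxy) and an IP address the client already resolved itself. The hostname example.onion and the ports are constructed sample values.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SOCKS5_VERSION     0x05
#define SOCKS5_CMD_CONNECT 0x01
#define SOCKS5_ATYP_IPV4   0x01
#define SOCKS5_ATYP_DOMAIN 0x03
#define SOCKS5_ATYP_IPV6   0x04

/* Greeting: version 5, one offered method, 0x00 = no authentication. */
static size_t socks5_greeting(uint8_t *out, size_t cap) {
    if (cap < 3) return 0;
    out[0] = SOCKS5_VERSION;
    out[1] = 1;
    out[2] = 0x00;
    return 3;
}

/* Build the CONNECT request for host:port.  A literal IPv4/IPv6 address is
 * encoded as such; anything else is sent verbatim as a domain name (ATYP 3),
 * so the proxy (here: Tor) resolves it and no local DNS query is ever made.
 * Returns the request length, or 0 if the buffer is too small or the name
 * does not fit the one-byte length field. */
static size_t socks5_connect_request(const char *host, uint16_t port,
                                     uint8_t *out, size_t cap) {
    unsigned char addr[16];
    size_t hostlen = strlen(host), n = 0;
    int family = 0;

    if (inet_pton(AF_INET, host, addr) == 1)       family = AF_INET;
    else if (inet_pton(AF_INET6, host, addr) == 1) family = AF_INET6;
    else if (hostlen == 0 || hostlen > 255)        return 0;

    size_t need = 4 + 2 + (family == AF_INET ? 4 : family == AF_INET6 ? 16 : 1 + hostlen);
    if (need > cap) return 0;

    out[n++] = SOCKS5_VERSION;
    out[n++] = SOCKS5_CMD_CONNECT;
    out[n++] = 0x00;                                  /* reserved */
    if (family == AF_INET) {
        out[n++] = SOCKS5_ATYP_IPV4;
        memcpy(out + n, addr, 4);  n += 4;
    } else if (family == AF_INET6) {
        out[n++] = SOCKS5_ATYP_IPV6;
        memcpy(out + n, addr, 16); n += 16;
    } else {
        out[n++] = SOCKS5_ATYP_DOMAIN;
        out[n++] = (uint8_t)hostlen;
        memcpy(out + n, host, hostlen); n += hostlen;
    }
    out[n++] = (uint8_t)(port >> 8);                  /* port, network byte order */
    out[n++] = (uint8_t)(port & 0xff);
    return n;
}

/* True when the request leaves name resolution to the proxy (no DNS leak). */
static int socks5_request_defers_resolution(const uint8_t *req, size_t len) {
    return len >= 4 && req[3] == SOCKS5_ATYP_DOMAIN;
}

/* REP field of the proxy's reply: 0 = succeeded, 1..8 = failure, -1 = malformed. */
static int socks5_reply_status(const uint8_t *rep, size_t len) {
    if (len < 4 || rep[0] != SOCKS5_VERSION) return -1;
    return rep[1];
}

int main(void) {
    uint8_t buf[300];
    /* Constructed sample: a hidden-service name that must never reach local DNS. */
    size_t n = socks5_connect_request("example.onion", 80, buf, sizeof buf);
    printf("request %zu bytes, resolution deferred to proxy: %s\n", n,
           socks5_request_defers_resolution(buf, n) ? "yes" : "no");
    /* A pre-resolved address: the proxy sees only the IP, and the lookup that
     * produced it already went out over plain DNS. */
    n = socks5_connect_request("10.0.0.1", 443, buf, sizeof buf);
    printf("request %zu bytes, resolution deferred to proxy: %s\n", n,
           socks5_request_defers_resolution(buf, n) ? "yes" : "no");
    return 0;
}
```

The Java counterpart of the ATYP 3 form is to connect through the Proxy object to an InetSocketAddress.createUnresolved(host, port), so the name reaches Tor unresolved instead of being looked up by the JVM first.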


Re: Firefox IPv6 Anonymity bypass

2007-10-27 Thread Juliusz Chroboczek
 If you are using Tor (and have Firefox configured to use the HTTP
 proxy), Firefox will not use the proxy for IPv6 traffic.

Nonsense.  At the time at which Firefox decides whether to make
a request through a proxy, it doesn't yet know whether the target
server has an IPv6 address.

What you're seeing is probably some other issue, which it would be
good to clarify.

Juliusz


Re: Browser dos/don'ts ( was Re: Incognito Live CD using Polipo)

2007-10-18 Thread Juliusz Chroboczek
 :  a bobnjoe browser

 : For the crass foreigners among us -- what does this idiom mean?

 Bob & Joe's Bait, Tackle, and Web Browsers [...] Sorry for the confusion.

Quite the opposite -- thanks to you for the snippet of local colour.

Juliusz


Re: Incognito Live CD using Polipo

2007-10-10 Thread Juliusz Chroboczek
 If phobos doesn't have a script I'll most likely write one. The
 problem would be that the 'easylist' also includes a whitelist at
 the end, I assume that all patterns are scanned from start to end
 and if something is blacklisted AND whitelisted, it is
 allowed. AFAIK Polipo only provides a blacklist.

If you provide me with the precise semantics of the whitelist, I can
implement something compatible in Polipo.

Juliusz



Re: Incognito Live CD using Polipo

2007-10-09 Thread Juliusz Chroboczek
 What about censoring ETag, Last-Modified and If-Modified-Since ? Those are
 used to send info to the client that will be sent back to the server, hence
 something can be encoded there to identify the machine.

Don't censor ETag and Last-Modified under any circumstances.  Polipo
will survive an out-of-memory situation much more gracefully when
there is a strong validator.

 Keep in mind that there is no on-disk cache, so the live time of the
 ETag and Last-Modified data is short, i.e. only during the user's
 session.

Nothing serious should break if you censor IMS and friends
(If-None-Match etc.), but it will slow you down quite a bit -- Polipo
will detect every server as broken, and do a lot of slow things to
compensate.  So I certainly don't recommend it.

Juliusz


Re: Incognito Live CD using Polipo

2007-10-09 Thread Juliusz Chroboczek
   You should use RefControl 
   https://addons.mozilla.org/en-US/firefox/addon/953  to spoof
   referrers headers, not Polipo, as RefControl does HTTPS and HTTP.

Yep.  In all cases, doing things in the browser is better than doing
them in the proxy.

However, I understand that Pat is trying to be at least somewhat
browser-agnostic.

 The nice thing about RefControl is it can be set to the forge
 option which will use the current site's own root as the referrer.

Good idea.  I'll put that into Polipo.

Juliusz


Re: Incognito Live CD using Polipo

2007-10-09 Thread Juliusz Chroboczek
 It's fairly easy to convert the adblock plus 'easylist' into a polipo
 forbidden file.

Do you have a script you'd be willing to share?  I'd be glad to link
to it from the Polipo page.

Juliusz


Re: Incognito Live CD using Polipo

2007-10-07 Thread Juliusz Chroboczek
Hi,

 I am considering changing the Incognito LiveCD to use Polipo.

Excellent news.

 Polipo config - 
 https://tor-svn.freehaven.net/svn/incognito/branches/polipo/root_overlay/etc/polipo/

First point -- you'll definitely want to set disableLocalInterface.

Since you're running with no on-disk cache, you will also want to
increase the memory cache.  No hard guidelines -- it depends on the
machine's memory -- (The default in Polipo 1.0.3 is 24 MB or 1/4 the
machine's memory, whichever is less.  1.0.2 and earlier use 8 MB).

 serverSlots=4
 serverMaxSlots=8

I think that more experience is needed with finding the right value
for serverSlots.  I'm running polipo with serverSlots set to 2,
4 might be overkill.

On a related note, you'll also want to decrease maxConnectionAge and
maxConnectionRequests.  I suggest 5 minutes and 120 connections,
respectively.  Please see

  http://archives.seul.org/or/talk/Apr-2007/msg00076.html

 censorReferer=maybe

Yep.  This is a reasonable compromise -- doesn't leak too much memory
while not breaking most sites.

 censoredHeaders=from, accept-language, x-pad, link, warning

Don't censor Warning -- it allows the server to send information to
the user, not the other way around.

Any suggestion for additional censorings?

Juliusz




Re: funneling a wireless net's outbound connections through tor

2007-10-01 Thread Juliusz Chroboczek
You should not make traffic go transparently through tor, unless the
people using your network fully understand what tor is about, and what
are the associated security risks (such as exit nodes performing MITM
attacks on SSL certificates).

  Thank you for your opinion, but it was not particularly relevant to
 what I posted.

Perhaps this tone is not absolutely necessary?

  First, please reread what I wrote.  I will be providing a *free
 wireless access* service to my neighbors.  Even if I tell them *nothing*,
 they will be better off than without the service.

No, they won't.  Non-technical people often assume that DNS and
routing are secure.  We know they aren't, but they don't.

By routing their traffic transparently through tor, you increase their
chance of exposure to MITM attacks.  Unless you warn them, you'd
actually be doing them a disservice.

  Third, you didn't even ask whether I might have already given some
 thought to the matter of educating/informing my neighbors about how their
 TCP connections and name server queries will be reaching the Internet and
 how responses will be returned from the Internet.
[...]
 It is quite possible that I will never have any direct communication
 with many of my neighbors, so requiring them to reconfigure their
 applications, which may include more than mere web browsers, to use
 an HTTP proxy is out of the question.

So are you or aren't you in touch with them?

  Fourth, my primary motivation for running my neighbors' connections
 through tor is to protect *me* from whatever *they* are doing.  The fact
 that routing their connections through tor should also give *them* some
 protection is a purely secondary benefit.

You will have the same amount of protection if you put a stateless
firewall (with no interception) that forces them to go through the
proxy.  Please re-read the following:

Instead, put a simple stateless firewall on your network, and redirect
port 80 traffic to a web server that explains how to set up their web
browser to go through tor.

 It also would not be of any use to network applications that do not
 use HTTP.

Please re-read the following:

 Please make sure that your HTTP proxy allows CONNECT to TCP ports 22,
 80, 109-110, 143, 443, 873, 993 and 995.  22 is especially important
 if there are any geeks in your neighbourhood.

CONNECT is a sub-protocol of HTTP that is used to tunnel non-HTTP
protocols through an HTTP proxy.  It's sort of like SOCKS, but cleaner.

Juliusz


Re: [Polipo-users] Testing Polipo on Windows

2007-09-24 Thread Juliusz Chroboczek
[CC-ing or-talk, in case somebody there has already heard about this
Windows thing]

 1. I'm seriously thinking about removing the native Windows code,
 unless I find a maintainer.

 That worries me a bit,

It's not like Polipo development breaks things daily.  If the Mingw
code starts rotting, you'll get plenty of advance notice (months).
For now, I'm simply doing my best not to break anything, but not
actively testing under Windows.

But it does make me uneasy to have this blob of code in Polipo which
I'm not able to maintain.  Unless this changes, I am unwilling to
commit to anything.

 it's part of Hv3's plan for world domination.

World domination is my plan.  Please pick a different one.

 And I can test it informally as part of Hv3 a bit.

I think that would be more effective if Hv3 used a pristine copy of
Polipo rather than a local copy, and tracked the head branch
regularly -- this would make you notice faster if anything broke.

Of course, if there were one or two Windows users willing to check
every release candidate for Windows-specific regressions, that would
do a lot to make me more comfortable.

 However I'm a bit limited in what I can do. All I have at present is the 
 mingw compiler and windows-xp under vmware.

It looks like we're all struggling to support an obsolete OS that none
of us use any longer.  It reminds me a little of the ``#ifdef VMS''
fetish we used to have in the nineties.

Juliusz


Re: About HTTP 1.1 Cache

2007-09-23 Thread Juliusz Chroboczek
 Most servers treat Last-Modified values as opaque validators --

 IIS and Apache -- don't.

Interesting -- thanks for the info.

Juliusz


Re: Load Balancing

2007-09-22 Thread Juliusz Chroboczek
 - privoxy will use new streams on the same circuit for each of the images
 - polipo will generally pipeline everything over the same stream

Not quite.  Polipo will try to use up to n simultaneous connections to
a given server, where n is

  - 2 for a server that can do pipelining;
  - 4 for a server that can do persistent requests but not pipelining;
  - 8 for a server that cannot do persistent requests.

These magic constants are configurable.

Ideally, Polipo should choose the number of simultaneous connections
depending on an estimate of average queue length, but I haven't
thought about it seriously yet.

 I believe this results in a perceptible performance improvement for general 
 browsing.

I think so too, but some people disagree.  Since I don't want to get
into this discussion again, I refer you to the following friendly flamewar.
(Note that while the tone was not always as polite as it should have
been, Fabian and I live in good friendship and mutual respect.)

Me:
  http://archives.seul.org/or/talk/Apr-2007/msg00056.html

Fabian Keil:
  http://archives.seul.org/or/talk/Apr-2007/msg00063.html

Me:
  http://archives.seul.org/or/talk/Apr-2007/msg00066.html

Me clarifying:
  http://archives.seul.org/or/talk/Apr-2007/msg00069.html

You may also find this paper interesting:

  http://www.w3.org/Protocols/HTTP/Performance/Pipeline.html

Juliusz


Re: [Polipo-users] Reminder: running Polipo with Tor, no need to mail me

2007-09-22 Thread Juliusz Chroboczek
 On Sat, Sep 22, 2007 at 05:11:57PM +0200, [EMAIL PROTECTED] wrote 1.3K bytes 
 in 35 lines about:

 For Polipo 1.0.3, I'll include a config.tor for the lazy people.

Point taken.  Patches welcome.

Juliusz


Re: About HTTP 1.1 Cache

2007-09-20 Thread Juliusz Chroboczek
 What about If-Modified-Since header with time now? The website can know
 the last visit, time and the pages of browser with a database.
 Added this information with browser identification can not be good.

You're right.  This is one of the reasons why you must purge your
browser cache and your proxy cache regularly when you use tor, typically
whenever you switch from one persona to the other.

This is also why I recommend that people using Polipo with tor should
not use an on-disk cache, unless they understand the consequences.

Regards,

Juliusz


Re: [Polipo-users] ANNOUNCE: Polipo-1.0.2

2007-09-03 Thread Juliusz Chroboczek
 I put together a standard Polipo 1.0.2 universal binary for OSX users.  
 It's located at http://interloper.org/tmp/polipo/.

Excellent.

 The config file has comments for those wishing to use it with Tor.

Could I please see a copy?  I'm rather keen on having the default
installation of Polipo be roughly the same on all platforms.

DJB is annoying, but he often has a point.  Please see

  http://cr.yp.to/compatibility.html

especially the last paragraph.

 Juliusz, feel free to link to it from your polipo page.

Done.

Juliusz


Re: Privoxy usage?

2007-08-19 Thread Juliusz Chroboczek
 Tor in my experience.  i've also had success tweaking the TCP VPN
 layer (disable nagle for example, and i recall someone using cork to
 benefit too).

This approach is described in RFC 1925 section 2.3.

Juliusz


Re: Privoxy usage?

2007-08-18 Thread Juliusz Chroboczek
 what may be useful is the transparent TCP proxy support in Tor for
 ensuring the VPN connections are going through Tor. (VPN software
 being difficult to SOCKS'ify so to speak)

Ahem... if your VPN software is using TCP rather than UDP or raw IP,
then I strongly recommend that you choose a different VPN vendor.

Which means that until Roger, Nick and their basementful of slaves
implement a datagram transport for tor, it will not be possible to run
a well-designed VPN over tor.

Juliusz


Re: Privoxy usage?

2007-08-18 Thread Juliusz Chroboczek
 I may be doing a horrible job of explaining the problem.

No, you're doing fine.  I'm just going to explain it differently.

 IP over IP works.
 UDP over UDP works if your UDP protocol supports it.
 TCP over TCP fails. The timeout rules cannot stack properly.

You missed the two important cases ;-)

  TCP over IP works (duh)
  TCP over UDP works

This last case is why things like OpenVPN can do their job.

TCP over TCP is extremely inefficient; it will cause spurious
retransmissions, seriously impair the throughput you get and congest
the tor network.

(This does not apply to tunnelling over ssh, since ssh tunnels the
higher-layer data stream rather than the TCP packets.)

Juliusz


Re: Privoxy usage?

2007-08-18 Thread Juliusz Chroboczek
 Ahem... if your VPN software is using TCP rather than UDP or raw IP,
 then I strongly recommend that you choose a different VPN vendor.

 that's not good advice.  tcp to 443 and other uses in general are
 quite acceptable.  (ok, i do favor AH/ESP or UDP, but TCP is still
 quite usable and useful)

That's not a VPN.  That's encryption at the application layer, and
that's fine.

 with Tor your tcp endpoint is terminating quite close, in this case on
 the same host stack or one host over.

That's not TCP over TCP.  That's two TCP connections put end to end,
and that's fine.

 the performance hit for TCP over TCP in Tor land is the latency and
 bandwidth associated with onion routing, not nested TCP transport.

There is no nested TCP in normal tor operation; there's multiple
layers of SSL encryption over a single TCP connection.

On the other hand, if you run a layer 2 VPN over tor, you get TCP
within IP within multiple layers of SSL within TCP.  And that's not
good, either for your performance, or for the network.

Juliusz


Re: constrained socket buffers patch

2007-07-20 Thread Juliusz Chroboczek
 this is a good idea.  16k might be even better if it worked reliably
 (the usual default is 32 to 64k).

Your information might be somewhat obsolete...

Have a look at my machine (a pretty ordinary recent Linux) connecting
to tor.eff.org:

  lanthane.45747 > 209.237.230.67.www: SWE 4264190125:4264190125(0) win 5840 <mss 1460,sackOK,timestamp 315382960 0,nop,wscale 6>
  209.237.230.67.www > lanthane.45747: S 3004159902:3004159902(0) ack 4264190126 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 1445924711 315382960,sackOK,eol>

Lanthane (my machine) opened a connection to tor.eff.org.  Since it
doesn't have any information about the connection's RTT yet, it
declares a very small TCP window (5.8 kB).  Tor.eff.org has a somewhat
more traditional implementation of TCP, so it starts with a window
size of 64 kB.

(Note that both sides negotiated the wscale option, so from now on we
need to multiply lanthane's values by 64, and tor.eff.org's by 2).

A little while later, the situation has evolved as so:

209.237.230.67.www > lanthane.pps.jussieu.fr.45747: P 4112:4445(333) ack 4629 win 33304 <nop,nop,timestamp 1445925772 315383225>
lanthane.pps.jussieu.fr.45747 > 209.237.230.67.www: . ack 4445 win 408 <nop,nop,timestamp 315383277 1445925772>

As you may see, tor.eff.org has grown its receive window to 67 kB,
while Lanthane has gone up to 26 kB.

Juliusz


Re: constrained socket buffers patch

2007-07-13 Thread Juliusz Chroboczek
 Now the throughput (``bandwidth'') of a TCP connection is limited by
 window/rtt.  What this means is that with ConstrainedSockets enabled,
 your tor server will have basically unlimited throughput on a local
 connection, but be limited to roughly 40 kB/s per connection (that's
 bytes, not bits) over a transatlantic link[1].

 I'm interested to see your [1] where you do the numbers. :)

You asked for it ;-)

The distance between Paris and New York is 5851 km, which is pretty
close to 20 ms * c.  The speed of light in fiber is almost exactly
2/3 * c, which means that just the signal propagation gives a round
trip time of 60 ms; make it 70 ms to allow for router latency.

A 4 kB window contains 2 Ethernet-size packets (I'm assuming that your
TCP is sending full-size packets, i.e. that it's doing SWS-avoidance),
so you send 3 kB of data every 70 ms, or 43 kB per second.

 Tor servers advertise aggregate throughput.

Good to hear -- I guess this solves the issue.

There is another issue, which doesn't appear in the above.  TCP is
extremely sensitive to packet loss when the window is smaller than
4 packets (fast retransmit doesn't work in that case).  So could
I suggest a default value for ConstrainedSockSize of 8 kB?

Juliusz
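Carrying the arithmetic of this mail and of the 20 July mail above through in code: window scaling applied to the quoted tcpdump lines, then the window/RTT throughput ceiling and the four-segment fast-retransmit floor. This is an added example, not code from the thread or from Polipo; the function names are mine and the tcpdump lines are the ones quoted above, re-typed as sample input.

```python
import re

SPEED_OF_LIGHT_KM_S = 299_792.458   # c in km/s
FIBRE_FACTOR = 2.0 / 3.0            # signal speed in optical fibre, relative to c
ETHERNET_MSS = 1460                 # payload bytes of a full-size Ethernet segment

# Sample input: the four tcpdump lines quoted in the 20 July mail
# (SYN, SYN-ACK, then one data segment and one ACK from later in the session).
SYN_FROM_LANTHANE = ("lanthane.45747 > 209.237.230.67.www: SWE 4264190125:4264190125(0) "
                     "win 5840 <mss 1460,sackOK,timestamp 315382960 0,nop,wscale 6>")
SYNACK_FROM_TOR = ("209.237.230.67.www > lanthane.45747: S 3004159902:3004159902(0) "
                   "ack 4264190126 win 65535 <mss 1460,nop,wscale 1,nop,nop,"
                   "timestamp 1445924711 315382960,sackOK,eol>")
LATER_FROM_TOR = ("209.237.230.67.www > lanthane.pps.jussieu.fr.45747: P 4112:4445(333) "
                  "ack 4629 win 33304 <nop,nop,timestamp 1445925772 315383225>")
LATER_FROM_LANTHANE = ("lanthane.pps.jussieu.fr.45747 > 209.237.230.67.www: . ack 4445 "
                       "win 408 <nop,nop,timestamp 315383277 1445925772>")

_WIN_RE = re.compile(r"\bwin (\d+)")
_WSCALE_RE = re.compile(r"\bwscale (\d+)")
_SYN_RE = re.compile(r": S\w* ")      # flag field "S", or "SWE" when the ECN bits are set


def is_syn(line: str) -> bool:
    """True if the tcpdump line carries the SYN flag."""
    return _SYN_RE.search(line) is not None


def parse_wscale(syn_line: str) -> int:
    """Window-scale shift announced in a SYN or SYN-ACK (0 if the option is absent)."""
    m = _WSCALE_RE.search(syn_line)
    return int(m.group(1)) if m else 0


def parse_window(line: str, wscale: int) -> int:
    """Receive window in bytes advertised by one tcpdump line.  RFC 1323 never
    scales the window carried in a SYN, so the shift applies only afterwards."""
    m = _WIN_RE.search(line)
    if m is None:
        raise ValueError("no 'win' field in: " + line)
    raw = int(m.group(1))
    return raw if is_syn(line) else raw << wscale


def propagation_rtt_ms(distance_km: float, router_latency_ms: float = 10.0) -> float:
    """Round-trip time of light in fibre over distance_km, plus an allowance for
    router latency (the mail adds 10 ms to get from 60 ms to 70 ms)."""
    one_way_s = distance_km / (SPEED_OF_LIGHT_KM_S * FIBRE_FACTOR)
    return 2.0 * one_way_s * 1000.0 + router_latency_ms


def full_segments(window_bytes: int, mss: int = ETHERNET_MSS) -> int:
    """Number of full-size segments that fit in the window."""
    return window_bytes // mss


def max_throughput(window_bytes: int, rtt_ms: float, mss: int = ETHERNET_MSS) -> float:
    """Ceiling on one connection's throughput in bytes/s: window / RTT, counting
    only whole MSS-sized segments, i.e. a sender that does SWS avoidance."""
    return full_segments(window_bytes, mss) * mss / (rtt_ms / 1000.0)


def fast_retransmit_possible(window_bytes: int, mss: int = ETHERNET_MSS) -> bool:
    """Fast retransmit needs three duplicate ACKs, hence at least four segments in
    flight; with a smaller window every loss costs a full retransmission timeout."""
    return full_segments(window_bytes, mss) >= 4


if __name__ == "__main__":
    ws_lanthane = parse_wscale(SYN_FROM_LANTHANE)   # 6: multiply later windows by 64
    ws_tor = parse_wscale(SYNACK_FROM_TOR)          # 1: multiply later windows by 2
    print("lanthane:   SYN win", parse_window(SYN_FROM_LANTHANE, ws_lanthane),
          "-> later", parse_window(LATER_FROM_LANTHANE, ws_lanthane), "bytes")
    print("tor.eff.org: SYN win", parse_window(SYNACK_FROM_TOR, ws_tor),
          "-> later", parse_window(LATER_FROM_TOR, ws_tor), "bytes")
    rtt = propagation_rtt_ms(5851)                  # Paris - New York, roughly 70 ms
    for win in (4096, 8192):
        print(f"window {win}: {full_segments(win)} segments, "
              f"{max_throughput(win, rtt) / 1000:.1f} kB/s, "
              f"fast retransmit {'ok' if fast_retransmit_possible(win) else 'impossible'}")
```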


Re: constrained socket buffers patch

2007-07-12 Thread Juliusz Chroboczek
 attached is the constrained sockets patch.

I'd like to know how this will interact with tor's circuit selection.

If I understand this patch correctly, it sets the SO_SNDBUF and
SO_RCVBUF socket options so as to limit the maximum size of the TCP
send and receive windows respectively.

Now the throughput (``bandwidth'') of a TCP connection is limited by
window/rtt.  What this means is that with ConstrainedSockets enabled,
your tor server will have basically unlimited throughput on a local
connection, but be limited to roughly 40 kB/s per connection (that's
bytes, not bits) over a transatlantic link[1].

Perhaps one of the tor developers could clarify whether tor's circuit
selection and congestion control can deal with servers whose per-connection
throughput (but not necessarily aggregate throughput) is
widely dependent on where you come from?

Juliusz


Re: [Polipo-users] Polipo 1.0.1 Windows binary

2007-07-02 Thread Juliusz Chroboczek
(Andrew -- are you on polipo-users?  If so, I suggest we move there,
no need to clutter or-talk.)

 I put up the source from which I built the dmg and universal binary,

Thanks.  (For anyone listening and who's not familiar with Apple's
marketing talk, a « Universal binary » is what us mere mortals call
a fat binary or a multiarch binary.  It's merely a binary that
contains the object code for multiple architectures.  In Apple's case,
it's PPC and x86.)

 +UNIVERSAL = -O -g -isysroot /Developer/SDKs/MacOSX10.4u.sdk -arch i386 -arch 
 ppc
 +LDFLAGS = -Wl,-syslibroot,/Developer/SDKs/MacOSX10.4u.sdk
 +CFLAGS = $(MD5INCLUDES) $(CDEBUGFLAGS) $(DEFINES) $(EXTRA_DEFINES) 
 $(UNIVERSAL)

I'd just replace this hunk with

  PLATFORM_DEFINES=-sysroot ... -arch i386 -arch ppc

This way, you can still say something like

  make CDEBUGFLAGS='-O0 -g'

and get the expected result.

I'm following the X11 makefile conventions (with a few additions from
GNU), and the idea is that:

 - CDEBUGFLAGS should have a reasonable default value, but it can be
   changed by the user;
 - PLATFORM_DEFINES is reserved for platform-dependent stuff;
 - EXTRA_DEFINES is reserved for the user -- it should never be set in
   the makefile;
 - all other variables are internal to the makefile and should not be
   changed by the user.

 -   md5import.c md5.c ftsimport.c fts_compat.c socks.c mingw.c
 +   md5import.c md5.c ftsimport.c fts_compat.c socks.c 

That's not necessary -- there's an « #ifdef MINGW » around mingw.c.

 +proxyAddress = 127.0.0.1# IPv4 only

That's already the default.

 +allowedClients = 127.0.0.1

That's not necessary if you set proxyAddress.

 +socksParentProxy = localhost:9050
 +socksProxyType = socks5
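Review bot: these two lines make every request a SOCKS5 connection to localhost:9050 with nothing in the file saying why; besides the README notice suggested below, an inline comment on the lines themselves would help, since a user who later deletes them to "fix" a connection error gets a Polipo that fetches directly, with no hint that tor has just been taken out of the path.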

Hmm... I'm wondering whether it's a good idea to have this enabled by
default -- after all, Polipo is useful without tor.  If you do so, may
I kindly request that you should put a prominent notice in the README
file about that?

 + chunkHighMark = 50331648
 + objectHighMark = 16384

I guess that if you're running Mac OS X, fifty megs is small change ;-)

Thanks again for your work,

Juliusz


Re: [Polipo-users] Polipo 1.0.1 Windows binary

2007-07-01 Thread Juliusz Chroboczek
 I've built a Polipo-1.0.1 universal binary for OSX 10.4 and above.

Excellent.

Is the async resolver working?  I tested it under 10.3 at some point,
but I'd be glad to hear whether I've broken anything since then.

 The config file [...] attempts to make intelligent decisions for
 usage.

Could you please explain that?  (I'm unfortunately unable to unpack
your dmg file since I replaced my installation of MacOS 7.1 with
NetBSD 1.5.  So now you know why Polipo contains ``#ifdef __mc68020__''.)

 The package is signed by my key, which signs most of the packages
 created for Tor.

Conveniently, Andrew's key (31B0974B) is signed by Roger's (28988BF5)
which is signed by more or less everyone, so you should have no trouble
verifying it.

Thanks a lot for your work, Andrew.

Juliusz




Re: HTTP response is Connection: close

2007-06-27 Thread Juliusz Chroboczek
 FWIW, if Polipo can detect such a situation (either because we haven't
 reached the Content-Length the server declared, or because there was
 an unterminated chunk), it will refetch the object.

 The responses in question are completely empty, there's not a
 single HTTP header and of course the nothingness isn't chunked
 either.

Then you should get a « 502 Server dropped connection » error.  If you
don't, please report it as a bug.

 I get the impression that Polipo forwards them as empty page
 and puts some headers on top.

This shouldn't happen -- unless Polipo's immediate upstream happens to
be an HTTP/1.0 implementation.  (Even if the upstream is HTTP/1.0,
this should only happen if the upstream sends no Content-Length *and*
the connection is broken just after the CR-LF-CR-LF that ends the
headers.)

Please let me state this once more.  HTTP/1.0 is obsolete, it is slow,
it is unreliable.  I've done my best to make HTTP/1.0 reasonably
reliable in Polipo, but there's really not much that one can hack
around with such a deficient protocol.

(Note that, since HTTP/1.1 is backwards compatible with 1.0, it is
possible to send an HTTP/1.0 reply with an HTTP/1.1 header.)

 At least I'm currently running Privoxy-Polipo-Tor as default proxy chain

Then don't do that.  Privoxy is downgrading perfectly good HTTP/1.1
replies down to the old, unreliable, HTTP/1.0 kind.  (Note that it
does tag them with « HTTP/1.1 », which it is perfectly allowed to do.)
Tested with Privoxy 3.0.6.

 Refreshing with CTRL+F5 usually results in the real page.

Yes, there's a special hack to ensure that objects served as HTTP/1.0
are less sticky than normal.  (File server.c line 2086.)

Juliusz


ANNOUNCE: Polipo 1.0.1

2007-06-25 Thread Juliusz Chroboczek
Dear all,

I'm pleased to announce the release of Polipo-1.0.1, which you will
find on

  http://www.pps.jussieu.fr/~jch/software/files/polipo/polipo-1.0.1.tar.gz
  http://www.pps.jussieu.fr/~jch/software/files/polipo/polipo-1.0.1.tar.gz.asc

For more information about Polipo, please see

  http://www.pps.jussieu.fr/~jch/software/polipo/

This version tweaks Polipo's default behaviour with respect to sites
hidden behind an HTTP/1.0 front-end proxy (such as Wikipedia) to make
it slightly more aggressive.  It also adds a number of completely
pointless options that were requested by the tor crowd.  It fixes
a possible crash that happened when using some of the more exotic
cache-control options.  Finally, it fixes a serious descriptor leak
under Windows.

Upgrading is not necessary if you're under Unix or using the Cygwin
port, but strongly recommended if you're using the native Windows binary.

Juliusz

25 June 2007: Polipo 1.0.1:

Made Polipo slightly more aggressive when speaking to
HTTP/1.0 servers (thanks to Fabian Keil for noticing that).
Fixed a crash that would happen when a client used
Cache-Control: only-if-cached, and the object was not in cache.
(Reported by F. Zappa, A. Patala and V. Ghosal.)
Fixed a descriptor leak when running under Windows.
Made Polipo optionally drop connections after servicing
a number of connections (maxConnectionAge and maxConnectionRequests).




Polipo 1.0.1 Windows binary

2007-06-25 Thread Juliusz Chroboczek
A Windows binary for Polipo 1.0.1 is now available on

  http://www.pps.jussieu.fr/~jch/software/files/polipo/polipo-win32-1.0.1.zip
  
http://www.pps.jussieu.fr/~jch/software/files/polipo/polipo-win32-1.0.1.zip.asc

This binary has never seen a Windows machine, so feedback would be
appreciated.

Juliusz




Re: HTTP response is Connection: close

2007-06-24 Thread Juliusz Chroboczek
 Like Andrew, I assume the real problem is a malfunctioning
 intercepting proxy on the exit node, so there's little you can do
 about it.

I would rather blame it on a tor server that crashes or drops the
connection.

FWIW, if Polipo can detect such a situation (either because we haven't
reached the Content-Length the server declared, or because there was
an unterminated chunk), it will refetch the object.

Juliusz
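The truncation check described here and in the 27 June reply above, as an added example in Python rather than Polipo's own C: a reply framed by Content-Length or chunking can be recognised as cut short and refetched, while a close-delimited HTTP/1.0 body gives nothing to check, and a reply with no header block at all is the 502 case. Function names and the sample responses are constructed for illustration.

```python
def split_response(raw: bytes):
    """Split a raw HTTP reply into (status line, lower-cased header dict, body).
    Returns None when the header block is never terminated by CRLF CRLF."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status, headers, body


def chunked_complete(body: bytes) -> bool:
    """True only if every chunk is present in full and a zero-size last chunk
    terminates the body; any other ending means the connection broke early."""
    pos = 0
    while True:
        line_end = body.find(b"\r\n", pos)
        if line_end < 0:
            return False                      # chunk-size line cut off
        size_field = body[pos:line_end].split(b";", 1)[0].strip()
        try:
            size = int(size_field, 16)
        except ValueError:
            return False                      # garbage where a chunk size should be
        if size == 0:
            return True                       # last-chunk marker seen
        data_start = line_end + 2
        data_end = data_start + size
        if body[data_end:data_end + 2] != b"\r\n":
            return False                      # data or its trailing CRLF truncated
        pos = data_end + 2


def classify(raw: bytes) -> str:
    """Classify a reply after the server side closed the connection:
    'complete'     - body matches its declared framing
    'truncated'    - framing says more was coming: the object must be refetched
    'overlong'     - more bytes than Content-Length announced
    'undecidable'  - close-delimited body (typical HTTP/1.0): no way to tell
    'no-headers'   - not even a header block: answer 502, don't forward an empty page
    """
    parsed = split_response(raw)
    if parsed is None:
        return "no-headers"
    _status, headers, body = parsed
    if headers.get("transfer-encoding", "").lower() == "chunked":
        return "complete" if chunked_complete(body) else "truncated"
    if "content-length" in headers:
        try:
            expected = int(headers["content-length"])
        except ValueError:
            return "undecidable"
        if len(body) == expected:
            return "complete"
        return "truncated" if len(body) < expected else "overlong"
    return "undecidable"


# Constructed sample replies, each as it would look when the connection closed.
SAMPLES = {
    "empty reply":          b"",
    "1.1 cut short":        b"HTTP/1.1 200 OK\r\nContent-Length: 10\r\n\r\nhello wor",
    "1.1 complete":         b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello",
    "chunked, no last chunk": (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
                               b"5\r\nhello\r\n"),
    "chunked complete":     (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
                             b"5\r\nhello\r\n0\r\n\r\n"),
    "1.0, closed after headers": b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:28s} -> {classify(raw)}")
```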


Re: Exiting only port 80

2007-05-06 Thread Juliusz Chroboczek
 If I am right, wouldn't the majority of the tor user base be better
 served if a collection of exit nodes only exited port 80 and 443
 traffic?

 Please add port 22 (ssh).

 I think you sort of missed my point. I'm aware there are lots of
 protocols and ports used on tor and that they all need bandwidth.

As far as I understand you, you're trying to work out a traffic
engineering policy that will cause tor to work better for most people
while only impacting a minority.

Ssh doesn't use much bandwidth; what it needs is low latency and
stable servers.  So if you are setting up a fast stable tor server,
you'd be doing some people a favour by opening port 22.  Since ssh
uses negligible bandwidth, you won't be impacting web traffic at all.

Juliusz


Re: Exiting only port 80

2007-05-04 Thread Juliusz Chroboczek
 If I am right, wouldn't the majority of the tor user base be better
 served if a collection of exit nodes only exited port 80 and 443
 traffic?

Please add port 22 (ssh).

Juliusz


OT: French laws on data retention [was: We won't need Tor anymore]

2007-05-04 Thread Juliusz Chroboczek
 anybody who speaks German read this:
 http://www.heise.de/newsticker/meldung/89086

My German is next to nonexistent, but I understand it's about the data
retention provisions of the so-called LCEN law (« law about trust in
digital economy »), more precisely Art. 6 of law 2004-575 dated 21 June 2004:

  http://www.legifrance.gouv.fr/texteconsolide/PCEBX.htm

It's old news, unfortunately.  These laws were voted in June 2004 by
both ruling conservative parties (UMP and UDF), while the Socialist
and Green parties voted against them.

(Aside: there is a growing suspicion of an alliance between the ruling
UMP party and media companies, something that would appear to be
confirmed with the forcing through parliament of the infamous DADVSI
laws in December 2005 through June 2006 by Christian Vanneste, Renaud
Donnedieu de Vabres and Michèle Alliot-Marie, the latter being most
probably our next prime minister.  The position of the UDF party is
less clear, at least to me.  Aside ends.)

According to our best-beloved government, LCEN is merely the
transposition into French law of the European directive 2000/31/CE.
The critics of the laws claim that LCEN goes beyond what the directive
requires, but this might bear verifying.

The forthcoming electoral campaign for the French parliament might be
a good time to campaign for revising the LCEN law.  (If you're
a French citizen, writing to your député or main opposition candidate
is definitely a good idea.)

 The first thing before anything will be that Tor is outlawed.

My understanding is that the data retention provisions of LCEN
(Art. 6.II) only apply to service providers (as defined in Art. 6.I
paragraphs 1 and 2), so it's not clear to me whether Tor servers are
covered.

On the other hand, Tor hidden services are clearly made illegal by
Art. 6.III.  (Punishable by up to one year in jail and a E$65000 fine.)

Sorry for the off-topic post,

Juliusz


Re: Importance of HTTP connection keep-alive

2007-04-19 Thread Juliusz Chroboczek
 While such interesting configurations are uncommon, single HTTP/1.0
 front-end proxies do happen sometimes, so I'll increase serverSlots
 when speaking to such a site in the next version of Polipo.

This is done now.

Juliusz


Re: Importance of HTTP connection keep-alive

2007-04-19 Thread Juliusz Chroboczek
 (1) use a smaller timeout for idle connections;
 (2) shut down a connection after some number of
 serviced requests;
 (3) shut down a connection after it's been used
 for some time.

 I for one would like to see (1) and (3) implemented as
 I tend to agree with Roger.

Sigh.  Here I am, brain the size of a planet, and they're asking me to
implement timeouts.

I've done all three, for the paranoid among you.  Since I don't
believe in this particular threat, the default values are very large
for (2) and (3).  They're controlled by the following variables :

  (1) serverIdleTimeout, default 45 s;
  (2) maxConnectionRequests, default 400;
  (3) maxConnectionAge, default 21 m.

 Another possible anonymity threat is when a Tor user
 routing through Polipo passes the NEWNYM signal to
 Tor.  This signal makes Tor use a new (clean) circuit
 for new connections.

Ahem... you're expecting to get a new persona without flushing
Polipo's cache, your browser's cookies and your browser's cache?

 Could Polipo be made to listen for the NEWNYM signal
 passed to Tor?

There's no need for that -- whoever is sending the NEWNYM signal
should restart both the web browser and Polipo.

Juliusz


Re: Importance of HTTP connection keep-alive

2007-04-18 Thread Juliusz Chroboczek
 With http://www.kde.org/screenshots/:

So according to this test, this page downloads roughly two times
faster through Polipo/tor than through Privoxy/tor, right?

 I also tested with another website (http://www.spiegel.de/):

This test is not representative: this is an HTTP/1.0 site.  There are
fortunately very few of these left nowadays.

(Interesting that you should have chosen to test with this particular site.)

 Privoxy may have had a slight advantage here, because by removing
 three tracking pixels it had to do three requests less.

And notwithstanding the fact that you so carefully crafted this test
to advantage Privoxy, Polipo/tor was still 13% faster?

 It certainly looks like keep-alive's effects aren't big enough to
 guarantee faster web browsing through Tor, though.

I guess there's no point in continuing this discussion, then.

Juliusz


Re: Importance of HTTP connection keep-alive

2007-04-18 Thread Juliusz Chroboczek
[CC-ing polipo-users again]

 this is an HTTP/1.0 site.  There are fortunately very few of these
 left nowadays.

 What exactly is the problem with the site?  Watching the circuits in
 Vidalia I had the impression that Polipo used keep-alive.

HTTP/1.0 keepalives and HTTP/1.1 persistent connections are not quite
the same thing.  From memory, the limitations of HTTP/1.0 are

 - HTTP/1.0 kept-alive connections must be broken after every dynamic
   object;
 - pipelining is not allowed in HTTP/1.0;
 - HTTP/1.0 keepalives are not allowed when speaking to a proxy.

Polipo respects the first two limitations.  It doesn't respect the
third limitation, but instead plays a number of tricks that ensure
that it works with common HTTP/1.0 proxies (Squid, WWWOFFLE, Privoxy).

In order to be nice to the network, Polipo limits itself to
2 connections when speaking to a server that can do persistent
connections or keepalives.  This works fine when there are
opportunities for pipelining, but results in poor performance
otherwise.

You can customise the magic value 2 with the variable serverSlots.
I'd actually be very curious to see the results for your previous test
with serverSlots set to 5.  (I guess I should be more aggressive with
HTTP/1.0 servers by default; ideally, I'd like to work out a scheme
to tune serverSlots automatically depending on our traffic patterns.)

There's a paper about the tradeoffs involved on

  http://www.w3.org/Protocols/HTTP/Performance/Pipeline.html

 Can you name some other sites that you consider valid targets then?

There's no good answer to that, unfortunately, as there are so many
variables involved; I don't think there's a typical web site, there
are a few classes of web sites that I believe are typical, and that
Polipo should deal with pretty well.

The easiest case is an HTTP/1.1 web server with purely static content,
or dynamic content generated by people who knew what they were doing.
Unfortunately, such servers have been becoming rare as most sites have
moved to dynamic content generation.

The KDE site is what I believe is quite typical of a modern web site:
on the one hand the content is dynamically generated by crufty PHP
scripts (no useful validators are provided), but the HTTP is generated
by a fully HTTP/1.1 web server (Apache 2).  Polipo is slightly
suboptimal in such a case, but it should be reasonably good.

Another fairly common case is that of a mis-configured server that
doesn't do persistent connections at all -- for example
http://www.gnome.org/.  Polipo will notice that after a few requests,
and switch to using up to 8 connections to that server.  Unless
there's something really wrong in either Polipo or Privoxy,
performance should be roughly identical in the two implementations
(except for the effects of caching and range requests, of course).

The Spiegel.de web site that you tested against is actually an
interesting case.  It appears to be a bunch of typical PHP scripts (no
ETags) running on an HTTP/1.0 web server hidden behind no less than
two HTTP/1.0 front-end proxies (somebody is probably trying to do
load-balancing with a total budget of 12 pf. and an old button).
While such interesting configurations are uncommon, single HTTP/1.0
front-end proxies do happen sometimes, so I'll increase serverSlots
when speaking to such a site in the next version of Polipo.

Juliusz


Re: Importance of HTTP connection keep-alive

2007-04-18 Thread Juliusz Chroboczek
 Polipo/tor was still 13% faster?

 To which numbers are you referring here?

Sorry, I got confused.

 However if I understand you correctly, you're saying that
 I intentionally...

My apologies, I got carried away.

Juliusz


Re: Importance of HTTP connection keep-alive

2007-04-17 Thread Juliusz Chroboczek
Michael Gersten:

 getting keep-alive to work will help a lot with web browsing,

Fabian Keil:

 Is this an assumption or did you just forget to show your benchmarks
 to back this claim up?

I've just tested this by running

   wget -p http://www.kde.org/screenshots/

That's 87,607 bytes in 14 files -- a small page with a few images.
I'm using tor 0.1.2.8, Polipo 1.0.0, and, for the second series,
Polipo with the attached patch applied.

Polipo was run with no on-disk cache, and was restarted between every
two tests.  The test was run 5 times, and I alternated between the two
versions of Polipo, so there should be no correlation between a given
version and a particular tor circuit.

Average after removing outliers (smallest and largest value):

  Persistent: 33s
  Non-persistent: 61s

Average of all values:

  Persistent: 66s
  Non-persistent: 98s

All times (sorted):

  Persistent: 19 39 40 52 114
  Non-persistent: 44 61 91 92 107

Please feel free to repeat my tests and report the results on this list.

Juliusz

diff -rN -u old-polipo/server.c new-polipo/server.c
--- old-polipo/server.c 2007-04-18 01:01:39.0 +0200
+++ new-polipo/server.c 2007-04-18 01:01:39.0 +0200
@@ -1661,6 +1661,7 @@
 }
 }
 
+request-flags = ~REQUEST_PERSISTENT;
 n = snnprintf(connection-reqbuf, n, bufsize,
   \r\nConnection: %s\r\n\r\n,
   (request-flags  REQUEST_PERSISTENT) ? 
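Review bot: as it appears here, `request-flags = ~REQUEST_PERSISTENT;` is not a valid assignment (a subtraction is not an lvalue); the intended line is presumably `request->flags &= ~REQUEST_PERSISTENT;`, and the condition two lines below has likewise lost its `->` and `&` in transit. Beyond that, the hunk clears REQUEST_PERSISTENT unconditionally just before the `Connection:` header is formatted, so the ternary always emits the non-persistent form; that is exactly what the non-persistent benchmark series needs, but the line deserves a comment marking it as test-only, since merged as-is it would silently disable persistent connections for every request.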


Re: blog about tor and skype

2007-03-06 Thread Juliusz Chroboczek
 The problem is that Skype uses either UDP or TCP, depending on the
 situation. If it chooses TCP, Freecap will intercept it

Roger,

Would you agree that Tor should be able to tunnel UDP traffic too?
There's a /lot/ of UDP-based applications that it would make sense to
tunnel over tor.

Juliusz


Re: blog about tor and skype

2007-03-06 Thread Juliusz Chroboczek
 Would you agree that Tor should be able to tunnel UDP traffic too?

 One day I'd like to support this, yes. It's hard though:

 http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#TransportIPnotTCP

Forwarding raw IP is difficult, I agree.  But it's UDP I'd like you to forward.

Considering your list:

1. irrelevant for UDP.

2. let us application authors deal with it.

3. that's just (2) in disguise.

4. I'm not sure I understand this point.  You could just forward UDP
over TCP, as long as you make sure that the entry node discards
datagrams when there's congestion.  (This basically means making sure
that your writes to the tor socket are non-blocking.)

5. irrelevant for UDP.

6. irrelevant for UDP.

Juliusz


TTL expired?

2007-03-06 Thread Juliusz Chroboczek
I've just switched to 0.1.2.8, and when trying to access a hidden
service that doesn't exist, I'm getting SOCKS 5 error number 6
``TTL expired''.

That's a somewhat unexpected error -- I'd expect to get error 4 ``host
unreachable''.

Juliusz


Re: TTL expired?

2007-03-06 Thread Juliusz Chroboczek
 Is this a host unreachable case or a network unreachable case? As far as
 I can tell, the socks5 error messages are totally undocumented beyond
 the short phrase for each one.

It doesn't matter much in my case -- I'm just trying to ensure that
the user of Polipo gets an error message that makes sense.

 None of these fit the we timed out without even trying to make the
 connection case in Tor, but host unreachable and network unreachable
 seem closest.

What about defining a tor-specific extension to SOCKS that provides
both a user-readable error message instead of an error code?  I'd be
quite willing to implement support for that in Polipo, and I have no
doubt that so would the Privoxy people.

Juliusz


Re: PHP coder needs Tor details

2007-02-14 Thread Juliusz Chroboczek
 Actually Windows does exactly the same thing...

I'm sorry I have started this discussion, which is off-topic for this list.

My point is merely that giving user ``nobody'' access to tor's data is
a tragically bad idea.  This has nothing to do with Windows.

Juliusz


Re: tor proxy chain

2007-02-12 Thread Juliusz Chroboczek
 I've set up the proxy in firefox in order to connect to tor, and it
 works well, now I would like to do this:
 my_pc -> tor -> proxy_choosen_by_me:port -> www_page

The simplest way would be to set a proxy that can do that upstream of
tor.

my_pc -> my_proxy -> tor -> proxy_choosen_by_me:port -> www_page

With polipo, you do that by setting parentProxy to proxy_chosen_by_me,
and socksParentProxy to tor's address.

  http://www.pps.jussieu.fr/~jch/software/polipo/manual/Parent-proxies.html

I know that it can also be done with Privoxy, but someone else will
need to fill in the details.

Juliusz


Re: PHP coder needs Tor details

2007-02-12 Thread Juliusz Chroboczek
 To shorten... How do I allow nobody to utilize Tor (It can already
 do that but I must start it like a root and stop it like a root)

Please don't.

The very reason Unix is more secure than Windows is that Unix actively
uses the permission system to prevent insecure things like PHP from
munging the networking daemons.  By running PHP with higher
privileges, you'll make your Unix system just as insecure as Windows.

Juliusz



Re: Torbutton 1.0.5 release candidate

2006-11-23 Thread Juliusz Chroboczek
 I'm using custom proxy settings currently, because I'm using Polipo
 on port 8123.

You certainly know that, but I'll mention that you can run Polipo on
port 8118 by putting the following in your config file:

  proxyPort = 8118

OTOH, would it clutter torbutton's interface too much to have an
option ``use Polipo'' that switches everything to localhost:8123?  I'm
planning to release Polipo 1.0.0 before Christmas, so a SOCKS-capable
Polipo should hit the major Linux and BSD distributions in the next
months.

(Yes, that does mean that I do need more people testing.  Hint, hint.)

Juliusz


Re: Tor with ssh port forwarding

2006-09-29 Thread Juliusz Chroboczek
 1.  Run squid on your machine at home (say on port 3128)

Don't do that.  Squid will add the ``X-Forwarded-For'' header, and
hence leak your IP.

Instead of Squid, you should run either Privoxy or Polipo.

Juliusz


Re: Tor with ssh port forwarding

2006-09-29 Thread Juliusz Chroboczek
 1.  Run squid on your machine at home (say on port 3128)

 Don't do that.  Squid will add the ``X-Forwarded-For'' header, and
 hence leak your IP.

 #  TAG: forwarded_for   on|off

Ah, sorry, I didn't know that.

Juliusz


Re: Earthlink's broken DNS affecting Tor nodes?

2006-09-06 Thread Juliusz Chroboczek
 Alternatively, you can use OpenDNS's servers. See www.opendns.com.
 OpenDNS is very easy (just use their IP addresses), and quite fast.

I'm not sure I like their privacy policy:

« Other than to its employees, contractors and affiliated
« organizations, as described above, OpenDNS discloses potentially
« personally-identifying and personally-identifying information only
« when required to do so by law, court order, or when OpenDNS believes
« in good faith that disclosure is reasonably necessary to protect the
« property or rights of OpenDNS, third parties or the public at large. »

Remember that your DNS resolver can collect the complete list of
websites you visit.

Juliusz


Re: Attn: Nick or Roger: An offer to enable you to release Widows builds

2006-09-06 Thread Juliusz Chroboczek
 The past two versions of Tor (v.0.1.1.23 and v.0.1.2.1-alpha) have
 taken awhile to be built/released for Windows (the latter still is
 MIA).  I know this is because you guys don't have a Windows box

FWIW, I don't have a Windows box either, and use the Mingw cross-compiler
to build Windows binaries of Polipo.

Of course, this makes testing tricky...

Juliusz



Re: Polipo web proxy

2006-08-23 Thread Juliusz Chroboczek
 On Wed, Aug 23, 2006 at 03:02:48AM +0200, Juliusz Chroboczek wrote:
  6) Polipo writes your hostname in every request. Either define proxyName
  to something else, or set [d]isableVia = true in your config file.

 This cannot be stressed enough.  Unfortunately, use of Via is a MUST
 according to RFC 2616 (it's not completely useless -- Polipo uses it
 to detect proxy loops).

 So if you want to follow the RFC, would it be adequate to use the
 pseudonym polipo in each case?

That's a somewhat radical approach to proxy loop avoidance ;-)

(It would disallow chaining proxies, and chaining proxies is a
somewhat common usage scenario -- when evading firewalls, or when
trying to work around a lossy wireless link.)

I guess I'll just make disableVia the default, and give up on my
policy of conforming by default.  People who actually care about loop
avoidance can enable it manually.

Juliusz
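
To make the trade-off in this message concrete, here is an added example (not Polipo's code) of the two things a proxy does with the Via header under RFC 2616 section 14.45: refuse a request whose Via already carries its own received-by token (loop detection), and append its own token before forwarding. It also shows why a single shared pseudonym such as `polipo` breaks chaining: two honest proxies with the same token look exactly like a loop. The proxy names `hop-a`, `hop-b` and the sample Via values are made up for the example; the hostname printed in the default case is just `socket.gethostname()` of the machine running it.

```python
"""Via-header handling for a forward proxy (added example, not Polipo's
code).  Follows RFC 2616 section 14.45: each proxy appends
"<protocol-version> <received-by> [(comment)]" to Via, and a proxy that
finds its own received-by token already present has detected a loop.
The proxy names used below ("polipo", "hop-a", ...) are made up.
"""
import socket


class ProxyLoop(Exception):
    """Raised when the request has already passed through this proxy."""


def split_via(value):
    """Split a Via value on commas that are not inside a (comment)."""
    items, cur, depth = [], [], 0
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth = max(0, depth - 1)
        if ch == "," and depth == 0:
            items.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    items.append("".join(cur))
    return [i.strip() for i in items if i.strip()]


def parse_via(value):
    """Return [(protocol_version, received_by, comment_or_None), ...].
    Malformed entries (fewer than two tokens) are skipped, not fatal."""
    entries = []
    for item in split_via(value or ""):
        comment = None
        if "(" in item:
            item, comment = item.split("(", 1)
            comment = comment.rstrip(")").strip()
        parts = item.split()
        if len(parts) >= 2:
            entries.append((parts[0], parts[1], comment))
    return entries


def forward_via(incoming, received_by, software=None, version="1.1"):
    """Compute the Via value to send upstream, or raise ProxyLoop.

    `received_by` is what Polipo's proxyName controls: the real hostname
    by default, or any pseudonym you choose.  Comparison is
    case-insensitive because host names are."""
    entries = parse_via(incoming)
    if any(by.lower() == received_by.lower() for _, by, _ in entries):
        raise ProxyLoop(f"token {received_by!r} already present in Via")
    ours = f"{version} {received_by}"
    if software:
        ours += f" ({software})"
    return ", ".join(split_via(incoming or "") + [ours])


def run_chain(received_by_names, incoming=None):
    """Pass one request through proxies in order; return the final Via."""
    via = incoming
    for name in received_by_names:
        via = forward_via(via, name)
    return via


if __name__ == "__main__":
    # Conforming default: the machine's hostname goes on the wire.
    print("hostname leak:", forward_via(None, socket.gethostname()))
    # Per-proxy pseudonyms: still loop-detectable, no hostname revealed.
    print("pseudonyms:   ", run_chain(["hop-a", "hop-b"]))
    # A real loop, a -> b -> a, is caught at the third hop.
    try:
        run_chain(["hop-a", "hop-b", "hop-a"])
    except ProxyLoop as e:
        print("loop caught:  ", e)
    # Everyone using the same pseudonym: two honest proxies in a chain
    # are indistinguishable from a loop, so the second one refuses.
    try:
        run_chain(["polipo", "polipo"])
    except ProxyLoop as e:
        print("false loop:   ", e)
```

Disabling Via altogether (the `disableVia` route taken in the message above) is the third option: nothing is revealed, and nothing is detected, so a misconfigured chain that loops back on itself is only stopped by a hop limit or a timeout.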


Polipo-20060823 native Windows binary

2006-08-23 Thread Juliusz Chroboczek
Hi all,

I've put an experimental native Windows binary of Polipo in

  http://www.pps.jussieu.fr/~jch/software/files/polipo/polipo-20060823.exe
  http://www.pps.jussieu.fr/~jch/software/files/polipo/polipo-20060823.exe.asc

This is still very experimental; for serious use, I still recommend
using the Cygwin binary.

Unlike the previous Windows binary, this version has support for
tunnelling (https proxying) and SOCKS, which should make it usable
with tor.  A number of features are still disabled, notably the
asynchronous resolver and the on-disk cache.  (Dan! help!)

There are a number of other issues, notably error reporting (you'll
see a lot of ``unknown error'' messages).

This binary has never seen a real Windows system (I test under Linux
with a Windows emulator -- sorry, but I don't have a Windows machine),
and I'd be very grateful for feedback from Windows users.

Juliusz

