Re: Re: Re: Bridges and China (new thread)
Dare, congratulations. :-)

sincerely,
frank
2010-05-27

- sender: Dare
sending date: 2010-05-27 15:20:59
receiver: or-talk
cc:
subject: Re: Re: Bridges and China (new thread)

I am using the 3rd party http proxy now, and stop the proxy when tor starts up successfully. So I can use tor now.

On 2010-05-27 12:36 PM, frank for.tor.bri...@gmail.com wrote:

hi, andrew

##You will need an http proxy for doing GET requests to fetch the Tor directory,
##and you will need an https proxy for doing CONNECT requests to get to Tor relays.
##(It's fine if they're the same proxy.)
#HttpProxy IP:port
#HttpsProxy IP:port

my question: why not put the tor directory server in https mode too?

sincerely,
frank
2010-05-27

- sender: andrew
sending date: 2010-05-27 11:42:55
receiver: or-talk
cc:
subject: Re: Bridges and China (new thread)

On Thu, May 27, 2010 at 11:21:50AM +0800, for.tor.bri...@gmail.com wrote 2.7K bytes in 67 lines about:
: I've been told if you search on baidu, you can find such bridge addresses.
: bridge addresses are being released by blog posts, BBS posts, qq, and ads on taobao.
: then bad guys can get and block them too through baidu searching,
: and more, qq is totally under control of bad guys, we can't trust qq, believe me, I know the truth.

The point of releasing the bridge addresses this way is to see how long it takes to go from public publishing to blocking in the GFW.

: Tor supports 3rd party http/https proxies
: could you kindly tell me how to use tor above 3rd party https/http proxies? what's the config?

There are two ways to do this, through Vidalia or editing your torrc. In Vidalia, go to Settings, Network, and click I use a proxy to access the Internet, then enter your proxy details. In torrc, see https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TorFAQ#MyInternetconnectionrequiresanHTTPproxy .
--
Andrew Lewman
The Tor Project
pgp 0x31B0974B

Website: https://www.torproject.org/
Blog: https://blog.torproject.org/
Identi.ca: torproject

*** To unsubscribe, send an e-mail to majord...@torproject.org with
unsubscribe or-talk in the body. http://archives.seul.org/or/talk/

-- Dare
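The torrc comment quoted above states the rule this thread keeps circling: an http proxy covers the directory GETs, an https proxy covers the CONNECT requests to relays (and bridges), and the two may be the same host. The checker below is an added example, not code from this thread or from the Tor Project; it parses a torrc and reports configurations that break that rule. The option names HttpProxy, HttpsProxy, UseBridges and Bridge are real torrc options; the sample torrc, including the 192.0.2.x / 198.51.100.x addresses, is constructed for the example and points at nothing real.

```python
"""Sanity-check the proxy and bridge lines of a torrc.

Added example (not from the or-talk thread or the Tor Project). It encodes
the rule quoted in the thread: HttpProxy serves directory GETs, HttpsProxy
serves CONNECT to relays/bridges, so HttpProxy alone leaves relay/bridge
connections unproxied. The sample torrc is constructed; the addresses are
documentation ranges, not real proxies or bridges.
"""
import re

# Constructed torrc mirroring the commented template quoted in the thread,
# with the proxy lines uncommented and one bridge line added.
SAMPLE_TORRC = """\
## You will need an http proxy for doing GET requests to fetch the Tor directory,
## and you will need an https proxy for doing CONNECT requests to get to Tor relays.
## (It's fine if they're the same proxy.)
HttpProxy 192.0.2.10:3128
HttpsProxy 192.0.2.10:3128
UseBridges 1
Bridge 198.51.100.7:443
"""

# host:port where host is a bare name/IPv4 or a bracketed IPv6 literal
HOSTPORT_RE = re.compile(r"^(?P<host>\[[0-9a-fA-F:]+\]|[^\s:]+):(?P<port>\d{1,5})$")


def parse_torrc(text):
    """Return (option, value) pairs, skipping blank lines and # comments."""
    options = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        options.append((key, value.strip()))
    return options


def valid_hostport(value):
    """True for host:port with a port in 1..65535."""
    m = HOSTPORT_RE.match(value)
    return bool(m) and 1 <= int(m.group("port")) <= 65535


def check_torrc(text):
    """Return human-readable problems; an empty list means the proxy/bridge
    section is consistent with the rule quoted in the thread."""
    values, bridges = {}, []
    for key, value in parse_torrc(text):
        if key == "Bridge":
            bridges.append(value)
        else:
            values[key] = value

    problems = []
    for opt in ("HttpProxy", "HttpsProxy"):
        if opt in values and not valid_hostport(values[opt]):
            problems.append(f"{opt} is not host:port: {values[opt]!r}")

    # Directory GETs go through HttpProxy, but CONNECT to relays/bridges only
    # goes through HttpsProxy; setting just the former is the mistake the
    # thread describes (the TLS side then bypasses the proxy).
    if "HttpProxy" in values and "HttpsProxy" not in values:
        problems.append("HttpProxy set without HttpsProxy: CONNECT to relays/bridges will bypass the proxy")

    if bridges and values.get("UseBridges") != "1":
        problems.append("Bridge lines present but UseBridges is not 1; they will be ignored")
    if values.get("UseBridges") == "1" and not bridges:
        problems.append("UseBridges 1 but no Bridge lines configured")

    for b in bridges:
        # Historic form is "IP:port [fingerprint]"; newer Tor may put a
        # transport name first, so take the first token that has a colon.
        tokens = b.split()
        addr = tokens[0] if ":" in tokens[0] else (tokens[1] if len(tokens) > 1 else tokens[0])
        if not valid_hostport(addr):
            problems.append(f"Bridge address is not host:port: {addr!r}")
    return problems


if __name__ == "__main__":
    for problem in check_torrc(SAMPLE_TORRC) or ["torrc proxy/bridge settings look consistent"]:
        print(problem)
```

Run it against your own torrc by reading the file into `check_torrc`. The check is deliberately narrow: it only knows the relationship between the four options the thread discusses, and it cannot tell you whether the proxy or the bridge is actually reachable from where you sit.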
Re: Re: Re: Bridges and China (new thread)
thanks a lot for your kind help, andrew.

sincerely,
frank
2010-05-28

- sender: andrew
sending date: 2010-05-27 19:35:14
receiver: or-talk
cc:
subject: Re: Re: Bridges and China (new thread)

On Thu, May 27, 2010 at 12:36:51PM +0800, for.tor.bri...@gmail.com wrote 2.1K bytes in 57 lines about:
: why not put the tor directory server in https mode too?

Your client makes a 1-hop tunnel to the directory server if it needs to get the consensus file. You can read all about how Tor works by reading the spec files at https://gitweb.torproject.org/tor.git/tree/HEAD:/doc/spec

--
Andrew Lewman
The Tor Project
pgp 0x31B0974B

Website: https://www.torproject.org/
Blog: https://blog.torproject.org/
Identi.ca: torproject
Re: Re: Tor Exit Node hosting: torservers.net
屠申完美, the bridges are blocked, try to find some more bridges.

sincerely,
frank
2010-05-26

- sender: 屠申完美
sending date: 2010-05-26 12:27:14
receiver: or-talk
cc:
subject: Re: Tor Exit Node hosting: torservers.net

Dear all,

My tor has an error, this is the message log:

[Warning] Problem bootstrapping. Stuck at 10%: Finishing handshake with directory server. (Socket is not connected [WSAENOTCONN ]; NOROUTE; count 4; recommendation warn)

I have already set the bridges.

pls help me, thanks.
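The warning quoted in this message is the pattern frank is reading when he says the bridges are blocked: the client never gets past the handshake with its first hop, and Tor keeps retrying with a rising count. The script below is an added example, not code from this thread or from the Tor Project; it parses bootstrap progress and "Problem bootstrapping" lines and turns the last failure into a triage verdict. The log lines are constructed for the example (the "count 4" line is the one quoted above, the earlier counts are what Tor prints on the retries before it), and the verdict names and thresholds are my own, not Tor's.

```python
"""Triage Tor bootstrap log lines.

Added example (not from the or-talk thread or the Tor Project). Parses the
"Bootstrapped N%" progress lines and the "Problem bootstrapping. Stuck at
N%" warnings, then classifies the last failure. Verdict labels and the
thresholds FIRST_HOP_MAX_PCT / STUCK_ATTEMPTS are assumptions for the
example, not values defined by Tor.
"""
import re

BOOTSTRAP_RE = re.compile(
    r"\[(?P<level>\w+)\] Bootstrapped (?P<pct>\d+)%: (?P<phase>[^.]+)\."
)
STUCK_RE = re.compile(
    r"\[(?P<level>\w+)\] Problem bootstrapping\. Stuck at (?P<pct>\d+)%: "
    r"(?P<phase>[^.]+)\. \((?P<reason>[^;]+); (?P<code>[^;]+); "
    r"count (?P<count>\d+); recommendation (?P<rec>\w+)\)"
)

# Constructed sample: one progress line, then the retries leading up to the
# "count 4" warning quoted in the thread.
SAMPLE_LOG = [
    "[Notice] Bootstrapped 5%: Connecting to directory server.",
    "[Warning] Problem bootstrapping. Stuck at 10%: Finishing handshake with directory server. "
    "(Socket is not connected [WSAENOTCONN ]; NOROUTE; count 1; recommendation ignore)",
    "[Warning] Problem bootstrapping. Stuck at 10%: Finishing handshake with directory server. "
    "(Socket is not connected [WSAENOTCONN ]; NOROUTE; count 2; recommendation ignore)",
    "[Warning] Problem bootstrapping. Stuck at 10%: Finishing handshake with directory server. "
    "(Socket is not connected [WSAENOTCONN ]; NOROUTE; count 4; recommendation warn)",
]

# Progress at or below this percentage means the client has not yet
# completed a connection to its first hop (directory server, or the bridge
# when UseBridges is on), so the problem is reachability of that hop.
FIRST_HOP_MAX_PCT = 25
# Tor's own retry counter; by count 4 the quoted line has switched its
# recommendation to "warn", so treat that many failures as a stable verdict.
STUCK_ATTEMPTS = 4


def parse_line(line):
    """Return a dict for a progress or stuck line, or None for anything else.
    Uses search() so a leading timestamp in real log files is tolerated."""
    m = BOOTSTRAP_RE.search(line)
    if m:
        return {"kind": "progress", "pct": int(m.group("pct")), "phase": m.group("phase")}
    m = STUCK_RE.search(line)
    if m:
        return {
            "kind": "stuck",
            "pct": int(m.group("pct")),
            "phase": m.group("phase"),
            "reason": m.group("reason").strip(),
            "code": m.group("code"),
            "count": int(m.group("count")),
            "rec": m.group("rec"),
        }
    return None


def triage_bootstrap(lines):
    """Summarise a bootstrap log: furthest progress, where it got stuck,
    how many attempts, and a verdict label."""
    events = [e for e in map(parse_line, lines) if e]
    progress = [e["pct"] for e in events if e["kind"] == "progress"]
    stuck = [e for e in events if e["kind"] == "stuck"]
    result = {
        "max_progress": max(progress, default=0),
        "stuck_at": None,
        "stuck_phase": None,
        "attempts": 0,
        "verdict": "ok",
    }
    if result["max_progress"] >= 100:
        return result
    if not stuck:
        result["verdict"] = "incomplete"  # no failure recorded yet
        return result
    last = stuck[-1]  # the latest warning carries the current retry count
    result.update(stuck_at=last["pct"], stuck_phase=last["phase"],
                  attempts=last["count"], reason=last["reason"])
    if last["count"] < STUCK_ATTEMPTS:
        result["verdict"] = "retrying"
    elif last["pct"] <= FIRST_HOP_MAX_PCT:
        result["verdict"] = "first-hop-unreachable"
    else:
        result["verdict"] = "later-phase-failure"
    return result


if __name__ == "__main__":
    for key, value in triage_bootstrap(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

With bridges configured, as in this message, the first hop is the bridge itself, so a `first-hop-unreachable` verdict on a "Finishing handshake with directory server" phase is exactly the situation frank answers with "try to find some more bridges": the client cannot even complete a TLS handshake with the addresses it has. The same verdict can also come from a wrong HttpsProxy setting or a local firewall, so check those before concluding the bridge addresses are blocked.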
Re: Re: problem with bridges and a suggestion
dear andrew,

I tried to reach directory server with the following config:

#use a https proxy to reach directory server
HttpProxy IP:port

but it doesn't work, does the directory server not support https proxy?

my suggestion:
1. let the directory server support https proxy, so that tor clients could reach it through a hidden https proxy;
2. the directory server tests the reachability from some relays to the requesting tor clients, then sends back to tor clients a merely enough number of relays reachable by the requesting tor clients;
3. in order to accomplish step 2, you have to set up some mechanics for relays to actively test reachability from them to tor clients.

hope I can help.

sincerely,
frank
2010-05-26

- sender: andrew
sending date: 2010-05-25 19:52:05
receiver: or-talk
cc:
subject: Re: problem with bridges and a suggestion

On Tue, May 25, 2010 at 05:18:44PM +0800, for.tor.bri...@gmail.com wrote 1.3K bytes in 36 lines about:
: china is blocking TOR more and more strict,
: I can't establish a TOR circuit even I updated bridges in config file
: of torrc with info retrieved from https://bridges.torproject.org and
: email replies from brid...@torproject.org.

Correct. We are aware of this.

: this morning, I got some new bridges through a hidden https proxy and
: established a TOR circuit, but after some time, I lost the connection
: and couldn't establish a TOR circuit any more.

Can you send debug logs to tor-assista...@torproject.org with what happens when your client tries to connect to the bridges?

: from my knowledge to china's blocking methods, I believe they found my
: newly got bridges through network traffic protocol analysis, and
: blocked them.

This is unlikely. In our experience, they are merely blocking IP:Port combinations.

: use a general protocol for TOR clients to interact with bridges, so
: that they can't distinguish the traffic between TOR clients and
: bridges,
: so that they can't find new bridges got through private ways.

Tor traffic through bridges vs. public relays is the same. There is not a special bridge connection. See https://www.torproject.org/faq#RelayOrBridge, also that text needs to be updated to reflect China's uniqueness in filtering Tor public relays.

: the general protocol could be https which is encryption protected;

It is already. What may be unique is we start the connection with a TLS renegotiation. This is probably starting to stand out as unique now that OpenSSL decided that everyone used renegotiation incorrectly and almost all operating systems have erroneously disabled this functionality by default. See https://www.torproject.org/faq#KeyManagement

: the general protocol could be plain http, if you can encode its
: content dynamically and privately, and don't make it display any
: fingerprints.

Then someone can read your traffic. Hiding in plain sight sounds good on paper, but doesn't stand up to academic research, so far. See https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TorFAQ#YoushouldusesteganographytohideTortraffic.

--
Andrew Lewman
The Tor Project
pgp 0x31B0974B

Website: https://www.torproject.org/
Blog: https://blog.torproject.org/
Identi.ca: torproject
Re: Re: problem with bridges and a suggestion
Steve, thanks a lot, steve, you got my points totally! I can't express my points very clearly, I'm not a native english speaker. :-(

sincerely,
frank
2010-05-27

- sender: Stephen Carpenter
sending date: 2010-05-27 00:01:47
receiver: or-talk
cc:
subject: Re: problem with bridges and a suggestion

On Tue, May 25, 2010 at 7:51 AM, and...@torproject.org wrote:

On Tue, May 25, 2010 at 05:18:44PM +0800, for.tor.bri...@gmail.com wrote 1.3K bytes in 36 lines about:
: this morning, I got some new bridges through a hidden https proxy and
: established a TOR circuit, but after some time, I lost the connection
: and couldn't establish a TOR circuit any more.

Can you send debug logs to tor-assista...@torproject.org with what happens when your client tries to connect to the bridges?

: from my knowledge to china's blocking methods, I believe they found my
: newly got bridges through network traffic protocol analysis, and
: blocked them.

This is unlikely. In our experience, they are merely blocking IP:Port combinations.

The question though is... how do they find them? Sure, you can get the directory list, scrape the common bridge lists. However... this pretty quickly is just Whack a Mole. You have to imagine that they are smart enough to figure that a person who was using tor yesterday is probably looking for a new bridge today. Once you know who, even if it's a small subset, is using tor, and smart enough to find bridges as you shut them down, well... it wouldn't be hard to watch them, and identify which connections of theirs are bridges, and then push out new block lists.

Even if I can't prove that your connection from port x to port y is a tor connection, I can still connect to the same remote port and negotiate an ssl connection myself and verify if it's a bridge. Hell, it could be automated. It may not be 100%, but it doesn't really need to be. It's not like you need all the users all the time, just enough to raise the bar and cut down the numbers.

: use a general protocol for TOR clients to interact with bridges, so
: that they can't distinguish the traffic between TOR clients and
: bridges,
: so that they can't find new bridges got through private ways.

Tor traffic through bridges vs. public relays is the same. There is not a special bridge connection. See https://www.torproject.org/faq#RelayOrBridge, also that text needs to be updated to reflect China's uniqueness in filtering Tor public relays.

: the general protocol could be https which is encryption protected;

It is already. What may be unique is we start the connection with a TLS renegotiation. This is probably starting to stand out as unique now that OpenSSL decided that everyone used renegotiation incorrectly and almost all operating systems have erroneously disabled this functionality by default. See https://www.torproject.org/faq#KeyManagement

Perhaps other ways of hiding it are needed. As it is, it would be trivial to connect via ssl and verify if a machine talks onion router. It might be harder if there were multiple protocol paths into it. What if I connect on port 25 and get a normal mail server, then start tls from within protocol and use a command to switch to onion routing. I connect on port 636 and it's ldap first. 993 and it's IMAP over ssl. Perhaps the secret command to initiate the protocol could be part of the bridge description?

-Steve
Re: Bridges and China (new thread)
hi, andrew,

I've been told if you search on baidu, you can find such bridge addresses. bridge addresses are being released by blog posts, BBS posts, qq, and ads on taobao. then bad guys can get and block them too through baidu searching, and more, qq is totally under control of bad guys, we can't trust qq, believe me, I know the truth.

Tor supports 3rd party http/https proxies

could you kindly tell me how to use tor above 3rd party https/http proxies? what's the config?

sincerely,
frank
2010-05-27

- sender: andrew
sending date: 2010-05-26 23:07:04
receiver: or-talk
cc:
subject: Bridges and China (new thread)

Rather than continue to hijack the old thread, here's a new one about bridges and china.

I'm fully aware the GFW seems to have successfully crawled https://bridges.torproject.org and added all of those bridges into their blocking regime. The email distribution method, brid...@torproject.org, may also have been crawled and added to the blocking regime.

There are still 3 other pools of bridge addresses, one of which is held in reserve. It seems the other two methods are continuing to work, as a paltry 5000 connections from China still can access Tor daily. This is vastly smaller than the 100,000 or so we used to get.

The other methods of obtaining bridges are slower and more viral. They use social networking technologies like twitter and qq to distribute bridge addresses. I've been told if you search on baidu, you can find such bridge addresses. And until now, they still work. We've given some addresses to trusted networks inside China. What they do with the bridges is up to them. I've heard some bridge addresses are being released by blog posts, BBS posts, qq, and ads on taobao.

I'm assuming the admins of the GFW read or-talk in some fashion. They are doing their job and we're doing ours.

Conversely, Tor supports 3rd party http/https proxies. Many people use Tor because they want the privacy aspects of it, not just the ability to circumvent a firewall. You can use the 3rd party http/https proxy as the access layer around the blocking system, and then to tor.

This is an arms race, we're working on next steps in it.

--
Andrew Lewman
The Tor Project
pgp 0x31B0974B

Website: https://www.torproject.org/
Blog: https://blog.torproject.org/
Identi.ca: torproject
Re: Re: problem with bridges and a suggestion
hi steve,

: Perhaps other ways of hiding it are needed. As it is, it would be trivial to connect via ssl and verify if a machine talks onion router. It might be harder if there were multiple protocol paths into it. What if I connect on port 25 and get a normal mail server, then start tls from within protocol and use a command to switch to onion routing. I connect on port 636 and it's ldap first. 993 and it's IMAP over ssl.

that's it! to use a general protocol even like udp 53 to act as a tunnel for tor negotiation traffic.

sincerely,
frank
2010-05-27

- sender: Stephen Carpenter
sending date: 2010-05-27 00:01:47
receiver: or-talk
cc:
subject: Re: problem with bridges and a suggestion

On Tue, May 25, 2010 at 7:51 AM, and...@torproject.org wrote:

On Tue, May 25, 2010 at 05:18:44PM +0800, for.tor.bri...@gmail.com wrote 1.3K bytes in 36 lines about:
: this morning, I got some new bridges through a hidden https proxy and
: established a TOR circuit, but after some time, I lost the connection
: and couldn't establish a TOR circuit any more.

Can you send debug logs to tor-assista...@torproject.org with what happens when your client tries to connect to the bridges?

: from my knowledge to china's blocking methods, I believe they found my
: newly got bridges through network traffic protocol analysis, and
: blocked them.

This is unlikely. In our experience, they are merely blocking IP:Port combinations.

The question though is... how do they find them? Sure, you can get the directory list, scrape the common bridge lists. However... this pretty quickly is just Whack a Mole. You have to imagine that they are smart enough to figure that a person who was using tor yesterday is probably looking for a new bridge today. Once you know who, even if it's a small subset, is using tor, and smart enough to find bridges as you shut them down, well... it wouldn't be hard to watch them, and identify which connections of theirs are bridges, and then push out new block lists.

Even if I can't prove that your connection from port x to port y is a tor connection, I can still connect to the same remote port and negotiate an ssl connection myself and verify if it's a bridge. Hell, it could be automated. It may not be 100%, but it doesn't really need to be. It's not like you need all the users all the time, just enough to raise the bar and cut down the numbers.

: use a general protocol for TOR clients to interact with bridges, so
: that they can't distinguish the traffic between TOR clients and
: bridges,
: so that they can't find new bridges got through private ways.

Tor traffic through bridges vs. public relays is the same. There is not a special bridge connection. See https://www.torproject.org/faq#RelayOrBridge, also that text needs to be updated to reflect China's uniqueness in filtering Tor public relays.

: the general protocol could be https which is encryption protected;

It is already. What may be unique is we start the connection with a TLS renegotiation. This is probably starting to stand out as unique now that OpenSSL decided that everyone used renegotiation incorrectly and almost all operating systems have erroneously disabled this functionality by default. See https://www.torproject.org/faq#KeyManagement

Perhaps other ways of hiding it are needed. As it is, it would be trivial to connect via ssl and verify if a machine talks onion router. It might be harder if there were multiple protocol paths into it. What if I connect on port 25 and get a normal mail server, then start tls from within protocol and use a command to switch to onion routing. I connect on port 636 and it's ldap first. 993 and it's IMAP over ssl. Perhaps the secret command to initiate the protocol could be part of the bridge description?

-Steve
Re: Re: Bridges and China (new thread)
hi andrew,

thanks a lot for your prompt reply.

: In torrc, see https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TorFAQ#MyInternetconnectionrequiresanHTTPproxy.

ok, got it, I prefer this way, thanks a lot.

sincerely,
frank
2010-05-27

- sender: andrew
sending date: 2010-05-27 11:42:55
receiver: or-talk
cc:
subject: Re: Bridges and China (new thread)

On Thu, May 27, 2010 at 11:21:50AM +0800, for.tor.bri...@gmail.com wrote 2.7K bytes in 67 lines about:
: I've been told if you search on baidu, you can find such bridge addresses.
: bridge addresses are being released by blog posts, BBS posts, qq, and ads on taobao.
: then bad guys can get and block them too through baidu searching,
: and more, qq is totally under control of bad guys, we can't trust qq, believe me, I know the truth.

The point of releasing the bridge addresses this way is to see how long it takes to go from public publishing to blocking in the GFW.

: Tor supports 3rd party http/https proxies
: could you kindly tell me how to use tor above 3rd party https/http proxies? what's the config?

There are two ways to do this, through Vidalia or editing your torrc. In Vidalia, go to Settings, Network, and click I use a proxy to access the Internet, then enter your proxy details. In torrc, see https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TorFAQ#MyInternetconnectionrequiresanHTTPproxy.

--
Andrew Lewman
The Tor Project
pgp 0x31B0974B

Website: https://www.torproject.org/
Blog: https://blog.torproject.org/
Identi.ca: torproject
Re: Re: Bridges and China (new thread)
hi, andrew

##You will need an http proxy for doing GET requests to fetch the Tor directory,
##and you will need an https proxy for doing CONNECT requests to get to Tor relays.
##(It's fine if they're the same proxy.)
#HttpProxy IP:port
#HttpsProxy IP:port

my question: why not put the tor directory server in https mode too?

sincerely,
frank
2010-05-27

- sender: andrew
sending date: 2010-05-27 11:42:55
receiver: or-talk
cc:
subject: Re: Bridges and China (new thread)

On Thu, May 27, 2010 at 11:21:50AM +0800, for.tor.bri...@gmail.com wrote 2.7K bytes in 67 lines about:
: I've been told if you search on baidu, you can find such bridge addresses.
: bridge addresses are being released by blog posts, BBS posts, qq, and ads on taobao.
: then bad guys can get and block them too through baidu searching,
: and more, qq is totally under control of bad guys, we can't trust qq, believe me, I know the truth.

The point of releasing the bridge addresses this way is to see how long it takes to go from public publishing to blocking in the GFW.

: Tor supports 3rd party http/https proxies
: could you kindly tell me how to use tor above 3rd party https/http proxies? what's the config?

There are two ways to do this, through Vidalia or editing your torrc. In Vidalia, go to Settings, Network, and click I use a proxy to access the Internet, then enter your proxy details. In torrc, see https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TorFAQ#MyInternetconnectionrequiresanHTTPproxy.

--
Andrew Lewman
The Tor Project
pgp 0x31B0974B

Website: https://www.torproject.org/
Blog: https://blog.torproject.org/
Identi.ca: torproject