Re: [tor-dev] Request for feedback/victims: cfc-0.0.2

2016-04-03 Thread Yawning Angel
On Sat, 2 Apr 2016 18:14:26 -0400
Ian Goldberg wrote:

> On Sat, Apr 02, 2016 at 07:19:30PM +, Yawning Angel wrote:
> > It's not a request header set by the browser.  archive.is is acting
> > like a HTTP proxy and explicitly setting X-F-F.  
> 
> I wonder what would happen if the browser *also* set X-F-F...?

Unfortunately, it appears that archive.is tramples over X-F-F if it is
already set.  Maybe others will have better luck engaging with the
operator(s) of archive.is than I have.

Regards,

-- 
Yawning Angel


___
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev


Re: [tor-dev] Request for feedback/victims: cfc-0.0.2

2016-04-01 Thread Yawning Angel
On Fri, 01 Apr 2016 18:21:10 +0200
Jeff Burdges wrote:

> Are there any more sites where CloudFlare appears on archive.is?
> 
> https://www.aei.org/publication/gen-michael-hayden-on-apple-the-fbi-and-data-encryption/
> https://archive.is/7u5P8
>
> It's some particularly harsh CloudFlare configuration perhaps? 

Without knowing how archive.is works, and how CloudFlare works, it's
hard to tell.

Since archive.is sets "X-Forwarded-For", it's not particularly hard to
figure out if a Tor user is the one requesting a snapshot.  I requested
a new snapshot and the captcha error page in the archive shows the
IP of my exit, so part of the CloudFlare infrastructure at least
peeks at the header.

I'll probably add support for other (user-configurable?) cached content
providers when I have time.  The archive.is person doesn't seem to want
to respond to e-mail, so asking them to optionally not set X-F-F seems
like it'll go absolutely nowhere.

Regards,

-- 
Yawning Angel
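
An added example, not part of the original messages and not cfc's code, modelling the X-Forwarded-For behaviour discussed in this thread: what an origin attributes a snapshot request to when the fetching proxy overwrites, appends to, or omits the header. The function names, the policy names and all addresses (RFC 5737 documentation ranges) are constructed; "append" and "omit" are illustrative alternatives, not observed behaviour of any service.

```javascript
// Added illustration; policy names and all addresses are constructed.
const EXIT_IP = "192.0.2.44";     // stands in for the Tor exit the proxy sees as its peer
const PROXY_IP = "198.51.100.7";  // stands in for the fetching proxy's own address

// Build the headers a fetching proxy sends to the origin.
// policy: "overwrite" (behaviour reported in the thread), "append" (common
// proxy convention), or "omit" (the option the thread wanted to ask for).
function outboundHeaders(requestHeaders, peerIp, policy) {
  const out = {};
  for (const [k, v] of Object.entries(requestHeaders)) out[k.toLowerCase()] = v;
  const prior = out["x-forwarded-for"];
  if (policy === "overwrite") out["x-forwarded-for"] = peerIp;
  else if (policy === "append") out["x-forwarded-for"] = prior ? `${prior}, ${peerIp}` : peerIp;
  else if (policy === "omit") delete out["x-forwarded-for"];
  else throw new Error(`unknown policy: ${policy}`);
  return out;
}

// What an origin or CDN edge concludes about the requester.
// trustedHops = number of right-most X-F-F entries written by proxies it trusts.
function attributedClient(headers, connectingIp, trustedHops) {
  const xff = headers["x-forwarded-for"];
  if (!xff || trustedHops === 0) return connectingIp;
  const chain = xff.split(",").map((s) => s.trim()).filter(Boolean);
  const idx = chain.length - trustedHops;
  return idx >= 0 ? chain[idx] : chain[0];
}

// Run the four cases: no preset header, and a browser-supplied preset value.
function demo() {
  const plain = { "User-Agent": "example" };
  const preset = { "X-Forwarded-For": "203.0.113.9" }; // browser-supplied value
  const seen = (h, policy) =>
    attributedClient(outboundHeaders(h, EXIT_IP, policy), PROXY_IP, 1);
  return {
    overwrite: seen(plain, "overwrite"),
    overwritePreset: seen(preset, "overwrite"),
    appendPreset: seen(preset, "append"),
    omit: seen(plain, "omit"),
  };
}

console.log(demo());
```

In every case except "omit" the origin attributes the request to the exit address, including when the browser supplies its own header value; only a proxy that leaves the header out makes the request look like it came from the proxy itself.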




Re: [tor-dev] Request for feedback/victims: cfc-0.0.2

2016-03-30 Thread Jeff Burdges

I'm impressed with how much nicer the web gets with this. Thank you
Yawning!  :) 

On Sun, 2016-03-27 at 06:12 +, Yawning Angel wrote:

>* (QoL) Skip useless landing pages (github.com/twitter.com will be
>  auto-redirected to the "search" pages).

Ahh that's why that happened.  lol

>* (Privacy) Kill twitter's outbound link tracking (t.co URLs) by
>  rewriting the DOM to go to the actual URL when possible.  Since
>  DOM changes made from content scripts are isolated from page
>  scripts, this shouldn't substantially alter behavior.

Nice!

> TODO:
> 
>  * Try to figure out a way to mitigate the ability for archive.is to
>    track you.  The IFRAME based approach might work here, needs more
>    investigation.

Interesting point.

>  * Handle custom CloudFlare captcha pages (In general my philosophy is
>    to minimize false positives, over avoiding false negatives).
>    Looking at the regexes in dcf's post, disabling the title check may
>    be all that's needed.

I've noticed some hiccups with medium on the auto mode, like say
https://medium.com/@octskyward/the-resolution-of-the-bitcoin-experiment-dabb30201f7
It sometimes works if you hit refresh though.

>  * Look into adding a "contact site owner" button as suggested by Jeff
>    Burdges et al (Difficult?).

Just noticed this minimalist whois client in node.js:
https://github.com/carlospaulino/node-whoisclient/blob/master/index.js

>  * Support a user specified "always use archive.is for these sites"
>    list.
> 
>  * UI improvements.

A task bar icon might find several uses:
- A "View this page through archive.is" button for when CFC misses a
CAPTCHA, or even if the CAPTCHA is not CloudFlare.
- A "contact site button" that worked even after passing to archive.is.
- A "Give me the CAPTCHA" button for those who configure CFC to
automatically load archive.is.  

I'm using another browser profile for this last point currently.  In
fact, it fit perfectly into my existing pattern of browser profiles.
Yet, browser profiles are not user-friendly, especially in TBB, so this
would benefit people who do not use profiles. 

Wonderful extension!
Jeff






Re: [tor-dev] Request for feedback/victims: cfc-0.0.2

2016-03-29 Thread Jens Kubieziel
* Yawning Angel wrote on 2016-03-27 at 08:12:
>* (QoL) Skip useless landing pages (github.com/twitter.com will be
>  auto-redirected to the "search" pages).

When you're logged into Twitter, https://twitter.com/ shows you your
stream of tweets. With the current version, a user can't see its own
stream anymore. Can you redirect to the search page only for
non-logged-in users?

-- 
Jens Kubieziel   http://www.kubieziel.de
21 is only half the truth

