Re: [tor-dev] Request for feedback/victims: cfc-0.0.2
On Sat, 2 Apr 2016 18:14:26 -0400 Ian Goldberg wrote:

> On Sat, Apr 02, 2016 at 07:19:30PM +, Yawning Angel wrote:
> > It's not a request header set by the browser. archive.is is acting
> > like a HTTP proxy and explicitly setting X-F-F.
>
> I wonder what would happen if the browser *also* set X-F-F...?

Unfortunately, it appears that archive.is tramples over X-F-F if it is
already set.

Maybe others will have better luck engaging with the operator(s) of
archive.is than I have.

Regards,

--
Yawning Angel

___
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Re: [tor-dev] Request for feedback/victims: cfc-0.0.2
On Fri, 01 Apr 2016 18:21:10 +0200 Jeff Burdges wrote:

> Are there any more sites where CloudFlare appears on archive.is?
>
> https://www.aei.org/publication/gen-michael-hayden-on-apple-the-fbi-and-data-encryption/
> https://archive.is/7u5P8
>
> It's some particularly harsh CloudFlare configuration perhaps?

Without knowing how archive.is works, and how CloudFlare works, it's
hard to tell.

Since archive.is sets "X-Forwarded-For", it's not particularly hard to
figure out if a Tor user is the one requesting a snapshot. I requested
a new snapshot and the captcha error page in the archive shows the IP
of my exit, so part of the CloudFlare infrastructure at least peeks at
the header.

I'll probably add support for other (user-configurable?) cached content
providers when I have time. The archive.is person doesn't seem to want
to respond to e-mail, so asking them to optionally not set X-F-F, seems
like it'll go absolutely nowhere.

Regards,

--
Yawning Angel

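The X-Forwarded-For handling discussed in the message above, and in the follow-up about a browser that also sets X-F-F, as an added example that is not part of the original thread and is not code from cfc or archive.is. The function names, policy names and IP addresses are constructed, and the rule that the upstream trusts the left-most X-F-F entry is an assumption, not a statement of how CloudFlare works.

```javascript
// Added example: models how a fetch-on-behalf proxy can treat X-Forwarded-For.
// Policy names and all IP addresses are constructed for illustration.
const POLICIES = ["overwrite", "append", "omit"];

// Build the headers the proxy sends upstream for a request from clientIp.
function proxyRequestHeaders(incoming, clientIp, policy) {
  if (!POLICIES.includes(policy)) throw new Error("unknown policy: " + policy);
  const out = {};
  let prior = null;
  for (const [name, value] of Object.entries(incoming)) {
    // Header names are case-insensitive; pull out any client-supplied X-F-F.
    if (name.toLowerCase() === "x-forwarded-for") prior = value;
    else out[name] = value;
  }
  if (policy === "overwrite") {
    // Behaviour reported in the thread: a client-set value is trampled.
    out["X-Forwarded-For"] = clientIp;
  } else if (policy === "append") {
    // Conventional chaining: keep the prior hops, add the connecting peer.
    out["X-Forwarded-For"] = prior ? prior + ", " + clientIp : clientIp;
  }
  // "omit": send no X-F-F at all, so upstream only sees the proxy's address.
  return out;
}

// Assumption: the upstream attributes the request to the left-most X-F-F
// entry, falling back to the TCP peer when the header is absent.
function attributedClient(headers, peerIp) {
  const xff = headers["X-Forwarded-For"];
  if (!xff) return peerIp;
  return xff.split(",")[0].trim();
}

// Constructed sample: a Tor user (exit 198.51.100.7) asks the proxy
// (203.0.113.10) for a snapshot and pre-sets X-F-F to 192.0.2.1.
function demo() {
  const incoming = { "User-Agent": "example", "x-forwarded-for": "192.0.2.1" };
  const result = {};
  for (const policy of POLICIES) {
    const sent = proxyRequestHeaders(incoming, "198.51.100.7", policy);
    result[policy] = attributedClient(sent, "203.0.113.10");
  }
  return result;
}

console.log(demo());
```

Only the "omit" policy keeps the exit address away from the upstream; with "overwrite" the exit is always what the upstream sees, whatever the client sent.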
Re: [tor-dev] Request for feedback/victims: cfc-0.0.2
I'm impressed with how much nicer the web gets with this. Thank you
Yawning! :)

On Sun, 2016-03-27 at 06:12 +, Yawning Angel wrote:
>  * (QoL) Skip useless landing pages (github.com/twitter.com will be
>    auto-redirected to the "search" pages).

Ahh that's why that happened. lol

>  * (Privacy) Kill twitter's outbound link tracking (t.co URLs) by
>    rewriting the DOM to go to the actual URL when possible. Since
>    DOM changes made from content scripts are isolated from page
>    scripts, this shouldn't substantially alter behavior.

Nice!

> TODO:
>
>  * Try to figure out a way to mitigate the ability for archive.is to
>    track you. The IFRAME based approach might work here, needs more
>    investigation.

Interesting point.

>  * Handle custom CloudFlare captcha pages (In general my philosophy is
>    to minimize false positives, over avoiding false negatives).
>    Looking at the regexes in dcf's post, disabling the title check may
>    be all that's needed.

I've noticed some hiccups with medium on the auto mode, like say
https://medium.com/@octskyward/the-resolution-of-the-bitcoin-experiment-dabb30201f7
It sometimes works if you hit refresh though.

>  * Look into adding a "contact site owner" button as suggested by Jeff
>    Burdges et al (Difficult?).

Just noticed this minimalist whois client in node.js :
https://github.com/carlospaulino/node-whoisclient/blob/master/index.js

>  * Support a user specified "always use archive.is for these sites"
>    list.
>
>  * UI improvements.

A task bar icon might find several uses:

- A "View this page through archive.is" button for when CFC misses a
  CAPTCHA, or even if the CAPTCHA is not CloudFlare.
- A "contact site button" that worked even after passing to archive.is.
- A "Give me the CAPTCHA" button for those who configure CFC to
  automatically load archive.is.

I'm using another browser profile for this last point currently. In
fact, it fit perfectly into my existing pattern of browser profiles.
Yet, browser profiles are not user-friendly, especially in TBB, so this
would benefit people who do not use profiles.

Wonderful extension!

Jeff

Re: [tor-dev] Request for feedback/victims: cfc-0.0.2
* Yawning Angel wrote on 2016-03-27 at 08:12:
>  * (QoL) Skip useless landing pages (github.com/twitter.com will be
>    auto-redirected to the "search" pages).

When you're logged into Twitter, https://twitter.com/ shows you your
stream of tweets. With the current version, a user can't see their own
stream anymore. Can you redirect to the search page only for
non-logged-in users?

--
Jens Kubieziel http://www.kubieziel.de
21 is only half the truth