Re: [tor-relays] Relay configuration for FreedomBox

2014-03-19 Thread Lance Hathaway


On 18/03/2014 7:59 PM, James Valleroy wrote:
> Do you see any vulnerabilities, attacks, or risks with the current
> configuration, and are there any changes that you would recommend?
>
> [1] https://wiki.debian.org/FreedomBox
> [2] https://www.torproject.org/docs/bridges#RunningABridge

If you're going to be running these as bridges, it seems to make sense
to include obfsproxy support, probably with obfs3 and scramblesuit [0]
enabled right off the bat.

Note that scramblesuit requires tor 0.2.5.1 or higher [1], and
obfsproxy should be at 0.2.7 or higher [3].

Lines to add to the torrc:
1. ServerTransportPlugin obfs3,scramblesuit exec /usr/bin/obfsproxy managed ([0])
2. ServerTransportListenAddr obfs3 0.0.0.0:<port number> (if you want to preset your obfs3 port, will be random otherwise) ([3])
3. ServerTransportListenAddr scramblesuit 0.0.0.0:<port number> (if you want to preset your scramblesuit port, will be random otherwise) ([3])
4. ExtORPort auto (used internally between tor and obfsproxy, does not need to be forwarded externally, so auto should be fine) ([4])

If I'm giving bad advice, somebody please speak up to correct me!

 -Lance


[0] https://lists.torproject.org/pipermail/tor-relays/2014-February/003886.html
[1] https://lists.torproject.org/pipermail/tor-relays/2014-February/003898.html
[2] https://lists.torproject.org/pipermail/tor-relays/2014-March/004074.html
[3] https://www.torproject.org/projects/obfsproxy-debian-instructions.html.en
[4] https://lists.torproject.org/pipermail/tor-relays/2014-February/003962.html
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
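
A lint for the torrc lines listed in the message above, as an added example that is not part of the original post or of the Tor or FreedomBox code: it checks that each ServerTransportListenAddr names a declared transport and a usable port, that ExtORPort is set, and that the version floors stated in the message are met. The function names, sample ports and version strings are assumptions, and the installed versions are supplied by the caller.

```python
import re

# Version floors as stated in the message above.
MIN_TOR_FOR_SCRAMBLESUIT = (0, 2, 5, 1)
MIN_OBFSPROXY = (0, 2, 7)

def parse_version(text):
    """'0.2.5.1-alpha' -> (0, 2, 5, 1); only the leading dotted number counts."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    return tuple(int(p) for p in m.group(0).split("."))

def parse_torrc(text):
    """Map lower-cased option name -> list of argument strings (comments dropped)."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts:
            opts.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return opts

def check_bridge_torrc(text, tor_version, obfsproxy_version):
    """Return a list of findings; an empty list means every check passed."""
    opts, findings, transports = parse_torrc(text), [], set()
    for value in opts.get("servertransportplugin", []):
        for names in value.split(None, 1)[:1]:
            transports.update(n for n in names.split(",") if n)
    if not transports:
        findings.append("no ServerTransportPlugin line: no pluggable transport offered")
    if "extorport" not in opts:
        findings.append("ExtORPort is not set")
    for value in opts.get("servertransportlistenaddr", []):
        name, addr = (value.split(None, 1) + ["", ""])[:2]
        port = addr.strip().rpartition(":")[2]
        if name not in transports:
            findings.append(f"listen address for undeclared transport {name!r}")
        if not (re.fullmatch(r"\d{1,5}", port) and 1 <= int(port) <= 65535):
            findings.append(f"{name}: listen port {port!r} is not a number in 1-65535")
    if "scramblesuit" in transports and parse_version(tor_version) < MIN_TOR_FOR_SCRAMBLESUIT:
        findings.append("scramblesuit needs tor 0.2.5.1 or higher")
    if transports and parse_version(obfsproxy_version) < MIN_OBFSPROXY:
        findings.append("obfsproxy should be 0.2.7 or higher")
    return findings

# Constructed sample: the four lines from the message, with made-up ports.
SAMPLE_TORRC = """\
ServerTransportPlugin obfs3,scramblesuit exec /usr/bin/obfsproxy managed
ServerTransportListenAddr obfs3 0.0.0.0:40872
ServerTransportListenAddr scramblesuit 0.0.0.0:40873
ExtORPort auto
"""
```

An unfilled `<port number>` placeholder or a listen address for a transport missing from ServerTransportPlugin is reported as a finding.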


Re: [tor-relays] Exiting only port 8333

2014-03-19 Thread David Serrano
On 2014-03-18 21:20:37 (+0100), Mike Hearn wrote:
>
> The globe page for my node shows exit probability: 0 so I guess I'm
> indeed not being sent any.

I saw that in my initial "some ports allowed but no Exit flag" period too. So
I guess it's actually "exit probability to 80/443/6667 destinations".


-- 
 David Serrano
 GnuPG id: 280A01F9




[tor-relays] Exit node re-writing PKI certificates?

2014-03-19 Thread Iggy
Hey all,

I use an email account from riseup.net, which I usually access via
Thunderbird, running on a linux machine.

My Thunderbird is configured to check mail via TOR.

Earlier tonight I got a certificate warning message from thunderbird,
saying that mail.riseup.net:465 was presenting a certificate that had
been issued to cab.cabinethardwareparts.com on 03-01-2014, and expiring
on 03-01-2015.  Oddity among oddities, this does not match the issue
dates of the other certificate reported below.

Whois returns no match for cabinethardwareparts.com

When I mentioned this on a Riseup IRC channel, I was told that there had
previously (02-28-2014) been a help ticket from a riseup mail user,
accessing their account via TOR, who had a certificate error involving a
certificate issued to the same domain.

So, I guess I just wanted to alert you all to the fact that this is
happening.  I'm not sure what it means.

Is the exit node in question pointing my traffic at somewhere other than
mail.riseup.net:465?

Is the exit node re-writing the traffic to include the bad certificate?
 If so, why?  If part of a MITM scheme, why not use a certificate issued
to mall.riseup.net or mail.riseop.net, or something else less obvious
than cab.cabinethardwareparts.com?

I am more curious than anything, and any thoughts are appreciated.

I'll paste the details from the previous help ticket below, since they
actually captured more details about the bad certificate than I did.



Kind Regards,

-Iggy



=-=-=-=-==-=-==-=-
PASTED TEXT BEGINS
=-=-==-=-=-=-=--=-

Hi there wonderful riseup birds,

Today I was attempting to send a GPG'd email to another riseup.net user
but thunderbird flagged that a suspicious certificate was being served
whose address did not match riseup.net.

Its common name was: cab.cabinethardwareparts.com
Serial 01:E3:94:E1:BD
issued on: 05/03/13
expires: 05/03/14
organization: unknown
The key was:

Modulus (2048 bits):

Exponent (24 bits):
65537

=-=-=-=-==-=-==-=-
PASTED TEXT ENDS
=-=-==-=-=-=-=--=-







Re: [tor-relays] Exit node re-writing PKI certificates?

2014-03-19 Thread Iggy
I am assuming there is no way to tell this now, after the fact?

-iggy

On 03/19/2014 11:08 PM, Zack Weinberg wrote:
> Really useful to know at this point would be the complete suspicious
> certificate (which would e.g. tell us who signed it) and the exit node
> in use.
 


Re: [tor-relays] Why would consensus weight would be declining like this?

2014-03-19 Thread Tora Tora Tora

Anyone? Several days ago, both relays had roughly the same consensus weight.


On 03/18/2014 05:02 PM, Tora Tora Tora wrote:

Declining dramatically

https://atlas.torproject.org/#details/90743CFA1B93295B9334CC0C625D22990AABA25F


vs

https://atlas.torproject.org/#details/CC2F7C6ED12B67CB3882B98213E02DEF2CB82293


that is holding steady
