Re: [tor-talk] New Tool Keeps Censors in the Dark - mentions Tor.

2011-08-07 Thread Jimmy Richardson



On 8/8/2011 12:48 AM, Joe Btfsplk wrote:

On 8/6/2011 10:56 AM, Jimmy Richardson wrote:

This won't work well seeing Google is already kicked out of China.

Exactly.
You lost me at "If google were to..."  Google & privacy is the 
definition of an oxymoron.  They're way down the list of 
organizations many users would want having any role in some anonymity 
endeavor.




This is not about privacy, it's about anti-censorship, and Google is 
a good resource in terms of anti-censorship.
How so - other than not wanting their corporation to be censored?  Do 
they have a record of refusing to give data to gov'ts?


Google AppEngine provides a platform which can be used to run your own 
proxy servers for free, Gtalk supports XMPP which can also be used to 
circumvent censorship.




Privacy, anonymity & anti-censorship seem interrelated.  Anonymity 
implies privacy.


I don't think there is a direct relationship, the two concerns 
(privacy/anonymity and anti-censorship) can be separated. They only come 
together in some use cases, for example if you want to speak up against 
the censoring government; but in a lot of other use cases they are 
unrelated, for example if the user just wants to view a video totally 
unrelated to politics on youtube.


  Google is in business to make money, not promote anti-censorship or 
free speech.  Censoring them cuts into their earnings, so yes, they 
are against censorship - * involving their corporation. *


True, but I don't see anything wrong with this, we can leverage their 
desire for profit for other purposes.


  IMO, if I lived in a country where my life or possible imprisonment 
depended on internet anonymity / security, I wouldn't trust Google to 
keep me safe.  I'm quite sure other entities eventually could provide 
some service / method to access banned sites, w/o $ being the main 
objective.


I think we may have different assumptions here. You're assuming the user 
may face imprisonment if they break the censorship and access blocked 
content, my assumption is the censoring government will not bother to 
catch people who circumvent censorship as long as they don't actively go 
against the government.




Forget Telex or Tor for the moment.  Eventually, individuals or groups 
have always found an "underground" way around censorship (if they 
wanted to) during wars, etc., sans the internet.  The answer to avoid 
censorship may not involve the internet at all.


Yes, but internet has some huge advantage over other methods, that is 
why censoring governments are afraid of it.


  Ultimately, passing or accessing censored or what gov'ts consider 
subversive info * through any ISP,* that keeps records & is legally 
bound to cooperate w/ govt's doesn't seem like the best idea.  I 
wouldn't go to the NSA's office to have a secret phone conversation.  
Just my opinion.


No, it's certainly not the best idea, but life doesn't always give you 
the best tool for the job, sometimes you just have to use whatever is handy.



___
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk




Re: [tor-talk] Designing a secure "Tor box" for safe web browsing?

2011-08-07 Thread Håken Hveem
On Sun, 7 Aug 2011 23:29:21 +0200
Robin Kipp wrote:

> Hi Gozu-san,
> thanks for the links! They seem like good starting points for such a
> project. Such a box would be, when designed and fully configured, a
> good and stable way for people wanting to give their machines secure
> www access. Other than the software config, I could also imagine
> certain hardware precautions that could be made. For example, such a
> device could, in theory, come with a static ROM that contains the
> software in a way which can't be altered. The dynamic info required
> to run Tor could then be stored in a RAM (e.g. directory / circuit
> info, logs, etc) and would be discarded immediately once the device
> is disconnected from the power source. The advantage of such a setup
> would be that it wouldn't store more data than required for sure.
> However, I guess updating Tor, or any other packages, would be
> impossible in that case. Still, I do like the idea of having a black
> box that takes care of anon web resource access and privacy control.
> Guess I'll keep researching and working on this, and see what I come
> up with! If anyone would like to help, suggest ideas or thinks this
> would be total nonsense, please let me know! I'm new to working on
> such projects and have some general ideas at the moment, so this is
> also kind of exciting for me. Robin

take a look at:
http://isprins.blogspot.com/2011/03/excitos-b3-and-tor.html
http://forum.excito.net/viewtopic.php?f=9&t=2898
The software upgrade with tor included is coming soon.



-- 
PGP KEY ID 2D22D97B
Håken Hveem
Norway



Re: [tor-talk] Hijacking Advertising to give a Tor Exit node economic sustainability?

2011-08-07 Thread Fabio Pietrosanti (naif)
On 8/7/11 10:02 PM, Jim wrote:
> IMNSHO, as far as "official discussion" (at least as "official" as this
> mailing list ;-) goes, the answer to the question of it being an
> acceptable idea dictates whether it even makes sense to consider
> spreadsheets.  Of course, doing any kind of arbitrary spreadsheet
> analysis, purely for private amusement, is up to the individual!

I made some brief analysis and it seems to be more complicated for the
following reasons:

a) Not all advertising is served with a dedicated DNS hostname

For example facebook serve it on http://facebook.com domain.

b) It's not easy to catch all URL and to modify content without breaking
everything

Implementing a transparent proxy server for exit traffic only, without
breaking tor traffic would require such feature we discussed some time
ago:
https://lists.torproject.org/pipermail/tor-talk/2011-March/thread.html#19765

However i am now making a 1 week collection of dns query and url requests.
After would check that lists against adzap and other ad filtering
software that include list of hostname, urls and pattern.

That way we can use an advertising blocking software to check how many
ad traffic was here.

So we will have some numbers, purely for private amusement, to be used
for calculation into a spreadsheet to be shared.

> 
> As far as I am concerned, if such hijacking did not immediately lead to
> bad exit designations, then Tor would no longer be suitable for anything
> w/o end-to-end encryption.  (Of course, some feel it already is
> unsuitable for clear text ... :-)

I do very often proposal that could lead to 'bad exit designations' :P

-naif


Re: [tor-talk] Designing a secure "Tor box" for safe web browsing?

2011-08-07 Thread Robin Kipp
Hi Gozu-san,
thanks for the links! They seem like good starting points for such a project. 
Such a box would be, when designed and fully configured, a good and stable way 
for people wanting to give their machines secure www access. Other than the 
software config, I could also imagine certain hardware precautions that could 
be made. For example, such a device could, in theory, come with a static ROM 
that contains the software in a way which can't be altered. The dynamic info 
required to run Tor could then be stored in a RAM (e.g. directory / circuit 
info, logs, etc) and would be discarded immediately once the device is 
disconnected from the power source. The advantage of such a setup would be that 
it wouldn't store more data than required for sure. However, I guess updating 
Tor, or any other packages, would be impossible in that case. Still, I do like 
the idea of having a black box that takes care of anon web resource access and 
privacy control. Guess I'll keep researching and working on this, and see what 
I come up with! If anyone would like to help, suggest ideas 
or thinks this would be total nonsense, please let me know! I'm new to working 
on such projects and have some general ideas at the moment, so this is also 
kind of exciting for me.
Robin


Re: [tor-talk] Designing a secure "Tor box" for safe web browsing?

2011-08-07 Thread Gozu-san
As the router for a VirtualBox internal network, ra's Tor gateway VM
does basically what you describe.  You could route
that to a physical NIC on the host.  Or you could replicate the setup in
a Soekris etc box.  JanusVM might also work for
you.  Basically, it's a VM running Tor that you access through an
OpenVPN tunnel.

On 07/08/11 12:47, Robin Kipp wrote:

> Hi all,
> so, I've been browsing the web using Tor for some time now, and I have to say 
> that, at least with the circuit I am currently using, I'm quite impressed 
> with the performance, especially since I'm only connected through a 3g ap at 
> the moment! So, I've had a look around the Torproject site and reading up on 
> how it all works and what safeguarding should be performed in order to stay 
> secure. So, I was thinking, how could I get all the systems that are part of 
> my own home network to access the web securely and anonymously? Well, I came 
> up with the following idea, and since some of you guys may have tried this, 
> was wondering if this would be practicable:
> on my network, all devices are behind a hardware firewall that performs NAT 
> and packet filtering for viruses and other malicious stuff (UTM). The 
> firewall acts as the DHCP within the network, and its WAN port is connected 
> to my router which only handles internet connections. So far for my current 
> network topology. Now, I was thinking of adding another gateway here. My idea 
> was to take an embedded PC (e.g. a Soekris box) and installing a distribution 
> such as Debian on its memory. Then, a DHCP could first be set up on this box. 
> Using iptables, network interface routing could be configured, so that 
> traffic arriving at the LAN network interfaces would be routed to one exit 
> point, the WAN interface. So, at this stage, the DHCP on the Debian machine 
> would assign IPs to clients connected to the LAN ports, and all traffic 
> arriving at these ports would be redirected to one port which would be the 
> WAN. Now, this box could, for example, be connected in between the firewall 
> and the router. So, the firewall would receive an IP from the Debian box, and all network 
> clients would still be behind the firewall. So then, when a client wants to 
> access the internet, it would first go through the firewall, from the 
> firewall to the Debian box and from there to the router and the web. Now, the 
> Debian box would have to route all connections through the Tor network. I 
> guess Polipo could be set up on the Debian box so that it will route all 
> outgoing connections through the Tor network. In this case, all traffic 
> passing through the box would be anonymized on the fly. However, some other 
> steps would have to be taken. For example, I guess it would be wise to 
> implement functionality such as offered by the SSL Everywhere Firefox 
> extension, so that SSL would automatically be enabled on as many sites as 
> possible. Also, it probably would be better to configure Polipo to reject any 
> Cookies, Java Applets, Flash and anything else that could compromise 
> security. As such limitations would also limit "comfortable" browsing, I guess various modes could be 
> designed, such as a safe mode (fully anonymized), a restrictive mode (not 
> everything is blocked, thus potential security risks exist) and a 
> non-restrictive mode (all traffic is routed through Tor, however no packet 
> filtering is performed - most convenient but also most insecure). Also, both 
> safe and restrictive mode could perform things such as browser-header 
> obfuscation, geo-data obfuscation, etc. Sure, such concepts would probably 
> take some time and work in order to make everything work. Therefore, I 
> wondered if someone might be working on such a task already and if not, if 
> this would be a project which would make sense, and which would be worth 
> putting some effort into. I guess my idea probably isn't new to most people 
> dealing with Tor and secure networking, but I'm wondering if such a platform 
> already exists. I definitely will be working on this once I get back home, as 
> I think such an undertake would be quite useful to me personally!
> Robin


Re: [tor-talk] Hijacking Advertising to give a Tor Exit node economic sustainability?

2011-08-07 Thread Jim
Fabio Pietrosanti (naif) wrote:
> So i am not pointing out if "it's good to do it or not" but if it would
> be "feasible or not" and in which proportion .
> 
> Let's make some hobbyist study on it and evaluate how 'an adv based tor
> sustainability model' would work on a spreadsheet :-)

IMNSHO, as far as "official discussion" (at least as "official" as this
mailing list ;-) goes, the answer to the question of it being an
acceptable idea dictates whether it even makes sense to consider
spreadsheets.  Of course, doing any kind of arbitrary spreadsheet
analysis, purely for private amusement, is up to the individual!

As far as I am concerned, if such hijacking did not immediately lead to
bad exit designations, then Tor would no longer be suitable for anything
w/o end-to-end encryption.  (Of course, some feel it already is
unsuitable for clear text ... :-)

Jim


Re: [tor-talk] New Tool Keeps Censors in the Dark - mentions Tor.

2011-08-07 Thread Joe Btfsplk

On 8/6/2011 10:56 AM, Jimmy Richardson wrote:

This won't work well seeing Google is already kicked out of China.

Exactly.
You lost me at "If google were to..."  Google & privacy is the 
definition of an oxymoron.  They're way down the list of organizations 
many users would want having any role in some anonymity endeavor.




This is not about privacy, it's about anti-censorship, and Google is a 
good resource in terms of anti-censorship.
How so - other than not wanting their corporation to be censored?  Do 
they have a record of refusing to give data to gov'ts?


Privacy, anonymity & anti-censorship seem interrelated.  Anonymity 
implies privacy.  Google is in business to make money, not promote 
anti-censorship or free speech.  Censoring them cuts into their 
earnings, so yes, they are against censorship - * involving their 
corporation. *  IMO, if I lived in a country where my life or possible 
imprisonment depended on internet anonymity / security, I wouldn't trust 
Google to keep me safe.  I'm quite sure other entities eventually could 
provide some service / method to access banned sites, w/o $ being the 
main objective.


Forget Telex or Tor for the moment.  Eventually, individuals or groups 
have always found an "underground" way around censorship (if they wanted 
to) during wars, etc., sans the internet.  The answer to avoid 
censorship may not involve the internet at all.  Ultimately, passing or 
accessing censored or what gov'ts consider subversive info * through any 
ISP,* that keeps records & is legally bound to cooperate w/ govt's 
doesn't seem like the best idea.  I wouldn't go to the NSA's office to 
have a secret phone conversation.  Just my opinion.



Re: [tor-talk] Hijacking Advertising to give a Tor Exit node economic sustainability?

2011-08-07 Thread Fabio Pietrosanti (naif)
On 8/7/11 3:11 PM, Moritz Bartl wrote:
> Hi Fabio,
> 
> Before you (or someone else) start to even think about hijacking
> traffic, which is against mostly everything the Tor project stands for,
> apply or help us apply for grants. There is a large number of grants a
> Tor exit node operator, especially if it's an officially registered
> non-profit organization like ours, could apply for. We just don't do so
> at the moment for lack of time.

I agree, but the premise of that thread was that this approach could:
a) leverage ethical and legal issues
b) could be unfeasible

So i am not pointing out if "it's good to do it or not" but if it would
be "feasible or not" and in which proportion .

Let's make some hobbyist study on it and evaluate how 'an adv based tor
sustainability model' would work on a spreadsheet :-)

At least to know the hypothetical cost/return ratio:
With 100GB of tor traffic, how much GB of additional Tor traffic you
could buy?

-naif

p.s. see you at ccc camp, i am at Italian Embassy in front of French Embassy


Re: [tor-talk] Hijacking Advertising to give a Tor Exit node economic sustainability?

2011-08-07 Thread Moritz Bartl
Hi Fabio,

Before you (or someone else) start to even think about hijacking
traffic, which is against mostly everything the Tor project stands for,
apply or help us apply for grants. There is a large number of grants a
Tor exit node operator, especially if it's an officially registered
non-profit organization like ours, could apply for. We just don't do so
at the moment for lack of time.

Also, a model we at the moment don't announce widely: Offer
organizations and individuals to run a node for them with a name and
(R)DNS entry of their choosing. I could guess several NGOs would like to
see their names on a large node, but don't want to get involved in the
legal stuff.

Another way to go with Tor, as with most other open source projects:
Offer professional help and consulting; for example (try to) sell
private bridges or Torouters.

-- 
Moritz Bartl
https://www.torservers.net/


[tor-talk] Designing a secure "Tor box" for safe web browsing?

2011-08-07 Thread Robin Kipp
Hi all,
so, I've been browsing the web using Tor for some time now, and I have to say 
that, at least with the circuit I am currently using, I'm quite impressed with 
the performance, especially since I'm only connected through a 3g ap at the 
moment! So, I've had a look around the Torproject site and reading up on how it 
all works and what safeguarding should be performed in order to stay secure. 
So, I was thinking, how could I get all the systems that are part of my own 
home network to access the web securely and anonymously? Well, I came up with 
the following idea, and since some of you guys may have tried this, was 
wondering if this would be practicable:
on my network, all devices are behind a hardware firewall that performs NAT and 
packet filtering for viruses and other malicious stuff (UTM). The firewall acts 
as the DHCP within the network, and its WAN port is connected to my router 
which only handles internet connections. So far for my current network 
topology. Now, I was thinking of adding another gateway here. My idea was to 
take an embedded PC (e.g. a Soekris box) and installing a distribution such as 
Debian on its memory. Then, a DHCP could first be set up on this box. Using 
iptables, network interface routing could be configured, so that traffic 
arriving at the LAN network interfaces would be routed to one exit point, the 
WAN interface. So, at this stage, the DHCP on the Debian machine would assign 
IPs to clients connected to the LAN ports, and all traffic arriving at these 
ports would be redirected to one port which would be the WAN. Now, this box 
could, for example, be connected in between the firewall and the router. 
So, the firewall would receive an IP from the Debian box, and all network 
clients would still be behind the firewall. So then, when a client wants to 
access the internet, it would first go through the firewall, from the firewall 
to the Debian box and from there to the router and the web. Now, the Debian box 
would have to route all connections through the Tor network. I guess Polipo 
could be set up on the Debian box so that it will route all outgoing 
connections through the Tor network. In this case, all traffic passing through 
the box would be anonymized on the fly. However, some other steps would have to 
be taken. For example, I guess it would be wise to implement functionality such 
as offered by the SSL Everywhere Firefox extension, so that SSL would 
automatically be enabled on as many sites as possible. Also, it probably would 
be better to configure Polipo to reject any Cookies, Java Applets, Flash and 
anything else that could compromise security. As such limitations would 
also limit "comfortable" browsing, I guess various modes could be 
designed, such as a safe mode (fully anonymized), a restrictive mode (not 
everything is blocked, thus potential security risks exist) and a 
non-restrictive mode (all traffic is routed through Tor, however no packet 
filtering is performed - most convenient but also most insecure). Also, both 
safe and restrictive mode could perform things such as browser-header 
obfuscation, geo-data obfuscation, etc. Sure, such concepts would probably take 
some time and work in order to make everything work. Therefore, I wondered if 
someone might be working on such a task already and if not, if this would be a 
project which would make sense, and which would be worth putting some effort 
into. I guess my idea probably isn't new to most people dealing with Tor and 
secure networking, but I'm wondering if such a platform already exists. I 
definitely will be working on this once I get back home, as I think such an 
undertake would be quite useful to me personally!
Robin
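
The gateway proposed in this post only protects clients if nothing arriving on the LAN side can be forwarded to the WAN in the clear. The following is an added example, not code from the thread or from the Tor Project: it prints a torrc fragment and iptables rules that redirect LAN traffic into Tor's transparent listeners, and audits a rule list for bypass paths. The interface names `eth1` and `eth0`, the address `192.168.50.1` and the ports 9040 and 5353 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Prints a torrc fragment and iptables
# rules for a transparent Tor gateway, and audits a rule list for paths that
# would let LAN traffic reach the WAN without passing through Tor.
# LAN_IF, LAN_IP and both port numbers are assumed values.

LAN_IF="${LAN_IF:-eth1}"           # assumed: interface facing the firewall
LAN_IP="${LAN_IP:-192.168.50.1}"   # assumed: this box's address on LAN_IF
TRANS_PORT=9040                    # Tor TransPort: transparent TCP listener
DNS_PORT=5353                      # Tor DNSPort: resolves names through Tor

# Tor listens for redirected TCP and DNS on the LAN side only.
emit_torrc() {
    cat <<EOF
VirtualAddrNetworkIPv4 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort ${LAN_IP}:${TRANS_PORT}
DNSPort ${LAN_IP}:${DNS_PORT}
EOF
}

# Redirect DNS and every new TCP connection from the LAN into Tor. Nothing is
# forwarded: other UDP, ICMP and IPv6 traffic is dropped instead of leaving
# through the WAN interface unprotected.
emit_tor_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i ${LAN_IF} -p udp --dport 53 -j REDIRECT --to-ports ${DNS_PORT}
iptables -t nat -A PREROUTING -i ${LAN_IF} -p tcp --syn -j REDIRECT --to-ports ${TRANS_PORT}
iptables -P FORWARD DROP
ip6tables -P FORWARD DROP
EOF
}

# Constructed counter-example: ordinary LAN-to-WAN NAT (WAN interface eth0 is
# assumed). Clients that are not configured to use a proxy go out directly.
emit_nat_only_rules() {
    cat <<EOF
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i ${LAN_IF} -o eth0 -j ACCEPT
EOF
}

# Read rules on stdin; print one FAIL line per finding, return non-zero if any.
audit_rules() {
    rules=$(cat)
    findings=0
    has() { printf '%s\n' "$rules" | grep -Eq -e "$1"; }

    has '^iptables -P FORWARD DROP$' || {
        echo "FAIL: IPv4 FORWARD policy is not DROP"
        findings=$((findings + 1)); }
    has '^ip6tables -P FORWARD DROP$' || {
        echo "FAIL: IPv6 FORWARD policy is not DROP"
        findings=$((findings + 1)); }
    has "^iptables -t nat -A PREROUTING .*-p tcp .*-j REDIRECT --to-ports ${TRANS_PORT}\$" || {
        echo "FAIL: LAN TCP is not redirected to TransPort ${TRANS_PORT}"
        findings=$((findings + 1)); }
    has "^iptables -t nat -A PREROUTING .*-p udp --dport 53 .*-j REDIRECT --to-ports ${DNS_PORT}\$" || {
        echo "FAIL: LAN DNS is not redirected to DNSPort ${DNS_PORT}"
        findings=$((findings + 1)); }
    if has '-j (MASQUERADE|SNAT)|-A FORWARD .*-j ACCEPT'; then
        echo "FAIL: a NAT or FORWARD ACCEPT rule lets traffic bypass Tor"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Print the configuration, then audit both rule sets.
emit_torrc
emit_tor_rules
emit_tor_rules | audit_rules && echo "OK: no clear-text path from ${LAN_IF}"
emit_nat_only_rules | audit_rules || echo "NAT-only rule set rejected"
```

The rules are printed rather than applied, so the script can be reviewed and run without root.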


Re: [tor-talk] Connection / socket issues with Tor on Mac OS

2011-08-07 Thread Robin Kipp
Hi Geoff,
yes… That was exactly the problem! I falsely assumed that Polipo would 
automatically read the config file from that directory, but that obviously 
wasn't right. Now it's also clear why Vidalia worked whereas my shell commands 
didn't, as Vidalia perhaps calls Polipo with the right parameters. Well, sorry 
for this - this probably happens when you try to use software that you don't 
fully understand! :-)
Robin


Re: [tor-talk] Hijacking Advertising to give a Tor Exit node economic sustainability?

2011-08-07 Thread Fabio Pietrosanti (naif)
Well,

the advertising could be provided in several way:

a) Charity based advertisement
   Replace most ADV (facebook, google, linkedin, tom, baidu, etc) with
boxes inviting the user to provide donation to Tor Project, EFF or to a
specific Tor Servers project (such as torservers.net).

b) Automatic Tor Servers network billing/management
   An interesting way would be to ask for donation through paypal and
other electronic payment systems with the 'fees' going directly into an
account that is used to pay for Tor Servers.
   An automatic system would also be able to 'setup' new Tor Servers if
there is enough credit, or to shutdown Tor Servers if the monthly credit
is not enough.
   That way a proportional increase of Tor Traffic would allow automatic
setup of new Tor Servers, while a reduction of traffic would reduce the
number of Tor Servers (for example using Amazon EC2 or RackSpace Cloud
servers)

c) Referral based advertisement
   Replace most ADV (facebook, google, linkedin, tom, baidu, etc) with
promotion to buy goods and services related to Privacy and/or Freedom of
speech (Amazon's books, Disk encryption software, PC/Mac/Mobile Security
Suite).


Such approaches could avoid:
- The effort to 'recruit' publisher like Anchor Free is doing
- The problem of unique IP addresses of Tor Exit Nodes (that would
appear like a fraud to most)
- The problem of user profiling (the ADV would not be based on
User-Content-Behaviour, so it would not be a privacy invasion)

The hijacking could be done on the basis of DNS without parsing web
content. Tor has a DNS cache of 5 minutes, it could be lowered to manage
specifically that requests.

However it would be much more efficient if it would be done at least by
looking at the Language of the user, to serve ADV in the right user
language.

On my tor exit node i would like to reduce the Tor DNS cache from 5
minutes to 5 seconds and log all DNS requests to do proper ADV
capability profiling:

- Given sample of 100GB of Tor Exit Traffic how many ADV could be served
(by hijacking ADV providing url) ?

With such answer it would be possible at least to understand the
economical feasibility of it.

-naif

On 8/7/11 4:08 AM, Collin Anderson wrote:
> For whatever it's worth, this seems to be a common model for a number of
> free VPN and Glype-style Web-based providers, who cater to clients
> attempting to get around content filtering. I've been interested in the
> mechanics and economics of the approach, but haven't yet had time to do
> any investigation.
> 
> *CDA*


[tor-talk] Problem with Linux Version

2011-08-07 Thread kamyar fils
Hi all,
just DLed "Linux Bundle" version of TOR, when running bundle in my Linux,
getting "Unexpectedly error" and the following is generated log:

Aug 07 14:48:12.863 [Notice] Tor v0.2.2.30-rc (git-085c9754ccae6cae). This is experimental software. Do not rely on it for strong anonymity. (Running on Linux i686)
Aug 07 14:48:12.943 [Notice] Initialized libevent version 2.0.12-stable using method epoll. Good.
Aug 07 14:48:12.943 [Notice] Opening Socks listener on 127.0.0.1:9050
Aug 07 14:48:12.944 [Notice] Opening Control listener on 127.0.0.1:9051
Aug 07 14:48:12.944 [Warning] ./Data/Tor is not owned by this user (root, 0) but by  (2011). Perhaps you are running Tor as the wrong user?
Aug 07 14:48:12.944 [Warning] Failed to parse/validate config: Couldn't access/create private data directory "./Data/Tor"
Aug 07 14:48:12.945 [Error] Reading config failed--see warnings above.

Should i configure something especial in my "Vidalia" Settings or "Linux"
itself?

Your help would be greatly appreciated,
Best,
Kamyar
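
The warning in this log reports that Tor ran as uid 0 while `./Data/Tor` belongs to uid 2011, which is why the private data directory was rejected. The following is an added example, not part of the original post: it extracts that pair of uids from a Tor log and performs the same ownership comparison before Tor is started. The function names are hypothetical and the sample log is constructed from the lines quoted in the post.

```shell
#!/bin/sh
# Added example, not from the original post.

# Constructed sample: lines from the log above, each on one line.
sample_log() {
    cat <<'EOF'
Aug 07 14:48:12.944 [Notice] Opening Control listener on 127.0.0.1:9051
Aug 07 14:48:12.944 [Warning] ./Data/Tor is not owned by this user (root, 0) but by  (2011). Perhaps you are running Tor as the wrong user?
Aug 07 14:48:12.945 [Error] Reading config failed--see warnings above.
EOF
}

# Read a Tor log on stdin; for each ownership warning print
# "<directory> <uid Tor ran as> <uid owning the directory>".
# Directory names containing spaces are not handled.
parse_owner_warning() {
    sed -n 's/^.*\[[Ww]arn[a-z]*\] \(.*\) is not owned by this user ([^,]*, \([0-9]*\)) but by .* (\([0-9]*\))\..*$/\1 \2 \3/p'
}

# Numeric uid that owns a path (third field of `ls -n` output).
owner_uid() {
    ls -ldn -- "$1" | awk '{ print $3 }'
}

# check_datadir DIR [UID]: succeed only if DIR exists and is owned by UID
# (default: the uid this script runs as, which Tor would inherit).
check_datadir() {
    dir=$1
    run_uid=${2:-$(id -u)}
    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir"
        return 2
    fi
    dir_uid=$(owner_uid "$dir")
    if [ "$dir_uid" != "$run_uid" ]; then
        echo "owner mismatch: $dir belongs to uid $dir_uid, Tor would run as uid $run_uid"
        return 1
    fi
    echo "ok: $dir is owned by uid $run_uid"
}

# Show what the sample log says about the failed start.
sample_log | parse_owner_warning | while read -r log_dir log_run log_owner; do
    echo "log: Tor ran as uid $log_run, $log_dir is owned by uid $log_owner"
done
```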


Re: [tor-talk] reddit.com wants EFF to disable HTTPS???

2011-08-07 Thread Mike Perry
Uh, woops. Checked my tor inbox before checking my main inbox. The
main issue appears to be debugging CDN support for HTTPS for all urls
rather than any particular opposition to allowing anonymous access to
encrypted content.

Sorry for the noise.

Thus spake Mike Perry (mikepe...@fscked.org):

> Thus spake grarpamp (grarp...@gmail.com):
> 
> > > The bug is that its probably overloading their site, and/or pushing
> > > traffic onto very expensive specialized hosting.
> > >
> > >> Removing/Disabling the whole site (when it is working) goes against
> > >> all the principles that EFF stands for. Unless it doesn't work it
> > >> should not be removed.
> > >
> > > I think this position is silly. If HTTPS everywhere says no to
> > > reddit's request, the site will just make it not work.
> > 
> > How does HTTPSE stack up against the various illegal
> > access/use of computer/resource laws. After all, the sites may
> > not intend for that to be the general access method. Of course
> > HTTPSE is just an agnostic tool and the user would be
> > to blame. But it does strike rather silly that a site would
> > complain when they enable HTTPS over whatever portions
> > of their site they chose... and a user uses it as such. Oh wait,
> > that's the 'he said she said' illegal access thing again :)
> 
> Speaking as one of N authors of this addon**, my stance is:
> "Lolwut? Sounds liek g8 PR 4 U. I tink u shud soo every1 U can!"*
> 
> * Note1: I have no direct affiliation with the EFF. I'm sure the 
> official legal opinion on this matter is slightly more nuanced. I'm
> guessing it balances on the fact that the EFF is acting as a publisher
> of rules that others submit and does not exercise editorial control.
> I've personally argued that the addon should provide an arbitrary
> subscription model to avoid editorial liability entirely, but
> apparently this is not necessary?
> 
> ** Note2: I do not review rules, and I did not write this particular
> rule.
> 
> P.S. HTTPS-Everywhere seems to only ship with a subset of reddit rules
> enforced by default. Is this the "wrong" subset? Why is it "our"
> responsibility to determine the "right" subset? Can't u jis fix ur
> shit, reddit?
> 
> 
> -- 
> Mike Perry
> Mad Computer Scientist
> fscked.org evil labs





-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs




Re: [tor-talk] reddit.com wants EFF to disable HTTPS???

2011-08-07 Thread Mike Perry
Thus spake grarpamp (grarp...@gmail.com):

> > The bug is that its probably overloading their site, and/or pushing
> > traffic onto very expensive specialized hosting.
> >
> >> Removing/Disabling the whole site (when it is working) goes against
> >> all the principles that EFF stands for. Unless it doesn't work it
> >> should not be removed.
> >
> > I think this position is silly. If HTTPS everywhere says no to
> > reddit's request, the site will just make it not work.
> 
> How does HTTPSE stack up against the various illegal
> access/use of computer/resource laws. After all, the sites may
> not intend for that to be the general access method. Of course
> HTTPSE is just an agnostic tool and the user would be
> to blame. But it does strike rather silly that a site would
> complain when they enable HTTPS over whatever portions
> of their site they chose... and a user uses it as such. Oh wait,
> that's the 'he said she said' illegal access thing again :)

Speaking as one of N authors of this addon**, my stance is:
"Lolwut? Sounds liek g8 PR 4 U. I tink u shud soo every1 U can!"*

* Note1: I have no direct affiliation with the EFF. I'm sure the 
official legal opinion on this matter is slightly more nuanced. I'm
guessing it balances on the fact that the EFF is acting as a publisher
of rules that others submit and does not exercise editorial control.
I've personally argued that the addon should provide an arbitrary
subscription model to avoid editorial liability entirely, but
apparently this is not necessary?

** Note2: I do not review rules, and I did not write this particular
rule.

P.S. HTTPS-Everywhere seems to only ship with a subset of reddit rules
enforced by default. Is this the "wrong" subset? Why is it "our"
responsibility to determine the "right" subset? Can't u jis fix ur
shit, reddit?


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs




[tor-talk] reddit.com wants EFF to disable HTTPS???

2011-08-07 Thread Victor Garin
 Please copy replies to https-everywhere-ru...@eff.org,
https-everywh...@eff.org, tor-talk@lists.torproject.org 

Neil, can you please post to the Rules Mailing List next time, i.e.
https-everywhere-ru...@eff.org...I almost missed this because it was
not copied to the Rules Set's mailing list which I frequent...

pay.reddit.com works fine for me

www.reddit.com == pay.reddit.com same content in HTTPS.

Can you also point out where exactly (which URL) there is a bug when
the current ruleset is used?

I don't see it. Which URLs so we can exclude them specifically.

This is what the extension does. It redirected for example:
en.wikipedia.org to secure.wikimedia.org

The reasons for using HTTPS are many including to prevent snooping on
the TOR Network.


Am I misreading something, or Peter are you planning to disable Reddit
just because someone says so?

This is a slippery slope...Next thing you know all websites will want out...

Removing/Disabling the whole site (when it is working) goes against
all the principles that EFF stands for. Unless it doesn't work it
should not be removed.




On Sat Aug 6 15:18:45 PDT 2011, Peter Eckersley wrote:

Hi Neil,

Thanks for the bug report!  We'll push an update shortly to disable the Reddit
ruleset for the time being.  Let us know when Reddit has HTTPS for real.

(As an aside, a contributor submitted a more radical proposed ruleset for
Reddit.com to our git master repository.  We have not shipped it and
won't do so unless you ask us to:

https://gitweb.torproject.org/https-everywhere.git/blob/72056be0dcf2d74e23fac9feff798e1bb841b670:/src/chrome/content/rules/Reddit.xml
)

On Fri, Aug 05, 2011 at 12:31:22PM -0700, Neil Williams wrote:
> Hi there,
>
> We noticed that you added reddit to the HTTPS Everywhere extension
> using pay.reddit.com. This is causing a lot of issues for users
> because our certificates aren't set up for general purpose use (Akamai
> issues etc.). We don't support HTTPS at the moment for anywhere on the
> site except the self-serve advertising purchase pages. I love your
> extension and we will be upgrading reddit to fully support HTTPS, but
> that's not the case right now :( Is there anything you can do to stop
> them from using pay.reddit.com from your extension?
>
> Thanks,
> Neil
> ___
> HTTPS-everywhere mailing list
> HTTPS-everywhere at mail1.eff.org
> https://mail1.eff.org/mailman/listinfo/https-everywhere

-- 
Peter Eckersley                   pde at eff.org
Senior Staff Technologist         Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993
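
How a ruleset's targets, exclusions and rewrite rules act on the URLs discussed in this thread, and what disabling a ruleset changes, as an added JavaScript sketch. It is not HTTPS Everywhere's own code or its shipped Reddit ruleset; the object field names, the patterns and the `/static/` exclusion are constructed for illustration.

```javascript
// Constructed rulesets shaped like HTTPS Everywhere's XML elements
// (<ruleset>, <target>, <exclusion>, <rule>); every pattern is illustrative.
const rulesets = [
  {
    name: "Reddit (constructed)",
    defaultOff: null, // a reason string here ships the ruleset disabled
    targets: ["reddit.com", "*.reddit.com"],
    exclusions: [/^http:\/\/(www\.)?reddit\.com\/static\//], // hypothetical path
    rules: [{ from: /^http:\/\/(www\.)?reddit\.com\//, to: "https://pay.reddit.com/" }],
  },
  {
    name: "Wikipedia (constructed)",
    defaultOff: null,
    targets: ["*.wikipedia.org"],
    exclusions: [],
    rules: [{ from: /^http:\/\/(\w+)\.wikipedia\.org\/wiki\//,
              to: "https://secure.wikimedia.org/wikipedia/$1/wiki/" }],
  },
];

// "*.example.com" matches any subdomain; a bare name matches that host only.
function targetMatches(target, host) {
  if (target.startsWith("*.")) return host.endsWith(target.slice(1));
  return host === target;
}

// Return a copy of the rulesets with one of them switched off.
function disable(sets, name, reason) {
  return sets.map((rs) => (rs.name === name ? { ...rs, defaultOff: reason } : rs));
}

// Return the rewritten URL, or the input unchanged when no enabled ruleset applies.
function rewrite(url, sets) {
  const host = new URL(url).hostname;
  for (const rs of sets) {
    if (rs.defaultOff) continue;                                 // ruleset disabled
    if (!rs.targets.some((t) => targetMatches(t, host))) continue;
    if (rs.exclusions.some((ex) => ex.test(url))) continue;      // URL opted out
    for (const rule of rs.rules) {
      if (rule.from.test(url)) return url.replace(rule.from, rule.to);
    }
  }
  return url;
}
```

An exclusion opts individual URLs out while the rest of the site is still rewritten; `defaultOff` turns the whole ruleset off, which is the change Peter describes.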


Re: [tor-talk] reddit.com wants EFF to disable HTTPS???

2011-08-07 Thread Victor Garin
As of this time, it's working for me.

I can access Reddit via https://pay.reddit.com/ without any Cert errors.

I even signed up for an account right now there, and was able to use
Reddit perfectly fine using https://pay.reddit.com/ server.

I also used Tor, Exit Nodes located in different countries, and was
still NOT able to reproduce the error.

Have you been in touch with Akamai regarding this issue? What did they say?

They are considered 'premium' for a reason I hope.

On Sat, Aug 6, 2011 at 11:38 PM, Neil Williams  wrote:
> Two additional reports, this time specifically of cert errors:
>
> http://redd.it/jak59
> http://redd.it/jb27e
>
> On Sat, Aug 6, 2011 at 11:32 PM, Neil Williams  wrote:
>>> Neil, can you please post to the Rules Mailing List next time
>>
>> My apologies.
>>
>>>
>>> pay.reddit.com works fine for me
>>>
>>> www.reddit.com == pay.reddit.com same content in HTTPS.
>>>
>>> Can you also point out where exactly (which URL) there is a bug when
>>> the current ruleset is used?
>>>
>>
>> There have been a flood of reports of SSL certificate issues when
>> using pay.reddit.com in the last few days. In most of the cases I've
>> seen, it's because they're using HTTPS Everywhere and it's using
>> pay.reddit.com. You can see the reports here:
>>
>> http://www.reddit.com/search?q=pay.reddit.com
>>
>> My understanding is that it's related to our CDN, Akamai, and so it
>> may vary based on which edge server you get and whether or not you're
>> logged in.
>>
>>> The reasons for using HTTPS are many including to prevent snooping on
>>> the TOR Network.
>>
>> I completely agree that HTTPS is the way to go and we will make it
>> available to all as soon as our infrastructure is configured to do it
>> without causing issues for our users. At the moment, it only works on
>> a subset of pages that are disallowed from using edge-caching (the pay
>> pages which are used for credit card processing).
>>
>>> Removing/Disabling the whole site (when it is working) goes against
>>> all the principles that EFF stands for. Unless it doesn't work it
>>> should not be removed.
>>
>> I'm asking for the rules to be disabled because it's causing issues
>> for our users as is amply supported by the many complaints on our
>> site, not because we disagree with the use of HTTPS.
>>
>