Re: [tor-talk] Rumors of Tor's compromise

2011-10-27 Thread Eugen Leitl
On Wed, Oct 26, 2011 at 07:28:24PM +, Orionjur Tor-admin wrote:

> It is very interesting for me, if I run hidden service on my remote
> server not for hiding it from external world but for increasing my
> anonymity in matter of managing that server (I usually connect to them
> using hidden service running on ssh-port), is it possible to deanonymize
> me if my server (any soft on it) will be compromised?! Not of
> localization of my server but localization of me, its admin?

I recommend running a somewhat hardened operating system (Linux, *BSD,
especially, virtualized (jails, virtual guests) to compartmentalize
services and contain potential compromises) and use low-resource 
high-performance web servers (e.g. nginx) and also
offer hardened web services (e.g. anything PHP is terribly difficult
to make water-tight, and many PHP developers are completely 
threat-ignorant, so caveat emptor).

There should be a FAQ/HOWTO for something like that.

-- 
Eugen* Leitl leitl http://leitl.org
__
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
___
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] youtube & rapidshare with TOR

2011-10-27 Thread Julian Yon
On 27/10/11 05:45, Mine Yahah wrote:
> thank you but in tor you can't see the flash videos from youtube and you 
> can't download them too. So:

You should be able to download from Youtube over Tor using youtube-dl
and polipo. Bear in mind that it might be very slow, and using large
amounts of relay bandwidth if you don't have to could be considered
antisocial.

http://rg3.github.com/youtube-dl/



Julian

-- 
3072D/D2DE707D Julian Yon (2011 General Use) 





Re: [tor-talk] tor http proxy

2011-10-27 Thread Gaofeng HE

Thanks a lot! I will test it.

On 2011-10-27 12:59, Roger Dingledine wrote:

> On Thu, Oct 27, 2011 at 08:52:02AM +0800, Gaofeng HE wrote:
>> I have used the kingate tool to setup a proxy server, including a Socks and
>> Http proxy. When I configured tor to use the socks proxy, everything is OK. But
>> when the http proxy is used, it is neglected by the tor.
>
> Your http proxy needs to accept CONNECT requests. That means it should
> be what many people would call an 'https proxy'.
>
> Also, when you configure Tor to use it, you need to use the httpsproxy
> directive in your torrc, not the httpproxy directive.
>
> If you're configuring via Vidalia, that means you need to set your proxy
> as "HTTP / HTTPS", not "HTTP".
>
> (Using only a plain http proxy means you only proxy your unencrypted
> directory fetches, which isn't very useful, especially now that Tor
> tunnels its directory fetches over the TLS (https) connection by default.)
>
> Hope that helps,
> --Roger
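
One way to check the requirement described in the message above (the proxy must accept CONNECT) before configuring Tor to use it. This is an added example, not part of the original thread and not Tor's code; the function names, the local stub proxies and the `relay.example:9001` target are assumptions made for the illustration.

```python
import socket
import threading

def proxy_accepts_connect(proxy_host, proxy_port, target, timeout=5.0):
    """Send CONNECT for target ("host:port"); return (ok, status_line), ok on 2xx."""
    request = f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii")
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(request)
        buf = b""
        while b"\r\n" not in buf and len(buf) < 4096:
            chunk = s.recv(1024)
            if not chunk:
                break
            buf += chunk
    status_line = buf.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(" ", 2)
    ok = (len(parts) >= 2 and parts[0].startswith("HTTP/")
          and len(parts[1]) == 3 and parts[1].isdigit() and parts[1][0] == "2")
    return ok, status_line

def start_stub_proxy(allow_connect):
    """Constructed stand-in for a proxy (one connection, 127.0.0.1); returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            data = b""
            while b"\r\n\r\n" not in data:
                chunk = conn.recv(1024)
                if not chunk:
                    break
                data += chunk
            if data.startswith(b"CONNECT ") and allow_connect:
                conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
            else:  # behaves like a proxy that only handles plain HTTP methods
                conn.sendall(b"HTTP/1.1 405 Method Not Allowed\r\n\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    # relay.example:9001 is a placeholder target; the stubs never dial it.
    for allow in (True, False):
        port = start_stub_proxy(allow)
        print(allow, proxy_accepts_connect("127.0.0.1", port, "relay.example:9001"))
```

Against a real proxy, pass a reachable `host:port` as the target, since a working proxy will try to dial it before answering.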



Re: [tor-talk] tor http proxy

2011-10-27 Thread andrew
On Thu, Oct 27, 2011 at 12:59:58AM -0400, a...@mit.edu wrote 1.0K bytes in 24 
lines about:
: (Using only a plain http proxy means you only proxy your unencrypted
: directory fetches, which isn't very useful, especially now that Tor
: tunnels its directory fetches over the TLS (https) connection by default.)

The HTTP option is still in vidalia. Nothing explains why it is there.
Perhaps we should remove it? Is there any valid reason to leave HTTP
only proxy options in Vidalia?

If not, I'll open a ticket to remove HTTP only option from Vidalia.

-- 
Andrew
pgp key: 0x74ED336B


Re: [tor-talk] tor http proxy

2011-10-27 Thread David H. Lipman
From: 

> On Thu, Oct 27, 2011 at 12:59:58AM -0400, a...@mit.edu wrote 1.0K bytes in 24 
> lines about:
> : (Using only a plain http proxy means you only proxy your unencrypted
> : directory fetches, which isn't very useful, especially now that Tor
> : tunnels its directory fetches over the TLS (https) connection by default.)
>
> The HTTP option is still in vidalia. Nothing explains why it is there.
> Perhaps we should remove it? Is there any valid reason to leave HTTP
> only proxy options in Vidalia?
>
> If not, I'll open a ticket to remove HTTP only option from Vidalia.
>

Remove it.  ;-)



-- 
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp 





Re: [tor-talk] Anybody else having problems with Hushmail via Tor?

2011-10-27 Thread Joe Btfsplk

On 10/21/2011 11:52 PM, Jim wrote:

> Hi All,
>
> Perhaps a few days ago when I was trying to access Hushmail via Tor I
> was told my "computer" was blocked, possibly because of abuse.  A
> quick modification of torrc to exclude a few particular exit nodes let
> me access Hushmail.  Afterwards, I reverted torrc, removing the
> exclusions, and I have subsequently used Hushmail several times w/o
> problems. Tonight I am having problems again and this time I am seeing
> the problems on a number of different exit nodes.  I am wondering if
> essentially the whole Tor network has become poisoned as far as
> Hushmail is concerned.
>
> Is anybody else seeing any problems?


Don't know for sure, but it's possible for a given time period / day, if 
Hushmail gets X people trying to access accts from same (Tor) addresses, 
they perceive it as possible hacking attempt or other malicious 
activity.  They may not know it's a Tor address / node, just that 
they're getting multiple requests to access diff accts from same IP 
address.  Just a guess.


How many, if any, users access Hushmail via Tor on a given day from same 
IP address could vary day to  day.  Some email servers also don't like 
it if you use an exit node in foreign countries, diff from one used to 
set up the acct.



Re: [tor-talk] tor http proxy

2011-10-27 Thread Roger Dingledine
On Thu, Oct 27, 2011 at 07:30:42AM -0400, and...@torproject.org wrote:
> On Thu, Oct 27, 2011 at 12:59:58AM -0400, a...@mit.edu wrote 1.0K bytes in 24 
> lines about:
> : (Using only a plain http proxy means you only proxy your unencrypted
> : directory fetches, which isn't very useful, especially now that Tor
> : tunnels its directory fetches over the TLS (https) connection by default.)
> 
> The HTTP option is still in vidalia. Nothing explains why it is there.
> Perhaps we should remove it? Is there any valid reason to leave HTTP
> only proxy options in Vidalia?
> 
> If not, I'll open a ticket to remove HTTP only option from Vidalia.

Good idea.

https://trac.torproject.org/projects/tor/ticket/4326

--Roger



Re: [tor-talk] youtube & rapidshare with TOR

2011-10-27 Thread Zaher F .

hello...
how to download this software???



i tried to download it from the site but nothing is downloading

Date: Thu, 27 Oct 2011 09:15:40 +0100
From: jul...@yon.org.uk
To: tor-talk@lists.torproject.org
Subject: Re: [tor-talk] youtube & rapidshare  with TOR

On 27/10/11 05:45, Mine Yahah wrote:
> thank you but in tor you can't see the flash videos from youtube and you 
> can't download them too. So:
 
You should be able to download from Youtube over Tor using youtube-dl
and polipo. Bear in mind that it might be very slow, and using large
amounts of relay bandwidth if you don't have to could be considered
antisocial.
 
http://rg3.github.com/youtube-dl/
 
 
 
Julian
 
-- 
3072D/D2DE707D Julian Yon (2011 General Use) 
 



[tor-talk] Tor 0.2.3.6-alpha is out (security patches)

2011-10-27 Thread Roger Dingledine
Tor 0.2.3.6-alpha includes the fix from 0.2.2.34 for a critical
anonymity vulnerability where an attacker can deanonymize Tor
users:
https://lists.torproject.org/pipermail/tor-announce/2011-October/82.html

Everybody should upgrade.

This release also features support for a new v3 connection handshake
protocol, and fixes to make hidden service connections more robust.

https://www.torproject.org/download/download

Changes in version 0.2.3.6-alpha - 2011-10-26
  o Major features:
    - Implement a new handshake protocol (v3) for authenticating Tors to
      each other over TLS. It should be more resistant to fingerprinting
      than previous protocols, and should require less TLS hacking for
      future Tor implementations. Implements proposal 185.
    - Allow variable-length padding cells to disguise the length of
      Tor's TLS records. Implements part of proposal 184.

  o Privacy/anonymity fixes (clients):
    - Clients and bridges no longer send TLS certificate chains on
      outgoing OR connections. Previously, each client or bridge would
      use the same cert chain for all outgoing OR connections until
      its IP address changes, which allowed any relay that the client
      or bridge contacted to determine which entry guards it is using.
      Fixes CVE-2011-2768. Bugfix on 0.0.9pre5; found by "frosty_un".
    - If a relay receives a CREATE_FAST cell on a TLS connection, it
      no longer considers that connection as suitable for satisfying a
      circuit EXTEND request. Now relays can protect clients from the
      CVE-2011-2768 issue even if the clients haven't upgraded yet.
    - Directory authorities no longer assign the Guard flag to relays
      that haven't upgraded to the above "refuse EXTEND requests
      to client connections" fix. Now directory authorities can
      protect clients from the CVE-2011-2768 issue even if neither
      the clients nor the relays have upgraded yet. There's a new
      "GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays" config option
      to let us transition smoothly, else tomorrow there would be no
      guard relays.

  o Major bugfixes (hidden services):
    - Improve hidden service robustness: when an attempt to connect to
      a hidden service ends, be willing to refetch its hidden service
      descriptors from each of the HSDir relays responsible for them
      immediately. Previously, we would not consider refetching the
      service's descriptors from each HSDir for 15 minutes after the last
      fetch, which was inconvenient if the hidden service was not running
      during the first attempt. Bugfix on 0.2.0.18-alpha; fixes bug 3335.
    - When one of a hidden service's introduction points appears to be
      unreachable, stop trying it. Previously, we would keep trying
      to build circuits to the introduction point until we lost the
      descriptor, usually because the user gave up and restarted Tor.
      Partly fixes bug 3825.
    - Don't launch a useless circuit after failing to use one of a
      hidden service's introduction points. Previously, we would
      launch a new introduction circuit, but not set the hidden service
      which that circuit was intended to connect to, so it would never
      actually be used. A different piece of code would then create a
      new introduction circuit correctly. Bug reported by katmagic and
      found by Sebastian Hahn. Bugfix on 0.2.1.13-alpha; fixes bug 4212.

  o Major bugfixes (other):
    - Bridges now refuse CREATE or CREATE_FAST cells on OR connections
      that they initiated. Relays could distinguish incoming bridge
      connections from client connections, creating another avenue for
      enumerating bridges. Fixes CVE-2011-2769. Bugfix on 0.2.0.3-alpha.
      Found by "frosty_un".
    - Don't update the AccountingSoftLimitHitAt state file entry whenever
      tor gets started. This prevents a wrong average bandwidth
      estimate, which would cause relays to always start a new accounting
      interval at the earliest possible moment. Fixes bug 2003; bugfix
      on 0.2.2.7-alpha. Reported by BryonEldridge, who also helped
      immensely in tracking this bug down.
    - Fix a crash bug when changing node restrictions while a DNS lookup
      is in-progress. Fixes bug 4259; bugfix on 0.2.2.25-alpha. Bugfix
      by "Tey'".

  o Minor bugfixes (on 0.2.2.x and earlier):
    - When a hidden service turns an extra service-side introduction
      circuit into a general-purpose circuit, free the rend_data and
      intro_key fields first, so we won't leak memory if the circuit
      is cannibalized for use as another service-side introduction
      circuit. Bugfix on 0.2.1.7-alpha; fixes bug 4251.
    - Rephrase the log message emitted if the TestSocks check is
      successful. Patch from Fabian Keil; fixes bug 4094.
    - Bridges now skip DNS self-tests, to act a little more stealthily.
      Fixes bug 4201; bugfix on 0.2.0.3-alpha, which first introduced
      bridges.

Re: [tor-talk] Tor 0.2.3.6-alpha is out (security patches)

2011-10-27 Thread Geoff Down


On Thursday, October 27, 2011 8:43 PM, "Roger Dingledine" 
wrote:
> Tor 0.2.3.6-alpha includes the fix from 0.2.2.34 for a critical
> anonymity vulnerability where an attacker can deanonymize Tor
> users:
> https://lists.torproject.org/pipermail/tor-announce/2011-October/82.html
> 
> Everybody should upgrade.

Do you have an OSX10.3 PPC build machine yet?
GD



Re: [tor-talk] youtube & rapidshare with TOR

2011-10-27 Thread Runa A. Sandvik
On Thu, Oct 27, 2011 at 9:16 PM, Zaher F.  wrote:
> hello...
> how to download this software???
>
>
>
> i tried to download it from the site but nothing is downloading

Are you trying to download Tor?

-- 
Runa A. Sandvik


Re: [tor-talk] youtube & rapidshare with TOR

2011-10-27 Thread Runa A. Sandvik
On Thu, Oct 27, 2011 at 5:45 AM, Mine Yahah  wrote:
>
> Dear Runa,

Hi,

> thank you but in tor you can't see the flash videos from youtube and you
> can't download them too. So:
> 1-) Is there any solution for this big problems?

We are aware that some users can not view HTML5 videos on YouTube with
the latest Tor Browser Bundle. See
https://trac.torproject.org/projects/tor/ticket/4328 for details.

-- 
Runa A. Sandvik


[tor-talk] Fw: youtube & rapidshare with TOR

2011-10-27 Thread Mine Yahah
Dear TOR Specialists, please:
 
2-) how about Rapidshare and megaupload ?
what do you think if I say that with combination of a vpn and tor you can 
download the videos as before
best regards,
m.y

- Forwarded Message -
From: Mine Yahah 
To: "tor-talk@lists.torproject.org" 
Sent: Thursday, October 27, 2011 8:15 AM
Subject: youtube & rapidshare  with TOR




Dear Runa,
thank you but in tor you can't see the flash videos from youtube and you can't 
download them too. So:
1-) Is there any solution for this big problems?
2-) how about Rapidshare and megaupload ?

what do you think if I say that with combination of a vpn and tor you can 
download the videos as before

best regards,
m.y

_
Message: 1
Date: Fri, 7 Oct 2011 21:01:35 +0100
From: "Runa A. Sandvik" 
Subject: Re: [tor-talk] down loding from youtube with tor on
To: tor-talk@lists.torproject.org
Message-ID:

Content-Type: text/plain; charset=ISO-8859-1

On Fri, Oct 7, 2011 at 8:26 PM, Mine Yahah  wrote:
> Dears

Hi,

> my atube catcher doesn't work normally with tor (it worked with other VPNs
> like fastvpn or ...)? also the rapidshare download bottom doesn't work with
> tor .
> do you know what's the problem, please?

For security reasons, Flash, Java, and other plugins are currently
disabled for Tor.  These can be used to track users and compromise
their anonymity in other ways.

Some Youtube videos work with HTML5, and it is possible to
see them using Tor by opting in at YouTube: http://www.youtube.com/html5

More information can be found by
visiting https://www.torproject.org/torbutton/torbutton-faq.html.en#noflash

-- 
Runa A. Sandvik