Re: [tor-talk] Implement JSONP interface for check.torproject.org

2011-11-06 Thread Jim

Arturo Filastò wrote:
> I have made a patch to check.torproject.org to expose a JSONP interface
> that would allow people to have the user check client side if (s)he is
> using Tor.


Is encouraging Java Script a good idea?


I must be getting crotchety in my old age!


Jim
___
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] Implement JSONP interface for check.torproject.org

2011-11-06 Thread Fabio Pietrosanti (naif)
On 11/6/11 6:06 AM, Jim wrote:
> Arturo Filastò wrote:
>> I have made a patch to check.torproject.org to expose a JSONP interface
>> that would allow people to have the user check client side if (s)he is
>> using Tor.
> 
> Is encouraging Java Script a good idea?

a) Javascript is a de-facto Web Technology that you cannot live without
b) Tor Browser Bundle has Javascript enabled by default
c) Almost no website today can work with Javascript disabled
d) You cannot design any Web User Interface for use with Tor Hidden
Service without using Javascript (if you don't use javascript and
asynchronous IO the user-interface freezes very often giving the "White
Page effect")

So I would really encourage the use of smart Javascript in order to make
user interfaces more responsive and more usable with Tor and in
particular Tor HS.

That means also stopping mystification of "Javascript" like an
"insecurity feature", the world has changed, has become "web" and
javascript is part of the technological framework that we need to live with.

I absolutely like the idea of the JSONP interface, simple and effective.

-naif


Re: [tor-talk] [tor-dev] Implement JSONP interface for check.torproject.org

2011-11-06 Thread Runa A. Sandvik
On Sun, Nov 6, 2011 at 1:26 AM, Arturo Filastò  wrote:
> This would allow people to embed a badge on their website
> (privacybadge.html) that congratulates the user of using Tor or warns
> him of non Tor usage with a link to torproject.org.

I think the badge looks good, but I think you should consider having
"You are not using Tor" or "Your traffic is not sent through Tor" on
the badge as well. Unless you plan to have this interface check for
more than just Tor traffic.

> I can imagine privacy advocates having this deployed on their websites
> or systems that encourage users to connect to them anonymously.

Yep, but are we talking Tor traffic only or will you add a check for
various other "anonymity" services? Having a link to the Tor Project
website would be good too.

> Also, the check.torproject repo should be moved to svn.

Do you mean Git? The repository is already in SVN:
https://svn.torproject.org/svn/check/trunk/.

-- 
Runa A. Sandvik


Re: [tor-talk] Implement JSONP interface for check.torproject.org

2011-11-06 Thread Michael Zeltner
Excerpts from Jim's message of 2011-11-06 06:06:39 +0100:
> Arturo Filastò wrote:
> > I have made a patch to check.torproject.org to expose a JSONP interface
> > that would allow people to have the user check client side if (s)he is
> > using Tor.
> 
> Is encouraging Java Script a good idea?

While I do like the idea, I agree with Jim here. How about this: 

Instead of serving JavaScript/JSONP, serving an image directly would make it
more compatible with some users' browser settings. A plain link to check.tp.o
or something similar (geared more towards explaining what this is about
perhaps, instead of a simple check) could deal with the rest.

I just woke up but I'll submit a patch in a bit.

Michael
-- 
http://niij.org/




Re: [tor-talk] Implement JSONP interface for check.torproject.org

2011-11-06 Thread tor
On 06/11/11 10:20, Fabio Pietrosanti (naif) wrote:

> c) Almost no website today can work with Javascript disabled

As a long time NoScript user, I completely disagree with this. Almost
every website today works completely fine without JavaScript. In fact,
most websites work *better* without JavaScript, as they pull in far
fewer unnecessary resources from third party domains.

> That means also stopping mystification of "Javascript" like an
> "insecurity feature", the world has changed, has become "web" and
> javascript is part of the technological framework that we need to live with.

JavaScript is useful, but browsing without it, and only turning it on
for a limited set of sites when absolutely necessary, is much much
safer, from both a security and privacy point of view. Hopefully
JavaScript will become safer to use over time with the addition and take
up of new tech like Content-Security-Policy. It certainly isn't safe at
the moment though.

> I absolutely like the idea of the JSONP interface, simple and effective.

As a web developer, I like the implementation. I won't use it on my site
though because I care about my visitors' privacy and don't want to send
the IP addresses of *all* of my site users to some "untrusted" third
party. I also don't want to hand over the security of my website to said
third party, by allowing them to inject arbitrary javascript into my
pages and handing over complete control of the DOM. This isn't paranoid,
ad networks have been hacked in the past leading to the compromise of
lots of other websites because of this very problem.

Clearly a lot of people don't even consider these problems though. The
number of people using Google Analytics is proof enough of that.

Also, my website is 100% https, however there isn't a https version of
http://server.globaleaks.org/torcheck.php. Including non-ssl protected
javascript in my site would make it easy to MITM. An attacker could just
modify the javascript to read the contents of the DOM and then send it
wherever.

I would go so far as to say that the javascript returned by torcheck.php
should actually check to see if it was loaded from a https website, but
over http, and alert a warning if that happened. This would prevent
silly mistakes.

Also, there is a "vulnerability" in
http://server.globaleaks.org/torcheck.php. The callback parameter should
be extremely limited in what characters it accepts. For example,
letters, underscores and numbers only. You shouldn't be able to do stuff
like:

http://server.globaleaks.org/torcheck.php?callback=arbitrary.javascript;

Ouch, it's being returned with a content-type of text/html as well, so
you can generate arbitrary html pages on server.globaleaks.org,
containing javascript to steal cookies and such. XSS-tastic.

http://server.globaleaks.org/torcheck.php?callback=%3Cimg%20src=%22https://grepular.com/images/me.jpg%22%3E%3C!--

The content-type should be application/json or at the very least text/plain.

I'm available for website pen-testing by the way ;)

-- 
Mike Cardwell https://grepular.com/  https://twitter.com/mickeyc
Professional  http://cardwellit.com/ http://linkedin.com/in/mikecardwell
PGP.mit.edu   0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F





Re: [tor-talk] Implement JSONP interface for check.torproject.org

2011-11-06 Thread tor
On 06/11/11 12:46, t...@lists.grepular.com wrote:

> The content-type should be application/json or at the very least text/plain.

I was clearly talking rubbish here; the content type should be a
javascript one. Still, I was completely correct about the danger of
using text/html and allowing arbitrary content for the callback parameter.

-- 
Mike Cardwell https://grepular.com/  https://twitter.com/mickeyc
Professional  http://cardwellit.com/ http://linkedin.com/in/mikecardwell
PGP.mit.edu   0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F





Re: [tor-talk] Implement JSONP interface for check.torproject.org

2011-11-06 Thread tor
On 06/11/11 01:26, Arturo Filastò wrote:

> I have made a patch to check.torproject.org to expose a JSONP interface
> that would allow people to have the user check client side if (s)he is
> using Tor.

It would be safer to expose a JSON web service than a JSONP web service,
and use a wild "Access-Control-Allow-Origin" HTTP response header to
allow cross-site XMLHttpRequest. That way, people could pull the data
without suffering the risks of embedding third party JavaScript.
There's nothing stopping it from being provided as a secondary option.

-- 
Mike Cardwell https://grepular.com/  https://twitter.com/mickeyc
Professional  http://cardwellit.com/ http://linkedin.com/in/mikecardwell
PGP.mit.edu   0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
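
The callback restriction and JavaScript content type from the earlier message, next to the JSON plus "Access-Control-Allow-Origin" alternative suggested above, as an added example. It is not part of the thread and not the torcheck.php source; the function names, the {"tor": ...} payload shape and the 64-character limit are assumptions made for illustration.

```javascript
// Added example: response builders for a Tor-check endpoint.
// buildJsonpResponse / buildCorsJsonResponse are hypothetical names,
// not functions from check.torproject.org or torcheck.php.

// Letters, digits and underscores only, as proposed in the thread.
// Extra assumptions: no leading digit, and at most 64 characters.
const CALLBACK_RE = /^[A-Za-z_][A-Za-z0-9_]{0,63}$/;

// JSONP variant: the caller-supplied callback name ends up inside a script,
// so it is validated against an allow-list pattern before it is used.
function buildJsonpResponse(callbackParam, isTor) {
  // A repeated query parameter is often parsed into an array, so the
  // type is checked as well as the pattern.
  if (typeof callbackParam !== 'string' || !CALLBACK_RE.test(callbackParam)) {
    return {
      status: 400,
      headers: {
        // Never text/html, and the rejected value is not echoed back.
        'Content-Type': 'text/plain; charset=utf-8',
        'X-Content-Type-Options': 'nosniff',
      },
      body: 'invalid callback name\n',
    };
  }
  // JSON.stringify produces the payload; nothing user-controlled is in it.
  const payload = JSON.stringify({ tor: Boolean(isTor) });
  return {
    status: 200,
    headers: {
      // A JavaScript content type, so the body is never rendered as a page.
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    body: `${callbackParam}(${payload});`,
  };
}

// JSON + CORS variant: no callback parameter exists, and the embedding site
// reads data with XMLHttpRequest instead of executing third-party script.
function buildCorsJsonResponse(isTor) {
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/json; charset=utf-8',
      'Access-Control-Allow-Origin': '*',
      'X-Content-Type-Options': 'nosniff',
    },
    body: JSON.stringify({ tor: Boolean(isTor) }),
  };
}

// Callback values to try: one constructed valid name, plus the two values
// quoted in the thread (URL-decoded).
const SAMPLE_CALLBACKS = [
  'privacyBadge_cb',
  'arbitrary.javascript;',
  '<img src="https://grepular.com/images/me.jpg"><!--',
];

for (const cb of SAMPLE_CALLBACKS) {
  const res = buildJsonpResponse(cb, true);
  console.log(res.status, res.headers['Content-Type'], JSON.stringify(res.body));
}
console.log(buildCorsJsonResponse(false));
```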





[tor-talk] BlackBeltPrivacy-Tor+WASTE darkNet()

2011-11-06 Thread M Robinson
http://sourceforge.net/projects/blackbeltpriv/

Is anyone using this, it sounds interesting.

-- 
GnuPG is Free Software (meaning that it respects your freedom).

Extensible, customizable text editor---GNU Emacs; Where's yours?





Re: [tor-talk] Implement JSONP interface for check.torproject.org

2011-11-06 Thread Fabio Pietrosanti (naif)
On 11/6/11 1:46 PM, t...@lists.grepular.com wrote:
> Clearly a lot of people don't even consider these problems though. The
> number of people using Google Analytics is proof enough of that.

We should also consider that a lot of activism organizations promoting
freedom of expression are not technical and are mostly oriented on the
advocacy, marketing and communication skills maintaining multimedia
production tool and rich website.

A lot of such initiatives run their "it infrastructure" as PHP web
hosting system + cloud tools (youtube for videos, twitters, etc), so
they cannot run on their servers a "Tor client".

Let's support that AccessNow https://www.accessnow.org/ would like to
implement the privacybadge web widget, they have several options:

a) Check IP with locally installed cached-descriptors of a Tor running
instance. While that's possible it requires you to be able to run Tor on
your hosting server, using a local webapplication to make the check.

b) Check IP with remotely installed cached-descriptors, thus "checking
in-the-cloud" for Anonymous/NotAnonymous feedback:

b-1) You have a local webapplication that makes a DNS query to a TorDNS BL

b-2) You can call a remote webservices as a web "widget" embedded into
your website like google Analytics, Twitter Widgets, Youtube Widgets

I expect that, because such kind of privacybadge would be useful to
create awareness by the web visitors of tor supporter website, it would
be a very cool way to diffuse and promote Tor and awareness on anonymity.

In such case having something that can be used like a "web widget" "in
the cloud" (so just including some code into your webpage) provides very
usable features.

So a standard "web widget" would be very effective for awareness
campaign diffused on tons of websites.

Additionally if you think web, webmaster could be able (knowing from the
DOM of a webpage if the user is anonymous or not) to even further
customize their web user experience.
They may provide specific Tips and Advice on using Tor, providing direct
download links, putting up a RED or GREEN Web elements (backgrounds,
div, etc) to inform even better the user about his status and conditions
(Not being anonymous or being anonymous).

In theory something like that could also be done by not using JSONP but
by just downloading an Image that represent Tor-OK, Tor-NOT-OK, so that
the webmaster can download it via "

> I'm available for website pen-testing by the way ;)

Man, that's no more than a concept prototype, but for sure a production
code would require some careful coding, even if very simple :-)

-naif


Re: [tor-talk] Implement JSONP interface for check.torproject.org

2011-11-06 Thread Moritz Bartl
I agree with Fabio on this one. A website explaining the badge should
also mention the controversy and offer simple guides for local badge
generation. You could also promote other sources for the badge, ie. the
CCC and Torservers could host one.

As for badge design, a script should support multiple designs (could be
as easy as to drop images into a directory, and use a GET/POST parameter
to select the images). Personally, I would like to see something as
simple as the Torbutton "broken onion" (no text), one at 88x33 and one
at 80x15.

Another paragraph should mention that it only compares your IP to a list
of exit IPs, so it can lead to false positives if you happen to use the
same IP for other purposes. The website should also clearly discourage that.

-- 
Moritz Bartl
https://www.torservers.net/


Re: [tor-talk] Don't use Google as default search in Tor Browser?

2011-11-06 Thread Joe Btfsplk

On 11/5/2011 12:47 PM, Christian Siefkes wrote:
> "Avoid Google" is not among that warnings, as far as I can see.

You are correct - not from Tor Project anyway.  They also don't say 
avoid robbing banks; don't stare at the sun, etc.  About all I can 
advise is, read Google's (lack of) privacy policy.  If you like it, use 
them.  If you'd rather not have your search terms recorded & also used 
for targeted advertising, then use another search engine that doesn't 
use those practices.  Your choice.  Aurora in its default state doesn't 
prevent pop up advertising, in my experience.

> As far I know, they offer to redirect your search to a different site
> if they detect that Google shows you a captcha.

Correct.  If you like Google's privacy policy & general business 
practices, use them.

> ...but I don't see a reason why they should make it difficult for
> people to google if they want to do so. Best regards Christian

You can use Google search if you want.  The captchas are presented by 
Google.  See this Tor FAQ 
  Tor provides a way 
around not having to enter the captcha (sometimes several times, if 
difficult to read), by offering a redirect.  In latest TBB 2.2.34, I 
don't know where alternate search engines for Google captchas are 
located in the bundle files.  I haven't yet been presented a Google 
captcha while using 2.2.34 - so don't know which default alternate 
search engine will be presented.  If you want to use Google when a 
captcha appears, don't click "redirect" & just enter the captcha.


FYI for others interested in changing the default alternate search 
engine on a google captcha redirect, in about:config, type 'redir' in 
search box.
The string:  extensions.torbutton.google_redir_url   will have a value 
like 5 (which is default for DuckDuckGo in mine).  Below this string are 
the other search engines w/ the numeric "url" values shown for each.  
You can change the value from 5 (or what ever it shows) to a numeric 
value corresponding to other search engines.


Mine shows the value '1' for Ixquick, etc.:  
extensions.torbutton.redir_url.1   
https://www.ixquick.com/do/metasearch.pl?query=




Re: [tor-talk] Implement JSONP interface for check.torproject.org

2011-11-06 Thread Jacob Appelbaum
On 11/06/2011 09:13 AM, Moritz Bartl wrote:
> I agree with Fabio on this one. A website explaining the badge should
> also mention the controversy and offer simple guides for local badge
> generation. You could also promote other sources for the badge, ie. the
> CCC and Torservers could host one.
> 

I guess? I think it's good to discuss the issues in the open but I think
it's overwhelming to average users. Offer it as a simple service,
explain the risk, make it easy to use, etc.

> As for badge design, a script should support multiple designs (could be
> as easy as to drop images into a directory, and use a GET/POST parameter
> to select the images). Personally, I would like to see something as
> simple as the Torbutton "broken onion" (no text), one at 88x33 and one
> at 80x15.
> 

I like the idea of everything being in a single script - to prevent hot
linking that falsely suggests someone is using Tor...

> Another paragraph should mention that it only compares your IP to a list
> of exit IPs, so it can lead to false positives if you happen to use the
> same IP for other purposes. The website should also clearly discourage that.
> 

Seems reasonable. Already too complicated.

All the best,
Jacob


Re: [tor-talk] BlackBeltPrivacy-Tor+WASTE darkNet()

2011-11-06 Thread Jacob Appelbaum
On 11/06/2011 07:26 AM, M Robinson wrote:
> http://sourceforge.net/projects/blackbeltpriv/
> 
> Is anyone using this, it sounds interesting.
> 

I feel inspired to make a short Dr. Bronner's soap bottle parody about
anonymity after reading that website:

NOW UPDATED. ALL ONE ANONYMITY DARKNET WITH ROUND THE CLOCK
COMPUTABILITY WITH ALL BROWSERS THANKS TO KNOWN DEPRECATED HTTP PROXY.
TRUE {FRACTCAL,RABID}CURVE, HOTBAKE, DARKBIOS, DARKRENDEZVOUS. NOW
UPDATED. POWERED BY ONE TRUE ANONYMITY NETWORK Tor STRENGTHENED THROUGH
YOUR SOLIDARITY FOR BOOTSTRAPPING WASTE CONTROLS MEANS OF PRODUCTION.

Ahem. I cannot take this seriously at all when they don't even sign
their releases with PGP. Oh and the software itself is pretty
hilariously scary - I'd love to read some design documents on those
"improvements" they made.

I think it's a neat idea to Torify a WASTE implementation but that
sounds mostly like auditing work - Is there even a WASTE client that is
still maintained?

Yours in hilarity,
Jacob


Re: [tor-talk] Don't use Google as default search in Tor Browser?

2011-11-06 Thread Julian Yon
On 06/11/11 19:38, Joe Btfsplk wrote:
> About all I can advise is, read Google's (lack of) privacy policy.
> If you like it, use them.  If you'd rather not have your search terms
> recorded & also used for targeted advertising, then use another
> search engine that doesn't use those practices.

Google's tracking is of limited concern if you don't log in, and don't
keep a long running browser session open. It takes less time to
establish a Tor circuit over broadband than it used to take to connect
by modem. Shut down TBB when not in use and you should be fine. I'm not
saying there's no risk at all, but there's no reason why somebody who
understands the risks shouldn't be able to use Google carefully.

Personally I use DDG, partly because of privacy concerns and partly
because I don't like the new-look Google. You can always do a Google
search through DDG or Scroogle if you're feeling paranoid.

On topic, I'd prefer DDG or Ixquick as the default search in TBB but we
can't all have our preferences included.


Julian

-- 
3072D/D2DE707D Julian Yon (2011 General Use) 





Re: [tor-talk] Implement JSONP interface for check.torproject.org

2011-11-06 Thread Julian Yon
On 06/11/11 19:59, Jacob Appelbaum wrote:
> I like the idea of everything being in a single script - to prevent hot
> linking that falsely suggests someone is using Tor...

Preventing hot linking doesn't prevent deception. Mallory can just host
the image elsewhere.

-- 
3072D/D2DE707D Julian Yon (2011 General Use) 





Re: [tor-talk] BlackBeltPrivacy-Tor+WASTE darkNet()

2011-11-06 Thread M Robinson
On 11/6/2011 2:26 PM, Jacob Appelbaum wrote:
> On 11/06/2011 07:26 AM, M Robinson wrote:
>> http://sourceforge.net/projects/blackbeltpriv/
>>
>> Is anyone using this, it sounds interesting.
>>
> 
> I feel inspired to make a short Dr. Bronner's soap bottle parody about
> anonymity after reading that website:
> 
> NOW UPDATED. ALL ONE ANONYMITY DARKNET WITH ROUND THE CLOCK
> COMPUTABILITY WITH ALL BROWSERS THANKS TO KNOWN DEPRECATED HTTP PROXY.
> TRUE {FRACTCAL,RABID}CURVE, HOTBAKE, DARKBIOS, DARKRENDEZVOUS. NOW
> UPDATED. POWERED BY ONE TRUE ANONYMITY NETWORK Tor STRENGTHENED THROUGH
> YOUR SOLIDARITY FOR BOOTSTRAPPING WASTE CONTROLS MEANS OF PRODUCTION.
> 
> Ahem. I cannot take this seriously at all when they don't even sign
> their releases with PGP. Oh and the software itself is pretty
> hilariously scary - I'd love to read some design documents on those
> "improvements" they made.
> 
> I think it's a neat idea to Torify a WASTE implementation but that
> sounds mostly like auditing work - Is there even a WASTE client that is
> still maintained?
> 
> Yours in hilarity,
> Jacob

Like I said, it's _interesting_

You should thank me for trolling through 14 pages at time to bring it to
you. =]

-- 
GnuPG is Free Software (meaning that it respects your freedom).

Extensible, customizable text editor---GNU Emacs; Where's yours?





Re: [tor-talk] Don't use Google as default search in Tor Browser?

2011-11-06 Thread audd
I'm trying using yacy as a search distributed engine, anyone knows 
something about it? does it work?
ixquick and duckduckgo are web search engine not tor net search 
engine...


bye
AdD

On Sun, 06 Nov 2011 13:38:55 -0600, Joe Btfsplk wrote:
> On 11/5/2011 12:47 PM, Christian Siefkes wrote:
>> "Avoid Google" is not among that warnings, as far as I can see.
>
> You are correct - not from Tor Project anyway.  They also don't say avoid
> robbing banks; don't stare at the sun, etc.  About all I can advise
> is, read Google's (lack of) privacy policy.  If you like it, use them.
> If you'd rather not have your search terms recorded & also used for
> targeted advertising, then use another search engine that doesn't use
> those practices.  Your choice.  Aurora in its default state doesn't
> prevent pop up advertising, in my experience.
>
>> As far I know, they offer to redirect your search to a different
>> site if they detect that Google shows you a captcha.
>
> Correct.  If you like Google's privacy policy & general business
> practices, use them.
>
>> ...but I don't see a reason why they should make it difficult for
>> people to google if they want to do so. Best regards Christian
>
> You can use Google search if you want.  The captchas are presented by
> Google.  See this Tor FAQ
>   Tor provides a
> way around not having to enter the captcha (sometimes several times,
> if difficult to read), by offering a redirect.  In latest TBB 2.2.34,
> I don't know where alternate search engines for Google captchas are
> located in the bundle files.  I haven't yet been presented a Google
> captcha while using 2.2.34 - so don't know which default alternate
> search engine will be presented.  If you want to use Google when a
> captcha appears, don't click "redirect" & just enter the captcha.
>
> FYI for others interested in changing the default alternate search
> engine on a google captcha redirect, in about:config, type 'redir' in
> search box.
> The string:  extensions.torbutton.google_redir_url   will have a
> value like 5 (which is default for DuckDuckGo in mine).  Below this
> string are the other search engines w/ the numeric "url" values shown
> for each.  You can change the value from 5 (or what ever it shows) to
> a numeric value corresponding to other search engines.
>
> Mine shows the value '1' for Ixquick, etc.:
> extensions.torbutton.redir_url.1
> https://www.ixquick.com/do/metasearch.pl?query=



Re: [tor-talk] New Browser Bundle

2011-11-06 Thread Joe Btfsplk

On 11/3/2011 8:46 PM, and...@torproject.org wrote:
> On Thu, Nov 03, 2011 at 01:30:00AM -0400, zzretro...@email2me.net wrote 4.2K bytes in 100 lines about:
> :  Any reason for this? Even after I unchecked "enable globally" I started to surf
> :  and then noticed a different icon on the top of the window of Aurora where it
> :  now shows an icon for 'Tor enabled" and 'NoScript'.
>
> The current draft of the TBB design document is here,
> https://www.torproject.org/projects/torbrowser/design/
>
> It should help explain the choices made in TBB so far. Feedback is
> welcome.

I can't imagine cookies or Javascript being enabled globally.  I won't 
leave those default settings.   Cookies from "regular old web sites" 
aren't necessarily the benign "little files a web site places on your 
computer to enhance the use of our site," that they used to be.  Maybe 
need to read up on what "little old cookies" from avg sites can do now.  
Having them enabled globally - in Tor or regular Firefox - doesn't seem 
like a good idea.  Nor does having Javascript globally enabled.



Re: [tor-talk] Don't use Google as default search in Tor Browser?

2011-11-06 Thread Joe Btfsplk

On 11/6/2011 2:05 PM, Julian Yon wrote:
> Personally I use DDG, partly because of privacy concerns and partly
> because I don't like the new-look Google. You can always do a Google
> search through DDG or Scroogle if you're feeling paranoid. On topic,
> I'd prefer DDG or Ixquick as the default search in TBB but we can't
> all have our preferences included. Julian


I don't think Tor Project is going to make DDG or Ixquick the default 
search engine any more than Mozilla.org is.


As you know, users can easily change their default search engine in 
Aurora (or Firefox) through "manage search engines."  Can also add 
others or delete some included by default.  For any users that don't 
know how, there are tons of pages w/ detailed instructions (it's very 
easy).  Just search for "add [or delete] search engine +Firefox"



Re: [tor-talk] Don't use Google as default search in Tor Browser?

2011-11-06 Thread Eugen Leitl
On Sun, Nov 06, 2011 at 07:52:27PM +, audd wrote:
> I'm trying using yacy as a search distributed engine, anyone knows  
> something about it? does it work?

It would be good to have yacy running in spider mode on as many
freedom boxes as possible. However, this is Java, so it's probably 
too bloated for PogoPlug/DreamPlug type of devices.

However, ARM embeddeds are making rapid progress in the performance
department, so another year or two home appliances should be able to 
handle Yacy & Co.

> ixquick and duckduckgo are web search engine not tor net search  
> engine...

-- 
Eugen* Leitl http://leitl.org
__
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE


[tor-talk] Tor and AES-NI acceleration , and Tor profiling

2011-11-06 Thread Moritz Bartl
Hi,

Thanks to a new deal at www.axigy.com (Thanks! They're great!), we now
have a shiny dedicated Gbit/s exit with a Sandy Bridge CPU (Quad Xeon
E3-1230). Details on the setup steps I performed to enable AES-NI are
documented at
https://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration

Decided to use Ubuntu because it comes with AES-NI kernel support and
patched OpenSSL. I had to enable AES-NI in the BIOS (disabled by default
on many motherboards) and load the module. Then put the relevant
switches in torrc to use it and restarted the processes.

[notice] Using OpenSSL engine Intel AES-NI engine [aesni] for AES

So my guess is that it is now being used, but I must say I would have
expected larger profit.

I am profiling that box as documented on
https://www.torservers.net/wiki/setup/profiling , so if you're
interested in more nasty details:

Every 10 minutes:
http://axigy1.torservers.net/vnstat.png
 /usr/bin/vnstati -vs -o /var/www/vnstat.png -i eth1 >/dev/null 2>&1
(daily/monthly vnstat_d.png and vnstat_m.png)

Every hour:
http://axigy1.torservers.net/opreport.txt
 /usr/bin/opreport -g -l /usr/sbin/tor
http://axigy1.torservers.net/opdump.txt
 /usr/bin/opcontrol --dump && /usr/bin/opreport -l
http://axigy1.torservers.net/dstat.txt
 dstat -tnl --tcp -N eth1 -cmdgirsy --fs -C total,0,1,2,3 3600

I hope this is useful to Tor devs.

-- 
Moritz Bartl
https://www.torservers.net/





Re: [tor-talk] Implement JSONP interface for check.torproject.org

2011-11-06 Thread Andrew Lewman
On Sunday, November 06, 2011 11:00:08 Fabio Pietrosanti (naif) wrote:
> Let's support that AccessNow https://www.accessnow.org/ would like to
> implement the privacybadge web widget, they have several options:

A word of caution about privacy badges, learning the history of TRUSTe is 
relevant, https://secure.wikimedia.org/wikipedia/en/wiki/TRUSTe#History.

Research shows that sites with the TRUSTe seal are the least likely to honor 
what you think of as privacy, http://www.benedelman.org/news/092506-1.html.

-- 
Andrew
pgp 0x74ED336B


Re: [tor-talk] New Browser Bundle

2011-11-06 Thread Andrew Lewman
On Sunday, November 06, 2011 15:15:21 Joe Btfsplk wrote:
> I can't imagine cookies or Javascript being enabled globally.  I won't
> leave those default settings.   Cookies from "regular old web sites"
> aren't necessarily the benign "little files a web site places on your
> computer to enhance the use of our site," that they used to be.  Maybe
> need to read up on what "little old cookies" from avg sites can do now.
> Having them enabled globally - in Tor or regular Firefox - doesn't seem
> like a good idea.  Nor does having Javascript globally enabled.

I'd like to see someone do research that proves or disproves this fear that 
javascript and cookies everywhere is hazardous to the anonymity of a tor user. 
I don't know a better setting for noscript. I know what I use for settings 
when I use the default TBB setup.  

If you use collusion with TBB, you'll see the various connections made to the 
current browsing session. http://collusion.toolness.org/. I frequently hit 
'new identity' to wipe the cache/cookies.

In my world, I'd replace noscript with requestpolicy. If you never request the 
3rd party sites, then you cut out lots of risks/cruft, in theory. This is the 
core idea behind requestpolicy.  Unfortunately, this breaks lots of websites 
and would freak out most tor users. However, this is another fine study to 
undertake.

Intuitively it sounds bad, yes.  However, I'd like to see baseline research and 
then settings changes that are proven to improve anonymity for the user. Of 
course, 'improve anonymity' implies some sort of measurement, which ties into 
https://blog.torproject.org/blog/research-problem-measuring-safety-tor-network

-- 
Andrew
pgp 0x74ED336B


Re: [tor-talk] Implement JSONP interface for check.torproject.org

2011-11-06 Thread Collin Anderson
Tor would not be validating the nature or security of the hosted site,
rather the JSON would be confirming attributes of the visitor. I cannot
imagine many scenarios where a malicious party stands to benefit from
forging these credentials -- or for that matter a manner where they could
not fake a confirmation themselves without using the API.

On Sun, Nov 6, 2011 at 9:13 PM, Andrew Lewman  wrote:

> On Sunday, November 06, 2011 11:00:08 Fabio Pietrosanti (naif) wrote:
> > Let's support that AccessNow https://www.accessnow.org/ would like to
> > implement the privacybadge web widget, they have several options:
>
> A word of caution about privacy badges, learning the history of TRUSTe is
> relevant, https://secure.wikimedia.org/wikipedia/en/wiki/TRUSTe#History.
>
> Research shows that sites with the TRUSTe seal are the least likely to
> honor
> what you think of as privacy, http://www.benedelman.org/news/092506-1.html
> .
>
> --
> Andrew
> pgp 0x74ED336B
>



-- 
*Collin David Anderson*
averysmallbird.com | @cda | Washington, D.C.