Re: [tor-talk] "Invalid Server Certificate" accessing torproject.org on Chrome/Windows
I tried to attach a screenshot, but that put my message over the 50KB needs-approval limit. See my message below (minus the attachment).

2012/1/4 Greg :
> Hi Andrew,
> Thank you for taking a stab at this issue! I just tried this now, and
> it still doesn't work. I don't remember precisely what the chain
> looked like, so I can't be sure I'm seeing anything different at all. I
> restarted Chrome (but not Windows). Both www.torproject.org and
> trac.torproject.org show the same error.
> The chain that I see now is:
> *.torproject.org --> DigiCert High Assurance CA-3 --> DigiCert
> (I've attached a screen shot of this.)
>
> Thanks,
> Greg
>
> 2012/1/4 Andrew Lewman :
>> I think this is fixed for www.torproject.org now. Digicert apparently
>> updated their ca chained certs at some point. I've put the updated
>> ca-certs on the www servers. If this works, we can update them on all
>> torproject servers.
>>
>> And for fun, I've attached the gnutls-cli output of the old cert in
>> place and the new cert in place.
>>
>> tl;dr we went from:
>> our cert -> DigiCert High Assurance CA-3
>>
>> to now:
>> cert -> DigiCert High Assurance CA-3 -> DigiCert High Assurance EV Root
>> CA
>>
>> I couldn't replicate the problem in Chromium, FF9, nor whatever version
>> of Android I have on an obsolete phone.

___
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] "Invalid Server Certificate" accessing torproject.org on Chrome/Windows
Hi Andrew,
Thank you for taking a stab at this issue! I just tried this now, and it still doesn't work. I don't remember precisely what the chain looked like, so I can't be sure I'm seeing anything different at all. I restarted Chrome (but not Windows). Both www.torproject.org and trac.torproject.org show the same error.
The chain that I see now is:
*.torproject.org --> DigiCert High Assurance CA-3 --> DigiCert
(I've attached a screen shot of this.)

Thanks,
Greg

2012/1/4 Andrew Lewman :
> I think this is fixed for www.torproject.org now. Digicert apparently
> updated their ca chained certs at some point. I've put the updated
> ca-certs on the www servers. If this works, we can update them on all
> torproject servers.
>
> And for fun, I've attached the gnutls-cli output of the old cert in
> place and the new cert in place.
>
> tl;dr we went from:
> our cert -> DigiCert High Assurance CA-3
>
> to now:
> cert -> DigiCert High Assurance CA-3 -> DigiCert High Assurance EV Root
> CA
>
> I couldn't replicate the problem in Chromium, FF9, nor whatever version
> of Android I have on an obsolete phone.
>
> --
> Andrew
> http://tpo.is/contact
> pgp 0x74ED336B
Re: [tor-talk] "Invalid Server Certificate" accessing torproject.org on Chrome/Windows
I think this is fixed for www.torproject.org now. Digicert apparently updated their ca chained certs at some point. I've put the updated ca-certs on the www servers. If this works, we can update them on all torproject servers.

And for fun, I've attached the gnutls-cli output of the old cert in place and the new cert in place.

tl;dr we went from:
our cert -> DigiCert High Assurance CA-3

to now:
cert -> DigiCert High Assurance CA-3 -> DigiCert High Assurance EV Root CA

I couldn't replicate the problem in Chromium, FF9, nor whatever version of Android I have on an obsolete phone.

--
Andrew
http://tpo.is/contact
pgp 0x74ED336B

gnutls-cli www.torproject.org
Resolving 'www.torproject.org'...
Connecting to '38.229.72.14:443'...
- Session ID: 57:5F:06:07:51:0A:04:4E:4E:27:EC:7F:FB:E3:FF:3C:CA:8D:A2:93:43:92:4B:09:20:34:64:B7:01:59:D8:FE
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
 - subject `C=US,ST=Massachusetts,L=Walpole,O=The Tor Project\, Inc.,CN=*.torproject.org', issuer `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance CA-3', RSA key 2048 bits, signed using RSA-SHA256, activated `2011-02-15 00:00:00 UTC', expires `2013-04-19 23:59:59 UTC', SHA-1 fingerprint `a7e70f8a648fe04a9677f13eedf6f91b5f7f2e25'
- Certificate[1] info:
 - subject `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance CA-3', issuer `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance EV Root CA', RSA key 2048 bits, signed using RSA-SHA1, activated `2007-04-03 00:00:00 UTC', expires `2022-04-03 00:00:00 UTC', SHA-1 fingerprint `a2e32a1a2e9fab6ead6b05f64ea0641339e10011'
- Certificate[2] info:
 - subject `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance EV Root CA', issuer `C=US,O=Entrust.net,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),OU=(c) 1999 Entrust.net Limited,CN=Entrust.net Secure Server Certification Authority', RSA key 2048 bits, signed using RSA-SHA1, activated `2006-10-01 05:00:00 UTC', expires `2014-07-26 18:15:15 UTC', SHA-1 fingerprint `918da5e499c15f7c6275b124fede53357c34bd36'
- The hostname in the certificate matches 'www.torproject.org'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Ephemeral Diffie-Hellman parameters
- Using prime: 1024 bits
- Secret key: 1016 bits
- Peer's public key: 1019 bits
- Version: TLS1.0
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed

gnutls-cli www.torproject.org
Resolving 'www.torproject.org'...
Connecting to '38.229.72.14:443'...
- Session ID: FE:5A:D0:67:F9:7C:2D:03:E8:F0:E2:35:38:2D:F4:D0:D9:32:F7:95:B1:D6:E6:2F:78:F2:2B:D8:64:EB:2E:D1
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `C=US,ST=Massachusetts,L=Walpole,O=The Tor Project\, Inc.,CN=*.torproject.org', issuer `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance CA-3', RSA key 2048 bits, signed using RSA-SHA256, activated `2011-02-15 00:00:00 UTC', expires `2013-04-19 23:59:59 UTC', SHA-1 fingerprint `a7e70f8a648fe04a9677f13eedf6f91b5f7f2e25'
- Certificate[1] info:
 - subject `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance CA-3', issuer `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance EV Root CA', RSA key 2048 bits, signed using RSA-SHA1, activated `2007-04-03 00:00:00 UTC', expires `2022-04-03 00:00:00 UTC', SHA-1 fingerprint `a2e32a1a2e9fab6ead6b05f64ea0641339e10011'
- The hostname in the certificate matches 'www.torproject.org'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Ephemeral Diffie-Hellman parameters
- Using prime: 1024 bits
- Secret key: 1023 bits
- Peer's public key: 1019 bits
- Version: TLS1.0
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed
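An added example, not part of Andrew's message or of any Tor Project tooling: it parses the subject/issuer lines of the two gnutls-cli runs above and shows which trust anchor each server-sent chain needs. Function names are hypothetical, matching is by DN text only (no signatures, dates or revocation are checked), and the inputs are rebuilt from the DNs in the output rather than captured.

```python
import re

# DNs copied from the gnutls-cli output quoted above.
LEAF = r"C=US,ST=Massachusetts,L=Walpole,O=The Tor Project\, Inc.,CN=*.torproject.org"
CA3 = "C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance CA-3"
EV_ROOT = "C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance EV Root CA"
ENTRUST = ("C=US,O=Entrust.net,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),"
           "OU=(c) 1999 Entrust.net Limited,"
           "CN=Entrust.net Secure Server Certification Authority")


def gnutls_cert_lines(index, subject, issuer):
    """Rebuild one 'Certificate[n] info' entry in gnutls-cli's layout (trimmed)."""
    return (f"- Certificate[{index}] info:\n"
            f" - subject `{subject}', issuer `{issuer}', RSA key 2048 bits\n")


# Constructed inputs: the two runs reduced to their subject/issuer lines.
RUN_3_CERTS = (gnutls_cert_lines(0, LEAF, CA3) + gnutls_cert_lines(1, CA3, EV_ROOT)
               + gnutls_cert_lines(2, EV_ROOT, ENTRUST))
RUN_2_CERTS = gnutls_cert_lines(0, LEAF, CA3) + gnutls_cert_lines(1, CA3, EV_ROOT)

CERT_RE = re.compile(r"subject `(.*?)', issuer `(.*?)',")


def parse_chain(gnutls_output):
    """Return [(subject_dn, issuer_dn), ...] in the order the server sent them."""
    return CERT_RE.findall(gnutls_output)


def cn(dn):
    """Extract the CN from a DN, honouring backslash-escaped commas."""
    for part in re.split(r"(?<!\\),", dn):
        if part.startswith("CN="):
            return part[3:]
    return dn


def validate(chain, anchors):
    """Walk leaf-to-root; return (status, index of deciding cert, CN involved)."""
    for i, (subject, issuer) in enumerate(chain):
        if subject in anchors:              # a sent certificate is itself trusted
            return ("trusted", i, cn(subject))
        if issuer in anchors:               # the client can stop building here
            return ("trusted", i, cn(issuer))
        if i + 1 == len(chain):             # ran out of sent certificates
            return ("issuer unknown", i, cn(issuer))
        if chain[i + 1][0] != issuer:       # next sent cert is not the issuer
            return ("out of order", i, cn(issuer))
    return ("empty", -1, "")


if __name__ == "__main__":
    stores = {"DigiCert EV root only": {EV_ROOT},
              "Entrust root only": {ENTRUST},
              "no anchors": set()}
    for label, text in (("3 certs", RUN_3_CERTS), ("2 certs", RUN_2_CERTS)):
        for store, anchors in stores.items():
            print(label, "|", store, "->", validate(parse_chain(text), anchors))
```

A client holding only the Entrust root validates the three-certificate list through the cross-certificate but stops with "issuer unknown" on the two-certificate list, while a client holding the DigiCert root accepts both.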
Re: [tor-talk] Hoax?
On Thu, Jan 5, 2012, at 12:14 AM, Gozu-san wrote:
> On 04/01/12 19:24, Geoff Down wrote:
>
> > Let's try that again...
> > http://pastebin.com/jBPFsUSg
> > "We did crack Tor's encryption to reveal 190 IP addresses of individuals
> > using Tor for Child Pornography"
>
> They didn't "crack Tor's encryption". They posted a fake "Tor security
> update" on one of the Hidden Wiki pages. It was actually malware that
> sent true IP addresses to their server(s) when Tor wasn't running.
> TAILS would have prevented that, because there's no history. Using a
> Tor gateway VM would have prevented that, because there's never Internet
> connectivity except through Tor. Connecting to Tor through a VPN
> service would have provided a safety net (to the extent that the VPN
> provider protects users' privacy).

Thanks - I thought this was probably old news, but it was a recent pasting.
And anyone can use a real Symantec employee's name.
GD

--
http://www.fastmail.fm - A no graphics, no pop-ups email service
Re: [tor-talk] Hoax?
On 04/01/12 19:24, Geoff Down wrote:
> Let's try that again...
> http://pastebin.com/jBPFsUSg
> "We did crack Tor's encryption to reveal 190 IP addresses of individuals
> using Tor for Child Pornography"

They didn't "crack Tor's encryption". They posted a fake "Tor security update" on one of the Hidden Wiki pages. It was actually malware that sent true IP addresses to their server(s) when Tor wasn't running. TAILS would have prevented that, because there's no history. Using a Tor gateway VM would have prevented that, because there's never Internet connectivity except through Tor. Connecting to Tor through a VPN service would have provided a safety net (to the extent that the VPN provider protects users' privacy).
Re: [tor-talk] "Invalid Server Certificate" accessing torproject.org on Chrome/Windows
Well, this is certainly beyond my certificate debugging skill level. Would engaging a Chrome mailing list be helpful?

Thanks for all the info so far,
Greg

2012/1/4 Ondrej Mikle :
> On 01/04/12 21:30, Pascal wrote:
>>
>> Running www.digicert.com through that tool shows the 2nd intermediate
>> certificate that needs to be included.
>
> Their tool is quite good, but not all-powerful. The suggested "2nd
> intermediate certificate" must have subject CN="DigiCert High Assurance EV
> Root CA". That can be either self-signed root certificate or a
> cross-certificate (one cross-cert is issued by GTE CyberTrust and one by
> Entrust). The "DigiCert High Assurance EV Root CA" is trusted by Windows
> (that's why it appears at the top of the chain shown by Chrome).
>
> But it really seems the issue is at the client's side (which is frankly
> rare).
>
> The real point is, why does MS CryptoAPI think that the signature
> www.torproject.org is invalid (openssl and gnutls don't object)? BTW, the
> reason Chrome sees different cert for "DigiCert High Assurance CA-3" than
> the one sent by www.torproject.org is because CryptoAPI engages in "AIA
> chasing" and downloads the intermediate cert from the URL it finds in
> Authority Information Access of torproject.org's cert (but even that chain
> should validate).
>
> Ondrej
Re: [tor-talk] Hoax?
On Wed, Jan 4, 2012 at 21:24, Geoff Down wrote:
> http://pastebin.com/jBPFsUSg
> "We did crack Tor's encryption to reveal 190 IP addresses of individuals
> using Tor for Child Pornography"

How can one even begin to assess a press-release that's essentially an incomprehensible diatribe? Are these kids writing in their native language? If the anti-pedophilia hysteria in the USA (relying on “Patriot to the USA” statement in the text here) is sufficiently strong to produce this kind of erratic vigilantism, surely the activists are capable of finding a pro bono editor that would assist them in properly conveying their message.

--
Maxim Kammerer
Liberté Linux (discussion / support: http://dee.su/liberte-contribute)
Re: [tor-talk] Hoax?
On Wed, 04 Jan 2012 19:24:56 + "Geoff Down" wrote:
> Let's try that again...
> http://pastebin.com/jBPFsUSg
> "We did crack Tor's encryption to reveal 190 IP addresses of
> individuals using Tor for Child Pornography"

"There are two recent stories claiming the Tor network is compromised. It seems it is easier to get press than to publish research, work with us on the details, and propose solutions. Our comments here are based upon the same stories you are reading. We have no insider information.

The first story has been around 'Freedom Hosting' and their hosting of child abuse materials as exposed by Anonymous Operation Darknet. We're reading the press articles, pastebin urls, and talking to the same people as you. It appears 'Anonymous' cracked the Apache/PHP/MySQL setup at Freedom Hosting and published some, or all, of their users in the database. These sites happened to be hosted on a Tor hidden service.

Further, 'Anonymous' used a somewhat recent RAM-exhaustion denial of service attack on the 'Freedom Hosting' Apache server. It's a simple resource starvation attack that can be conducted over low bandwidth, low resource requirement connections to individual hosts. This isn't an attack on Tor, but rather an attack on some software behind a Tor hidden service. This attack was discussed in a thread on the tor-talk mailing list starting October 19th."

From 24 October 2011:
https://blog.torproject.org/blog/rumors-tors-compromise-are-greatly-exaggerated

--
Andrew
http://tpo.is/contact
pgp 0x74ED336B
Re: [tor-talk] "Invalid Server Certificate" accessing torproject.org on Chrome/Windows
On 01/04/12 21:30, Pascal wrote:
> Running www.digicert.com through that tool shows the 2nd intermediate
> certificate that needs to be included.

Their tool is quite good, but not all-powerful. The suggested "2nd intermediate certificate" must have subject CN="DigiCert High Assurance EV Root CA". That can be either self-signed root certificate or a cross-certificate (one cross-cert is issued by GTE CyberTrust and one by Entrust). The "DigiCert High Assurance EV Root CA" is trusted by Windows (that's why it appears at the top of the chain shown by Chrome).

But it really seems the issue is at the client's side (which is frankly rare).

The real point is, why does MS CryptoAPI think that the signature www.torproject.org is invalid (openssl and gnutls don't object)? BTW, the reason Chrome sees different cert for "DigiCert High Assurance CA-3" than the one sent by www.torproject.org is because CryptoAPI engages in "AIA chasing" and downloads the intermediate cert from the URL it finds in Authority Information Access of torproject.org's cert (but even that chain should validate).

Ondrej
Re: [tor-talk] "Invalid Server Certificate" accessing torproject.org on Chrome/Windows
The tool at http://www.digicert.com/help/ does a good job of showing what is going on with a web site's certs. Traditionally a website is expected to send its own server cert and all intermediate certs, but not the root cert. You can run www.google.com through that tool to see how this looks. Running freenet.us.to through that tool shows how a site including the root cert looks. Running www.torproject.org through there shows that there are actually 2 intermediate certs required for the server cert used, but only 1 of them is being included.

-Pascal

On 1/4/2012 2:10 PM, Ondrej Mikle wrote:
> 2. Since www.torproject.org does not send DigiCert root CA cert in
> handshake, each browser builds yet another chain to root.
>
> Though it might be helpful if www.torproject.org sent whole chain (up to
> Digicert root).
>
> Ondrej
Re: [tor-talk] "Invalid Server Certificate" accessing torproject.org on Chrome/Windows
On 01/04/12 07:40, Greg wrote:
> Hi,
> I searched google for people having problems accessing torproject.org from Chrome on Windows, but I didn't see much besides a discussion on December 21 about an outage (http://comments.gmane.org/gmane.network.tor.general/2514).
> I can access torproject.org from Firefox on my windows (server 2003) machine, but not from Chrome. I get an "Invalid Server Certificate" error and it doesn't let me continue.
> Any ideas what might be wrong with my Chrome/Windows setup?

I can reproduce it on WinXP/Chrome. This seems to be a bug in Microsoft CryptoAPI (unless I am missing something).

So what's going on here (amazing case of "cooperation paradox"):

1. Firefox and Chrome on Windows see different chains. Specifically Chrome sees different intermediate certificate for "DigiCert High Assurance CA-3" than the certificate sent by www.torproject.org server.

2. Since www.torproject.org does not send DigiCert root CA cert in handshake, each browser builds yet another chain to root.

3. I've verified the chain seen by Chrome with gnutls, then looked at the certificate differences by hand (checks out fine in both cases). I can't see why MS CryptoAPI thinks the signature is invalid: it's not revoked and validity period, extensions, etc. seem fine as well.

Though it might be helpful if www.torproject.org sent whole chain (up to Digicert root).

If anyone wants to dig into it, three different chains are attached (one from Chrome 16.0.912.63 m/Win, two from Firefox 9.0.1/Linux - yes, it's possible to get two chains on different profiles).
Ondrej
Re: [tor-talk] "Invalid Server Certificate" accessing torproject.org on Chrome/Windows
Running www.digicert.com through that tool shows the 2nd intermediate certificate that needs to be included.

-Pascal

On 1/4/2012 2:21 PM, Pascal wrote:
> The tool at http://www.digicert.com/help/ does a good job of showing
> what is going on with a web site's certs. Traditionally a website is
> expected to send its own server cert and all intermediate certs, but not
> the root cert. You can run www.google.com through that tool to see how
> this looks. Running freenet.us.to through that tool shows how a site
> including the root cert looks. Running www.torproject.org through there
> shows that there are actually 2 intermediate certs required for the
> server cert used, but only 1 of them is being included.
>
> -Pascal
>
> On 1/4/2012 2:10 PM, Ondrej Mikle wrote:
>> 2. Since www.torproject.org does not send DigiCert root CA cert in
>> handshake, each browser builds yet another chain to root.
>>
>> Though it might be helpful if www.torproject.org sent whole chain (up to
>> Digicert root).
>>
>> Ondrej
[tor-talk] Hoax?
-- http://www.fastmail.fm - mmm... Fastmail...
[tor-talk] Hoax?
Let's try that again...
http://pastebin.com/jBPFsUSg
"We did crack Tor's encryption to reveal 190 IP addresses of individuals using Tor for Child Pornography"

--
http://www.fastmail.fm - Or how I learned to stop worrying and love email again
Re: [tor-talk] Linux TransparentProxy setup and IPv6
> If you have a Linux machine with an IPv6 address, and you're using
> the iptables technique described on that page, then you're going to
> leak. "iptables" only applies to IPv4 traffic. You need to put in
> an explicit rule using "ip6tables" to block all IPv6 traffic.
>
> Alternatively, just disable IPv6 support on your machine.
>
> Maybe the documentation should be updated with this information?

ip6tables -t filter -A OUTPUT -m owner --uid-owner anonymous -j DROP

..if you are (ab)using the username anonymous and your IPv4 iptables firewall is set up to do -m owner --uid-owner anonymous rules.
Re: [tor-talk] Linux TransparentProxy setup and IPv6
On 04/01/12 14:19, h...@safe-mail.net wrote:
> https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
>
> Since Tor does not support IPv6 yet...
>
> What about IPv6 traffic? Is it blocked when following these instructions?
>
> If not, how to do so?

If you have a Linux machine with an IPv6 address, and you're using the iptables technique described on that page, then you're going to leak. "iptables" only applies to IPv4 traffic. You need to put in an explicit rule using "ip6tables" to block all IPv6 traffic.

Alternatively, just disable IPv6 support on your machine.

Maybe the documentation should be updated with this information?

--
Mike Cardwell https://grepular.com/ http://cardwellit.com/
OpenPGP Key 35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4
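An added check, not from this thread or from the TransparentProxy wiki page: it reads rule text in ip6tables-save's `-A` form and reports whether IPv6 egress for one account is blocked, leaking, or needs manual review. The rule sets are constructed samples, the function names are hypothetical, and the account is compared with the literal text after `--uid-owner`, which is an assumption.

```python
import shlex

BLOCK = {"DROP", "REJECT"}

# Constructed ip6tables-save style rule sets (not captured from a real host).
HEADER = "*filter\n:INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n"
NO_RULES = HEADER + ":OUTPUT ACCEPT [0:0]\nCOMMIT\n"        # IPv4-only setup
PER_USER = (HEADER + ":OUTPUT ACCEPT [0:0]\n"               # rule from the reply
            "-A OUTPUT -m owner --uid-owner anonymous -j DROP\nCOMMIT\n")
DEFAULT_DROP = (HEADER + ":OUTPUT DROP [0:0]\n"             # block all IPv6 egress
                "-A OUTPUT -o lo -j ACCEPT\nCOMMIT\n")
PORT_ALLOWED = (HEADER + ":OUTPUT DROP [0:0]\n"
                "-A OUTPUT -p tcp --dport 443 -j ACCEPT\nCOMMIT\n")


def output_chain(save_text):
    """Return (default policy, tokenised rules) for filter/OUTPUT."""
    policy, rules, in_filter = "ACCEPT", [], False
    for raw in save_text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":OUTPUT "):
            policy = line.split()[1]
        elif in_filter and line.startswith("-A OUTPUT "):
            rules.append(shlex.split(line)[2:])
    return policy, rules


def conditions_for(tokens, uid):
    """Return (remaining conditions, target) if the rule can match uid, else None."""
    if "-j" not in tokens[:-1]:
        return None                       # no usable target on this rule
    cut = tokens.index("-j")
    conds, target = tokens[:cut], tokens[cut + 1]
    if "!" in conds:
        return conds, target              # negated match: treat as conditional
    if "--uid-owner" in conds:
        k = conds.index("--uid-owner")
        if conds[k + 1] != uid:
            return None                   # rule is scoped to another account
        conds = conds[:k] + conds[k + 2:]
        conds = " ".join(conds).replace("-m owner", "").split()
    return conds, target


def ipv6_egress(uid, save_text):
    """Classify IPv6 egress for uid as 'blocked', 'leaks' or 'review'."""
    policy, rules = output_chain(save_text)
    for tokens in rules:
        matched = conditions_for(tokens, uid)
        if matched is None:
            continue
        conds, target = matched
        if conds == ["-o", "lo"]:
            continue                      # loopback never leaves the host
        if not conds and target in BLOCK:
            return "blocked"
        if target == "ACCEPT":
            return "leaks" if not conds else "review"
    return "blocked" if policy in BLOCK else "leaks"


if __name__ == "__main__":
    for name, text in (("no rules", NO_RULES), ("per-user drop", PER_USER),
                       ("default drop", DEFAULT_DROP), ("port allowed", PORT_ALLOWED)):
        print(name, {u: ipv6_egress(u, text) for u in ("anonymous", "alice")})
```

The per-user rule closes the leak only for the named account; every other account on the same machine still reaches IPv6 directly unless the chain policy is DROP.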
[tor-talk] Linux TransparentProxy setup and IPv6
https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy

Since Tor does not support IPv6 yet...

What about IPv6 traffic? Is it blocked when following these instructions?

If not, how to do so?
[tor-talk] about TOR
An article about TOR, *Project Vigilant and BBHC Global* in French by Primavera De Filippi: http://adam.hypotheses.org/1149

Best regards.

--
François Huguet
PhD student | Telecom ParisTech
Dept. of Economic and Social Sciences | UMR CNRS LTCI
46, Rue Barrault - 75634 PARIS Cedex 13
✉ francois.hug...@telecom-paristech.fr
✆ +33 6 65 40 23 60 | +33 1 45 81 79 41
http://codesignlab.wp.institut-telecom.fr
[tor-talk] which
which