Re: [tor-talk] Added a tor node
On Sun, Feb 12, 2012 at 3:30 AM, Michael Van Veen mich...@mvanveen.net wrote:

> Hello!

Hi,

> I just followed the directions on this page: https://lists.torproject.org/pipermail/tor-talk/2012-February/023070.html, having first picked up the link on hacker news. I had to tweak things a little bit to work, but the ticket here has helped tremendously: https://trac.torproject.org/projects/tor/ticket/5009#comment:17
>
> I believe my tor node is up and running, but I have no way to verify. Is there an easy way to determine if I have configured my tor bridge correctly?

Thanks for running a bridge! Please email the ip:port to tor-assista...@torproject.org and we'll confirm and add it to our list.

--
Runa A. Sandvik
___
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Increasing obfsproxies with the cloud
On Sun, Feb 12, 2012 at 4:12 AM, Michael J.J. Tiffany michael.tiff...@gmail.com wrote:

> Would a tremendous number of new nodes with the obfsproxy code, running on EC2/Rackspace/random-cloud-provider, be helpful at this point? If so, how much is too much?

Hi,

We have a lot of obfsproxy bridges running at the moment. We need stable, high-bandwidth bridges. I don't think setting up a tremendous number of bridges in the cloud will help much at this point.

When obfsproxy is more stable and maintaining an obfsproxy bridge does not require too much manual intervention, I will build obfsproxy bridge images for cloud.torproject.org.

--
Runa A. Sandvik
[tor-talk] Adblock Plus and Ghostery should be included in Tor bundle
Adblock Plus and Ghostery should be included in Tor bundle

Two reasons

1. Privacy. Fairly obvious why we do this. Stopping ads and ad tracking is consistent with the privacy mission of the Tor Project.

2. Network health. Congestion has always been a problem on Tor. Installing these plugins to stop HTTP requests which don't help the user reduces congestion on the network and speeds up page loads for each user and everybody else. Browsers won't be slowed down loading tons of ads and ad scripts and the network won't have to process many requests for junk. I think we can save a ton of bandwidth by stopping the junk requests.

While we are at it we should enable Firefox's do not track header. It won't help the network speed but it will marginally increase privacy for those who have it set. It will also protect the privacy of people who enable it manually if all Tor bundle installations are sending the same headers. It also increases the use of the header in the wild because the more browsers that send it the more advertisers and governments have to take notice of our desire for privacy. The Tor project can make a big contribution to making this header more widely used.

The Adblock should be configured to work and not need setup. Select a few good lists and have them automatically in. This will save users the time of doing it themselves and help people who don't know how. Ghostery has to be configured to block tracking scripts and cookies before first use. The Tor project should have that done automatically.

If anybody doesn't want to use Adblock they can disable it with one click. I don't know why anybody who goes to the trouble of using Tor would want to be tracked by ads but to each his own. Disabling it takes 2 seconds if somebody wants to.
Re: [tor-talk] Adblock Plus and Ghostery should be included in Tor bundle
RefControl set to spoof referrer as host webroot is also useful, I think.

- Original Message -
From: Brian Franklin
Sent: 02/12/12 09:53 AM
To: tor-talk@lists.torproject.org
Subject: [tor-talk] Adblock Plus and Ghostery should be included in Tor bundle

Adblock Plus and Ghostery should be included in Tor bundle

Two reasons

1. Privacy. Fairly obvious why we do this. Stopping ads and ad tracking is consistent with the privacy mission of the Tor Project.

2. Network health. Congestion has always been a problem on Tor. Installing these plugins to stop HTTP requests which don't help the user reduces congestion on the network and speeds up page loads for each user and everybody else. Browsers won't be slowed down loading tons of ads and ad scripts and the network won't have to process many requests for junk. I think we can save a ton of bandwidth by stopping the junk requests.

While we are at it we should enable Firefox's do not track header. It won't help the network speed but it will marginally increase privacy for those who have it set. It will also protect the privacy of people who enable it manually if all Tor bundle installations are sending the same headers. It also increases the use of the header in the wild because the more browsers that send it the more advertisers and governments have to take notice of our desire for privacy. The Tor project can make a big contribution to making this header more widely used.

The Adblock should be configured to work and not need setup. Select a few good lists and have them automatically in. This will save users the time of doing it themselves and help people who don't know how. Ghostery has to be configured to block tracking scripts and cookies before first use. The Tor project should have that done automatically.

If anybody doesn't want to use Adblock they can disable it with one click. I don't know why anybody who goes to the trouble of using Tor would want to be tracked by ads but to each his own. Disabling it takes 2 seconds if somebody wants to.
Re: [tor-talk] Adblock Plus and Ghostery should be included in Tor bundle
On Sun, 12 Feb 2012 17:00:59 +0100 Martin Hubbard martin.hubb...@gmx.us wrote:

RefControl set to spoof referrer as host webroot is also useful, I think.

- Original Message -
From: Brian Franklin
Sent: 02/12/12 09:53 AM
To: tor-talk@lists.torproject.org
Subject: [tor-talk] Adblock Plus and Ghostery should be included in Tor bundle

Adblock Plus and Ghostery should be included in Tor bundle Two reasons 1. Exit nodes and sites can make a traffic analysis based on unique profiles of banned urls. Malicious exit nodes even can inject invisible blocked patterns to make this analysis more active. Adblock and other similar user-tunable plugins should be avoided.

Check https://www.torproject.org/projects/torbrowser/design/ The Design and Implementation of the Tor Browser [DRAFT]
Re: [tor-talk] Adblock Plus and Ghostery should be included in Tor bundle
i tend to agree, but i guess there's several things to keep in mind:

- Usability. Ghostery is _very_ user friendly, but still it can break widget based sites, e.g. iGoogle.
- Endorsement. If a Plugin is included into the TBB, that may be considered as the Tor guys think this is very safe!

i run NoScript, RequestPolicy, Convergence.io and Ghostery together, and that breaks like 90% of sites to some degree. i know what is going on and i want it like this. someone who gets the same browsing experience from TBB fresh out of the box might just assume the browser to be broken and abandon it. that's not what we want.

just imagine you switch out the default browser of $elderly_person_you_know... if they notice anything besides the internet is slower lately, they might freak out. that's the kind of user that won't install AdBlock and Ghostery themselves and may benefit from a default installation. it has to work smoothly for all their use cases.

i'm not sure how to address the second concern i raised above, but if that's a non-issue, maybe a little text on the TBB default homepage educating users about those plugins might do the trick as well?

all the best
-k

On 02/12/2012 04:53 PM, Brian Franklin wrote:

> Adblock Plus and Ghostery should be included in Tor bundle
>
> Two reasons
>
> 1. Privacy. Fairly obvious why we do this. Stopping ads and ad tracking is consistent with the privacy mission of the Tor Project.
>
> 2. Network health. Congestion has always been a problem on Tor. Installing these plugins to stop HTTP requests which don't help the user reduces congestion on the network and speeds up page loads for each user and everybody else. Browsers won't be slowed down loading tons of ads and ad scripts and the network won't have to process many requests for junk. I think we can save a ton of bandwidth by stopping the junk requests.
>
> While we are at it we should enable Firefox's do not track header. It won't help the network speed but it will marginally increase privacy for those who have it set. It will also protect the privacy of people who enable it manually if all Tor bundle installations are sending the same headers. It also increases the use of the header in the wild because the more browsers that send it the more advertisers and governments have to take notice of our desire for privacy. The Tor project can make a big contribution to making this header more widely used.
>
> The Adblock should be configured to work and not need setup. Select a few good lists and have them automatically in. This will save users the time of doing it themselves and help people who don't know how. Ghostery has to be configured to block tracking scripts and cookies before first use. The Tor project should have that done automatically.
>
> If anybody doesn't want to use Adblock they can disable it with one click. I don't know why anybody who goes to the trouble of using Tor would want to be tracked by ads but to each his own. Disabling it takes 2 seconds if somebody wants to.
Re: [tor-talk] Help users in Iran reach the internet
I'm running into an issue involving obfsproxy. I've followed the instructions provided by Jacob. From a friend's machine at a different IP address, if I use Vidalia and point the bridge and the ORPort at 9001, it works without any issues. However, if I point the bridge to the port setup by obfsproxy, I run into the following problem with Vidalia:

Establishing an encrypted directory connection failed (done).

When running Tor with the logging set to debug on my bridge, I've come across the following which I believe to be the culprit:

Feb 12 13:06:36.000 [debug] tor_tls_handshake(): About to call SSL_accept on 0x7f51fda2ca80 (unknown state)
Feb 12 13:06:36.000 [info] TLS error: unexpected close while handshaking (unknown state)
Feb 12 13:06:36.000 [info] connection_tls_continue_handshake(): tls error [unexpected close]. breaking connection.

Am I missing a particular package? Has anyone else run into this problem?

Thanks,
C303
Re: [tor-talk] Adblock Plus and Ghostery should be included in Tor bundle
On 2/12/2012 10:41 AM, Brian Franklin wrote:

> Unknown makes a good point. The options should be set globally for all users of the Tor Bundle to avoid any profiling. Those who have a need for further configuration do so at their own risk.

Good point. Originally, at least part of the Tor design was users couldn't be tracked from end to end - period. Nothing about profiling based on customization. Now things have changed - obviously.

A lot of users (apparently) don't want to use TBB in its current default state. That may / may not be good for the crowd and / or them. I don't have enough deep, technical knowledge to say.

One thing I do know, is the internet, trackers, hackers, gov'ts, etc., keep discovering new tools & refining ways to track Tor & NON - Tor users. Tor devs constantly have to keep up & try to stay even, if not ahead of the adversaries. Overall, they do a good job & I'm pretty sure all but experienced software devs w/ an excellent knowledge of security issues, have no idea how hard this is for Tor devs.

That still leaves the question, should TBB users install addons that haven't been explicitly tested & proclaimed safe to use w/ TBB (as safe as the internet or TBB can reasonably be - NOTHING is or ever will be 100%). I don't know, but topic probably deserves more official discussion.

Now that Tor / TBB has become internationally well known, to extent some countries already ban it & U.S. (& others) has considered legislation that would affect its overall use, the big problem for users may soon be, are you using Tor _at all_, not just, could someone profile you from browser / addon settings?

One big question - is it a necessity (no way around it) for sites or traffic monitors to see what extensions are installed or other non - default TBB settings (other than bare minimum, like browser ver., OS, etc.). I don't understand the problems involved, so I'm asking the stupid questions on others' behalf.

Why is it necessary that data like Ghostery (or many other) extensions are installed, be made available to sites from TBB? Why is it necessary (or is it?) for extension devs to write them so that the extension(s) installed are made known to sites? [I'm basing the question on many posts to the list about if users use xyz addon, or change TBB default settings, it's possible to fingerprint them]. Why does a site have to know WHAT is blocking a tracker beacon or an ad, rather than just they ARE blocked?

NoScript is included in TBB w/ all scripts allowed in default settings. So every user has it enabled (by default). There must be an extraordinary # of customization possibilities w/ that one extension. If users blacklist one site in NoScript, they're automatically different. Cookies are globally enabled by default in TBB, so those blocking them are automatically different.

Is there more risk to users being profiled as unique, by blacklisting ONE site in NoScript (or any other routine changes) than there is by installing Ghostery, AdBlock Plus, etc? Admittedly, I may not fully understand the problems here.

When any of many cookie managers / blockers (aside from native Firefox / Aurora) blocks cookies, I don't think the site knows Cookie Monster is blocking cookies, does it? It just says, Your browser isn't accepting cookies. Maybe I'm wrong & sites DO know it's Cookie Monster?? But if not, seems the same principle would (often) apply to blocking beacons, ads & many other things using extensions, would it not?

Using TBB, sites don't have your true IP address, true geographical location, etc. Why do they need to know which extensions are installed or the settings of them?

Don't shoot the messenger - I'm just asking some questions that I haven't seen discussed - here - in detail.
[tor-talk] Do You Like Online Privacy? You May Be a Terrorist
From an article at: http://publicintelligence.net/do-you-like-online-privacy-you-may-be-a-terrorist/

February 1, 2012 in News
Public Intelligence

A flyer [1] designed by the FBI and the Department of Justice to promote suspicious activity reporting in internet cafes lists basic tools used for online privacy as potential signs of terrorist activity. The document, part of a program called “Communities Against Terrorism”, lists the use of “anonymizers, portals, or other means to shield IP address” as a sign that a person could be engaged in or supporting terrorist activity. The use of encryption is also listed as a suspicious activity along with steganography, the practice of using “software to hide encrypted data in digital photos” or other media. In fact, the flyer recommends that anyone “overly concerned about privacy” or attempting to “shield the screen from view of others” should be considered suspicious and potentially engaged in terrorist activities.

Logging into an account associated with a residential internet service provider (such as Comcast or AOL), an activity that could simply indicate that you are on a trip, is also considered a suspicious activity. Viewing any content related to “military tactics” including manuals or “revolutionary literature” is also considered a potential indicator of terrorist activity. This would mean that viewing a number of websites, including the one you are on right now, could be construed by a hapless employee as a highly suspicious activity potentially linking you to terrorism.

The “Potential Indicators of Terrorist Activities” contained in the flyer are not to be construed alone as a sign of terrorist activity and the document notes that “just because someone’s speech, actions, beliefs, appearance, or way of life is different; it does not mean that he or she is suspicious.” However, many of the activities described in the document are basic practices of any individual concerned with security or privacy online. The use of PGP, VPNs, Tor or any of the many other technologies for anonymity and privacy online are directly targeted by the flyer, which is distributed to businesses in an effort to promote the reporting of these activities.

[1] http://publicintelligence.net/fbi-suspicious-activity-reporting-flyers/

Does anyone have any opinions on how this will impact Tor and its users in the United States? It seems to me that anyone wishing to use Tor to protect themselves, especially at cafes, would start being unnecessarily harassed.

Take care,
Chris

--
Christopher A. Lindsey
Garuda LLC
PGP Key: AFD4E820
Re: [tor-talk] Help users in Iran reach the internet
On Sun, Feb 12, 2012 at 6:22 PM, Low-Key² cryptic...@yahoo.com wrote:

> I'm running into an issue involving obfsproxy. I've followed the instructions provided by Jacob. From a friend's machine at a different IP address, if I use Vidalia and point the bridge and the ORPort at 9001, it works without any issues. However, if I point the bridge to the port setup by obfsproxy, I run into the following problem with Vidalia:
>
> Establishing an encrypted directory connection failed (done).
>
> When running Tor with the logging set to debug on my bridge, I've come across the following which I believe to be the culprit:
>
> Feb 12 13:06:36.000 [debug] tor_tls_handshake(): About to call SSL_accept on 0x7f51fda2ca80 (unknown state)
> Feb 12 13:06:36.000 [info] TLS error: unexpected close while handshaking (unknown state)
> Feb 12 13:06:36.000 [info] connection_tls_continue_handshake(): tls error [unexpected close]. breaking connection.
>
> Am I missing a particular package? Has anyone else run into this problem?

Have you tried the client instructions (Step 2a) on https://www.torproject.org/projects/obfsproxy-instructions.html.en ?

--
Runa A. Sandvik
Re: [tor-talk] where did Aurora go
On Fri Feb 10 21:05:59 UTC 2012 Sebastian Hahn wrote:

> On Feb 10, 2012, at 9:47 PM, eliaz wrote:
>
>> Upon the last TBB update, Aurora 9 was replaced by FFox 10, the same FFox that I use for my clear browsing. Both have the same icon, which makes it a bother to be sure I'm in the correct browser (while I'm still running Vidalia from the same HD as I run the regular FFox). Things would be a little easier to have a different icon for the TBB implementation of the browser. Can that be done? - eliaz
>
> That's a bug that we're attempting to fix soon.

Ok, thanks. For now if I leave the tor check tab up I can easily keep track of which browser I'm in.
[tor-talk] obfuscated bridge running
Re: [tor-talk] Help users in Iran reach the internet
--- On Sun, 2/12/12, Runa A. Sandvik runa.sand...@gmail.com wrote:

> Have you tried the client instructions (Step 2a) on https://www.torproject.org/projects/obfsproxy-instructions.html.en ?

Yes. I found the issue. Wrong version of Tor daemon was still running. Thanks for the quick reply.
[tor-talk] Tor Browser Bundle 2.2.x Ubuntu AppArmor Profile
Hello,

I've spent some time creating Ubuntu AppArmor profiles for the Tor Browser Bundle and its components and related apps. I've based them upon publicly available profiles that needed some dusting off, updating, and adapting to Tor.

For the unfamiliar, AppArmor is a least privilege access control system that attempts to prevent exploited applications from accessing system resources that they shouldn't normally need. It is similar to SELinux, but it is much easier to create, understand and modify AppArmor profiles than SELinux policies.

The profiles are not perfect, and they really need the new features in the AppArmor dev series to make them awesome. In my opinion, the biggest advantage of non-dev AppArmor right now is that it gives you the ability to watch your logs for audit messages that could indicate botched+blocked exploit attempts or bad behavior, and to protect your personal files from exploited applications.

For information on working with AppArmor in Ubuntu (including how to load these profiles), see: https://help.ubuntu.com/community/AppArmor

Here's a rundown of the policies I've created and their security properties. The profiles themselves are at the pastebin links.

1. Tor Browser Bundle 2.2.x Profile: http://pastebin.com/La6C8tZJ

This profile isolates Tor, Vidalia, and Firefox to least privilege. However, some AppArmor shortcomings mean that it is not as good as it could be. According to the AppArmor wiki, it looks like the features we really want won't be available until AppArmor 2.8 or 3.0.

In particular, the profile will *not* have the ability to restrict connections from Firefox to prevent non-Tor connections until AppArmor supports more rule commands. Obviously this is a big issue if the prime goal of an exploit is to learn your IP address, and if bugs of this sort still exist in Firefox. Until AppArmor provides the ability to write rules like 'network tcp connect from 127.0.0.1 on lo to 127.0.1:9050' or even just 'network tcp dst 127.0.0.1', any arbitrary code exploit against Vidalia or Firefox can still connect to arbitrary IPs outside of Tor :/. See http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference#Note:_about_AppArmor_2.3__2.6_network_rules for more details.

Additionally, Tor and Firefox are still free to perform UDP datagram traffic, due to the desire on my part to squelch the audit log traffic down to a minimum. (The AppArmor in Ubuntu currently has a bug that causes it to always log UDP violations, even if you tell it to silence with a 'deny'). Since I think watching audit logs closely is one of the most useful properties of AppArmor, and since noise makes this substantially harder, the profiles currently allow UDP.

Despite these major issues, the profile is significantly better than nothing. The main benefit you get is that all file read and write access is restricted to ~/Downloads and ~/Public, and TBB can't launch outside apps, use ptrace, access /dev/, /tmp/, or interact with the desktop.

As a result, you will get a lot of permission denied errors from Firefox when trying to download and upload files, because the TBB folder defaults are screwy. Click through the errors and navigate to ~/Downloads/. Or change the directory in the AppArmor profile to something you like.

2. Tor Profile: http://pastebin.com/u2AXYWLJ

A separate profile for the system Tor binary, which some might find useful for proxying non-browser activity.

3. Vidalia Profile: http://pastebin.com/4ZKHnVRY

Same deal for the system Vidalia binary.

4. Pidgin Profile: http://pastebin.com/0Ycn4Bgy

This profile is based on the profile at http://bazaar.launchpad.net/~jpds/apparmor/pidgin-profile/view/head:/usr.bin.pidgin but with some additional restrictions. In particular, I forbid ptrace. It was explicitly allowed by the profile and still occasionally attempted by my client, but did not seem needed to load plugins or otherwise function. I also removed access to a lot of X window resources, and restricted homedir access in a similar manner as to the TBB Firefox profile.

If you're interested in editing these profiles, see http://wiki.apparmor.net/index.php/QuickProfileLanguage and http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference. If you know basic UNIX, AppArmor is surprisingly easy to pick up and customize with the documentation in-hand.

Please let me know if you make any improvements or figure out workarounds for current limitations.

--
Number Six numb...@elitemail.org
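The post's point about watching audit logs for blocked access attempts can be turned into a small triage script. This is an added example, not part of the original post or the linked profiles; the log lines are constructed, and the profile names `tbb-firefox` and `pidgin` are placeholders.

```python
import re
from collections import Counter

# Constructed sample of kernel audit lines in the style AppArmor 2.x writes.
# Profile names, PIDs and paths are placeholders, not values from the post.
SAMPLE_LOG = "\n".join([
    'Feb 12 20:01:11 host kernel: type=1400 audit(1329076871.101:41): apparmor="DENIED" '
    'operation="open" parent=2101 profile="tbb-firefox" name="/home/user/.ssh/id_rsa" '
    'pid=2150 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
    'Feb 12 20:01:12 host kernel: type=1400 audit(1329076872.220:42): apparmor="DENIED" '
    'operation="exec" parent=2101 profile="tbb-firefox" name="/usr/bin/xdg-open" '
    'pid=2151 comm="firefox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0',
    'Feb 12 20:01:15 host kernel: type=1400 audit(1329076875.002:43): apparmor="DENIED" '
    'operation="create" parent=2101 profile="tbb-firefox" pid=2150 comm="firefox" '
    'family="inet" sock_type="dgram" protocol=17',
    'Feb 12 20:01:16 host kernel: type=1400 audit(1329076876.410:44): apparmor="DENIED" '
    'operation="create" parent=2101 profile="tbb-firefox" pid=2150 comm="firefox" '
    'family="inet" sock_type="dgram" protocol=17',
    'Feb 12 20:02:03 host kernel: type=1400 audit(1329076923.900:45): apparmor="DENIED" '
    'operation="capable" parent=1 profile="pidgin" pid=3001 comm="pidgin" '
    'capability=19 capname="sys_ptrace"',
    'Feb 12 20:02:09 host kernel: type=1400 audit(1329076929.120:46): apparmor="ALLOWED" '
    'operation="open" parent=2101 profile="tbb-firefox" name="/home/user/Downloads/a.pdf" '
    'pid=2150 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
    'Feb 12 20:02:30 host kernel: type=1400 audit(1329076950.333:47): apparmor="DENIED" '
    'operation="open" parent=2101 profile="tbb-firefox" name="/tmp/orbit-user/socket" '
    'pid=2150 comm="firefox" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=1000',
])

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare
ALLOWED_HOME_DIRS = ("Downloads", "Public")      # the directories the post leaves accessible
HIGH_SIGNAL = {"ptrace", "exec", "home-file"}    # denials worth a closer look


def parse_denials(text):
    """Return one dict of audit fields per AppArmor DENIED line."""
    events = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue  # skip complain-mode (ALLOWED) and unrelated lines
        events.append({k: q or u for k, q, u in KV.findall(line)})
    return events


def classify(ev):
    """Map a denial onto the restrictions the post describes."""
    op, name = ev.get("operation", ""), ev.get("name", "")
    if ev.get("capname") == "sys_ptrace" or op == "ptrace":
        return "ptrace"
    if op == "exec":
        return "exec"                 # attempt to launch an outside application
    if "family" in ev:
        return "network"              # includes the noisy UDP denials the post mentions
    m = re.match(r"/home/[^/]+/([^/]+)", name)
    if m and m.group(1) not in ALLOWED_HOME_DIRS:
        return "home-file"            # personal files outside ~/Downloads and ~/Public
    if name.startswith(("/tmp/", "/dev/")):
        return "tmp-dev"
    return "other"


def triage(text):
    """Count denials per (profile, category) and list the high-signal ones."""
    counts, alerts = Counter(), []
    for ev in parse_denials(text):
        cat = classify(ev)
        counts[(ev.get("profile", "?"), cat)] += 1
        if cat in HIGH_SIGNAL:
            target = ev.get("name") or ev.get("capname")
            alerts.append((ev.get("profile"), cat, ev.get("comm"), target))
    return counts, alerts


if __name__ == "__main__":
    counts, alerts = triage(SAMPLE_LOG)
    for key, n in sorted(counts.items()):
        print(key, n)
    for alert in alerts:
        print("ALERT", alert)
```

Separating the repeated datagram denials from the high-signal categories keeps the logging noise the post describes from burying the events that deserve attention.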
[tor-talk] Trying to build the TOR Obsfproxy
Howdy?

I just started in trying to build this and am getting errors that indicate problems with SSL:

$ git clone https://git.torproject.org/obfsproxy.git
Cloning into obfsproxy...
error: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed while accessing https://git.torproject.org/obfsproxy.git/info/refs

Similarly with libevent:

$ wget https://github.com/downloads/libevent/libevent/libevent-2.0.16-stable.tar.gz
--2012-02-12 16:05:44-- https://github.com/downloads/libevent/libevent/libevent-2.0.16-stable.tar.gz
Resolving github.com (github.com)... 207.97.227.239
Connecting to github.com (github.com)|207.97.227.239|:443... connected.
ERROR: cannot verify github.com's certificate, issued by `/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1':
Unable to locally verify the issuer's authority.
To connect to github.com insecurely, use `--no-check-certificate'.

I'm running OpenBSD 4.9 on this system, soon to be upgraded to 5.x.

Any help would be appreciated.

Thanks,
Duncan (Dhu) Campbell
[tor-talk] Adblock Plus and Ghostery should be included in Tor bundle
Ghostery should not be added to TBB, it's not Free Software. No source code available. TBB would rely on a single company. If all that would not be the case, and if it's safe to implement, I'd be happy to see it in TBB.

Same goes for Adblock Plus. If it's safe, it should come preinstalled with TBB. Ads over Tor make no sense, you can not buy those things anonymously and ads and tracking waste Tor's and users' bandwidth.

The next version of TBB really should have Do-Not-Track enabled. If all TBB users have it activated by default, there are no fingerprinting issues. DNT is an opinion which all Tor users express by using Tor. I see no disadvantages by activating DNT by default.
Re: [tor-talk] Adblock Plus and Ghostery should be included in Tor bundle
On 2/12/2012 3:00 PM, Patrick Mézard wrote:

> For me, a more basic question is whether installing extensions from a fresh Tor installed is (sufficiently) safe. I do not know the details of the process but it probably involves some HTTPS connections to addons.mozilla.org. If the exit node can perform MITM attacks on SSL you may end up installing something unwanted. Could the initial setup be made safer, for instance by storing digests of addons.mozilla.org certificate in Tor bundles at build time and *warn* if they do not match (like a specialized Certificate Patrol would do)? Is it already addressed in Firefox?

--

Can't checking for addons' check for updates be unchecked in Aurora / Firefox Options? As well as for the browser search plugins? Does that not solve the problem of some addon connecting to MAO during a Tor session?
Re: [tor-talk] Trying to build the TOR Obsfproxy
On 2012-02-12, Duncan Patton a Campbell campb...@neotext.ca wrote:

> Howdy?
>
> I just started in trying to build this and am getting errors that indicate problems with SSL:
>
> $ git clone https://git.torproject.org/obfsproxy.git
> Cloning into obfsproxy...
> error: SSL certificate problem, verify that the CA cert is OK. Details:
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed while accessing https://git.torproject.org/obfsproxy.git/info/refs
>
> Similarly with libevent:
>
> $ wget https://github.com/downloads/libevent/libevent/libevent-2.0.16-stable.tar.gz
> --2012-02-12 16:05:44-- https://github.com/downloads/libevent/libevent/libevent-2.0.16-stable.tar.gz
> Resolving github.com (github.com)... 207.97.227.239
> Connecting to github.com (github.com)|207.97.227.239|:443... connected.
> ERROR: cannot verify github.com's certificate, issued by `/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1':
> Unable to locally verify the issuer's authority.
> To connect to github.com insecurely, use `--no-check-certificate'.
>
> I'm running OpenBSD 4.9 on this system, soon to be upgraded to 5.x.

Install a CA certificate bundle.

Robert Ransom
Re: [tor-talk] Adblock Plus and Ghostery should be included in Tor bundle
Agreed about the dangers of add-ons and info here https://www.torproject.org/projects/torbrowser/design/ The Design and Implementation of the Tor Browser [DRAFT]

not sure if maintaining ghostery or adblock via Tor is worth the trouble as they might/might not improve the user experience but they don't from my standpoint push forward the design and implementation goals.

I would say a first consideration might be to address mitm attacks. We have seen major problems with certificate authorities and most governments can write certificates. Tor has a vulnerability with mitm attacks. (everyone does) A migration towards a system like convergence (convergence.io) with a decentralized trust of SSL would probably be a good thing. Currently there are some conflicts between Tor and the convergence add-on working together but if this could be addressed or the process was internalized and if Tor was shipped with a large number of notaries (or approach this in the same way as bridges...not sure on this) then you would have a pretty complete solution.

my 2 cents
E75A7CF4

On 2/12/2012 10:29 AM, unknown wrote:

> On Sun, 12 Feb 2012 17:00:59 +0100 Martin Hubbard martin.hubb...@gmx.us wrote:
>
> RefControl set to spoof referrer as host webroot is also useful, I think.
>
> - Original Message -
> From: Brian Franklin
> Sent: 02/12/12 09:53 AM
> To: tor-talk@lists.torproject.org
> Subject: [tor-talk] Adblock Plus and Ghostery should be included in Tor bundle
>
> Adblock Plus and Ghostery should be included in Tor bundle Two reasons 1. Exit nodes and sites can make a traffic analysis based on unique profiles of banned urls. Malicious exit nodes even can inject invisible blocked patterns to make this analysis more active. Adblock and other similar user-tunable plugins should be avoided.
>
> Check https://www.torproject.org/projects/torbrowser/design/ The Design and Implementation of the Tor Browser [DRAFT]
Re: [tor-talk] Adblock Plus and Ghostery should be included in Tor bundle
I think Ghostery + Adblock Plus + No Script is overkill. Choose one. They all pretty much do the same thing. Block nasty javascript. No Script seems appropriate for the Tor Browser due to its default aggressive stance on any javascript. But just curious, which part of Ghostery is closed source, because when I open up the xpi I don't see any binaries, but haven't looked at everything.

On Sun, Feb 12, 2012 at 6:24 PM, Andrew Lewman and...@torproject.org wrote:
> On Mon, 13 Feb 2012 00:31:28 - pro...@tormail.net wrote:
>> Same goes for Adblock Plus. If it's safe, it should come preinstalled with TBB. Ads over Tor make no sense, you can not buy those things anonymously and ads and tracking waste Tor's and users' bandwidth.
>
> Actually, you can buy stuff from ads through Tor. I've done it, works fine.
>
>> The next version of TBB really should have Do-Not-Track enabled. If all TBB users have it activated by default, there are no fingerprinting issues. DNT is an opinion which all Tor users express by using Tor. I see no disadvantages by activating DNT by default.
>
> Sounds correct, but needs more research into anonymity set reduction, partitioning of those with or without DNT set, and does DNT reveal more info than the lack of tracking via torbutton now?
>
> --
> Andrew
> http://tpo.is/contact
> pgp 0x74ED336B
Re: [tor-talk] Adblock Plus and Ghostery should be included in Tor bundle
On Sun, 2012-02-12 at 07:53 -0800, Brian Franklin wrote:
> The Adblock should be configured to work and not need setup. Select a few good lists and have them automatically in. This will save users the time of doing it themselves and help people who don't know how.

For those on this list who are not familiar with AdBlock, it is an advertisement blocking program that downloads pattern blacklists. Any URL that would be requested matching a pattern is not requested (to the best of my understanding). These blacklists are updated automatically on some regular schedule.

The problem I see in Tor adopting AdBlock as a default-installed plugin is that it allows the controller of that list to censor websites without oversight. I think if AdBlock is installed by default in the Tor Browser Bundle, the list configured should be run by the Tor Project, since we have to trust it anyway if we're using its software.
Re: [tor-talk] Adblock Plus and Ghostery should be included in Tor bundle
On Sun, 12 Feb 2012 07:53:17 -0800 (PST) Brian Franklin bfranklin74...@yahoo.com wrote:
> 1. Privacy. Fairly obvious why we do this. Stopping ads and ad tracking is consistent with the privacy mission of the Tor Project.

In general, I'm going to defer to Mike Perry, as he's our expert here. Stopping ads is not the goal of Tor. Stopping tracking is one goal of Tor. We already defang and stop tracking by ads and ad networks through torbutton. Adblock will just make things more of a mess, and possibly undo the protections built into torbutton. See https://www.torproject.org/projects/torbrowser/design/ for the full details.

> 2. Network health. Congestion has always been a problem on Tor.

Actually, the likely problem is cryptographic overload on relays. We seem to have a decent amount of unused bandwidth, https://metrics.torproject.org/network.html#bandwidth.

> Installing these plugins to stop HTTP requests which don't help the user reduces congestion on the network and speeds up page loads for each user and everybody else. Browsers won't be slowed down loading tons of ads and ad scripts and the network won't have to process many requests for junk. I think we can save a ton of bandwidth by stopping the junk requests.

Sounds like interesting research. I look forward to the results and data. Here's an informal set of research and data, https://trac.torproject.org/projects/tor/ticket/3461

> Ghostery has to be configured to block tracking scripts and cookies before first use. The Tor project should have that done automatically.

Ghostery is closed-source software. If we cannot see the source code, we cannot evaluate it for privacy threats.

--
Andrew
http://tpo.is/contact
pgp 0x74ED336B
[tor-talk] some clarifications on hidden services ...
I've read through /docs/hidden-services.html.en a few times over and I need some points clarified, if someone would be so kind ...

- Can I choose more than 3 random relays to announce my hidden service to? These are the entry guards that the doc refers to later, right?
- If all of the random relays that I announce to initially go away, will I see that in logs/errors/messages, or be alerted in some way? I assume I'd need to reintroduce the service, but I could keep the same .onion address, right?
- Other than losing my own keys, is there anything else that would force me to use a new .onion address? Or can those stay persistent indefinitely?
- Can I move my hidden service around, physically, from network to network, and just reintroduce myself with each move? I assume this adds to my risks, since each reintroduction tells three more organizations the real IP of my hidden service, yes?

Thank you.
Re: [tor-talk] Adblock Plus and Ghostery should be included in Tor bundle
On 2/12/2012 6:53 PM, Ted Smith wrote:
> The problem I see in Tor adopting AdBlock as a default-installed plugin is that it allows the controller of that list to censor websites without oversight. I think if AdBlock is installed by default in the Tor Browser Bundle, the list configured should be run by the Tor Project, since we have to trust it anyway if we're using its software.

Good point, but that would result in another project for Tor Project to develop & maintain. Many would agree w/ you & some of Tor devs *might* (in theory), but I wonder how realistic that undertaking is currently? Perhaps if funding for Tor Project were much larger & there were many more developers.

Right now, many AdBlock users are upset because its developers have decided to allow some non-intrusive advertising, by default (though users can opt out). If Tor Project DID develop something like this, it'd probably be better for Tor users than installing untested addons.

I have no idea if this is feasible, but could someone from Tor Project approach (any) appropriate developers about developing (or allowing branches of) these or any other addons that Tor Project thinks are truly useful? It's true these 2 aren't open source.

The issue of these 2 addons needing to update lists (during an anonymous TBB session) can be solved by turning off automatic updates in the addons' options - yes?
Re: [tor-talk] some clarifications on hidden services ...
2012/2/13 John Case c...@sdf.org:
> These are the entry guards that the doc refers to later, right?

No, these are called Introduction points, entry guards are something else.

> - If all of the random relays that I announce to initially go away, will I see that in logs/errors/messages, or be alerted in some way? I assume I'd need to reintroduce the service, but I could keep the same .onion address, right?

If it loses connection to an introduction point it will immediately choose a new random node to use and once the circuit to the new introduction point is established it will announce it.

> - Other than losing my own keys, is there anything else that would force me to use a new .onion address? Or can those stay persistent indefinitely?

If you lose them or if someone managed to steal them (because then the thief with your key can impersonate your service).

> - Can I move my hidden service around, physically, from network to network, and just reintroduce myself with each move?

Yes, absolutely. Only a few minutes and you are online again at your new location with the same .onion address.

> I assume this adds to my risks, since each reintroduction tells three more organizations the real IP of my hidden service, yes?

No. Nobody knows the IP address of your service because you only connect via 3 tor hops to the Introduction points (and to the rendezvous points), none of them ever learns where the service is located.

Bernd
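Added example, not part of the thread and not Tor's own code: the .onion name is computed from the service's public key alone, which is why the address survives a move to another network and why anyone holding a stolen key can serve it. `onion_v2` covers the 2012-era format discussed here; `onion_v3` and `is_valid_v3` go beyond the thread to the later v3 format, and all key bytes are constructed placeholders.

```python
import base64
import hashlib

# Constructed placeholder bytes for illustration; not real keys.
RSA_DER_A = b"constructed stand-in for service A's DER-encoded RSA public key"
RSA_DER_B = b"constructed stand-in for service B's DER-encoded RSA public key"
ED25519_PUB = bytes(range(32))  # constructed stand-in for a 32-byte Ed25519 public key


def onion_v2(rsa_pub_der: bytes) -> str:
    """Legacy v2 name: base32 of the first 80 bits of SHA-1 over the
    DER-encoded RSA public key."""
    digest = hashlib.sha1(rsa_pub_der).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower() + ".onion"


def onion_v3(ed25519_pub: bytes) -> str:
    """v3 name: base32(pubkey || checksum || version), version = 0x03."""
    if len(ed25519_pub) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    version = b"\x03"
    checksum = hashlib.sha3_256(b".onion checksum" + ed25519_pub + version).digest()[:2]
    raw = ed25519_pub + checksum + version
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def is_valid_v3(address: str) -> bool:
    """Check the length, version byte and checksum of a v3 address."""
    address = address.lower()
    if not address.endswith(".onion") or len(address) != 62:
        return False
    try:
        raw = base64.b32decode(address[:-6].upper())
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    pub, checksum, version = raw[:32], raw[32:34], raw[34:]
    expected = hashlib.sha3_256(b".onion checksum" + pub + version).digest()[:2]
    return version == b"\x03" and checksum == expected


if __name__ == "__main__":
    # No IP address or network location is an input to either derivation.
    print(onion_v2(RSA_DER_A), onion_v2(RSA_DER_B))
    addr = onion_v3(ED25519_PUB)
    print(addr, is_valid_v3(addr))
```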
Re: [tor-talk] bridge up down times
On Feb 12, 2012, at 11:38 PM, eliaz wrote:
> I have a few novice questions about a normal bridge I've set up. I've not found answers in the documentation.
>
> * Opposite the one country that's so far listed in the usage summary, the #Client column shows 1-8. What does this mean exactly? 1 client? eight? 1 client eight times?

Between 1 and 8 clients. We don't give more accurate statistics for safety reasons.

> * When I do have to shut down my machine or stop Tor I'd like to do it when no clients are using the bridge. The bandwidth graph spikes every few minutes, hard to predict from it when there might be no traffic. Is there an app from which over time I could get an idea of when it's least disruptive to stop Tor? Can't use Arm; I'm running on windows. I can log onto shell accounts via ssh in PuTTY/pageant, if that's any help. Thanks

You can set the ShutdownWaitLength tor configuration option to something very high, like half an hour or so. That means Tor will continue servicing ongoing connections, but not accept new ones. Once there are no more ongoing connections or 30 minutes are up, Tor will exit.