Re: [tor-talk] Security update notice after new install
"Runa A. Sandvik": > On Fri, Sep 14, 2012 at 12:42 PM, wrote: > > This notice- "There is a security update available for the Tor > > Browser Bundle" appears after a installing Tor 0.2.2.39 > > > > Is this a cause for concern? > > I've noticed the same thing. The notice disappears if you extract the > package archive again. Bug, maybe? OK for me, working fine. But wondering: o Any reason why there was no testing via tor-qa? o Any reason why the release wasn't sent to tor-talk? o What was the reason for disabling random port selection? (I disable it anyway, but just wondering why in this case?) Thanks -- kat ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Security update notice after new install
On Sat, Sep 15, 2012 at 6:59 AM, Katya Titov wrote: > "Runa A. Sandvik": > >> On Fri, Sep 14, 2012 at 12:42 PM, wrote: >> > This notice- "There is a security update available for the Tor >> > Browser Bundle" appears after a installing Tor 0.2.2.39 >> > >> > Is this a cause for concern? >> >> I've noticed the same thing. The notice disappears if you extract the >> package archive again. Bug, maybe? > > OK for me, working fine. But wondering: > > o Any reason why there was no testing via tor-qa? Tor 0.2.2.39 was a security-fix release for a fairly severe bug and we wanted to get a new release out as soon as possible. > o Any reason why the release wasn't sent to tor-talk? We announce new Tor Browser Bundle releases on the blog. > o What was the reason for disabling random port selection? (I disable > it anyway, but just wondering why in this case?) Random port selection was disabled because of https://trac.torproject.org/projects/tor/ticket/6803 -- Runa A. Sandvik ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Security update notice after new install
"Runa A. Sandvik": >> o Any reason why there was no testing via tor-qa? > > Tor 0.2.2.39 was a security-fix release for a fairly severe bug and we > wanted to get a new release out as soon as possible. OK, understood. >> o Any reason why the release wasn't sent to tor-talk? > > We announce new Tor Browser Bundle releases on the blog. I've never actually realised this! Kudos that the other communications channels work so well. >> o What was the reason for disabling random port selection? (I >> disable it anyway, but just wondering why in this case?) > > Random port selection was disabled because of > https://trac.torproject.org/projects/tor/ticket/6803 Thanks -- kat ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] onion id calculation
rend-spec... "permanent-id" is the permanent identifier of the hidden service, consisting of 80 bits. It can be calculated by computing the hash value of the public hidden service key and truncating after the first 80 bits: permanent-id = H(public-key)[:10] https://trac.torproject.org/projects/tor/wiki/doc/HiddenServiceNames To run a hidden service, Tor generates an RSA-1024 keypair. The .onion name is computed as follows: first the SHA1 hash of the DER-encoded ASN.1 public key is calculated. Afterwards the first half of the hash is encoded to Base32 and the suffix ".onion" is added. uokvcerylytn3y3p.onion -BEGIN RSA PRIVATE KEY- MIICXAIBAAKBgQDYbHtavI7ltBhWRTdpsFOYkPCKlmwOXlk0Bxw2B6diWvBvDtbI zNdIqN4HEs7Fgr32dsRjsigaQEeGRER6xgHgZ6WmupizyjBRFDt2GuNfw9neYq4v HoP9HCV/QE1tBTwo5WNm9IETpF3qRoJJlGR4x/SUN7IuFwutjnehP6s7YwIDAQAB AoGACc7QwEnvR+WjfLViT33YK//VhtJOT1BjRoJT+vbZ1RE9+Cp5/VubHgXZGgT2 LelA5px3RfVa7+Wd2C3b1JyIlSd/iWFL7XlrjDbof98bD0GtpeDcnXk/izlxZDpW mKp+abr8ZQiwanlRg3BXZxLb9XeTvFLGl7HfJMbxWqUxCEECQQD4oRLDERcf9xCu FrHEor7FuLsfWc121oBIpiEGciZy2fan7kEif9Dt/Avdh7mcdoCj3kZnLJbhUWiy 6oTcrhDRAkEA3tb9vi7v0DvecR11lqVyNhQTA6zJ9ot8ZXWR92pF9e6s3JA2GqD3 ZpEJ3XE3rpMXYjdpWlr4OcrvWC2kWxY18wJAUqVwUClpL3X4NHZUx1F16tG6WfSH CP7Ki9u1VKgzQbBUfoQDYM1uDP3gj9YjC/CUWGR1sKwwx1tBW1/7pEO0UQJAQkik 9Xs0rjYAtpjSr1rLHDbgaQlukb1v5SYRowyjfsHd/UWQMl+K96FQ0+OncnAiVn6x AcVpbJdmlk4NQ2LZ7QJBAIXnNVHHro3q0jhGt5kG1oiSj7k+zOVyeKFWdy73uPUF gDiBbJNxnEgdAumE29vdvmSDSKanDw3yus6wyF0YVs0= -END RSA PRIVATE KEY- openssl rsa -in private_key -pubout -outform DER | sha1 | cut -c 1-10 python -c "import base64, sys; print base64.b32encode(sys.stdin.readline().rstrip('\n')).lower()" gu4dsm3cmi3dkyzw What am I doing wrong besides being sleepy? Here also, using half(20 chars) of the hash would yield a 32 char onion id. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] onion id calculation
On 9/15/12, grarpamp wrote: > openssl rsa -in private_key -pubout -outform DER | sha1 | cut -c 1-10 > python -c "import base64, sys; print > base64.b32encode(sys.stdin.readline().rstrip('\n')).lower()" > gu4dsm3cmi3dkyzw > > What am I doing wrong besides being sleepy? You're using the first quarter of the base16 encoding of the SHA-1 hash, instead of the first half of the SHA-1 hash itself. Robert Ransom ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] How does Tor use my Computer?
I have noticed in recent months a change in the behavior of the exit relay I have set up on my computer. I often have the bandwidth usage graph visible on my desktop. In the "Olden Days" the incoming and outgoing traces generally followed each other pretty closely, but now there are "Bursts" of outgoing activity that are not matched to incoming traffic. They have recently become much more frequent. I try to update when new releases become available, and I am currently running Tor 0.2.3.22 rc on Windows 7. I do not have any local activity correlated to these bursts that I am aware of. Is this behavior expected or have I been infected by some botnet? David ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Logging on to Tor
Hugh, Find the file on your system named "Start Tor Browser.exe". Right-click it and pick "Send To". From that sub-menu pick "Desktop (Create Shortcut). that will, not surprisingly, add a shortcut to your desktop. Chris, assuming you're using Windows -- CTS MASTERING, affordable and professional mixing and mastering: http://www.ctsmastering.com Twitter: https://twitter.com/#!/CTSMASTERING BLOG: www.ctsmastering.com/blog Linked In: http://ca.linkedin.com/pub/chris-smart/46/824/536 ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] scaling .onion site?
> warms0x: >> There's a couple of problems with this approach: >> [...] >> * The amount of time required to negotiate an HTTP request being >> proxied >> from A.onion -> B.onion and then sending a request from B.onion -> >> A.onion -> Client would very likely brush up against HTTP timeouts >> (120s) > > I don't understand that concern. The client successfully connects to > A.onion (without timeout) and will be redirected to B.onion using the > browser redirection feature, also without timeout. It's similar to > visiting one .onion site and click on another .onion link. If you provided an HTTP redirect, that would work, but then I (as a consumer) would be very suspicious of the site, redirecting from one .onion to another is a little scary. The statement was regarding HTTP proxying, which is what we were referring to HAProxy doing for the multiple backend onions. In that case, the A.onion would act as the front-end and *only* interaction point with the client, the client would have no knowledge or exposure to the B and C.onion sites. - warms0x --- xmpp: warm...@riseup.net http: http://warms0x.github.com ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] onion id calculation
On 9/15/12, Robert Ransom wrote: > On 9/15/12, grarpamp wrote: > > > u...p.onion > > > > -BEGIN RSA PRIVATE KEY- > > ... > > -END RSA PRIVATE KEY- > > > > openssl rsa -in private_key -pubout -outform DER | sha1 | cut -c 1-10 > > python -c "import base64, sys; print > > base64.b32encode(sys.stdin.readline().rstrip('\n')).lower()" > > gu4dsm3cmi3dkyzw > > > > What am I doing wrong besides being sleepy? > > You're using the first quarter of the base16 encoding of the SHA-1 > hash, instead of the first half of the SHA-1 hash itself. Also, don't use a service whose private key you've exposed over email. I'd make a new hidden service for that. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk