Re: [tor-talk] WebGL forbidden in NoScript but Flash is not?
Joe Btfsplk:
> OK, thanks for detailed reply. Now that the adversary has a fingerprint of my machine (therein lies the problem - the data being given out), unless they're the gubment & I'm a bad guy (or living in a repressed society), what are they going to do w/ that info?

This means that the anonymity is broken. Your browser can be uniquely identified among the others. In a repeated manner, across Tor circuits, Tor Browser sessions and system reboots.

-- 
Lunar lu...@torproject.org

___
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] WebGL forbidden in NoScript but Flash is not?
On 08.05.2013 02:13, Joe Btfsplk wrote:
> OK, thanks for detailed reply. Now that the adversary has a fingerprint of my machine (therein lies the problem - the data being given out), unless they're the gubment & I'm a bad guy (or living in a repressed society), what are they going to do w/ that info?

It's more about unlinkability being one of the required properties for anonymity. You don't want anyone to be able to link earlier sessions to future sessions.

-- 
Moritz Bartl
https://www.torservers.net/
Re: [tor-talk] Is using player like VLC safe alternative to Flash?
On 07.05.2013 19:51, Joe Btfsplk wrote:
> Question of playing Flash vids comes up constantly & explanation given of why it can compromise anonymity in Tor Browser.

Additionally to what Tom Ritter wrote: If you want to be safe, convert the .flv to a real video format first. I would say a toolchain like ffmpeg -> h264, and then VLC to play it, is safer than directly playing the .flv.

-- 
Moritz Bartl
https://www.torservers.net/
Re: [tor-talk] tor forum hosted as a hidden service
I can deploy one. I don't like forums because they are easy to SQLi. But if the community needs one I can deploy one by today or tomorrow.

On Wed, May 8, 2013 at 1:50 AM, Juan Garofalo juan@gmail.com wrote:
> At 08:50 AM 5/8/2013 +0400, you wrote:
>> Seems like you'd just end up with a kind of chicken and egg problem.
>
> Hehe. Yes, you're right in a way. But consider this: downloading the browser bundle and visiting an onion site is something almost anybody can do. But configuring a hidden service for instance isn't as easy. So if people wanted to anonymously discuss more advanced topics regarding Tor, then a hidden service might make sense.
>
> Or perhaps I'm overly paranoid =P
>
>> On Tue, May 07, 2013 at 09:59:55PM -0300, Juan Garofalo wrote:
>>> Is there such a thing? A place to ask technical questions about tor, inside the .onion network?
Re: [tor-talk] WebGL forbidden in NoScript but Flash is not?
> Date: Wed, 8 May 2013 08:57:48 +0200
> From: Lunar lu...@torproject.org
> To: tor-talk@lists.torproject.org
> Subject: Re: [tor-talk] WebGL forbidden in NoScript but Flash is not?
> Message-ID: 20130508065748.GA975@loar
> Content-Type: text/plain; charset=us-ascii
>
> Joe Btfsplk:
>> OK, thanks for detailed reply. Now that the adversary has a fingerprint of my machine (therein lies the problem - the data being given out), unless they're the gubment & I'm a bad guy (or living in a repressed society), what are they going to do w/ that info?
>
> This means that the anonymity is broken. Your browser can be uniquely identified among the others. In a repeated manner, across Tor circuits, Tor Browser sessions and system reboots.
>
> -- 
> Lunar

Here's a likely example of what Lunar is talking about. If you visit this link you will be presented a survey form.

http://survey.gci.uq.edu.au/survey.php?c=1R9YT8YMZTWF

The javascript for that page creates a string listing:

1) every plugin for your browser
2) fonts that match his list of fonts.
3) The screen height of your system
4) the screen width of your system.
5) the timezone offset.
6) a timestamp:randomnumber string.

These strings are added to hidden input fields and submitted to the browser when someone agrees to participate.

The person doing the survey is likely collecting browser fingerprints to identify duplicate entries by people using proxies. That person conducting the research is simultaneously the researcher and a blogger who has been known to express quite a bit of hostility toward the category of human subjects he has invited to participate in his survey.

Obviously, fingerprints when collected are used for whatever purpose the person collecting them wishes to use them for.
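Why the attribute list in the message above defeats unlinkability, as an added example that is not part of the original posts: it measures, for each fingerprint, how many distinct users share it (the anonymity set) and which exit addresses a set of size one ties together. All submissions, user labels and addresses are constructed sample data, and the function names are hypothetical.

```python
import hashlib

# The five stable attributes from the list above; the sixth value
# (timestamp:randomnumber) changes on every visit, so it is left out.
STABLE = ("plugins", "fonts", "screen_h", "screen_w", "tz_offset")

# Constructed sample data: three users on one shared, uniform profile and
# one user with a customized browser seen on two different circuits.
UNIFORM = dict(plugins="", fonts="Arial;Times New Roman",
               screen_h=900, screen_w=1000, tz_offset=0)
CUSTOM = dict(plugins="Shockwave Flash;VLC Web Plugin",
              fonts="Arial;Calibri;Ubuntu", screen_h=1080, screen_w=1920, tz_offset=300)
SUBMISSIONS = [
    dict(UNIFORM, user="A", exit_ip="192.0.2.10", nonce="1367996400:4821"),
    dict(UNIFORM, user="B", exit_ip="198.51.100.7", nonce="1367996460:1177"),
    dict(UNIFORM, user="C", exit_ip="203.0.113.5", nonce="1367996520:9034"),
    dict(CUSTOM, user="D", exit_ip="192.0.2.44", nonce="1367996580:2290"),
    dict(CUSTOM, user="D", exit_ip="203.0.113.91", nonce="1368082980:7713"),
]

def fingerprint(sub):
    """Hash the stable attributes of one submission into a short identifier."""
    canon = "|".join(f"{k}={sub[k]}" for k in STABLE)
    return hashlib.sha256(canon.encode()).hexdigest()[:16]

def anonymity_set_sizes(subs):
    """Map each fingerprint to the number of distinct users sharing it."""
    users = {}
    for s in subs:
        users.setdefault(fingerprint(s), set()).add(s["user"])
    return {fp: len(u) for fp, u in users.items()}

def linked_exits(subs):
    """For fingerprints held by exactly one user, the exit IPs they tie together."""
    sizes = anonymity_set_sizes(subs)
    linked = {}
    for s in subs:
        fp = fingerprint(s)
        if sizes[fp] == 1:
            linked.setdefault(fp, []).append(s["exit_ip"])
    return linked

if __name__ == "__main__":
    print(anonymity_set_sizes(SUBMISSIONS))
    print(linked_exits(SUBMISSIONS))
```

Users A, B and C stay indistinguishable from each other, while user D's two visits are linked even though the exit address and the per-visit nonce both changed.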
Re: [tor-talk] memory cached pages should reload instantly-but DON'T
On 5/7/2013 10:56 PM, David Vorick wrote:
> Are we sure this is a bug? Even when a page is in the cache doesn't it have to communicate with the server to verify that the cache hasn't expired? Perhaps this is what you are experiencing.

Good question. What do YOU see, when hitting the back button, after having left the original page only 5, 15 or 30 sec ago? Does it take 30 - 60 sec to reload the original page?

What if a page has ads (whether hidden, blocked or not), that changed every few sec? Would that force (dupe) TBB into completely reloading the page? Many pages have ads that change constantly. I use AdBlock Plus (yeah, I know) - but I'm not in a critical, my life depends on it anonymity situation. *Ads + Tor = VERY slow.* I brought this up a while ago & we discussed it on this list, ad nauseam. Even EFF has ads, trackers, etc.

Even though the ads are blocked, the scripts on page source have changed. But that means others NOT blocking ads, would STILL be forced to reload pages in TBB when hitting back button, because the page's *ads changed.* And it'd seem reloading the page WITH ads displayed would be *as slow or slower* than reloading it w/ ads blocked? But, reloading a TBB page from 30 sec ago is also mind numbingly slow.

Those SAME pages with SAME ads (possibly blocked, that may be changing every few sec), still reload almost instantly in Fx. But... that's not going over Tor network. Back to square one.

Do other Windows users w/ fast machines & plenty of free bandwidth, if reloading TBB pages from 1 min ago, with or without ads displayed, see it taking 10, 20, 30 sec to reload? On a VERY consistent basis?

Maybe there's an about:config entry - even if must manually add it - telling TBB not to reload pages when going back in history, unless... (it's certain age; or some other requirements)?
Re: [tor-talk] WebGL forbidden in NoScript but Flash is not?
On 5/8/2013 1:57 AM, Lunar wrote:
> Joe Btfsplk:
>> OK, thanks for detailed reply. Now that the adversary has a fingerprint of my machine (therein lies the problem - the data being given out), unless they're the gubment & I'm a bad guy (or living in a repressed society), what are they going to do w/ that info?
>
> This means that the anonymity is broken. Your browser can be uniquely identified among the others. In a repeated manner, across Tor circuits, Tor Browser sessions and system reboots.

For NON gov't entities, in a NON repressed society, does the adversary having my unique browser identity, automatically get them anything? My anonymity is broken. Are they able to just call up my ISP & demand to know who I am and / or that my ISP discontinue my service? (we didn't discuss if having my browser fingerprint means having my name, real location (home address), my ISP, my real IP address, etc.). I'm guessing no.

If I lived in China or Iran, things would be much different. There should be REAL WORLD distinctions made on what an adversary can DO w/ the browser fingerprint, based on who the adversary is (that specific is always a black hole in Tor documents), where you live & what, if anything, you've done that's illegal in your legal jurisdiction.

How thick safe walls & how complicated the lock system needs to be DOES depend on what's stored inside.
Re: [tor-talk] Is using player like VLC safe alternative to Flash?
On 5/7/2013 8:46 PM, Tom Ritter wrote:
> VLC has a lot of stuff going on inside of it. I would not be surprised if there were proxy leaks that might be able to be forced by someone doing something tricky. Say you enter a url to a flash video and the content is intercepted and replaced with an RTSP stream that VLC somehow interprets, and due to a quirk of RTSP makes a request to a third party domain that isn't proxied? I have no idea if that's possible, but I wanted to give some strange example of something VLC supports that might have a proxy leak in some obscure component.
>
> Likewise, when discussing security vulnerabilities... VLC doesn't have the best track record. (See https://www.videolan.org/security/ ). I'm a big fan of VLC, but I put it in the same category as Pidgin when it comes to how far do I trust this program to not have bugs?
>
> I would love to see someone do an objective test of VLC as opposed to my subjective hand-waving, but I'm not aware of one.

Fair enough. Thanks for your perspective. I'm just posing questions. I am a bit surprised that the issue of playing vids in Tor or TBB or Tor developed plugin, no matter their original format (or converting them), hasn't been addressed by Tor Project. I know... they're limited on resources.

Here's an idea: take one of the well respected, open source, cross platform video players & MAKE IT safe to use in TBB as a plugin, or as a stand alone? They're already developed, for the most part - already as safe as anything else. Why re invent the wheel?

Lots of people in repressed societies would like to watch some political speech vids, for example. Not that big of an issue in the U.S., unless you're watching militia group vids. Unless the entire mission of Tor Project is to provide semi anonymous access to written word & exclude video; that may well be the case & have solid reasoning behind it.

Also seems to me that there are PLENTY of talented Tor users that could & would be willing to write patches or entire sections of code for this or anything else - for free, if they were allowed to. They do it ALL THE TIME for other open source apps. Tor is a non profit, but sometimes seems to be so tightly controlled, that progress moves at a snail's pace.
Re: [tor-talk] Is using player like VLC safe alternative to Flash?
On 08.05.2013 10:58, Moritz Bartl wrote:
>> Question of playing Flash vids comes up constantly & explanation given of why it can compromise anonymity in Tor Browser.
>
> Additionally to what Tom Ritter wrote: If you want to be safe, convert the .flv to a real video format first. I would say a toolchain like ffmpeg -> h264, and then VLC to play it, is safer than directly playing the .flv.

I just learned that that statement is crap, because flash video is just a video format like the others.

-- 
Moritz Bartl
https://www.torservers.net/
Re: [tor-talk] WebGL forbidden in NoScript but Flash is not?
On 5/8/2013 3:01 PM, lu...@rankexploits.com wrote:
> Here's a likely example of what Lunar is talking about. If you visit this link you will be presented a survey form.
>
> http://survey.gci.uq.edu.au/survey.php?c=1R9YT8YMZTWF
>
> The javascript for that page creates a string listing:
>
> 1) every plugin for your browser
> 2) fonts that match his list of fonts.
> 3) The screen height of your system
> 4) the screen width of your system.
> 5) the timezone offset.
> 6) a timestamp:randomnumber string.
>
> These strings are added to hidden input fields and submitted to the browser when someone agrees to participate.
>
> The person doing the survey is likely collecting browser fingerprints to identify duplicate entries by people using proxies. That person conducting the research is simultaneously the researcher and a blogger who has been known to express quite a bit of hostility toward the category of human subjects he has invited to participate in his survey.
>
> Obviously, fingerprints when collected are used for whatever purpose the person collecting them wishes to use them for.

Thanks for your input, but this thread has gotten way off original spirit of the question.

Has anyone / group (incl. Tor Project) researched using, or perhaps modifying, some open source media player to use in or with TBB. Or, maybe it should be a consideration for the future.

For NON Tor use, playing flash content in a respected player is probably safer than using Flash Player.
Re: [tor-talk] memory cached pages should reload instantly-but DON'T
On 5/7/2013 10:56 PM, David Vorick wrote:
> Are we sure this is a bug? Even when a page is in the cache doesn't it have to communicate with the server to verify that the cache hasn't expired? Perhaps this is what you are experiencing.
>
> On Tue, May 7, 2013 at 9:41 PM, Tom Ritter t...@ritter.vg wrote:
>> Hm, that's a tough question. TBB doesn't modify the FF code very much at all, and the patches are pretty lightweight - they're all listed here: https://gitweb.torproject.org/torbrowser.git/tree/HEAD:/src/current-patches/firefox although some of them do deal with caching.
>>
>> The about:config settings are all listed here (AFAIK): https://gitweb.torproject.org/torbrowser.git/blob/HEAD:/build-scripts/config/pound_tor.js so I wonder if there's anything in there you might recognize as causing a problem?
>>
>> I'm afraid I'm not quite sure what the issue could be, these types of bugs are pretty tricky to track down. I did want to point you in the right direction for maybe finding the culprit though.

I looked at torbrowser.git from link above. One interesting thing. They show on line 16 pref("browser.cache.disk.enable", false); - but in my brand new extraction of TBB 2.3.25-6, in about:config, it has that as user set ENABLED. But, I didn't enable it. The last thing I'd want to do if looking for speed, is use disk cache. Didn't touch the setting in Options nor reset it in about:config; used a clean profile.

Others might check their setting in about:config. This is kind of a big deal for not retaining TBB sessions on the machine.

In my TBB about:config, browser.cache.memory.enable is also = true (by default). Only it has a much smaller max entry size than disk cache (which should be disabled): browser.cache.memory.max_entry_size;5120. So default memory max entry size is apparently 5.1 MB (kinda small if you have 8 or more GB RAM).

I don't know what TBB is REALLY doing when I go back one page in history, but unless that page has expired, been purged from cache, etc., it shouldn't be reloading it. Maybe it has to do w/ how long I use TBB in a session - I only just opened it today. But today, going back a page or 2 in history is almost instant - as it should be. Yet I've seen the slow issue I've described over many versions. I hope it continues to make a liar out of me.

I'm not an expert on pipelining. TBB sets network.http.pipelining.maxrequests = 12, though most documentation says #s higher than 8 will be treated as 8. Later TBB versions have network.http.pipelining.aggressive = true, while it's disabled by default in Fx 20. Some don't agree that it helps at all; in fact, just the opposite on some sites.

http://www.guypo.com/technical/http-pipelining-not-so-fast-nor-slow/

> The biggest impact, however, was the variance. Using aggressive pipelining made certain sites MUCH slower. For example, about.com was 2.5 times slower http://www.webpagetest.org/video/compare.php?tests=120725_BX_NF5-l:Pipelining+Off,120725_1J_NF4-l:Pipelining+On,120725_64_NF6-l:Aggressive+Pipelining with aggressive pipelining. Other sites balanced this effect by being faster, with good results being 10-15% faster...
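One way to run the check suggested in the message above outside of about:config, as an added example (not code from the original post or from Tor Project): it parses the text of a Firefox profile's prefs.js, where user-set values are stored as user_pref(...) lines, and reports any that differ from the values quoted in the post. The sample file contents and the function names are constructed for illustration.

```python
import re

# Values quoted in the post: pound_tor.js ships the disk cache disabled;
# the other three are what the poster saw in about:config.
EXPECTED = {
    "browser.cache.disk.enable": False,
    "browser.cache.memory.enable": True,
    "network.http.pipelining.maxrequests": 12,
    "network.http.pipelining.aggressive": True,
}

PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

# Constructed sample of a profile's prefs.js with the override described above.
SAMPLE_PREFS_JS = """\
// constructed sample, not taken from a real profile
user_pref("browser.cache.disk.enable", true);
user_pref("browser.cache.disk.capacity", 358400);
user_pref("network.http.pipelining.maxrequests", 12);
user_pref("browser.startup.homepage", "about:blank");
"""

def parse_value(raw):
    """Convert a prefs.js literal (bool, integer or quoted string) to Python."""
    if raw in ("true", "false"):
        return raw == "true"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    raise ValueError(f"unrecognised pref value: {raw!r}")

def parse_prefs(text):
    """Return {name: value} for every user_pref(...) line; other lines are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs

def audit(text, expected=EXPECTED):
    """Return {pref: (expected, found)} for user-set prefs that differ."""
    user = parse_prefs(text)
    return {
        name: (want, user[name])
        for name, want in expected.items()
        # compare types too, so that 1 is not accepted in place of true
        if name in user and (type(user[name]) is not type(want) or user[name] != want)
    }

if __name__ == "__main__":
    for name, (want, found) in audit(SAMPLE_PREFS_JS).items():
        print(f"{name}: expected {want!r}, profile has {found!r}")
```

A pref that is absent from prefs.js is not user-set, so it is not reported.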