Re: [tor-talk] Can I set multiple socks5 proxies within torrc for my tor?

2014-02-28 Thread Gerardus Hendricks

On 2/28/14 6:12 AM, Hongyi Zhao wrote:

> If I have more than one socks5 proxy and I
> want to use them for the purpose of load-balance in the torrc or
> by other methods.  Is this possible or not?


No, not possible out of the box. It's quite hard to define what 
'load-balance' would actually entail here. It would probably be 
something along the lines of what Multipath TCP does.


You could use the Tor API to periodically reset the value of the socks 
proxy. That's probably a different kind of load-balancing than you had 
in mind.


Regards,
Gerard
--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
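
An added sketch of the control-port approach mentioned in the reply above (not code from the thread or from the Tor Project): it rotates the torrc option Socks5Proxy with SETCONF over Tor's control protocol. It assumes a ControlPort with password authentication; the proxy addresses, password and helper names are constructed for illustration.

```python
import itertools
import socket
import time

def control_lines(proxy, password):
    """Commands that authenticate, repoint Tor's upstream SOCKS5 proxy, and disconnect."""
    quoted = password.replace("\\", "\\\\").replace('"', '\\"')
    return [f'AUTHENTICATE "{quoted}"', f"SETCONF Socks5Proxy={proxy}", "QUIT"]

def send_commands(ctrl_addr, commands, timeout=10.0):
    """Send each command and read its one-line reply; raise on the first non-250 reply."""
    replies = []
    with socket.create_connection(ctrl_addr, timeout=timeout) as sock:
        reader = sock.makefile("r", encoding="ascii")
        for cmd in commands:
            sock.sendall(cmd.encode("ascii") + b"\r\n")
            reply = reader.readline().strip()
            replies.append(reply)
            if not reply.startswith("250"):
                raise RuntimeError(f"{cmd.split()[0]} rejected: {reply!r}")
    return replies

def rotate(ctrl_addr, proxies, password, rounds, interval, sleep=time.sleep):
    """Round-robin through `proxies`, applying one every `interval` seconds."""
    applied = []
    for proxy in itertools.islice(itertools.cycle(proxies), rounds):
        send_commands(ctrl_addr, control_lines(proxy, password))
        applied.append(proxy)
        sleep(interval)
    return applied

if __name__ == "__main__":
    # Constructed values: TEST-NET proxy addresses and a placeholder password.
    # Against a live Tor: rotate(("127.0.0.1", 9051), proxies, password, 10, 600)
    for p in ["192.0.2.10:1080", "192.0.2.11:1080"]:
        print(control_lines(p, "placeholder-password"))
```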


Re: [tor-talk] Using HTTPS Everywhere to redirect to .onion

2014-02-28 Thread Gerardus Hendricks

On 2/28/14 2:25 AM, Roger Dingledine wrote:

> I don't really want to get
> into the business of writing an /etc/hosts file for public website -
> hidden service mappings.


Maybe an option to avoid that would be to do something along the lines 
of HSTS. A Tor-Transport-Security header, that would specify the hidden 
service that corresponds to the clearnet website being reached, only 
when reaching the clearnet website over authenticated TLS.


After receiving such a header, the TBB would refuse to load the clearnet 
website, and instead reach the .onion site for the specified max-age. 
The .onion site would (have the authority to) update the max-age too.


It would change browser behavior based on past user behavior, which 
allows for (some limited?) fingerprinting attacks.


Also, like with HSTS, you are still trusting the TLS PKI for the first 
connection if you don't preload the list. Though, without this you would 
need to trust the TLS PKI anyway, so there is not much to lose.


Regards,
Gerard
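
An added sketch of the browser-side bookkeeping the proposal above implies (not code from the thread, Tor Browser or HTTPS Everywhere). No syntax for Tor-Transport-Security appears in the thread, so the form `onion=<host>; max-age=<seconds>`, the max-age=0 behaviour and all names below are assumptions.

```python
import re
import time

# 16-character or 56-character base32 label followed by ".onion"
ONION_RE = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion$")

def parse_tts(value):
    """Parse the ASSUMED syntax 'onion=<host>; max-age=<seconds>'; None if malformed."""
    fields = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if not sep or name.lower() in fields:
            return None
        fields[name.lower()] = val.strip()
    onion = fields.get("onion", "").lower()
    if not ONION_RE.match(onion) or not re.fullmatch(r"[0-9]+", fields.get("max-age", "")):
        return None
    return onion, int(fields["max-age"])

class OnionPinStore:
    """Browser-side state: clearnet host -> (onion host, expiry timestamp)."""
    def __init__(self, clock=time.time):
        self.clock, self.pins = clock, {}

    def observe(self, host, header, tls_authenticated):
        """Process a header received from `host`; True if a pin was set or changed."""
        parsed, host = parse_tts(header), host.lower()
        if parsed is None:
            return False
        onion, max_age = parsed
        if host.endswith(".onion"):
            # The onion service may only refresh pins that already point at itself.
            targets = [c for c, (o, _) in self.pins.items() if o == host == onion]
        elif tls_authenticated:
            targets = [host]
        else:
            return False  # plain HTTP or an unvalidated certificate: ignore the header
        for clearnet in targets:
            if max_age == 0:  # assumed to clear the pin, as max-age=0 does in HSTS
                self.pins.pop(clearnet, None)
            else:
                self.pins[clearnet] = (onion, self.clock() + max_age)
        return bool(targets)

    def resolve(self, host):
        """Return the host the browser should actually contact for `host`."""
        onion, expiry = self.pins.get(host.lower(), (None, 0))
        return onion if onion and self.clock() < expiry else host.lower()
```

The `pins` table is exactly the per-user history the message flags as a fingerprinting surface, so its persistence would need the same handling as other browser state.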



Re: [tor-talk] about circuit management

2014-02-28 Thread Gerardus Hendricks

On 2/27/14 9:24 PM, s7r wrote:

> I have remained with Vidalia and installed it as standalone in order
> to be able to use it with newer Tor Browser Bundles releases and I am
> watching circuits to have an understanding about how they work. I have
> some basic questions, please and thank you in advance:


For 1), read https://www.torproject.org/docs/faq.html.en#EntryGuards and 
the question below that about path 'refresh'.


Your point in 2) that AOL would be able to detect you're using an 
anonymizer is moot, as they can simply check against the public 
exit-node database that you're using Tor.


Also, read about IsolateDest* here: 
https://www.torproject.org/docs/tor-manual.html.en . All those options 
are disabled by default.


3) No, it was introduced quite recently into mainline Tor if I recall 
correctly; some months ago.


4) No, there is no maximum lifetime. Not only for hidden services; all 
TCP sessions persist until they are closed or broken.


Regards,
Gerard


[tor-talk] My solution to Tor Browser remember password bug

2014-02-28 Thread Edgar S
I've complained here before that the remember password feature in some 
long previous versions of Tor Browser no longer works. I've accepted it 
will likely never come back. So I've found the following solution. Maybe 
it will also work for others, discussion welcome.


In summary, I've installed a password manager, which I've gotten to work 
with the latest TBB, and also not compromise security.


Recall that I have been running TBB in a PGPdisk on-the-fly encrypted 
partition, with a highly secure hard-to-guess passphrase. I have 
confidence, absent the passphrase, that the NSA, FBI, KGB, etc. cannot 
decrypt a PGP disk. It's not immune to rubber-hose cryptanalysis, 
obtaining the passphrase via torture. Maybe also not black-bag 
cryptanalysis or exploiting security holes in Windows XP or covert 
installation of keyloggers, etc. Use of Truecrypt, with its hidden disk, 
and stress passphrase, might address some of that. I have not gone there.


The password manager I chose was RoboForm. I first tried Kaspersky's 
password manager, but could not find one that did not have all text in 
Russian, so useless to me.


Roboform can be obtained legitimately at Roboform.com. It can also be 
obtained for free, with a crack, at torrent sites.


Free versions of PGP do not support PGP disks, but PGP AKA Symantec 
Encrypted Desktop, version 10.3.0 does, and also supports both Windows 
XP and Windows 7. There are also free versions, with instructions on 
registering it for free, thus activating features like PGP Disk, 
available on torrent sites.


Roboform had one (to me) serious flaw, the password data location is 
always located in Windows' My Documents folder, which I had not been 
encrypting. I dealt with this by moving my PGD file to another partition 
and enlarging it, then moving the old encrypted partition to the new 
one, deleting the old partition, and assigning the same disk letter to 
the new encrypted partition.  Then I re-allocated the My Documents folder 
to a new directory in the new encrypted partition.  To do this, 
right-click on the My Documents icon on the desktop, then click 
Properties, then click move and select a location in a new folder on 
the new encrypted partition. Now the Roboform password data is on My 
Documents on an encrypted partition. The long passphrase need be entered 
only after a re-boot or manual dismount of the encrypted partition. 
Security between re-boots is provided by a moderately long passphrase to 
unlock Windows from the screen saver, which is activated by inactivity. 
Or Windows can be manually locked by using 2 keys, the Windows logo 
key present on most keyboards, then the letter L.


At present, Roboform does not install automatically on TBB, however it 
can be manually activated by clicking on the Roboform logo in the task 
area, clicking on browsers, then selecting the currently active TBB from 
the list. A Roboform bar will appear in the browser, and Roboform will 
prompt if you want to save the logon/password on any website where any 
are present. Roboform will make up a name based on the URL, but this can 
be renamed after the fact, and multiple logon entries can be organized 
into folders. The password data can also be edited after the fact. Note 
that if a Captcha is included in the logon, Roboform will save that 
also. Since it's different for each logon, you would want to manually 
remove that from the password entry.


Roboform supports automatically FireFox and Chrome outside of Tor. I've 
found that the built-in password features of those browsers don't work 
on more and more websites that attempt to force you to enter passwords 
manually each logon.


Roboform attempts to provide some security for the password data by 
prompting for creation/use of a Master Password. But it will allow you 
to create new logon entries without one. Just click cancel when prompted 
for the master passphrase. It will then ask if you want to store the 
data entry without one. Since the password data itself is on an 
encrypted partition, you don't need another passphrase. I also store my 
PGP keyrings on this encrypted partition, so my secret PGP keys don't 
have passphrases either.


For future possibilities, both Truecrypt and PGP 10.3 support encrypting 
the boot partition. PGP also supports encrypting disks with a PGP key, 
rather than a passphrase. So if the keyring were moved to the boot disk, 
and other encrypted partitions were changed from passphrase to PGP key 
unlocking, this could stop bad guys at an even earlier stage, and 
Truecrypt's stress passphrase and hidden volume feature could provide 
added security in stress situations, such as passing through customs, 
where I was threatened with confiscation of my laptop if I didn't 
provide the passphrase to my encrypted partition. What I should have 
done was disable the automatic prompt for the passphrase, possibly 
rename the PGD files to something else, like random.dat, and the Customs 
goon wouldn't have 

Re: [tor-talk] Using HTTPS Everywhere to redirect to .onion

2014-02-28 Thread Patrick Schleizer
Roger Dingledine:
> That said, the question in my mind is how to move this from "if you're
> very smart, you can write your own https-everywhere rule for yourself"
> to "ordinary TBB users get this benefit". I don't really want to get
> into the business of writing an /etc/hosts file for public website -
> hidden service mappings.

Would make Tor Project a domain registrar. Sure, the Tor Project
obviously should stay neutral here and not be doing that. Since EFF
develops HTTPS Everywhere, it's also up to them.

Or better, if we have this domain registrar running the browser, can we
make it decentralized?


Re: [tor-talk] My solution to Tor Browser remember password bug

2014-02-28 Thread Joe Btfsplk

On 2/28/2014 11:25 AM, Edgar S wrote:

> I've complained here before that the remember password feature in some
> long previous versions of Tor Browser no longer works. I've accepted it
> will likely never come back. So I've found the following solution. Maybe
> it will also work for others, discussion welcome.
>
> In summary, I've installed a password manager, which I've gotten to work
> with the latest TBB, and also not compromise security.
>
> The password manager I chose was RoboForm.

You could just try open source, well tested password managers that have 
excellent reps.

I'm not sure Robo (full, uncrippled) can be had for free.  But...

Keepass Password mgr & Password Safe are both open source, maintained, 
excellent reps.

Keepass may be a bit more secure, but not by much.  Both are on Sourceforge.


Re: [tor-talk] Orbot on an Android 4.4.2 rooted device

2014-02-28 Thread Nathan Freitas

On 01/31/2014 02:33 PM, Patrick ZAJDA wrote:
> If I enable the transparent proxy for Wi-fi and USB, I cannot use
> Tor anymore from others apps on the phone. Is tor disabled for
> others connections than wi-fi and USB when tethering Tor is
> enabled?

Not intentionally... does it block your phone's normal traffic, or
does it just not route it through Tor?

> Or is it because it tries to use wi-fi to connect so I should only
> use other connection than wi-fi?

Well that might be - you can use 3G on your phone still through Tor,
ideally, while other devices connect to your Wifi-tether, which is
also sent through Tor.

 
> I thought I could enable this option and use Tor as usual with the
> phone too. But maybe I made a bad supposition?

In theory, but it starts to get pretty complicated with all the
iptables rules. We also have not done in-depth testing of
TransProxy+Tethering on 4.4.

We can take a better look in our next testing go around.

+n