Re: [tor-talk] Revisiting youtube blocking TBB, virtually all 1st attempts to load YT

[joebtfsplk]

On 3/9/20 12:49 PM, nusenu wrote:


Mirimir:

On 03/08/2020 02:40 PM, nusenu wrote:

What would stop a bad actor from creating a bunch of new circuits and
making all Tor IPs look bad if they were so inclined?

yes there are distribution strategies that can prevent that
or make that very expensive (an /48 IPv6 block has a **lot** of IP addresses)

Sure, but wouldn't sites start blocking at /48, /64, etc levels?

the feature is primarily targeted towards reputation systems that look at the
specific IP address only. Maybe some will move to prefix based reputation but
the assumption is that not all will.


This is all very interesting.  I read several of the links (bugs & some
non-tor-talk forum questions on this general subject.

I've now had more time + paying more attention to my procedures &
typical results on youtube.
I can't explain what I'm seeing, since apparently in theory (unless it's
outdated info), getting a new identity should be equivalent to closing /
reopening TBB.

By now, it's seems safe to say that if I've visited any other sites
*before* loading YT in a new tab, the chance of YT *NOT* giving the
"suspicious activity" warning, is very low.
** Which begs the question, why would cached data from other sites
affect whether YT thinks the new exit shows suspicious behavior?

I DID discover just now, that the pref in my user.js file,
user_pref("browser.cache.disk.enable", false); - was NOT observed. In
about:config, browser.cache.disk.enable was True - bigger than Dallas.
Further, when I toggled it to False, that is the default setting.  I
can't 'splain why it wasn't using the user.js value.  It worked for yrs.
I've never seen it happen in any other browser.

In a VERY short trial just now (statistically meaningless), after
changing "browser.cache.disk.enable" = false, I still usually needed a
new identity for YT to load. I don't know what a new identity oc
clearing cache has to do with a site not visited since launching TBB
each day.

But a new identity WITHOUT clearing the cache rarely worked on YT. Can't
say the same about other sites.  I tried it enough times over weeks, to
see clearing cache AND a new identity almost always worked.  Question is
why.

Just luck of getting bad exits when cache wasn't cleared before a new
identity, or getting VERY lucky - with "good" exits when cache WAS
cleared is statistically improbable.
--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

[tor-talk] Upcoming Tor security releases to fix a denial-of-service issue

[Nick Mathewson]

Hello!

Some time this week, we currently plan to put out a set of security
updates for all supported versions of Tor.  These releases will fix a
pair of denial-of-service bugs: one that we are classifying at "low"
severity, and one that we are classifying at "high" severity.

Our recommendation will be for everybody, including relays and
clients, to upgrade once packages are available for their platforms.
Although these vulnerabilities are "only" denial-of-service issues,
any denial-of-service attack against Tor could be leveraged by an
attacker to aid in a traffic analysis attack.

To the best of our knowledge, these vulnerabilities are not being
exploited in the wild.

Currently supported release series are 0.3.5, 0.4.1, 0.4.2, and 0.4.3
(alpha).  If you have not yet upgraded to one of those, the time to do
so is soon.

For our policy and process for handing security issues, please see:
https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/SecurityPolicy

best wishes,
-- 
Nick
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Testers Wanted: Human-meaningful onion service names via Namecoin in Tor Browser Nightly

[Jeremy Rand]

Jeremy Rand:
> Hi Tor community!
> 
> As we all know, onion services have rather unwieldy randomly derived
> base32-encoded names.  This is, of course, a reasonable design, given
> the design constraints that onion services have to deal with.  And it
> works pretty well, all things considered.
> 
> That said, the unmemorable names are also a UX problem, especially for
> users who are new to Tor and therefore are accustomed to DNS.  Many Tor
> users don't consistently check .onion services' names for correctness,
> which introduces the risk of phishing attacks.
> 
> So, the Namecoin developers and the Tor Browser developers are running
> an experiment, and we'd love to get some feedback from the community.
> The currently available Nightly builds of Tor Browser (currently only
> GNU/Linux) include optional support for using Namecoin as a naming layer
> for onion services.
> 
> To try it out, once you have a Nightly version of Tor Browser for
> GNU/Linux installed, try running it with the environment variable
> "TOR_ENABLE_NAMECOIN=1".  The following domains can be used to test the
> support:
> 
> http://federalistpapers.bit/
> http://onionshare.bit/
> http://riseuptools.bit/
> http://submit.theintercept.bit/
> http://submit.wikileaks.bit/
> 
> These domains are held by Namecoin community members who are happy to
> donate them to the "rightful" owners on request.  However, since they
> haven't been donated *yet*, don't rely on these domains for security
> (e.g. you should *not* use this to submit documents to The Intercept).
> 
> For somewhat more detailed instructions (e.g. if you don't know how to
> get a Tor Browser nightly build, or if you don't know how to set
> environment variables), see my workshop notes from the 36C3 Critical
> Decentralization Cluster:
> 
> https://www.namecoin.org/resources/presentations/36C3/tor-workshop/
> 
> Like any experiment, this experiment is only as good as the feedback we
> get.  So, if you try it out, please let us know how it goes!  Specifically:
> 
> * If it works well for you, please let us know via this thread on the
> tor-talk mailing list.
> * If you find a bug or otherwise have suggestions for how we could
> improve it, please let us know via this thread as well.  (Or, if you're
> comfortable with Trac, you can report it as a ticket on Trac; please use
> the "Tor Browser" component and add "namecoin" to the keywords list so
> that the right people notice the ticket.)
> 
> If you're curious about the behind-the-scenes work that went into this
> (and you're not afraid of technical details), my talk at the 36C3
> Critical Decentralization Cluster may be interesting to you.  See the
> following links:
> 
> 36C3 CDC Slides:
> https://www.namecoin.org/resources/presentations/36C3/Adventures_and_Experiments_Adding_Namecoin_to_Tor_Browser_36C3_CDC.pdf
> 
> 36C3 CDC Video: https://youtu.be/mc51zyflpa8?t=22638
> 
> Cheers!

Relaying a couple of test reports from other venues to this tor-talk
thread so that the right people see them.

Masayuki Hatta tested the Namecoin support at 36C3 and posted feedback
(including a demo video) on Twitter:
https://mobile.twitter.com/mhatta/status/1211651565280468996

LinuxReviews.org posted an article in February about the Namecoin
support, including a screenshot they took of it working.
https://linuxreviews.org/The_Nightly_Tor_Browser_Build_Has_Support_For_Namecoin_Domain_Names

More test reports would be very helpful; if anyone on this list would
like to test it out and report back (even if it's as short a report as
"it works fine"), it would be greatly appreciated.

Cheers!
-- 
-Jeremy Rand
Lead Application Engineer at Namecoin
Mobile email: jeremyrandmob...@airmail.cc
Mobile OpenPGP: 2158 0643 C13B B40F B0FD 5854 B007 A32D AB44 3D9C
Send non-security-critical things to my Mobile with OpenPGP.
Please don't send me unencrypted messages.
My business email jer...@veclabs.net is having technical issues at the
moment.



signature.asc
Description: OpenPGP digital signature
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk