Re: [tor-talk] TorBirdy 0.0.10 released - testing and feedback requested!
On Thu, 12 Jul 2012 20:23:38 + Ethan Lee Vita wrote: > > I plan to keep working on this because at the moment I see no other > > real alternative email client for Windows, Mac OS X, or Gnu/Linux. > > I agree, but what about the email client for Tails? Will > Thunderbird/TorBirdy be available in Tails in the future? Or a way to > torify that client? Thunderbird can be run directly from a USB drive or other removable media. You could probably download and extract it directly within Tails so that as long as you keep all your email on the server you don't need to leave a trace on the disk. -- kat ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] TorBirdy 0.0.10 released - testing and feedback requested!
>> Thunderbird can be run directly from a USB drive or >> other removable media. You could probably download and extract it >> directly within Tails so that as long as you keep all your email on >> the server you don't need to leave a trace on the disk. > > Thanks. I realize that I could've done that, but a major reason I'm on > this list is to understand the hows and whys behind the technology. Yes, me too. Been quietly reading for many years now. Great way to learn. > And despite perusing the tor project website and its various links, I > had missed that particular page on Tails, so I'm thankful that I was > shown the pros and cons to Claws being included on Tails. I had also > given up subscribing to Tails discussion list because the page I had > found for it (Getting Started) didn't link to the archives, but I was > prompted into looking again and found the page (Contribute). I'm using Claws to write this (Claws, Linux, TBB), but also use both Claws and Thunderbird via Tails. Different scenarios, different solutions. I've also struggled with the Tails lists ... much simpler to get information about Tails via this list. > That and I much prefer to trust an encrypted disk with my email than a > server owned by people I 'trust' comparatively more than other > entities. Looking into Claws more, I've even begun to start > experimenting with it. Still like Thunderbird + enigmail + TorBirdy > (when it works) for the easy set-up amongst other reasons, but > sometimes convenience isn't the best security. And yet security must > be conveniently-accessible if more people are going to use it. I know > I've enjoyed sharing Thunderbird + Enigmail with people who thought > encryption was too hard; I can't wait to do the same with TorBirdy > when its a bit more stable. So thank you to all the developers, > testers, researchers etc. I only hope my few questions can be of > value. :) Seconded! Thanks to all the devs! Understanding is the key to security, not convenience. That being said, TorBirdy is both convenient and great. I'm not sure that's it's ready for primetime yet, but I do try to test and feed back (using another nym ...) and definitely see the value. > And thank you Katya for sharing Tbird's nature as a portable app. > Perhaps there is someone lurking on the list who was unaware and who > would be helped by this discussion. I must admit it wasn't obvious to me until a few years ago when I was actively look for the portable Linux version and thought "wait, I download, specify the profile directory, and run - it *is* portable." Obvious when you see it ... -- kat ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] General remarks when using mail clients over Tor (i.e. TorBirdy)
> Every major data harvester and private > data seller does that as they really really need you to confirm they > are tracking the right person. Go to other, nicer, services. Also > free. But with less mbox space. And you'll find out that's not a > problem. Yes, Yandex and Fastmail are both good in this regard, I've never had a problem. Lavabit also has a good reputation. -- kat ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] TorBirdy 0.0.10 released - testing and feedback requested!
Hi Jake, > > Understanding is the key to security, not convenience. That being > > said, TorBirdy is both convenient and great. I'm not sure that's > > it's ready for primetime yet, but I do try to test and feed back > > (using another nym ...) and definitely see the value. > > > > Happy to help. :) > > Is there anything in specific that you feel that we should address? It's a bit difficult to describe succinctly, but I'll try to relay my thoughts ... It's about the indications that you are actually using Tor. I've been using Tor since before TBB, probably since before Vidalia, and one of the great features of TBB is that on start-up it tells you that you're successfully using Tor. And the occasional failure due to not recognising the exit node you've come from is handy for making you stop, think, check the IP address, and make sure you still have an understanding of how Tor works. And then there's the fact that pages load a little slower over Tor, not intolerably slow but still noticeably slow. So you know that you're using Tor. TorBirdy doesn't give this indication ... it looks like regular Thunderbird, and email loads in the background and is just there when you need it. Sending is a little slower and so you could infer that Tor is in use, but you really want to know that when you start up, and before the automatic fetch begins. I'm not sure how I would fix these issues. Trying to have TorBirdy do something to test Tor is in use for IMAP/POP/SMTP connections would be quite difficult, if possible at all. But if you could do it and notify the user before the fetch began then that would simulate some of what TBB does. Other indicators such as a change to the skin would be a useful indicator that you're using the right software, but still doesn't actually test the network. So I can't solve the problems, just point out that, from my perspective, it's those visual clues that give confidence that your connections are protected that are missing from the current TorBirdy. Alternatively, if there was a way to detect that Tor was not in use and then stop and alert the user would also be suitable. Otherwise, all the technical aspects appear to work exactly as expected ... I'm very happy to use it. Thanks for the good work! -- kat ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] TorBirdy 0.0.10 released - testing and feedback requested!
adrelanos wrote: > Good idea. Just created: > https://trac.torproject.org/projects/tor/ticket/6451 Thanks! And thanks to all for the feedback on the ticket ... enjoying the discussion. -- kat ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Free WiFi Bootable Ditros
Hi all, This is not specifically a Tor question, but there may be some on the list who know the answer. I'm wondering whether there are any bootable distros out there which are designed to be used on free WiFi networks (e.g. Starbucks, McDonalds) and enforce some level of network encryption. Tails would obviously provide a solution here by forcing everything through Tor, but I can also see alternatives which force the use of an IPSEC VPN, or only allow outbound access to ports which are commonly used for secure access (443, 993, etc). It wouldn't need to be an entire distro, just a set of scripts which configured the local firewall (iptables, ipfw, even the regular Windows firewall) to only allow secure connections, and established a Tor or VPN connection (if necessary). This would mean I could use my regular desktop environment to read email, check social networks, etc all the while being reasonably confident that any traffic which would normally traverse the network unsecured (updates, etc, and any misconfigured software) would not get access. I guess that the set up would need to be somewhat aware of the network it was connecting to to allow access to captive portals to agree with the AUP. Anything out there which does this? Thanks -- kat ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Free WiFi Bootable Ditros
adrelanos: > Katya Titov: >> I'm wondering whether there are any bootable distros out there >> which are designed to be used on free WiFi networks (e.g. >> Starbucks, McDonalds) and enforce some level of network encryption. >> Tails would obviously provide a solution here by forcing everything >> through Tor, but I can also see alternatives which force the use of >> an IPSEC VPN, or only allow outbound access to ports which are >> commonly used for secure access (443, 993, etc). > > Neither Tor nor Tails fall into the category "designed for free wifi > networks". If Tails where focused primary at public wifis, their > planed mac changer feature had much more priority. [1] Tor provides > anonymity and circumvention, Tails is a LiveCD/USB designed for > privacy and anonymity. If you use them for their purposes, they are > good. Agreed. > But do you rather risk Tor exit nodes sniffing your traffic than > public wifis? Either you are aware of risks of transmitting data over > insecure networks, which is the internet, and take yourself care of > end to end encryption or you don't care at all. Yes, I agree with Andrew, I would rather trust Tor nodes than public WiFi. > > It wouldn't need to be an entire distro, just a set of scripts > > which configured the local firewall (iptables, ipfw, even the > > regular Windows firewall) to only allow secure connections, and > > established a Tor or VPN connection (if necessary). > > At least with iptables I know it's be easy to limit yourself to a few > outgoing ports. > > > This would mean I could use my regular desktop environment to read > > email, check social networks, etc all the while being reasonably > > confident that any traffic which would normally traverse the > > network unsecured (updates, etc, and any misconfigured software) > > would not get access. > > You falsely assume that a free wifi hotspot is less secure than a > regular internet access point. You should configure your system in a > way it doesn't matter if there is a man in the middle. (signed > updates, patched correctly configured software, etc.) Agreed, but this is becoming harder to do as operating systems and the software we use becomes more complex. The best way to solve this would be to ensure that the OS only does what you allow it to. But outside one of the BSDs or a very minimal Linux distro this is pretty much impossible these days -- they're just too complex. So using a distro which doesn't update, or only allowing updates over secure channels and blocking all other attempts may be effective. > If you believe the free wifi hotspot is less secure than your regular > home/cooperate network, you can build a VPN tunnel to your regular > network. That is also safe and routes all your traffic through it. > Alternatively you could use a VPN service. Yes, that's an option, but I'm looking for something minimal at the moment, and trying to counter my impression that the risk of interception when using public WiFi is too great. As Andrew said: "The decision on the risks are yours." Thanks! -- kat ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Free WiFi Bootable Ditros
jed c: > I wouldn't recommend TOR for anything personally identifying > (anything done on TOR has a chance of greater scrutiny and malicious > subversion). Agree with that, however just because I'm using Facebook doesn't mean I will be identifying myself ... ;-) > Have used Facebook through TOR with SSL enabled and watched a friends > computer get exploited during a chat session. SSL is pretty well > broken from my point of view. I've seen a single SSL MITM, but that's it. I'm not a fan of SSL and see major issues, but I think it's far from broken. > I wouldnt trust TOR for any executable download or software update > (pdfs and other exploited forms of media are questionable too). Best > use for tor is in a read only environment where no writable media is > present on your computer. I would recommend locking your bios, it > might not matter if there is a default secondary password. I'm not sure that I'm quite that paranoid, but Tails can certainly provide a read-only environment. Tails may not be designed for open WiFi networks, but until something else comes along it may be the best solution for my needs. -- kat ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Tor virus
On Wed, 15 Aug 2012 01:43:27 +0200 Philipp Winter: > ethio tor wrote: >> What if there is a tor "virus" (pardon for the choice of word) that >> can infect such pc and make a relay, bridge, or what ever on the >> background undetected. > > Sounds like a "human rights worm". Some people thought about that > before [1]. > > Aside from the obvious ethical difficulties, I would consider such a > worm as highly problematic because it works in the "interest" of an > independent project and would eventually damage its reputation (just > think about how the media would interpret it). And a damaged > reputation might decrease Tor's user diversity which, on the other > hand, would hurt anonymity. Not to mention the fact that it is most likely illegal. An illegal act to correct or respond to another illegal act is usually not justified, or: the end usually does not justify the means. What if a large music corporation *cough*Sony*cough* placed software on your PC to stop you performing what you consider to be perfectly within your rights but they consider to be illegal? And what if that software introduced vulnerabilities which could be used by other parties to gain access to your PC? https://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootkit_scandal It looks like the Obfsproxy TBB may work https://www.torproject.org/projects/obfsproxy.html.en#download I wonder if VPN is blocked, and if not are there any free/inexpensive endpoints which are simple to configure? -- kat ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Security update notice after new install
"Runa A. Sandvik": > On Fri, Sep 14, 2012 at 12:42 PM, wrote: > > This notice- "There is a security update available for the Tor > > Browser Bundle" appears after a installing Tor 0.2.2.39 > > > > Is this a cause for concern? > > I've noticed the same thing. The notice disappears if you extract the > package archive again. Bug, maybe? OK for me, working fine. But wondering: o Any reason why there was no testing via tor-qa? o Any reason why the release wasn't sent to tor-talk? o What was the reason for disabling random port selection? (I disable it anyway, but just wondering why in this case?) Thanks -- kat ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Security update notice after new install
"Runa A. Sandvik": >> o Any reason why there was no testing via tor-qa? > > Tor 0.2.2.39 was a security-fix release for a fairly severe bug and we > wanted to get a new release out as soon as possible. OK, understood. >> o Any reason why the release wasn't sent to tor-talk? > > We announce new Tor Browser Bundle releases on the blog. I've never actually realised this! Kudos that the other communications channels work so well. >> o What was the reason for disabling random port selection? (I >> disable it anyway, but just wondering why in this case?) > > Random port selection was disabled because of > https://trac.torproject.org/projects/tor/ticket/6803 Thanks -- kat ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] LinkedIn and TBB
yppahreggirt : > Hi list, > > Linkedin.com is crashing my TBB (latest - linux32) during login. Can > someone confirm ? Confirmed. A few seconds after loading the page CPU usage spikes to 100%. If the tab is closed immediately then TBB works OK, but if left open for more than a few seconds TBB locks up. No logs to the console. -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] TBB 3.6.5 not on download site?
>> Joe Btfsplk: >>> Tor Weekly News, September 3rd, 2014 - mentions Tor Browser 3.6.5 >>> and 4.0-alpha-2 are out. >>> >>> But the download site >>> https://www.torproject.org/projects/torbrowser.html has only >>> 3.6.4. & 4.0-alpha-1. > harmony: >> This has happened more than once and I don't really know what to do >> about it. If the Tor Browser team object to Tor Weekly News >> announcing things, I have no problem with not doing so. On the other >> hand, the software is available in the /dist directory (I'm using it >> now!), so it has “been released”. Mike Perry: > In the future, if you'd like to avoid this possibility, probably the > safest thing to do is simply report on the Tor Browser release the > week after. A quick suggestion for the future: "TBB x.x.x is due out in a day or two. Your current installed version will let you know when an update is available, or you can keep an eye on the blog or download page for the official announcement." -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Tor Browser Bundle 3.6.3: bad start
Joe Btfsplk: > On 9/7/2014 5:36 AM, Geoff Down wrote: >> Same problem on Win7 with 3.6.5 - browser sometimes fails to open. >> >> On Sun, Sep 7, 2014, at 08:51 AM, Hartmut Haase wrote: >>> Hi, >>> sometimes when I try to start Tor, firefox will also be started, >>> but there is no Tor Browser-window. I have to start several times >>> until it works. > I've had the same problem with TBB 3.6.3 in Vista. Haven't tried > 3.6.5 yet. > It doesn't happen too often - enough to be annoying. When it's > happened, I kill the Tor Browser / Firefox.exe process (that's > running in background). > > I've never shut any other apps or services down, before starting TBB > again. It almost always works on the 2nd try (actually opens the > browser window). > So IF... something else is interfering w/ TBB starting correctly, > it's not consistent. I have very similar results to Joe using the 64-bit Linux version. I have never been able to find relevant TBB logs, nor any system or home directory logs which point to the cause. Killing and then restarting TBB always fixes the problem. It probably happens 1-2 times per month. If anyone can suggest tracing/logging options I'm willing to try. -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] What should our 31c3 talk be?
Griffin Boyce: > Roger Dingledine wrote: >> Two lessons I've learned from recent CCC talks: >> >> A) Social commentary works much better than technical things. That >> is, the audience respects us for our technical work, and now they >> want to hear >> our perspective on what's going on in the world. So while my >> instinct is to use the talks to make the audience more technically >> competent and thus more able to help us in this growing global >> conflict, the talks that work best these days are more like social >> rallies. > >I think it makes more sense to start from the beginning. Talk > about the social problems that Tor tries to solve, and then talk > about the technical ways that Tor actually solves them. Domestic > Violence victims are easily tracked via email and other means, so > using tor will help prevent that by giving them a different IP > address and preventing niche attacks that are otherwise hard to > mitigate. People with serious medical concerns use it to keep their > private information private. Everything from pregnancy to rape to > transgender status can cause someone's personal data to be more > valuable to big corporations -- or put them at risk of death, > depending on location. Someone wants to look up OSHA regulations > anonymously and maybe file a complaint about their dangerous > workplace -- Tor helps make sure they're really anonymous through the > magic of onion routing. Anonymous bloggers and journalists need it > for the same reason. I tend to agree with this. It may also lead on to topics such as what threats are being effectively addressed/mitigated and what threats Tor does not currently protect you from. It does seem that illegal activity (as evidenced through the Silk Road take down and operation Torpedo) is being actively targeted and people are being identified and arrested, although not necessarily through vulnerabilities in Tor. An exploration of who has the capabilities to unmask Tor users and why/how would be interesting. This may also lead into #3 (sponsors) and could provide some food for thought. -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Torbutton "load external content"
SecTech: > I have accidently checked the do not ask again checkbox of the "load > external content" security question in TBB. Could someone tell me how > to reenable it? One of the fantastic things about Tor: just extract a fresh copy and start again! -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Tor & JavaScript
Öyvind Saether, in a thread about captchas: > I am not sure this is something most corporations would care about > since Tor users tend to block their (javascript-using) advertisements > anyway but webmasters, know that I am probably not the only one who > will go somewhere else instead of enabling JavaScript from a bunch > of places & typing in a silly captcha This disabling of JavaScript gets mentioned from time to time and portrayed as a common adjustment users make to the defaults. The Tor Project stand seems to be to keep JS enabled by default to ensure that most of the web works with TBB, while bolstering security to compensate. Are there any stats about how many TBB users disable JS? And even if the majority did disable JS would changing the default drive away to many of the non technical users to make it worthwhile? -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Comcast looking for Tor traffic, contacting customers to threaten termination of service.
ITechGeek: > I would just like to chime in as a Comcast customer, tonight was the > first time I've tried hopping on tor browser since this rumor > surfaced and traditionally when I launch the tor browser I see tor > connect and I'm on. > > Tonight it took a couple minutes before I was able to connect (I was > able to search for this thread, catch up on every message since the > 14th, and read Comcast's notice and the comments before tor was > connected-Not sure if tor has ever taken that long to connect). > > This could just be something going on tonight or Comcast could be > doing traffic shaping and this would be another Comcast will deny all > interference with traffic until someone proves otherwise. I have a TBB installation that I only use every few weeks. That always takes significantly longer to start. I think the delay is because it has a larger number of descriptors to download. Try running at least once a day for a while and see if start-up is quicker. -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Article: Best Alternatives to Tor
Article named "Best Alternatives to Tor: 12 Programs to Use Since NSA, Hackers Compromised Tor Project": http://www.idigitaltimes.com/best-alternatives-tor-12-programs-use-nsa-hackers-compromised-tor-project-376976 Some quotes: "Tor has been compromised, the Tor Project has recently suffered from two security setbacks which have called into question just how safe users on the anonymity service are." "In any case, it's best to assume that Tor has been compromised by the NSA, DHS, FBI and pretty much any other government intelligence agency, domestic and foreign." -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] TBB 4.0 default screen size
Philip Georgiev: > I download and use tor-browser-linux64-4.0_en-US.tar.xz > $ cat /etc/debian_version > jessie/sid > $ uname -a > Linux debian 3.10-2-amd64 #1 SMP Debian 3.10.7-1 (2013-08-17) x86_64 > GNU/Linux > KDE is my desktop environment > > open some panel - bookmarks (ctrl+b) or history (ctrl+h) - and close > the browser. > when start it again the panel is active in the new session and screen > size is larger than default. Confirmed on Debian 7.7/Xfce. Browser pane appears to be the same size (or slightly larger) than the normal window, with the bookmarks pane to the left. Persists across restarts. Size is consistent and reverts to normal when opened without the bookmark pane being active. -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] "Hidden Services" vs "Onion services"
Paolo Cardullo: > This was an interesting discussion. > > I was just thinking of starting a thread on why people use the > appellative 'dark' as for 'dark net'. I found it quite disturbing and > offensive, also in a racialised way. > > [...] > > I strongly disagree and I suggest to drop 'dark' from TOR services. > Funny enough, only the day after the chief of London MET declared: > 'internet has become a “dark and ungoverned” space populated by > paedophiles, murderers and terrorists'. This also can be seen with a > shade of racism. I opened a lengthy discussion about this in January: https://lists.torproject.org/pipermail/tor-talk/2014-January/thread.html#31863 No real outcome. The name is what it is, and I think it's stuck. -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] "Hidden Services" vs "Onion services"
Paolo Cardullo: > On 15/11/14 08:42, Katya Titov wrote: >> I opened a lengthy discussion about this in January: >> >> https://lists.torproject.org/pipermail/tor-talk/2014-January/thread.html#31863 >> >> No real outcome. >> >> The name is what it is, and I think it's stuck. > > Katia, thanks very much for pointing to the discussion, which is > simply fascinating. I will read it more attentively. > > Let me say that meanings are never fixed or 'stuck' and that the > struggle to shift them is always open. So between cosmic space, > night/day, hidden/open, there are plenty of shades and personalities > coming out. > > I think the use of 'dark' is not neutral and it hides a moral > geography of the Net, which might appeal to some of the 'insiders' > too. I also think that the anti-terrorism, anti-immigrants, > anti-whatever symbols (all 'dark' of course) are serious attacks to > Internet freedom too. Thanks Paolo. I agree with everything you said, but the big issue I see is that the media is already using the term 'dark', and my impression is that once they think they are on to a good thing they will stick with it. It's hard to change these things. Think "hacker" -- the original term is lost to the greater public. I would be *very* happy to be proven wrong! -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] "Hidden Services" vs "Onion services"
"I" wrote: > Katya, and all, > > So why don't we use sensible, plain language and stick to it > to distuingish ourselves from them? This article (German) has just been published which is quite dispassionate and factual, avoiding hype. This is the type of explanation and coverage that (I think) Tor needs. https://www.cypherpunk.at/2014/11/darknets-fur-dummies/ But using different language to that of the media? Different to the language in common use? No, we need to influence the media and change their words, or at least have them redefine the ones they're using now. > Hacker wouldn't have the currency it has if a large part of the > pudgy, pizza-eating photophobes didn't perpetuate it for dramatic > self-interest. I really don't think comments like this help the situation. -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Giving Hidden Services some love
Thomas White: > As per Nick's post, I fully agree that hidden services do need some > work, but I imagine the vast majority of people on this list are not > skilled in the languages and areas required to do any kind of > technical reform to them. However, technical reform of them is only > one aspect. > > I've been launching a few of my own hidden services recently with some > useful things such as Tor project mirrors, as well as my own > client-side encrypted file host/sync which I've currently got in > private beta (email me privately if you want to give it a test drive). > In order to make hidden services a bigger priority and to potentially > attract more funding from sponsors to Tor Project, I think we as a > community need to make better use of them. They are end to end > encryption, thus have held up very well against nation state attackers > like the NSA and GCHQ, and they do not require exits and that makes > use of the underutilised capacity of the non-exit relays in the > network. > > If anyone has any thoughts on what they would like to see as a hidden > service, I am all ears to suggestion. Whether you can build it or not > (so yeah, even if it is just an idea throw it at me) I'd love to know > what you want to see in hidden services. > > One of the primary ideas in the works right now for myself is a shared > host environment which I and a few others are experimenting with ideas > for, but the premise is each person would be assigned a small virtual > machine and they could host Wordpress blogs for example, or whatever > else that would make people more comfortable using hidden services. > > So to conclude - if you've got ideas, I'd love to hear them! Hi Thomas, It would be interesting to see big sites out there providing more resources within the Tor network, i.e. offering hidden services themselves. Maybe this could be an area of exploration: rather than hosting sites yourself, provide information, encouragement and advice to others to run their own HS. Maybe run a HS which is just a proxy into their clear web site, with their permission, as an initial step? This could be combined with a change to HTTPS Everywhere to prefer HS sites over clear web sites, just as it prefers HTTPS over HTTP. (I think this has been mentioned before?) This would lead towards an environment where there is less need to leave the Tor network itself. Many providers are completing the end-to-end model and also encrypting their internal links, the next logical step may be to operate within an environment which is outside the reach of state monitoring, or at least further from their grasp. (This could lead to further Balkanisation of the Internet, and could also lead to more direct competition between Tor and I2P ... but I'd wager that this won't increase the likelihood of Balkanisation, and competition should be good for both projects.) Slightly off-topic: if use of hidden services is going to expand then this may be an opportune time to ensure that they will continue to work into the future, e.g. who is going to own the .onion TLD? Should the Tor Project make a bid for it? Should HS change the way they are addressed? I don't know how the code works now, but I assume that there is something which stops DNS lookups of .onion domains and just redirects them toward a HS lookup. What happens when the Oxnard Chamber of Commerce claims that TLD? -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Giving Hidden Services some love
>> This could be combined with a change to HTTPS Everywhere to prefer >> HS sites over clear web sites, just as it prefers HTTPS over HTTP. >> (I think this has been mentioned before?) > > You mean like what we've been doing over on > https://github.com/chris-barr/darkweb-everywhere? :) I knew it was being discussed somewhere, although I'm getting a 404 on that page at the moment. > The above tool (granted I have a *very* clear bias) is why I am not a > fan of the "make a hidden service be a reverse proxy to another > website". I'm not comfortable with transferring expected ownership of > a website for a number of reasons, which is is why we try to vet every > site included. > > I'm very big on asking websites, especially those that are censored, > to run a hidden service as a way to protect their users and as a way > to make them more censor resistant. I think the lack of interest has > started to go away now that Blockchain and Facebook have implemented > one, since I haven't been getting the usial "Well we don't block > Tor..." response. Maybe we can get a big news organization to run one > for a proof of concept? Yes, a reverse proxy would just be a tool to help an organisation transition into running a HS, and should be performed in conjunction with the organisation. This should be part of a campaign to encourage organisations to participate in Tor. I think we're pretty much in agreement here. -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Giving Hidden Services some love
Colin Mahns: > That was my fault, must've deleted a character by mistake. > https://github.com/chris-barry/darkweb-everywhere is the right link Installed and working. (Yes, I read issue #32. What happens now that TBB updates in place? Will I remain with DWE when a new TBB is released?) > I'm wondering if a few from the community should take part in a > nagging effort? I'd gladly throw some time of mine into helping get > more hidden services. Any takers? I'll help. A first call out: Derric Atzrott seems to have a close affiliation with Wikimedia ... Derric, any thoughts on how to approach the Wikimedia Foundation and have them run a hidden service? And I'm pretty sure that there's been some very helpful posts from a Google employee here before ... can't find anything in my archives just at the moment. If there's a pro forma email template for this sort of thing I can try to adapt it, if not I'll run up a draft and place it on the Tor Project wiki. -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Giving Hidden Services some love
Colin Mahns: > I've written up an example email here: > http://zerobinqmdqd236y.onion/?31934b9e07f96171#GM3e5ekrDUakoz612PNB8tCBmme/QRrj6zMgd1amZpU= > Feel free to improve on it, I based it off of emails I've sent in the > past. I'm not sure if we should list security concerns in the general > sense, or if we should point to a real life example of where a hidden > service was utilized for security reasons. Thanks Colin. I've made some changes and created a new wiki page: https://trac.torproject.org/projects/tor/wiki/doc/HiddenServiceEvangelism I've mentioned you directly as the initial author, let me know if you want that attribution removed. (Or just remove it yourself!) -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Giving Hidden Services some love
Virgil Griffith: > If an existing website simply wants to improve performance for Tor > users, my understanding is that it's more efficient simply to run an > Exit Enclave instead of a hidden service. Is that true? > > https://trac.torproject.org/projects/tor/wiki/doc/ExitEnclave I have no direct experience with exit enclaves, however the page above seems to indicate that you are probably better off not using them. If there is value then we should provide this as an option, I just can't see it. -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Giving Hidden Services some love
Thomas White: > The whole CA system is a broken model in many ways yes, but that > doesn't mean we should totally disregard it. We can work with the CA's > to build up a standing as long as we don't forget that CA's are no > requirement to legitimacy. If a standard is set by the CA community > this paves the way to other pushes and can be seen as a credential > that this isn't some fad or "criminal" tool, but is a genuine and > useful tool in this day and age. This is an excellent point. Add to that the fact that we've been telling people to check for the padlock for the better part of 20 years and we're finally seeing it roll out almost across the board. I would think it's a little too early to move on to something else. That being said, another option is to ditch the CAs and and use a TOFU (trust on first use) and certificate transparency approach for .onion domains within TBB. That gives us self-signed certificates and reasonable security without warnings being presented to the user. The Certificate Patrol and Perspectives plugins (and others) may be able to be re-purposed. Another thought: is it possible to tie the certificate's private key to the private key of the hidden service and have TBB (or Tor) verify that? -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Paper: Systemization of Pluggable Transports for Censorship Resistance
New paper "Systemization of Pluggable Transports for Censorship Resistance" from Ross Anderson's research group at Cambridge: http://www.arxiv.org/abs/1412.7448 [0] Related blog entry: https://www.lightbluetouchpaper.org/2015/01/02/systemization-of-pluggable-transports-for-censorship-resistance/ [0] arXiv blocks access from Tor ... I'll approach them. -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Giving Hidden Services some love
Jesse B. Crawford: > [Explanation of EV certificates] > > Now, two HUGE caveats: > > 1) Facebook does not actually have an EV cert for their hidden > service! they have an OV cert with O=Facebook, Inc. but for various > (largely political but still largely valid) reasons Firefox does not > trust the O field and considers OV certificates no better than DV. Facebook doesn't have an EV certificate at all! They same cert is present on their clear web and HS sites. And, IMHO, I don't think that this is the list for solving the CA problem. If we can get a visibly encrypted page displayed to a user without a warning then that's probably good enough. > So why does Facebook use SSL..? I don't know, perhaps they think > that providing the O field is significant (I'd say that it isn't > because browsers don't tell the user about it), or perhaps it's just > for consistency with their open web presence. https://www.facebook.com/notes/protect-the-graph/making-connections-to-facebook-more-secure/1526085754298237 "We decided to use SSL atop this service due in part to architectural considerations - for example, we use the Tor daemon as a reverse proxy into a load balancer and Facebook traffic requires the protection of SSL over that link. As a result, we have provided an SSL certificate which cites our onion address; this mechanism removes the Tor Browser's “SSL Certificate Warning” for that onion address and increases confidence that this service really is run by Facebook. Issuing an SSL certificate for a Tor implementation is - in the Tor world - a novel solution to attribute ownership of an onion address; other solutions for attribution are ripe for consideration, but we believe that this one provides an appropriate starting point for such discussion." > 2) Don't think that I'm an advocate of the present CA infrastructure, > it's a terrible approach to the problem. But it is the approach that > we have right now. :) > > Overall, what should be done? Layering SSL on top of the hidden > service system is not a good solution to the problem, but I'm also not > comfortable with just saying "users should be smart enough to validate > that they have the right address" and relying on the difficulty in > producing a near-collision address (keep in mind that many "important" > hidden services do not have a vanity address at all or have only > generated an address with a small number of chosen characters). I certainly agree that the CA system is not ideal and that we must assume that users know nothing about security (and rightly so), but we've struggled to get the current system working somewhat reliably for end users for nigh on 20 years and it will be difficult to suddenly change direction. > Probably the best solution is that hidden services that are attractive > for phishing/misdirection (just about anyone doing business in bitcoin > for example) should implement measures like showing secrets to the > user to prove the service identity, and users should of course > beware. But this solution requires service operator and user > participation, making it far less than ideal. Where we can assume a technically literate user then alternate solutions should be possible, but I do wonder whether it is worth the effort. Even for something like Bitcoin where we can currently assume that the user has some understanding of security, a different solution would have a major impact if/when the service becomes popular with less technical users. Any solution should just work. Chrome is moving towards this with certificate pinning: displaying "I'm sorry Dave, I'm afraid I can't let you do that" when the certificate doesn't match expectations. An alternative may be to somehow tie a hidden service's private key to that of the certificate and then allow TBB or Tor to perform the validation. I'm not sure how it would work technically, but it seems like a logical step. -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] DNSSEC better protecting users?
> i am concerned about https not being enough to protect tor2web > users. In particular, I am concerned about what subdomain a user is > visiting being leaked. Are there any established ways of preventing > the subdomain from being leaked? Because none spring to my mind. I've just reviewed a packet dump and found that you should indeed be concerned. The SNI HTTPS extension lists the exact host I was connecting to. This is performed right at the beginning of the HTTPS transaction, before encryption. DNSSEC won't solve this because you will still be using HTTPS. If Tor2web ran as a CGI proxy that may avoid the issue, or if it supported something like https://tor2web.org/?url=blah, but the root cause here is that browsers support SNI and it would need to be disabled there. Unfortunately, this would have an impact on sites which require SNI. -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Giving Hidden Services some love
Katya Titov: > Colin Mahns: >> I'm wondering if a few from the community should take part in a >> nagging effort? I'd gladly throw some time of mine into helping get >> more hidden services. Any takers? > > I'll help. Attempts to far have failed. I've tried to get in touch with Google and Wikipedia to no avail. I've also had some dialogue with arXiv but have not been able to stop them blocking Tor. No, wait ... today I'm getting some successful connections with an occasional "Access Denied" page, whereas previously there was just nothing (timeout). So some minor success, although not with hidden services. -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] WebRTC to uncover local IP
>> This PoC has made its ways around. Using webRTC to deanonomize your >> IP. New to me: https://diafygi.github.io/webrtc-ips/ > > This PoC works for me when i use firefox with a proxy switcher, but > it doesn't work if i run firefox via torsocks. Doesn't work at all for me using TBB. Forcing Chrome to use Tor shows my local private address and no public address. -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Games Without Frontiers: Investigating Video Games as a Covert Channel
>> Title: Games Without Frontiers: Investigating Video Games as a >> Covert Channel [ http://arxiv.org/pdf/1503.05904v1.pdf ] > > I say maybe, just maybe, it would have been a nice thing to test: > > Access Denied > > Sadly, you do not currently appear to have permission to access > http://arxiv.org/pdf/1503.05904v1.pdf I had a discussion with h...@arxiv.org in January but unfortunately they didn't seem to understand the issue. At the time I could eventually access papers by changing identity until it worked, and I just tried now and could access this paper. -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Hidden vs Clearnet Services (was: Attracting more community input on Tor issues)
Raynardine : > I do not like connecting to clearnet services from Tor. > > I am not alone in this. > > There are arguments about the reasons why Tor hidden services can be > better than clearnet services for users as well, but that would derail > this thread. I would be interested in such a thread. I use hidden services as well as clearnet services via Tor. This account *only* sends/reads email via Tor. I would welcome a discussion about the pros and cons. To start: By accessing clearnet services via Tor I am exercising a right and capability to remain reasonably anonymous. At the same time this allows others to choose an alternative form of anonymity, participate in a non-anonymous manner, or use other privacy-enhancing aspects such as decoupling identity from routing and location, all when accessing the same resources that I do. Ready to learn the downsides to this, as well as the benefits from an all hidden service model. -- kat ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Hidden vs Clearnet Services (was: Attracting more community input on Tor issues)
Raynardine : > I do not like connecting to clearnet services from Tor. > > I am not alone in this. > > There are arguments about the reasons why Tor hidden services can be > better than clearnet services for users as well, but that would derail > this thread. I would be interested in such a thread. I use hidden services as well as clearnet services via Tor. This account *only* sends/reads email via Tor. I would welcome a discussion about the pros and cons. To start: By accessing clearnet services via Tor I am exercising a right and capability to remain reasonably anonymous. At the same time this allows others to choose an alternative form of anonymity, participate in a non-anonymous manner, or use other privacy-enhancing aspects such as decoupling identity from routing and location, all when accessing the same resources that I do. Ready to learn the downsides to this, as well as the benefits from an all hidden service model. -- kat ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Hidden vs Clearnet Services
Katya Titov : > Raynardine : > > > I do not like connecting to clearnet services from Tor. > > > > I am not alone in this. > > > > There are arguments about the reasons why Tor hidden services can be > > better than clearnet services for users as well, but that would > > derail this thread. > > I would be interested in such a thread. > > I use hidden services as well as clearnet services via Tor. This > account *only* sends/reads email via Tor. I would welcome a > discussion about the pros and cons. > > To start: > > By accessing clearnet services via Tor I am exercising a right and > capability to remain reasonably anonymous. At the same time this > allows others to choose an alternative form of anonymity, participate > in a non-anonymous manner, or use other privacy-enhancing aspects > such as decoupling identity from routing and location, all when > accessing the same resources that I do. > > Ready to learn the downsides to this, as well as the benefits from an > all hidden service model. Thanks all for the information, and sorry for the double post. To summarise, I see that the issues can be grouped into three areas: privacy, political and technology. The privacy side is about selecting what you require. This includes understanding how much information you are releasing to the site owner/operator, and how much you trust that person. The political aspects include strongly supporting privacy, keeping all your traffic private from prying eyes, etc. The technology side includes decisions such as choosing "Tor encryption" over SSL, remaining within a closed network, stream isolation, etc. Raynardine, thank you for your thoughtful response. I understand and support your concerns, but also think that there are different levels of privacy the people need. Some people also need different levels of privacy for different purposes and will create multiple identities and operate them in different ways to achieve this. I also happen to agree that many law makers are "elite criminals", but sometimes you need to work from within the system to change or better exploit it and not just exist outside it. I treat privacy as a trade off, similar to the way I look at security in general. The more secure/private the more restriction on what you can do and how to achieve it. Excellent discussion! -- kat ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] TorBrowser does not work with mediafire.com
Juan Garofalo : > Anna Brown : > >> Hello. When I login no mediafire.com, I cannot see my files. I see >> next progressbar , which never ends : > > You probably need to enable javascript for it to work. I've also noticed this, starting sometime last year. I don't believe that JS is the problem as it should be OK under a standard TBB install. Maybe one of the CDN's or other remote sites that mediafire uses? They use googleapis.com, and Google tends to block malicious nodes, which often includes Tor exit nodes. -- kat ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] TorBrowser does not work with mediafire.com
> Hello. When I login no mediafire.com, I cannot see my files. I > see next progressbar , which never ends : You probably need to enable javascript for it to work. >>> >>> I've also noticed this, starting sometime last year. I don't >>> believe that JS is the problem as it should be OK under a >>> standard TBB install. >> >> Seems, you have to enable HTML5 DOMstorage. Enter "about.config" in >> the URL bar and search for "dom.storage.enabled" set it to "true" >> and try again. >> >> It is NOT recommended to enable DOMstorage! > > The TorBrowser 2.4.x-alpha series should support DOMstorage safely (no > disk access, and isolated to first party domain): > https://blog.torproject.org/blog/new-firefox-17-and-tor-alpha-bundles > > Be aware that it is an alpha, and more auditing work needs to be done > on Firefox 17 in general, though. Thanks Karsten & Mike, works under tor-browser-gnu-linux-x86_64-2.4.9-alpha-1-dev-en-US -- kat ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Tor with other applications
"Sebastian G. " : > Karsten N.: > > Hi, > > > > using old versions of TorBrowserBundle it was possible to edit the > > configuration torrc to set the SocksPort to 9050. It was possible > > to use Tor with Pidgin or Thunderbird+TorBirdy. > > > > Now the settings are ignored because Vidalia enforced "SocksPort > > auto" by command line argument. > > > > Any idea how to use Thunderbird+TorBirdy or Pidgin with Tor for > > Windows user. (Linux user may install Tor package and Vidalia and > > it works.) > > > > Best regards > > Karsten N. > > Hi Karsten, > > I'm not sure if this works for you, but I "installed" TBB and changed > the Vidalia setting (Settings > Advanced) to not set the ControlPort > automatically. This is all I do with recent versions of TBB. Works fine with Thunderbird+TorBirdy and Claws. Everything below was required a little while back before the autoconfig option was present and worked, but shouldn't be needed now. kat > I picked the old standard 9051. > > Then I edited the torrc and at least added > SocksPort 127.0.0.1:1234 > > I'm also not sure if > SocksPort 127.0.0.1:9050 > is present by default or if I added it. (Could it be > SocksListenAddress is still the default entry?) > > If Vidalia won't let you configure its own config from its interface > you can add > ControlPort=9051 > to vidalia.conf > > Regards, > Sebastian (bastik_tor) ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Restarting TorBrowser (not all of Tor)
Val C: > On several occasions recently, I've visited some buggy Web sites that > have caused TorBrowser to crash. This causes all of Tor to > terminate, because Tor apparently decides that if I've shut down > TorBrowser (which I didn't, actually, but it doesn't know that), then > I must not have any more need for Vidalia. Is there any way to > restart TorBrowser while still reusing the existing Vidalia process > and pseudo-IP identity? Some of the Web sites I use freak out if you > suddenly move to the other side of the world like that while using > them. I've been testing the latest alpha and stable releases and this problems appears to be solved, at least for me. Looks like the new stable has just been released: https://blog.torproject.org/blog/new-tor-browser-bundles-firefox-1706esr I'm interested to know if this solves your problem as I have had the same. -- kat ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Identify requests made by the same user
Andrew F: > krishna, > Tor minimizes the variables that can Identify you via fingerprinting > techniques, but > a dedicated team can still track you with enough effort. I know form > personal experience Andrew, I'm interested in any more light you can shine on this. I don't expect full details, but: I expect that if someone is targeting the physical me then they would be able to see and track much or all of my anonymous traffic if they really wanted to. However if someone is trying to find out who is behind some anonymous traffic or actions of a nym then this would be quite a lot more difficult, assuming adequate precautions were made. So could let us know from your personal experience which one is feasible? Thanks -- kat ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Vidalia error message with TorBirdy
anonymous coward: > Karsten N.: > >> Latest Thunderbird versions enforce STARTTLS if it was selected. The >> weak option "Use STARTTLS if possible" is not available any more in >> Thunderbird. You may use IMAP with STARTTLS, if your provider does >> not offer IMAPS. > > I changed to SSL/993 which should be fine now. > > But, with the latest discussions about Prism and stuff, how much can > you trust the CAs in web browsers and Thunderbird, after all? Do you > think CAs are safe from NSA´s games? I would be surprised if they > were. You can't really trust the CAs, at least not from state-level attackers. And Prism seems to indicate that pretty much all traffic is subject to recording (and later decryption?) by at least two state-level attackers: US and UK. > How does SSL work with Imap in general? When I first connect to the > imap server it transmitts its certificate, right? Is the certificate > then stored in Thunderbird or will the certificate transmitted again > each time you connect to imap server? I think, if the cert gets saved > in the mail client, it is _some_ protection against the man in the > middle...!? IMAPS works by ensuring that an SSL (encrypted) connection is made before the IMAP connection is made, therefore guaranteeing encrypted comms. All that is visible to an observer are the IPs and ports involved, and some information about the crypto being used. STARTTLS means that the IMAP connection is made first and then the session is 'upgraded' to become encrypted. This leaves encryption in the hands of the client and therefore the server can't enforce encryption. If I understand Karsten's email correctly then Thunderbird with TorBirdy now enforces the encryption from the client end via STARTTLS: this is good! The certificate will be cached in the client, however if the cert is changed (e.g. MitMed) then the client will accept the new one as long as it checks out through the regular checking processes. So a MitM which doesn't involve coercing a CA (or otherwise getting a 'valid' certificate) should result in Thunderbird throwing a warning, but a MitM due to a coerced CA will look fine. There are plugins for Firefox which alert you to a change in certificates, but I'm not aware of any for Thunderbird. -- kat ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Vidalia error message with TorBirdy
Karsten N.: > On 05.07.2013 08:41, Katya Titov wrote: >> You can't really trust the CAs, at least not from state-level >> attackers. > > See: "Certified Lies - Detecting and Defeating Government Interception > Attacks against SSL" ( C. Soghoian and S. Stamm, EFF.org, 2010) > > https://www.eff.org/deeplinks/2010/03/researchers-reveal-likelihood-governments-fake-ssl Thanks Karsten, Nice summary of the issues and collection of evidence showing that it does happen. Just reinforces: "just because you're paranoid doesn't mean they aren't after you." -- kat ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Vidalia error message with TorBirdy
Douglas Lucas: > On 07/05/2013 01:41 AM, Katya Titov wrote: >> >> The certificate will be cached in the client, however if the cert is >> changed (e.g. MitMed) then the client will accept the new one as >> long as it checks out through the regular checking processes. So a >> MitM which doesn't involve coercing a CA (or otherwise getting a >> 'valid' certificate) should result in Thunderbird throwing a >> warning, but a MitM due to a coerced CA will look fine. There are >> plugins for Firefox which alert you to a change in certificates, >> but I'm not aware of any for Thunderbird. > > Do you recommend any Firefox plugin in particular for this? It's quite a difficult task. I've used Certificate Patrol which alerts you if a certificate changes; and employs some simple checks such as automatically accepting (and still advising you) if the certificate was changed when it required replacing. I've also used Perspectives (now Convergence) which uses a history of certificate 'sighting' and known notaries to provide a degree of confidence about whether or not a certificate is genuine. Google's Chrome uses certificate pinning so that the certificates of well known sites are hard coded and the browser itself can determine if a MitM is occurring (assuming it is being regularly updated). This was how the Comodo/Iran breach (2011?) was detected. Firefox and IE are now also using pinning, but I'm not sure to what degree. I think that the Perspectives/Convergence approach is probably the best: rely on others' reports about whether a certificate is legitimate. This should demonstrate if a local adversary (e.g. government) is trying to intercept the comms (your certificate is different to everyone else's). This also means that a CA hierarchy is no longer required. You really need to determine who you can trust. Trusting CAs used to be good enough for most people (i.e. people who are protecting their financial transactions and email and not their lives) however this no longer appears to be the case. Certificate pinning secures your connections to specific, well known sites, if you trust the browser vendors. Perspectives/Convergence means trusting a distributed group of people who run notaries that crowd source information from end users who are trying to be more secure; but even here you need to trust the technology behind the system and that the system can't be gamed by a well-resourced adversary. One final option is something like the way SSH generally works in practice: trust and accept the certificate the first time you see it and then notice if it changes. Unfortunately this one isn't practical because most certificates change on a regular basis and there's no way to verify that the change was legitimate. You can treat Perspectives/Convergence as an advanced version of this. If anyone else knows of some other good plugins or approaches then I'm also looking for more options. -- kat ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Vidalia error message with TorBirdy
Karsten N.: > HTTPSEverywhere can use the SSL Observatory of EFF.org to warn you, if > something goes wrong with the SSL certificate of a visited webserver. > But I am not sure, if it was now proxy safe. In TorBrowser this option > is disabled. Thanks Karsten, I use HTTPSEverywhere but wasn't aware of this. I've just enabled it in my non-Tor FF installs. I can't see the ability to do this in Chrome yet. I'll play around with the settings in TBB and see if I can detect any leaks. -- kat ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Vidalia error message with TorBirdy
adrelanos: > Hi Katya, > > thanks for looking into these solutions. > > Katya Titov: >> If anyone else knows of some other good plugins or approaches then >> I'm also looking for more options. > > I take you by your word. > > http://web.monkeysphere.info/ > https://addons.mozilla.org/en-us/firefox/addon/monkeysphere/?src=search Thanks adrelanos. Do you have any thoughts on the amount of effort involved in using Monkeysphere? I've never recommended this to others because of the additional work involved, and as I'm sure you've seen on this list recently there are some people who seem to struggle with things that most of us take for granted, like email list usage. Do you use Monkeysphere in Whonix? (It's been a while since I spun up the VMs ...) -- kat ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Vidalia error message with TorBirdy
Katya Titov: > Karsten N.: > >> HTTPSEverywhere can use the SSL Observatory of EFF.org to warn you, >> if something goes wrong with the SSL certificate of a visited >> webserver. But I am not sure, if it was now proxy safe. In >> TorBrowser this option is disabled. > > Thanks Karsten, I use HTTPSEverywhere but wasn't aware of this. > > I've just enabled it in my non-Tor FF installs. I can't see the > ability to do this in Chrome yet. I'll play around with the settings > in TBB and see if I can detect any leaks. OK, I've done some testing using both Firefox 22.0 and TBB 2.3.25-10 on Debian 7.1. In both cases HTTPS Everywhere is configured to use the Observatory, *even if Tor is not available*. This should hopefully check that HTTPS Everywhere honours TBB's proxy settings. Using: tcpdump -i eth0 "(port 443) and (net 64.147.188.0/24 or \ 173.236.32.0/24)" I see regular traffic to hosts observatory*.eff.org when using Firefox. I see *no* such traffic when using TBB, however I *do* see connections to the same hosts via the Tor Network Map. I discovered the network addresses for the EFF Observatory through some simple host lookups so these are not definitive. It appears as though the HTTPS Everywhere plugin honours the TBB proxy settings. Can anyone from EFF comment? And if we can get an affirmative then should I open a ticket to have TBB's default behaviour modified? -- kat ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Vidalia error message with TorBirdy
adrelanos: > Katya Titov: >> adrelanos: >>> http://web.monkeysphere.info/ >>> https://addons.mozilla.org/en-us/firefox/addon/monkeysphere/?src=search >> >> Thanks adrelanos. >> >> Do you have any thoughts on the amount of effort involved in using >> Monkeysphere? > > No. I never came to look into it more throughly and the low number of > users, discussion and as far I found, project activity, never > motivated me. So it was a good time to point you at it, after you > asked for it. > > By the way, an interesting search term might be: > site:tails.boum.org monkeysphere Very interesting. In particular: https://tails.boum.org/todo/monkeysphere/ which points out that replacing the CA hierarchy with a web-of-trust hierarchy just isn't that simple! One of the the other pages links to: http://65bgvta7yos3sce5.onion/viewtopic.php?f=4&t=649&#p3418 which spells out the trust aspects quite well. I guess that many of us will trust EFF through their reputation. But the developers behind Monkeyspere ... not so much. >> I've never recommended this to others because of the >> additional work involved, and as I'm sure you've seen on this list >> recently there are some people who seem to struggle with things that >> most of us take for granted, like email list usage. > > I see the point. And given the Tails experience I'm not sure that it's worth the effort. >> Do you use Monkeysphere in Whonix? (It's been a while since I spun >> up the VMs ...) > > No, although I find it interesting in principle. And you're the first > one who ever asked. Again, I would say not worth the effort at the moment. Thanks for the pointers! -- kat ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Speculation: Next 10 years of Tor?
David Vorick > But right now Tor is one of the best tools we have. I would like to > see ways to make relaying easier - I've never been able to set up a > relay because I've always been behind some firewall (EG my community > college) that has stopped the relay. It's been technically beyond me > to establish a relay, and while I'm sure I could figure it out it > hasn't yet been worth the effort to me. I think Tor would have a lot > more relay and exit nodes if under all situations setting up a relay > was as simple as hitting a button. https://cloud.torproject.org/ Almost as simple as hitting a button, and $20 max per month. (Not a relay, but also not an exit, so unlikely to result in nasty outcomes for the operator.) > I think it would also be good to see the rest of the web standards > form around tor-level security. Right now you mostly disable > javascript and entirely disable flash through Tor, because they are > insecure. It would be nice if the full web was secure enough that Tor > could use the full web without vulnerabilities. This is the type of > thing that the devs can't really help, it's more up to the web > community as a whole to take a stance behind secure practices. https://tails.boum.org/ Flash is still problematic (I think, but being worked on), but everything should be accessible as per any other Linux distro. Overall I agree that the web should be more secure, but I don't think it will be any time soon. The next solution is to move security to the end point, have it on by default, and take options out of the hands of the (uneducated) user. The Tor Project and associated groups are doing just that. It looks like you've been engaging on the tor-talk list for a few months now. Keep it up, learn more, try more, report on things that are good or bad. Join the tor-qa[0] list and help to test new version on TBB as they are developed. Put back into the community! [0] https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-qa -- kat ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Updated "Why JavaScript is enabled" FAQ entry
Roger Dingledine > Hi folks, > > I rewrote our two FAQ entries on JavaScript-in-TBB, and merged them > into one: > > https://www.torproject.org/docs/faq#TBBJavaScriptEnabled > > Did I leave out any important points, or are there ways to make the > issues clearer? Hi Roger, I think it reads well. > (Please don't turn this into a "you should change the default you > idiots" thread, but please do point out if I've made one of the points > inadequately. Hopefully that's a distinction that will work here.) The "security slider" proposal will help to address this. Maybe with a small "have you considered ..." section on the start page. -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsusbscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] How secure is check.torproject.org?
Roger Dingledine: > Almost true. check.tp.o will no longer be the homepage (which also > gives a usability advantage on startup -- a local homepage will mean > you're not waiting for some outside page to load, and you're not > doing it while your Tor is bootstrapping its directory information, > making things seem even slower than they will be). > > But TBB in the background will still fetch > https://check.torproject.org/RecommendedTBBVersions > to decide if you need to upgrade without telling anybody your version. > > But that happens asynchronously, in the background, and doesn't need > to run javascript (at least, not externally fetched javascript). > > So yes, the answer is that pretty soon the check website won't be the > bottleneck that it currently is. Just out of interest, why doesn't the current TBB load a .onion address to check that Tor is working correctly? Or two tabs, one loading the current check site and one loading a hidden service version? The HS version would demonstrate beyond a doubt that you're communicating over Tor. -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] How secure is check.torproject.org?
Moritz Bartl: > On 11/22/2013 05:49 PM, Ed Fletcher wrote: >> This is something that I have also wondered about. Why go outside >> of the Tor network to check that you're using Tor? > > A hidden service adds extra hops to hide the (location of the) > service. There's some movement towards allowing services within the > Tor network to be just that, not hidden, removing the additional > hops. I don't use hidden services much, but they definitely are less > reliable than "regular" Tor use, and using hidden services adds > extra/unnecessary load to the network. The advantage that I see is that is there is no way to directly access a .onion site without using Tor, so it is a clear indicator that Tor is in use, visible to the user. > If I remember correctly the certificate for check.torproject.org is > pinned in TBB, so using a hidden service instead does not add any > security benefits. If you have more information about this then I would love to see it. I didn't realise pinning was implemented in FF, other than by removing all CA certificates and adding server certificates individually. -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] How secure is check.torproject.org?
Roger: > On Sat, Nov 23, 2013 at 07:35:54AM +1000, Katya Titov wrote: >> The advantage that I see is that is there is no way to directly >> access a .onion site without using Tor, so it is a clear indicator >> that Tor is in use, visible to the user. > > Not necessarily. Imagine a local network attacker who sees your > request for a .onion address go out on the local network, and then > supplies you with a DNS answer and then a webpage when you ask for > one. Now you're not using Tor, but you think you are. But if we're talking about TBB then a local network attacker should never see the request, just the resultant Tor traffic. Unless my understanding is very off. > Now, it's harder for them to do that with > https://check.torproject.org/ because of the https part, but the > attacker could just recognize requests for check and route them > through Tor, so the check page will congratulate you on using Tor > when you're mostly not. > > The correct answer is for TBB to do some self-tests of its proxy > settings, and not ask the big bad scary internet. I certainly agree here, but I'm also a visual person. I use the Network Map a lot to see that the traffic is passing through Tor. (This is one of my issues with the 3.0 series - no Network Map. I've had a look at writing FF plugins but they seem beyond my ability, or at least require more time than I have available at the moment.) I guess that some way to internally ensure that it is indeed using Tor as well as a visual cue would be nice. -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] How secure is check.torproject.org?
Roger: > On Sat, Nov 23, 2013 at 06:04:54PM +1000, Katya Titov wrote: >> But if we're talking about TBB then a local network attacker should >> never see the request, just the resultant Tor traffic. Unless my >> understanding is very off. > > If we're talking about TBB and it's working correctly, then there's no > need to check if it's working correctly, right? :) Well, yes, I guess so. > Check.tp.o is from a time before TBB was standard, when users were > trying to muck with their proxy settings, install an extension, or > otherwise make their Tor work. Yes, I remember the good old days ... > If you trusted the old check, you should trust the new about:tor page > in TBB 3 at least as much. It's more accurate, and it loads quicker > too. It certainly loads quicker. I'll need to trust that it's more accurate. > As for having a network map for TBB 3, I agree in theory. But somebody > needs to actually do it. Promising routes include writing it into Tor > Launcher (harder to do, but easier to maintain and probably safer) > or writing instructions for how best to attach your (old, eventually > obsolete) Vidalia to your shiny new TBB 3. Great idea, and so very easy. Just run TBB 3, and then run TBB 2.4. TBB 2.4 just simply connects and works. Network Map and New Identity both work nicely. I can't stop FF from starting (well, I can, but not cleanly) so any hints on that would be appreciated. Thanks! -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] How secure is check.torproject.org?
On reflection, I think I should clarify ... Roger: > As for having a network map for TBB 3, I agree in theory. But > somebody needs to actually do it. Promising routes include writing > it into Tor Launcher (harder to do, but easier to maintain and > probably safer) or writing instructions for how best to attach your > (old, eventually obsolete) Vidalia to your shiny new TBB 3. Great idea, and so very easy. Just run TBB 3, and then run TBB 2.4. Vidalia from TBB 2.4 just simply finds the running Tor instance, connects, and works. Network Map and New Identity both work nicely. I can't stop FF from starting (well, I can, but not cleanly) so any hints on that would be appreciated. Thanks! -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] VPS Suggestions for Middle Relay
David: > Hey everyone, > > I've been searching around for a few hours now looking for a good VPS > service to host a non-exit relay. It seems as if most VPS services > cringe at the word Tor, and the ones that allow it are either slightly > sketchy looking or somewhat expensive. > > In fact, I had one service tell me that the relay would HAVE to be > exit, otherwise they wouldn't be able to monitor the network for > malicious use. Another service just told me that they already have > 2-4 relays per node as is, so it would be pointless (although I feel > this may just be an effort to reduce their bandwidth load). > > So I'm looking to spend around $20-$30 dollars a month, and was > wondering if this awesome list had any recommendations? I've been running a bridge in Amazon for quite some time now. Around $20/month. https://cloud.torproject.org/ makes it very simple. -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Tor bridges in the Amazon cloud
nano:
> I took another run at this and managed to get a bridge running under
> the free usage tier.
>
> It works fine, but I have an Amazon problem (that some here may know
> how to solve).
>
> I am trying to setup a Billing Alert[1] to notify me when I exceed my
> free usage limit. However, despite setting up the instance >12 hours
> ago and enabling Billing Alerts in account preferences, I am still
> receiving the following message in the Alarms panel {
>
> No billing metrics found. If you recently enabled billing metrics, it
> may take up to 6 hours for them to appear here. If they do not appear
> please visit the Billing Console, you may need to adjust your
> preferences to receive billing alerts.
> }
>
> I recall a discussion not too long ago where the suggestion of
> Billing Alerts was made to avoid incurring unexpected fees at the end
> of the month. I was hoping someone knows what I need to do to
> activate this. Thanks.
I can't remember clearly now (was too long ago) but I never received any
alarms until I started to get billed. It is certainly working now for
me since I have gone beyond the free tier.
--
kat
--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Terminology: Deep v Dark Web
Hi all, I have a question or two about terminology in use when discussing non-indexable portions of the web. Relevant terms I see are "deep web" and "dark web", with occasional references to "dark Internet". Definitions which I use, and which seem to be reasonably popular are: - Deep web: Sites not easily indexable (dynamic pages, pages not referenced from others, sites hidden behind authentication, etc) - Dark web: Sites not accessible from the open Internet (Tor hidden services, I2P eepsites, etc) - Dark Internet: Unroutable IP space (unallocated, sink holes, etc) If I am correct about these definitions then statements such as the following the recent Businessweek article[0] are a little misleading: In addition to facilitating anonymous communication online, Tor is an access point to the "dark Web," vast reaches of the Internet that are intentionally kept hidden and don't show up in Google or other search engines, often because they harbor the illicit, from child porn to stolen credit card information. References to illicit material are probably unavoidable, however one thing which may be addressable is the definition of "dark web" which often seems to imply that it is enormous. (That's assuming that the dark web isn't actually enormous, and to my reckoning it doesn't appear to be.) So are there any useful stats on the size of the dark web? (And the deep web for that matter.) ISTR EFF discussing the deep web years ago but can't find a reference (and I may be getting confused with their Deeplinks blog); and I've rediscovered Andrew's report from 2012[1] noting that the dark web is often seen as being "dark and scary". If there were some stats which pointed out, e.g., that the deep web (including all those non-indexable pages in those big corporations where many work) is far larger that the regular Internet, and that *that* is far larger than the scary and illicit dark web, it may be useful for putting things in perspective. I realise that such stats would be hard to get, but assuming that some approximation is available it may make a good reference. (Current stats that I can find (e.g. [2],[3] as a random sample) seem to indicate that the deep web is 500 times larger than the public Internet without any real references; Wikipedia provides some quite old stats[4] but no comparisons (and confuses the terms "deep web" and "dark web"); and I can't find anything useful for the dark web.) I can put together a wiki/FAQ article if there's some interest. Thanks Kat [0]http://www.businessweek.com/articles/2014-01-23/tor-anonymity-software-vs-dot-the-national-security-agency [1]https://lists.torproject.org/pipermail/tor-reports/2012-September/46.html [2]http://websearch.about.com/od/invisibleweb/f/What-Is-The-Size-Of-The-Hidden-Web.htm [3]http://websearch.about.com/od/invisibleweb/a/invisible_web.htm [4]https://en.wikipedia.org/wiki/Deep_Web -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Terminology: Deep v Dark Web
Roger Dingledine: > On Sat, Jan 25, 2014 at 06:44:11PM +1000, Katya Titov wrote: >> So are there any useful stats on the size of the dark web? > > Check out http://freehaven.net/anonbib/#oakland2013-trawling > for some statistics about the number of hidden services as of about > a year ago. It's not all that precise (and the fact that they could > collect these stats represents several bugs: > https://blog.torproject.org/blog/hidden-services-need-some-love ) > but it's pretty darn clear that it's not "vast reaches of the > Internet" -- more like on the order of 1000 hidden services, many of > which aren't all that popular. > > (Not that popularity is a good judge of the value of a hidden service; > see example #1 on https://blog.torproject.org/blog/using-tor-good ) Thanks Roger, and Moritz too. I've put together an article and placed it on the Tor Trac/Wiki: https://trac.torproject.org/projects/tor/wiki/doc/HowBigIsTheDarkWeb It's a start, and I'll keep searching for more relevant information. I have no idea how to make it appear on the front page, but then maybe it should wait to see whether or not it is up to standards first. -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Vidalia has been replaced with Tor Launcher
TT Security: > 1. So "Network Map" and "New Identity" are absent now. When these > functions will be add to the TBB? Vidalia is now a stand-alone package. Details: https://www.torproject.org/docs/faq#WhereDidVidaliaGo -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Terminology: Deep v Dark Web
krishna e bera: > On 14-01-25 06:53 AM, Katya Titov wrote: >> I've put together an article and placed it on the Tor Trac/Wiki: >> >> https://trac.torproject.org/projects/tor/wiki/doc/HowBigIsTheDarkWeb > > Cool - it's concise and useful as a reference point for media or > public relations. > > To push the naming analogy a bit further, consider "dark matter" [0] > used in astrophysics. If the internet is the virtual universe, what > proportion would "dark energy" [1] - traffic which isnt indexed such > as email, bittorrents, streaming, IM/voip/videocall, gaming? There > was a statistic a few years ago that more than 40% of traffic was > bittorrent. Thanks krishna, and thanks for the update to the page. I agree that there's a lot of non-web traffic which could be considered dark, as Lars also pointed out. I'm looking from a web point of view as this is what is meant by media organisations, and I imagine by most end users. I'm trying to capture what would be thought of as websites but which cannot be directly accessed from the open Internet. It would be nice to include p2p/gaming/voice networks too. The differentiation for me is where there's an overlay network. So are BitTorrent/VPN/VoIP/etc networks overlays? I would say yes. Gaming/email networks? Maybe not. Where does a protocol/suite stop and a network begin? Wikipedia has a good definition: https://en.wikipedia.org/wiki/Overlay_network An overlay network is a computer network which is built on the top of another network. Nodes in the overlay can be thought of as being connected by virtual or logical links, each of which corresponds to a path, perhaps through many physical links, in the underlying network. For example, distributed systems such as cloud computing, peer-to-peer networks, and client-server applications are overlay networks because their nodes run on top of the Internet. The Internet was originally built as an overlay upon the telephone network while today (through the advent of VoIP), the telephone network is increasingly turning into an overlay network built on top of the Internet. For me, an overlay network is a basic requirement for a dark network - you need to do/use something other than your 'normal' software to get to it. But for it to be a dark net then it also provides access to something which you can't reach from the open Internet. A/The dark web is just a subset of a dark network, as the web is a subset of the Internet. That's my take. I'll try to work some of the above into the page over the next day or two. -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Terminology: Deep v Dark Web
Moritz Bartl: > "There are approximately 5000 Tor relays and under 2500 Tor bridges, > this may provide an indication of an upper bound on the number of > hidden services." > > There is no correlation between the number of relays and hidden > services? Hidden services should rather be behind simple Tor clients. Thanks Moritz, article updated. -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Vidalia has been replaced with Tor Launcher
Nathan Suchy: > Katya Titov: >> TT Security: >>> 1. So "Network Map" and "New Identity" are absent now. When these >>> functions will be add to the TBB? >> >> Vidalia is now a stand-alone package. Details: >> >> https://www.torproject.org/docs/faq#WhereDidVidaliaGo > > I'm unsure, The New Identity function is critical, I think Tor Button > has it, but Network might be a deprecated function... New Identity works from both TBB and Vidalia. The difference is that from TBB the entire browser closes and restarts and you lose open tabs. When choosing a new identity from Vidalia the browser remains open. If I had time and experience with Firefox plugins I would look at developing something similar to the Network Map as a native plugin. I still find it very useful as a visual cue. -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Vidalia has been replaced with Tor Launcher
Joe Btfsplk: > On 1/25/2014 5:07 PM, Lunar wrote: >> Joe Btfsplk: >>> I missed the memo on all reasons why Vidalia - bad, Tor Launcher - >>> good. >> >> At least: >> http://users.encs.concordia.ca/~clark/papers/2007_soups.pdf >> http://petsymposium.org/2012/papers/hotpets12-1-usability.pdf >> and Vidalia has no maintainers for a while now. > > Thanks Lunar. I perused those papers at my convenience (sounds > fancy). It was lost on me if they in fact pointed out (important) > flaws in Vidalia that Tor launcher doesn't have. > Other than Vidalia not being maintained. I see the main message as being that the TBB is too different from other software to allow non-technical users to use it confidently. Some specifics: - 2007_soups.pdf - G5 Users should not make dangerous errors from which they cannot recover. - G7 Users should be sufficiently comfortable with the interface to continue using it. - G8 Users should be aware of the application's status at all times. - hotpets12-1-usability.pdf - C.) Download Clarity: User wasn’t sure where on website to download the TBB - D.) Window discriminability: User wasn’t sure which window was TBB and which was a normal browser. - G.) Security Measure Confusion: Security measures taken by the TBB (such as redirecting from Google CAPTCHA, to DuckDuckGo) confused users. Some of these are being addressed by the simplification of the interface in the 3.x series (G7) and some are are not really Tor specific (G5, C). Others are more difficult, and if I had answers I would suggest them. Unfortunately, if the software is not simple to use then people will make mistakes, and those mistakes could result in the front door being kicked in by jack boots, or worse. Tails and Whonix fit the bill here and they make it very difficult to make mistakes, but they aren't the answer for everyone. -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Terminology: Deep v Dark Web
Mirimir: > On 01/25/2014 04:53 AM, Katya Titov wrote: >> https://trac.torproject.org/projects/tor/wiki/doc/HowBigIsTheDarkWeb > > I've never liked the term "Dark Web". There's nothing dark about it, > except in the sense that Africa was called the "Dark Continent" > because it was little known in Europe. It was not especially dark > there, until the European invasion. > > Virtually all of the "Dark Web" examples are networks that are routed > through the Internet. Most accurately, they are "Virtual Webs". > Drawing on Vernor Vinge, one could call them "High Webs", with the > current Internet being the "Deep Web".[1] If that's too evocative of > The Silk Road et alia, perhaps "Supra Web" would do. > > Typical "Dark Web" examples are Tor and its hidden services, I2P and > Freenet. But there are many other private networks (government, > military, academic, enterprise, etc) that are routed via VPNs through > the Internet, and yet are not readily accessible from it. Whatever we > call this category, they belong in it too. > > Analogous private networks, generally called anonets, are also routed > via VPNs through the Internet. Most of them use unallocated IP space. > Some of them route those addresses to the Internet, using customized > DNS services. And so they arguably become part of the Internet. This > will all become far easier with IPv6. > > There are also physical networks that extend the Internet in various > ways. Some of them arguably become part of the Internet. But many, > including most meshnets, are rather too impromptu for that. I generally agree, however the term is in common usage and we're probably stuck with it, just as we're stuck with the common definition of the word 'hacker'. I guess we could define a synonymous word and use that in lieu of "dark" ... 'private' isn't quite correct, and 'hidden' probably isn't either. I like 'overlay' but I'm not sure how it would go with the media and users. I've placed some definitions in the article and made some rearrangements and minor additions. Please feel free to update and/or discuss. -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Vidalia has been replaced with Tor Launcher
Lunar: > Katya Titov: >> New Identity works from both TBB and Vidalia. The difference is that >> from TBB the entire browser closes and restarts and you lose open >> tabs. When choosing a new identity from Vidalia the browser remains >> open. > > I need to point this out one more time: In the case of the latter, > the browser content stays the same. All the browser content. Including > cookies, history, and many other things that are used to fingerprint a > browser session. This means that from the websites point of view, > nothing changes except the IP address. You keep the same identity > there. Thanks Lunar, this is an excellent point. From my perspective this is expected and welcome, however others may be looking for something different. -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] no more Vidalia for TOR, what if...
Sukhoi: > Hi, > > Many TOR exit nodes were banned to access some sites. One way to > by-pass this is taking a "new identity" to change tor exit node. > But now, the latest TOR browser version has no more the Vidalia > client. So, how to change the exit node? Click on the green onion under the tab bar and select 'New Identity'. Note that this will close all existing tabs and not re-open them. As Lunar recently pointed out this is more consistent with actually getting a 'new identity' rather than just changing your IP address via Vidalia. If you want Vidalia back then read: https://www.torproject.org/docs/faq#WhereDidVidaliaGo -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Terminology: Deep v Dark Web
Rick:
> Why should you be stuck with anything? You're writing an important
> piece for an important project: You know... the onion with the crown?
> What you're writing may well become a source, a reference. You drive
> the conversation. All the words are belong to you. :)
>
> In a very broad sense I'd suggest:
>
> 'Commercial' that is open to all (sort of) and is after whatever can
> be monetized.
>
> 'Private' that is behind all those heavy-metal firewalls and exists
> primarily in support of 'commercial'.
>
> 'Neutral' for those referred to as 'deep' or 'dark' and, like Tor,
> seek to be common carriers:Identity is by choice, not by mandate. The
> connotations of the word 'neutral' are benign. It also suggests 'net
> neutrality' (original recipe... not KFCC's extra-crispy). Further,
> 'Neutral Net' has a nice ring to it. Shorten that to 'NeuNet' and the
> media might run with the concept. They love that stuff; it makes the
> Pulitzer fairies run around in their heads.
Thanks Rick, for the encouragement and the suggestions. I've added a
few definitions ('Open Internet' to represent your 'Commercial', as well
as a 'Private network'), but I've left the dark web as is ... not sure
that 'Neutral' fits, but I will keep it in mind.
--
kat
--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] no more Vidalia for TOR, what if...
Douglas Lucas: > Seems that right there, at the green onion button, there could be, > under "New Identity," a selection for "New IP address" that would > retain the old functionality. Good idea, and looks like it has already been requested: https://trac.torproject.org/projects/tor/ticket/9442 This also has some similarities and probably provides the same result: https://trac.torproject.org/projects/tor/ticket/9892 -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Terminology: Deep v Dark Web
Nicolas Vigier: > On Sat, 25 Jan 2014, Katya Titov wrote: > >> - Dark web: Sites not accessible from the open Internet (Tor >>hidden services, I2P eepsites, etc) > > I don't know what is the exact definition of "open Internet", but I'm > not sure we should oppose that to Tor hidden services. The Tor hidden > services are accessed using the internet, and they also look very open > to me: anybody can access them if they know the address, using free > software, based on a protocol that is documented. Good point. I've change "open Internet" to "public Internet". I already had a note that the open Internet was "open to filtering/censorship by governments and ISPs" and I think that sits better with the term 'public Internet'. Thanks for the input. -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Terminology: Deep v Dark Web
Parity Boy: > @Katya > > From my own perspective, a network can be considered "overlay" if > some or all of the nodes perform a relay and/or routing function via > server-to-server or peer-to-peer communications. > > Obvious candidates include Tor, I2P and various VPN implementations, > as well as IRC. Less obvious ones might include SMTP (servers), > Jabber (servers), VoIP (Skype and SIP servers yes, > TeamSpeak/Ventrilo/Mumble no). > > OpenNap used server-to-server communications to fan out searches to > other OpenNap servers. Not sure if BitTorrent can be considered a > network in the truest sense. > > Just my 2 cents. :) Thanks, good suggestions, some of these are already in the article. -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Terminology: Deep v Dark Web
On Wed, 29 Jan 2014 18:00:55 + mick wrote: > Katya's wiki page nicely encapsulates some the definitions, but I > think the definition of "deep web" might benefit from some tweaking to > take account of such commentary as Sergey Brin's lament back in april > 2012 (1) > > According to the article referenced. Brin complained that Apple and > Facebook's networks were effectively "dark" to Google since he > couldn't search those walled gardens. I don't think many people would > consider such sites as part of the "deep web", let alone "dark web", > but if Brin is to be taken seriously, then it might be worthwhile > pointing this out. Facebook alone is vast. Including that as an > example of "deep web" might add some context to the discussion. Good points. I've modified the end of the deep web definition from: "and private organizational information which resides behind authentication." to be: "and information which resides behind authentication such as on private organizational networks and public networks such as Facebook." I toyed with the idea of mentioning "walled gardens" as in the article but I don't think that it would be a correct term here. Apple certainly operates a walled garden, but this doesn't restrict which parts of the web that people can get to, it's more about controlling the applications. (Through which, or course, they can control access to "dark" nets such as Tor and I2P, so they do indirectly control access ... but then there are proxies to get around this ... we're descending into a deep rabbit hole here!) > After all, the claim that the "deep web" is some 500 times the size > of the open public internet dates from 2001. Somehow that statistic > doesn't feel right to me. I also think it doesn't feel right, but can't find anything more recent or concrete. Let me know if you find a better reference and I'll update the article. Thanks for the input. -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Terminology: Deep v Dark Web
Luther Blissett: > Katya Titov: >> Nicolas Vigier: >>> >>> I don't know what is the exact definition of "open Internet", but >>> I'm not sure we should oppose that to Tor hidden services. The >>> Tor hidden services are accessed using the internet, and they >>> also look very open to me: anybody can access them if they know >>> the address, using free software, based on a protocol that is >>> documented. >> >> Good point. I've change "open Internet" to "public Internet". I >> already had a note that the open Internet was "open to >> filtering/censorship by governments and ISPs" and I think that sits >> better with the term 'public Internet'. > > Both expressions are somehow misleading. What do you mean "open"? If > you mean "general public accessible", aka, "unrestricted internet", > first you have to consider that in most countries there is a fee > attached to internet access so it's not public in the same sense that > streets are. It does seem to be difficult to get a perfect description. Rick suggested "commercial" which I don't really think sums it up. "Open" is misleading to me because access is often filtered by governments or ISPs. I see "public" as a good compromise, meaning access to the "regular" Internet, something that the general public can get to. Whether it is through a home DSL line or a city or Starbucks WiFi doesn't matter too much (to me). > If you mean "well, accessible provided that you have access", then you > should consider that the internet is filtered to great lengths and so > there is no clear map of what is accessible till you try to connect. Yes, and I've noted in the article that "filtering/censorship by governments and ISPs" can be performed. > Also, you should consider that the internet != web Yes, the article defines: Web: the portion of the Internet which is accessible via a web browser; the World Wide Web. Getting this message across to non-technical people is hard. For many the web *is* the Internet. > and that even if we consider the web only, there are factors such as > nameserver completeness, websites that have private portions + public > ones, websites that require certain software & | hardware to provide > ordinary functionality. Yes, the private portions become the "deep web" in my definition. Not "dark", just not searchable/accessible. Where software or hardware which is not immediately available to users is involved I see that as "dark". > Everything is done in the open and everything is interconnected, but > that does not mean there is no friction. Dark is the word westerns use > to refer to that which they do not comprehend. There is no dark and > there is no deep, the only ones who might think this way are those who > were captured by the .com web2.0 bullshit later 90s, early 00's. The > problem is they are the 99% as of nowadays. I disagree here. The dark web is the portion which is not accessible from regular web clients and not done in the open, e.g. Tor hidden services and I2P eepsites. I've also noted in the article that if we consider dark *networks* instead of just the dark web then we also should include VPN, P2P, VoIP and other overlay networks. "Dark" can be associated with that which westerners do not comprehend: that is in part, I think, what the Tor Project is trying to combat through its "Who Uses Tor?" articles. Web 2.0 may be marketing bullshit, but it's generally accepted and therefore needs to be addressed. I'm hoping to document useful definitions and at the same time dispel the myth that the dark web is many times larger than the public web. While it's possible to just ignore the 99% it doesn't really help the situation, and it certainly doesn't help expand the reach and usefulness of Tor. That's my view. If you come up with a better definition than "public" then please update the article! My only wish is that any other term will be understood by and useful for the 99% as they are ultimately the target audience. -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] FW: Estimate Deep Web
Rick: > Vanderlei Gugel: >> hello okay? We Vanderlei Gugel and Ariel Schwendler We are students >> of Information Systems at the University of the West of Santa >> Catarina (UNOESC) and we are developing a work of completion on the >> Deep Web and we challenge you to try to estimate the amount of >> sites that have the Deep Web Please ask if you have as you help us >> with that, if you do not have to tell us the size. help in giving a >> hint how we could do this. Thank you very much. > There may be interesting reading for you in the January archives > for this mailing list. They are here: > > https://lists.torproject.org/pipermail/tor-talk/2014-January/subject.html > > The post 'Terminology: Deep v Dark Web' originated by Katya Titov > might be a good start. We would, I'm sure, welcome any thoughts or > results that you and your group might have on the matter. An academic study into the size of the deep web would certainly be welcome. A study from BrightPlanet[0] may provide some insight into your research. Pointers to any other papers or research that you find would also be most welcome. [0]http://quod.lib.umich.edu/cgi/t/text/text-idx?c=jep;view=text;rgn=main;idno=3336451.0007.104 -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] [Cryptography] Dark Web should really be called the Twilight Web
grarpamp: > Internet access is generally provisioned and billed as... choose > the max bandwidth you want, pay for it whether you use it or not. > Therefore if you have idle capacity within your max at some moment, > you have the bandwidth to dynamically fill it with padding at no > additional cost. It's not a question of buying more to use as fill, > it's about intelligently filling what you've already comfortably paid > for. There are still many places, including some western first-world democracies, where Internet access is billed by the byte/KB/MB/GB. I live in a G20 country outside the US and pay for traffic usage. And anyone using a mobile connection (maybe shared to their laptop) will most likely be paying for usage and not bandwidth. Does anyone know how access is billed in countries with mandatory Internet filtering such as China, Iran, Syria, etc, and what the impact of filling would be? How would such have impacted, e.g., the Arab Spring? -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] TBB update using offline/ downloaded tarball?
Zenaan Harkness: > Is there an upgrade process for TBB by e.g. unpacking the tarball over > the existing installation directory, or does one have to use the > in-browser upgrade-in-place option or install to a separate directory? > TIA > Zenaan If you follow the tor-qa list you can see the new version just before it's released (and help test!). From there you can download the .mar update file for the version you need to update. The locations change, but the most recent was: https://people.torproject.org/~mikeperry/builds/5.0-build2/ (I'm sure there's a standard repository somewhere ...) >From there you can download the necessary update, e.g.: https://people.torproject.org/~mikeperry/builds/5.0-build2/tor-browser-linux64-4.5.3-5.0_es-ES.incremental.mar This will upgrade the Linux x64 version from 4.5.3 to 5.0. To apply: $ cd /path/to/tor-stuff $ rm -rf outside.old; mv outside outside.old; mkdir outside $ cp [.mar file] outside/update.mar $ cd [tor-browser directory] $ cp updater ../../outside $ ../../outside/updater ../../outside . . This is for Linux, and obviously based on my directory structure. This should replicate the automatic update process. And a backup of the old tor-browser directory probably wouldn't hurt. -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] TBB5 & torsocks
Lara: > I use torsocks 2.1.0 with youtube-dl. > > After the upgrade the connection keeps breaking off. Quite often the > dns resolution. And less often the connection just breaks. Everything > but TBB is unchanged. > > So I have made the experiment. With TBB 4.5 everything works fine with > no error. Back to TBB 5 and the errors start popping up again. I'm having no issues with TBB 5.0 and torsocks 2.1.0. Where are you downloading from, and do you have the latest youtube-dl? I have found that youtube-dl -U fixes most download issues. -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] youtube required scripts_now
Joe Btfsplk: > Is there a specific set of scripts now required to play youtube vids > in TBB - & the other aren't needed? > Not long ago, the only scripts required on youtube for TBB or Firefox > seemed to be youtube.com & s.ytimg.com. > > I get mixed results by trying to test which ones are now required or > not. Sometimes allowing scripts youtube.com & s.ytimg.com & another - > like googlevideo.com - seems to work; other times not. > > That could partly be a timeout issue, not a forbidden script issue? > I haven't determined if the same scripts are required to play in > Firefox as in TBB - mixed results. > That may depend on the video to be played? I've been allowing blocked objects from googlevideo.com, video/ogg seems to be what is required. -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] torpoxy support for forced https
> I suggest torproxy could generate a random CA certificate when its > installed and transparently convert all http to https, generating the > required SSL certificates on-the-fly and signing them with the random > CA certificate. The user would then have to add the random CA > certificate to their browser, or better yet, this could somehow be > automated for the Tor Browser. One open question with this scheme is > whether torproxy would also need to rewrite html content to change > http urls to https. This is similar to a method which oppressive governments use to monitor their users. Not something that Tor should be involved in. > Alternately, the Tor Project could ask Mozilla and other browsers > developers to add a switch for "treat .onion as secure". Or maybe it > could be "treat .onion as secure but only if certain conditions hold, > such as the proxy is running on the localhost and a to-be-determined > status query of the proxy succeeds". .onion sites already are secure. I think what you are looking for is a way to to signal to the user that HTTPS is not required for .onion sites. I'd lean towards just using HTTPS because that means there is no further education to be performed. Let's Encrypt could help here. -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Onion service discovery
Joshua Hull: > I've been thinking about how to get onion services transparently > selected over non-onion services in order to drive adoption. It seems > to me that a simple strawman proposal would be that before attempting > to connect to a domain name, do a lookup for a specific type of TXT > record, ensure it's being served over DNSSEC, and if both things are > true, prefer that record. Check out Darkweb-Everywhere, a fork of HTTPS Everywhere, and the associated email thread: https://github.com/chris-barry/darkweb-everywhere/releases https://lists.torproject.org/pipermail/tor-talk/2014-February/032220.html > However, I can't seem to find much documentation on preferred > mechanisms for discovering onion services. Is there something similar > to the scheme I mention above already in use that someone could point > me to? Hopefully someone else can answer this. I've run hidden services and can confirm that they can be discovered, but I'm not sure on the best/preferred discovery methods. -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] "Circumvent" Cloudflare Captcha alike Sites with Translation
> A simpler workaround of similar kind would be to use the Ixquick > Proxy: do a search at https://ixquick.com/, then click "Proxy" in > search results. Just tested with searching for "Cloudflare" then > opening their website via the proxy. HideMyAss has a free proxy: https://www.hidemyass.com/proxy > Sadly you can't enter an URL directly, it has to start with a search. Same limitation: load the page then enter the URL into the form. -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Which reputable webmail providers function well with Tor?
blo...@openmailbox.org: > Can anyone suggest a reputable webmail provider that is not totally > anti-Tor. > > Cock.li and Sigaint and Unseen.is and Mail2Tor are out as the names > look weird to "normal" people. > > Ruggedinbox is unreliable as the site is often down. VFEmail used to > work but I can't seem to sign-up now. > > ProtonMail demands SMS validation. > > Tutanota seems OK but on this list a poster said that they closed his > accounts down for no reason. > > RiseUp requires an invitation. I have had very few problems with Yandex and GMX. Yandex sometimes blocks IMAPS connections, but a change of exit node fixes that. No issues with either via the web interface. -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Which reputable webmail providers function well with Tor?
grarpamp: > Yandex was very aggressive with their outbound spam > filtering, so ability to reliably send messages became > very annoying, with no way to disable / train it. > > Has yandex corrected this problem? I've never had any issues. -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Tor Is Teaming Up With Researchers To Protect Users From FBI Hacking
Found this on Motherboard https://motherboard.vice.com/read/tor-is-teaming-up-with-researchers-to-protect-users-from-fbi-hacking > Tor Is Teaming Up With Researchers To Protect Users From FBI Hacking > Written by > Joshua Kopstein > Contributor > > June 19, 2016 // 03:28 PM EST > > The FBI has had a fair amount of success de-anonymizing Tor users > over the past few years. Despite the encryption software's > well-earned reputation as one of the best tools for online privacy, > recent court cases have shown that government malware has compromised > Tor users by exploiting bugs in the underlying Firefox browser—one of > which was controversially provided to the FBI in 2015 by academic > researchers at Carnegie Mellon University. > > But according to a new paper, security researchers are now working > closely with the Tor Project to create a "hardened" version of the > Tor Browser, implementing new anti-hacking techniques which could > dramatically improve the anonymity of users and further frustrate the > efforts of law enforcement. > > Specifically, the researchers are currently testing "Selfrando," a > technique made to protect against browser exploits such as the one > reportedly used by the FBI. > > The new method is meant to counteract what's known as "code reuse" > exploits, where rather than attempting the much harder task of > injecting new malicious code, an attacker will exploit a memory leak > to reuse code libraries that already exist in the > browser—essentially, building malware by rearranging things inside > the application's memory. > > To do that, an attacker generally needs to have an idea of where > certain functions are located within the application's memory space. > But the current security mechanisms in browsers only randomize the > locations of code libraries, not the individual functions. Which is > where the Selfrando technique comes in, creating a random address > space for internal code that's much harder to exploit. > > "Our solution significantly improves security over standard address > space layout randomization (ASLR) techniques currently used by > Firefox and other mainstream browsers," the researchers write in > their paper, whose findings will be presented in July at the Privacy > Enhancing Technologies Symposium in Darmstadt, Germany. > > "The Tor Project decided to include our solution in the hardened > releases of the Tor Browser, which is currently undergoing field > testing." > > Basically what that means is it's about to get harder to hack the Tor > Browser, including for law enforcement agencies like the FBI, who > complain they already don't have enough resources to develop the > malware necessary to catch terrorists and other serious criminals. > > And while that defensive advantage may not last for too long, it > shows that some in the academic research community are still intent > on patching the holes that their peers are helping government hackers > exploit. > > Topics: security, anonymity, Tor Browser, hacking, privacy, > Selfrando, FBI, law enforcement, power, encryption, machines -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Tor-friendly email provider
Oskar Wendel: > I need an email provider who will: > > a) allow receiving mail through pop3 or imap over tls (or tor hidden > service) > > b) allow sending mail through smtp over tls (or tor hidden service) > > c) be tor-friendly (my current provider blocks some tor exit nodes > when I try to send mail through it) > > d) have a good reputation (emails sent from it won't be classified as > spam) > > e) don't filter incoming emails in any way > > f) be anonymous and free or payable with scrypt-based coins > (litecoin, dogecoin, etc.) > > Do you have any recommendations? I rarely have problems with Yandex. Sometimes it doesn't allow an IMAP connection so I simply choose a new identity from TBB. GMX also works well. Both support SMTP and IMAP over Tor and both have web interfaces. -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Tor E-mail gateway - how to transfer messages from the Tor Network ?
Muppet96: > Hi, > is there any chance to send an E-Mail message from the Tor network to > gmail accounts or any other E-mail service providers ? > Usually each E-mail which is sent from the IP where for example: tor > relay is running - is immediately block by the spam filters. > Till now I havent found ane sensible service, from which for example > activist will be able to send an E-Mail. As You see, this E-mail has > been sent from the protonmail.com. Nice service, but I would never > store/send any messages from this website to my enemies or some > organizations. > Does Tor has any E-mail System which could be easily use to transfer > messages between Tor Network and Internet ? I`m talking about > services from which E-mail is accpeted by the providers as gmail, > yahoo, hotmail. > Does any one working on it ? Does any one has configured some kind of > gateway which can be use to transfer E-mail message from the tor > network to the internet ? > I will appreciate any for any infos. > Cheers > Muppet96 I use common email providers, I sign up and access them via Tor. So, for example, I signed up to this provider (Yandex) using Tor, and I ensure that I only ever connect using Tor. That way, I get the anonymity I require while using well known providers and my email does not end up in the SPAM folder. Yandex, GMX and ProtonMail all work well. None are perfect and there are times when I can't connect via Tor and need to use the New Identity feature, but these three are pretty good. -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Tor E-mail gateway - how to transfer messages from the Tor Network ?
Random User: > Katya Titov: > >> Yandex, GMX and ProtonMail all work well. > > Would you know if any of those are functional without JavaScript? I use Claws Mail and torsocks, so technically yes, but that probably doesn't answer your question. I don't use the web interface, and it has been a while since I created a new account. Even then, I tend to leave TBB settings at default, so I'm not sure. -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Tor E-mail gateway - how to transfer messages from the Tor Network ?
>>> Yandex, GMX and ProtonMail all work well. >> >> Would you know if any of those are functional without JavaScript? > > I use Claws Mail and torsocks, so technically yes, but that probably > doesn't answer your question. > > I don't use the web interface, and it has been a while since I created > a new account. Even then, I tend to leave TBB settings at default, so > I'm not sure. ... except ProtonMail. I only use a clear net account there at the moment. When I was accessing it over Tor I was was using the default security settings, so I was probably using JS. -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Tor E-mail gateway - how to transfer messages from the Tor Network ?
Random User: > Random User asked Katya Titov: >>> Would you know if any of those [Yandex, GMX and ProtonMail ] are >>> functional without JavaScript? > > K.T. answered no, did not know, at least not as concerns using via > each provider's web interface. > > Thank you. I suppose we will yet see if anyone else here may know. It's really not all that hard. Move that security slider up to high and try. Yandex has a light version that works without JS. The others require it. You now owe me 5 minutes of internet. -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Tor Browsers - problem with sequencial runs
J B: > I have both TB 7.0.2 and TB 7.5a2 installed separately (different > dirs) - they are > fully different apps. > I do NOT run them in parallel as that would normally cause a problem. > But I do sometimes run them one after another by starting and closing > e.g. TB TB 7.5a2 and after a few hours trying to start start 7.0.2 > which then reports an error due to being unable to connect to Tor > (when I quit and restart, sometimes twice, I am > able to connect, but have to "CONNECT"-configure as if on first run > after installation). > I do not have any related custom configurations. > I think I should be able to do it - these browser runs are > independent and should not know about each other (presumably thru > some run-related uninitialized data structures). Not sure if this is related, but I occasionally see that TBB doesn't completely exit when I close it down (running on Linux). Doesn't seem to matter whether I close the window, File->Quit or CTRL-Q. Also doesn't appear to depend on how long TBB has been running or how many windows I have had open. It does seem to depend on how many different sites I've been to, so I'm leaning towards something going slightly haywire based on a site I'm visiting, but have never been able to figure out what or which. I end up using ps or lsof to find the PID and then just kill it. Has been going on for a long time over many major releases, but I've never had enough information to log a ticket. -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
