Re: [tor-talk] Is Tor Browser 5.5.1 vulnerable to any of the graphite font vulnerabilities?
On Fri, Feb 12, 2016 at 1:41 AM, Georg Koppenwrote: > Cain Ungothep: > >> I would > >> like to know if Tor Browser 5.5.1 is vulnerable. Thanks > > > > Looks like it is: > > > > > https://gitweb.torproject.org/builders/tor-browser-bundle.git/commit/?id=7a36dbece35a307675f396a019dccf6e431efb44 > > > > That build corresponds to a branch which includes the commit that > > supposedly fixed bug 1246093, and this commit was only pushed less than > > 48 hours ago. > > Indeed. We plan to get at least a new stable version (5.5.2) out today > which is based on Firefox ESR 38.6.1. Mozilla released 38.6.1 just to > address the Graphite vulnerabilities. > Thanks, I have downloaded version 5.5.2. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Is Tor Browser 5.5.1 vulnerable to any of the graphite font vulnerabilities?
I received a Firefox ESR vulnerability notice today [1] that basically says some vulnerabilities in libgraphite were fixed in 38.6.1, released today. The digital signature is for the 10th. Some of the issues were first disclosed on Feb 5 [2] which is around Tor Browser 5.5.1 was released. I'm not sure when the other smart font issue was first disclosed. In the tor browser blog comments on the 10th someone said graphite font rendering is vulnerable [3] but I can't tell if he's talking about in 5.5.1 or before. I cannot find a list of vulnerability notices for Tor Browser (why not? seems like it would be good to have). I assume it somewhat mirrors Firefox ESR. Based on the information about this, which looks exploitable, I would like to know if Tor Browser 5.5.1 is vulnerable. Thanks [1]: https://www.mozilla.org/en-US/security/advisories/mfsa2016-14/ [2]: http://blog.talosintel.com/2016/02/vulnerability-spotlight-libgraphite.html [3]: https://blog.torproject.org/blog/tor-browser-551-released#comment-155968 -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Did the FBI Pay a University to Attack Tor Users?
There's an interesting article on the Tor Project's blog today that asks that. https://blog.torproject.org/blog/did-fbi-pay-university-attack-tor-users Is this a problem that can't be stopped, these relays that may join the network in an effort to de-anonymize users? Can anyone still flood the network with tons of relays? Though the relays that were identified were removed wouldn't someone persistent just learn from that and differentiate more? -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] How do you configure a Tor relay on Windows?
On Thu, Sep 24, 2015 at 11:21 PM, Cypherwrote: > I'm helping a user try to install a relay on his Windows 7 machine. They > have the Tor Browser Bundle. I know we have to edit the torrc config file > but I can't' find it! The webpage says it should be under \Data director > but it's not there. > Tor Browser\Browser\TorBrowser\Data\Tor\torrc -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] tor browser
On Fri, Jul 24, 2015 at 1:45 PM, Bill Cunningham bill...@suddenlink.net wrote: For the life of me I can't get the tor browser to open. It will not even start let alone install. I don't know what's going on. I have an XP x64. I think it's supposed to work with that. What can I be doing wrong? To get help I think you will have to give more information and also there may be better places to get it. https://www.torproject.org/docs/faq.html.en#SupportMail I tried torbrowser-install-4.5.3_en-US.exe in Windows XP x64 SP2 and it installed and connected without a problem, so it does work there (though I had to resize the browser slightly to fix a lack of refresh). I don't know what you're doing wrong. Maybe you have anti virus that blocks the install file or it is the wrong file. https://www.torproject.org/projects/torbrowser.html.en -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] generating more donations
On Wed, Mar 4, 2015 at 2:18 PM, Denise Mangold denise.mang...@gmail.com wrote: I have my amazon smile to donate to the Tor project. I think there should be more marketing of this to generate more money/donations. I do see it in the donate page, but I think more people would use the Amazon smile. A lot of people shop on amazon and support tor. That is a really great idea and I don't think a lot of people know about it. If you go to smile.amazon.com and search for charity tor project inc the first result is The Tor Project Inc. Selecting that charity is a frictionless way to donate. After that every time you buy from smile.amazon.com which is basically Amazon you are supporting the project. As far I can tell it isn't any more expensive than regular amazon.com (I've been opening a second browser to regular amazon.com the last few times I've bought something just to compare prices) although I don't see where they say that explicitly. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Belarus just banned Tor and other censorship circumvention tools
On Wed, Feb 25, 2015 at 11:36 AM, Anton Nesterov koma...@openmailbox.org wrote: Aaron Gibson: On 2015-02-25 14:22, Anton Nesterov wrote: 11. If government inspection find Internet resources or anonymity tools (proxy servers, anonymous networks like Tor, and so on), which can be used to get access for Internet resources with limited access, they should add identifier of that Internet resources or anonymity tools to the list of limited access. http://pravo.by/main.aspx?guid=12551p0=T21503059p1=1p5=0 text (Russian) Is there any mention of penalties for circumventing the blocks? No, only for ISPs if they refuse to block. Also, news report in English https://meduza.io/en/news/2015/02/25/belarus-bans-tor According to an announcement by the nation’s Communications Ministry, the authorities intend to block access to any anonymizers that allow Internet users to reach online resources banned inside Belarus. That seems ambiguous, online resources physically inside the country or online resources that could be anywhere but are banned from being accessed inside the country? Do other countries ban all exit nodes? -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] 3347 lizardNSA Relays on google cloud.
On Fri, Dec 26, 2014 at 1:52 PM, Thomas White thomaswh...@riseup.net wrote: It is dangerous. I've run a cluster of exits for a long time and people like myself and Moritz know the dangers of reducing the diversity pool. Adding even a gigabit of exits to a single AS right now is dangerous and I've consulted arma on the topic before who agreed. Beyond 25% of the network is dangerous and higher than that could cause serious anonymity implications. Why turn down more bandwidth? If all of the exits are being run by the same person or group why not mark them all as family members of the same group? I checked a few of them and I don't see that they list family members. Unless I misunderstand what family members is for? https://www.torproject.org/docs/faq.html.en#MultipleRelays -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Sybil Attack
On Fri, Dec 26, 2014 at 3:41 PM, Thomas White thomaswh...@riseup.net wrote: There has been some worry about a possible Sybil attack on the Tor network and a threat of deploying a 0 day once a Sybil has been confirmed. The concerned relays right now are using then nickname LizardNSA followed by random characters There is also FuslVZTOR followed by random characters, 246 right now all from uk 212.38.181.x. I checked a couple the family info on a couple and none is set. I don't know if that is normal or not I've never watched the relays. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Including Adblock to TBB to save bandwith
On Wed, Dec 24, 2014 at 12:08 PM, krishna e bera k...@cyblings.on.ca wrote: What about making a TorProject filter list for Adblock* users so that we all look the same to sites visited? Tails uses ABP what about including the same list that they use and disable subscriptions_autoupdate. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Warning: Do NOT use my mirrors/services until I have reviewed the situation
On Sun, Dec 21, 2014 at 3:17 PM, Thomas White thomaswh...@riseup.net wrote: Many of you by now are probably aware than I run a large exit node cluster for the Tor network and run a collection of mirrors (also ones available over hidden services). Tonight there has been some unusual activity taking place and I have now lost control of all servers under the ISP and my account has been suspended. Having reviewed the last available information of the sensors, the chassis of the servers was opened and an unknown USB device was plugged in only 30-60 seconds before the connection was broken. From experience I know this trend of activity is similar to the protocol of sophisticated law enforcement who carry out a search and seizure of running servers. Until I have had the time and information available to review the situation, I am strongly recommending my mirrors are not used under any circumstances. If they come back online without a PGP signed message from myself to further explain the situation, exercise extreme caution and treat even any items delivered over TLS to be potentially hostile. What does this mean for the layman that uses Tor? If I am using Tor via Tails am I affected by this? When you say services does that include your exit nodes? How would I stop your exit nodes from being used? Is there not a way for you to revoke their keys when they are seized by law enforcement? Sorry if I misunderstand. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Tor and solidarity against online harassment
On Thu, Dec 11, 2014 at 5:07 PM, Roger Dingledine a...@mit.edu wrote: I'd like to draw your attention to https://blog.torproject.org/blog/solidarity-against-online-harassment https://twitter.com/torproject/status/543154161236586496 One of our colleagues has been the target of a sustained campaign of harassment for the past several months. We have decided to publish this statement to publicly declare our support for her, for every member of our organization, and for every member of our community who experiences this harassment. She is not alone and her experience has catalyzed us to action. This statement is a start. Where's the harassment, what happened? Does it have to do with her work for the Tor project? I think if you have any ideals you're going to end up harassed at some point. There are a lot of intolerant people out there, Roger. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] So much for using ixquick and Startpage: Now broken w/Tor
On Sat, Nov 8, 2014 at 10:44 AM, l.m ter.one.lee...@hush.com wrote: It's not broken. They explain clearly that the concurrent use of ixquick/startpage by multiple Tor users at a given exit relay can trigger automated abuse blocking. They're right. It could be abuse. The same reason Google does it. Why is this a surprise? The problem with Google is the connection sometimes 'spills' over to new circuits which puts you into an infinite loop of entering captchas. This makes Google just block some exit relays entirely for a time because of repeated failed captchas. Google really wants to make money so if they set a cookie for one of your circuits, and ask for a captcha, which then 'spills' to a new circuit, and you just choose a new identity--well it shouldn't be a surprise they decide to block a bunch exits for lost revenue. Just try your search on startpage/ixquick with a new identity. Thanks, I know I can do that but I don't want to do that. Their help page says Both Ixquick and StartPage are compatible with Tor, although use of VPNs and Proxy services (including Tor) may occasionally trigger our anti-abuse mechanisms. If so, you will temporarily be presented with a small warning message, or a request to complete a CAPTCHA before continuing with your search. [1] I didn't get captchas and the warning didn't go away. So it seems broken. It's a block unless you change identities until you get one that works. If you have to repeatedly change identities doesn't that do something to lessen anonymity? [1]: https://support.startpage.com/index.php?/en/Knowledgebase/Article/View/288/0/how-does-startpage-interact-with-tor -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] So much for using ixquick and Startpage: Now broken w/Tor
On Fri, Nov 7, 2014 at 9:50 AM, Öyvind Saether oyvi...@everdot.org wrote: https://startpage.com/do/search is also broken. It is interesting how they decided that today (the day after those darknet raids) would be a good day to ban Tor-users. Does anyone know anyone at startpage, maybe you should CC them this. I just tried the startpage search box in Iceweasel in Tails and I receive a message directed at Tor users whenever I try to search. I will paste the message below. Unfortunately it does not appear just once, it appears every time and I can't get search results that way. I wouldn't mind answering a captcha once in a while but I don't know how much that's going to help them against bots since bots apparently use opencv and tricks to break captchas. Here is the message, it's long: Welcome Tor Users! We are happy to welcome you to Startpage, the world's most private search engine. Startpage now serves well over 2 million searches per day, making us the biggest private search service on the Internet. Like Tor, Startpage was private long before privacy was cool. We have a fourteen-year company track record, and we are the only search engine that can back up our privacy promises with third-party certification. Here are just a few of our powerful, privacy-protecting features: We do not record anything about you — not your IP address, not your search queries, and we never use tracking cookies. We provide 100% Google results — We submit your search anonymously to Google and return their results to you in total privacy. We encrypt all traffic — using HTTPS, so even your ISP can't snoop on your searches. We offer a powerful free proxy — that lets you anonymously view third-party websites with every search. We're third-party certified and independently audited — by EuroPrise and Certified Secure, so you can take our privacy promises to the bank. We love Tor! We believe in the Tor project and its privacy mission and we applaud your efforts to pursue serious Internet privacy. As you know, Tor recently included Startpage as the default search engine in the new Tor Browser Bundles. Thank you! We're honored to be associated with all of you like-minded, hard-core privacy fanatics. Just One Small Catch... However, the avalanche of new Tor users has created an issue with the algorithm we use to detect and reject automated screen-scraping programs. When multiple Tor users are searching through the same end node, Startpage may wrongly conclude that the searches are coming from a scraper. The unfortunate result is that Startpage may occasionally not return results with Tor. But don't panic, we're committed to fixing it. Here's a Temporary Solution We are reaching out to the Tor developers to find a permanent solution. In the meantime, here is a workaround for Tor users: If you use the Tor Browser Bundle: Switching to a new Tor identity is easy and fast. Click the green onion icon next to your address bar, then click New Identity and try your search again. In some cases, you may have to switch identities a few times for this to work. We want Tor users to have a great private search experience with Startpage, and we appreciate your patience while we develop a long-term solution. As you use Startpage, we'd love to hear from you and get your impressions. Meanwhile, thanks for supporting the vision of Tor and Startpage and a completely private Internet! -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Cloak Tor Router
On Sat, Nov 1, 2014 at 5:09 AM, Lars Boegild Thomsen l...@reclaim-your-privacy.com wrote: First of all, I would like to hear more opinions about the value of a device such as this. I realize that most technically adept people will frown on a a toy such as the Cloak, but this device is really not meant for anybody who can install the Tor software on their own or someone who can install Tor on a Rasberry Pi. It is meant for my parents, my kids or anyone else who - deserve privacy but might not be technically able to achieve it. I fully understand and appreciate that a Tor Router such as Cloak will NEVER in itself be able to provide any form of anonymity or security. It is merely a tool that if used correctly can help enforce a certain level of privacy (the newly introduced or discussed Australian data retention laws spring to mind and I am certain other countries are introducing the same laws). A secondary justification are devices which does not support Tor. I've got a Media player in my house and that does phone home every single time I play a movie on it and there is no way I could possibly install Tor on it. With Cloak and NO login - that is fairly anonymous. Second of all I would sincerely like a discussion about the firewall rules and other security or usability issues with a device as this. The source is on Github for everybody to check and I will be happy to discuss any technical aspect and appreciate any constructive criticism. I am of course also happy to respond to any questions thrown in my direction. What happens when a new version of Tor comes out? You want to put this in the hands of people who really don't know anything about security. To stay secure wouldn't you or someone have to ensure that all those devices are using the latest Tor? And how could you do that without access to the devices? If you leave it up to the end user to do firmware updates most people probably aren't because they are, like you say, not able to install Tor on their own. I really don't know if your device is a good idea or a bad idea but I cringe at what could end up as a false sense of privacy. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Orbot/Tor talk at MIT tomorrow
On Wed, Oct 22, 2014 at 12:06 PM, Nathan Freitas nat...@freitas.net wrote: http://kb.mit.edu/confluence/pages/viewpage.action?pageId=152575577 Anonymity on the Go: The Possibilities and Problems of Tor on Mobile Devices This talk discusses what possibilities exist for communicating more freely on a mobile device. Will someone be taping this? If there's video can you point us to it after the talk. Thank you -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] List Administrivia
On Tue, Oct 14, 2014 at 2:21 PM, grarpamp grarp...@gmail.com wrote: Time to block this rambling spam. Thanks. On Mon, Oct 13, 2014 at 7:17 PM, Ben Healey chewy0...@hotmail.com wrote: Here's some thought I had. Physical Digital Encryption -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk Every time I read one of those e-mails I thought maybe that guy was just way way way over my head, or writing some kind of secret code or something. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] What should our 31c3 talk be?
On Mon, Sep 8, 2014 at 8:05 PM, Roger Dingledine a...@mit.edu wrote: I wonder what would be the most useful topic for this year? I've noticed some websites are blocking or treating Tor users differently, not always overtly, and while it may not be the most useful topic if that's a trend that's increasing it may be worthwhile to talk about it and what your organization is doing or can do about it. I tried to pay someone using a payment processor in Germany, and they kept denying my transactions but it was clearly automated and when I asked them about it they put the orders through manually and the same thing happened. I tried every payment method (credit card, wire transfer, money transfer services, paypal) through several different IP addresses using the Tor Browser just to see what would happen. I think the payment processor was cleverbridge. There was nothing saying Hey you're a Tor user you can't use this method, but any order originating from an IP address connected to Tor was not accepted. And they just wouldn't say it was due to Tor even though I explained to them that was probably what was happening since I'd already been through this with PayPal after they suspended my account for using Tor (PayPal had cited proxy services are against terms of use and I hadn't accessed any proxy except Tor). -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Performance
On Wed, Aug 13, 2014 at 3:20 PM, Martin S shieldf...@gmail.com wrote: I've set up a Tor and Privoxy chain for our organisation, especially for our courntry offices, of which some work in high risk countries. Pardon me asking this maybe it's obvious but why wouldn't you use an intranet VPN instead of Tor for your offices? You are using Tor to lower the risk of your offices how? -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] What are the PPTOR relays?
On Tue, Jul 8, 2014 at 5:32 AM, Roger Dingledine a...@mit.edu wrote: On Mon, Jul 07, 2014 at 10:07:35PM -0400, Soul Plane wrote: Among these relays, do you know which ones were part of your circuit? First hop: PPTOR0006 (Online) Second hop: PPTOR0014 (Online) It looks like PTOR0014 has the Unnamed flag. I wonder if Tor clients are disregarding it because it's not named by fingerprint in the descriptor, and because it has the Unnamed flag rather than the Named flag. Seems like a bug. Ok I filed it here: https://trac.torproject.org/projects/tor/ticket/12574#ticket -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] What are the PPTOR relays?
On Mon, Jul 7, 2014 at 1:34 PM, Philipp Winter p...@nymity.ch wrote: On Sun, Jul 06, 2014 at 10:57:18PM -0400, Soul Plane wrote: Last night I noticed my relay path was using two PPTOR relays. I don't know much about Tor but from what I've read I thought servers that are related are supposed to identify themselves as such. Just because two servers have similar names does not mean they are related though. Are those servers all run by the same person? Is there a way to tell if they are? Is that unusual or not? Thanks Tor's MyFamily option is used to announce that a set of relays is run by the same operator. Sometimes, relay operators fail to configure the option which could explain what you witnessed. At first glance, it looks like the PPTOR family correctly set the MyFamily option (using fingerprints and nicknames). See for example: https://atlas.torproject.org/#details/0C45FAE12326D376997F8A233A402A6B5BB25404 Among these relays, do you know which ones were part of your circuit? Yes: First hop: PPTOR0006 (Online) Location: Netherlands IP Address: 5.79.71.195 Bandwidth: 11.72 MB/s Uptime: 6 hours 49 mins 45 secs Last Updated: 2014-07-05 20:12:49 GMT Second hop: PPTOR0014 (Online) Location: Germany IP Address: 217.114.218.18 Bandwidth: 22.95 MB/s Uptime: 17 hours 27 mins 56 secs Last Updated: 2014-07-05 09:34:38 GMT I see both on the family list. I am using Tails 1.0.1 CD and it uses Tor version 0.2.4.22 (git-255243866bbf9365). Thanks -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] What are the PPTOR relays?
Last night I noticed my relay path was using two PPTOR relays. I don't know much about Tor but from what I've read I thought servers that are related are supposed to identify themselves as such. Just because two servers have similar names does not mean they are related though. Are those servers all run by the same person? Is there a way to tell if they are? Is that unusual or not? Thanks -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Case examples of people deanonymized while using Tor?
Thanks for the video. On your website there is another video Intro to Darknets: Tor and I2P Workshop. Is one part of the other or do they cover different material? On Tue, Jun 10, 2014 at 7:47 AM, Adrian Crenshaw irong...@irongeek.com wrote: Sorry, I forgot to come back to post this Dropping Docs On Darknets: How People Got Caught - Adrian Crenshaw http://www.irongeek.com/i.php?page=videos/showmecon2014/2-03-dropping-docs-on-darknets-how-people-got-caught-adrian-crenshaw It was also accepted at Defcon, but Defcon is a pretty geeky crowd and I should not have to spend as much time to explain how Tor works to them. What other things should I add? On Tue, Mar 25, 2014 at 11:43 AM, Артур Истомин art.is...@yandex.ru wrote: On Thu, Mar 20, 2014 at 09:16:46AM +, Adrian Crenshaw wrote: It will be public after ShowMeCon. Going to do a private one next week as practice. Can you paste link on talk here after ShowMeCon please? -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk -- The ability to quote is a serviceable substitute for wit. ~ W. Somerset Maugham The ability to Google can be a serviceable substitute for technical knowledge. ~ Adrian D. Crenshaw -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Small server, not much bandwidth
On Thu, Apr 10, 2014 at 1:57 PM, Roger Dingledine a...@mit.edu wrote: On Thu, Apr 10, 2014 at 06:24:00PM +0100, John Williams wrote: 3. If I run obfsproxy, should I open the regular tor port 9001 to the internet also? Or will that get me onto blacklists of known tor bridges and cause my whole IP address to be blocked? Alas, if you don't open the ORPort to the Internet also, your bridge won't find itself reachable, so it won't publish to the bridge directory authority, and so bridges.torproject.org won't give out your bridge address automatically: https://trac.torproject.org/projects/tor/ticket/7349 So it is fine to leave ORPort closed if you're giving the bridge address out manually, but if you want the automated system to do it, you need ORPort reachable. Fortunately, in practice China censors by IP:port, not by blacklisting the whole IP address, for now. Is there a list of the automated system's IP addresses that we can allow to reach that port and block everything else, as suggested in the bug? -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] CAPTCHA for getting bridges too strong
On Sun, Mar 30, 2014 at 12:58 AM, Артур Истомин art.is...@yandex.ru wrote: It is very strong. I was trying more than ten times and did not solve it. I am realy do not need bridges, but for those who need, this way getting bridges (through web page and CAPTCHA) is useless. Maybe they could do something like this instead: http://research.microsoft.com/en-us/um/redmond/projects/asirra/ -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Linux kernel transproxy packet leak (w/ repro case + workaround)
On Fri, Mar 28, 2014 at 5:34 PM, Mike Perry mikepe...@torproject.orgwrote: Here's a set of rules to try both --ctstate and --state invalid, as well as log which ones get hit, for testing purposes. Note the use of -A in this case, for readability wrt ordering. These rules should come before any other rule in the OUTPUT chain section of the firewall script you use: #iptables -A OUTPUT -m conntrack --ctstate INVALID -j LOG --log-prefix Transproxy ctstate leak blocked: --log-uid iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix Transproxy state leak blocked: --log-uid iptables -A OUTPUT -m state --state INVALID -j DROP iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j LOG --log-prefix Transproxy leak blocked: --log-uid iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j LOG --log-prefix Transproxy leak blocked: --log-uid iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j DROP iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j DROP It's likely only the first pair is needed, and you may want to comment out the --ctstate LOG line as I did to limit noise for successfully handled --ctstate INVALID DROP blocks. I did test this with the above repro method, and --ctstate INVALID did appear sufficient by itself, but reports of any --ctstate DROP rule bypass happening will be tremendously useful (which will result in the later LOG lines being hit, and sending output to 'dmesg'). I have an Ubuntu middlebox to torify. It uses TransListenAddress, TransPort. One interface accepts incoming traffic that will be torified. The connections to the tor network go out on the other interface which can access the internet unrestricted. I can't find the original directions I used to set it up. The Torbox page I have commented in my config now says it's been replaced by Whonix. I tried the wiki there but it doesn't load: http://sourceforge.net/p/whonix/wiki/ Does what you're saying apply to a setup like mine? Thanks -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Linux kernel transproxy packet leak (w/ repro case + workaround)
On Sat, Mar 29, 2014 at 12:59 PM, Patrick Schleizer adrela...@riseup.netwrote: Soul Plane: I have an Ubuntu middlebox to torify. It uses TransListenAddress, TransPort. One interface accepts incoming traffic that will be torified. The connections to the tor network go out on the other interface which can access the internet unrestricted. I can't find the original directions I used to set it up. The Torbox page I have commented in my config now says it's been replaced by Whonix. I tried the wiki there but it doesn't load: http://sourceforge.net/p/whonix/wiki/ Does what you're saying apply to a setup like mine? Thanks The TorBOX instructions project does no longer exist. Old instructions do still exist in torproject wiki history. Reviving them from wiki history will be tedious. The directions I used turned a normal Ubuntu 12.04 LTS with two network adapters into a tor middle box. It was a long time ago and I don't remember how I did it, but I had the torbox url commented in my config next to the transproxy option. I looked at the torbox url via internet archive (june 2012) but I can't find the directions I used. My iptables don't seem to have any entries. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Newbie with a bunch of questions for Tor Cloud
I would like to set up a Tor bridge in the Amazon cloud. I have read the project page at cloud.torproject.org and I think I can do this at little to no cost based on what I've read. Amazon just sent me a $50 credit because I signed up to AWS but never used it so maybe I can use that to cover any overages. Did anyone else get one of those coupons? More questions: Why is the only region available for the Tor images us-east virginia? I thought I could use the free tier in other places. Wouldn't it be better to vary the regions instead of sticking them all in one place? And also wouldn't it be better to vary the OS and images in case there is a vulnerability in one, the rest of the ecosystem using different OSs are ok? I read in Tor Weekly News today that the obfs3 protocol is vulnerable to active probing attacks and there is a replacement ScrambleSuit. If I setup the AWS Obfsproxy image now does that mean the Chinese can detect it and block it? Is that image obfs2 or 3 or both? Should I just wait until ScrambleSuit is supported, or can I modify the config file to only use ScrambleSuit, or is that not a good idea at this point? I don't want to run something that nobody is going to be able to use because governments can just detect it and block it. Is Tor obfuscation specifically more likely to come under attack from repressive governments? How is security handled. For example suppose there's a known vulnerability in Tor or Ubuntu does the server shut down until it's fixed and an update is available or does the server stay up and risk being hacked? Is there any notification sent to the AWS administrator in these cases? I would imagine even a small window is gold for some state run group to break in. How can I determine the integrity of the server and do I have any responsibility to do that? Do you guys who are running these instances in the Tor Cloud just set it and forget it or is there some oversight required? I would take an active role in securing the instance if necessary but I need to know what to do. What do you guys do? Has anyone here built their own Tor setup in EC2 similar to what Tor Cloud offers? Thanks -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Newbie with a bunch of questions for Tor Cloud
On Wed, Mar 19, 2014 at 6:01 PM, Runa A. Sandvik runa.sand...@gmail.comwrote: On Wed, Mar 19, 2014 at 9:05 PM, Soul Plane soulplan...@gmail.com wrote: More questions: Why is the only region available for the Tor images us-east virginia? I thought I could use the free tier in other places. Wouldn't it be better to vary the regions instead of sticking them all in one place? We initially had images in all regions, but due to a bug/issue (see https://trac.torproject.org/projects/tor/ticket/10318) I decided to temporarily remove all images except the ones in us-east-1. The goal is to bring back images for the other regions at some point. Thanks, I read the bug and the AWS thread and it looks like there is something wrong with the image copy process. If I wanted to setup in a location other than Virginia would I be able to use your build script to do that or would I run into the same image copy problem? Also I noticed in ec2-prep.sh you have: curl -m 5 http://169.254.169.254/latest/meta-data/reservation-id That address is invalid, what is the reservation id for? I read in Tor Weekly News today that the obfs3 protocol is vulnerable to active probing attacks and there is a replacement ScrambleSuit. If I setup the AWS Obfsproxy image now does that mean the Chinese can detect it and block it? Is that image obfs2 or 3 or both? Should I just wait until ScrambleSuit is supported, or can I modify the config file to only use ScrambleSuit, or is that not a good idea at this point? I don't want to run something that nobody is going to be able to use because governments can just detect it and block it. The current image is a standard bridge, an obfs2 bridge, and an obfs3 bridge. ScrambleSuit is not included. If you create an SSH key when setting up the instance, you can log on and change whatever you want. The Great Firewall of China blocks standard bridges and obfs2, but I believe it has yet to block obfs3. Ok so after I do a build if I want scramblesuit I change this line: ServerTransportPlugin obfs2,obfs3 exec /usr/bin/obfsproxy --managed to this: ServerTransportPlugin scramblesuit exec /usr/bin/obfsproxy --managed According to this here I need to update obfsproxy first? Is that relevant here? https://lists.torproject.org/pipermail/tor-relays/2014-February/003886.html Is Tor obfuscation specifically more likely to come under attack from repressive governments? More likely than what? Than regular tor bridges. Are obfs3 bridges special bridges that users in repressive countries are more likely to use because other bridges are blocked? Maybe I don't understand. How is security handled. For example suppose there's a known vulnerability in Tor or Ubuntu does the server shut down until it's fixed and an update is available or does the server stay up and risk being hacked? Is there any notification sent to the AWS administrator in these cases? I would imagine even a small window is gold for some state run group to break in. The server stays up and checks for regular package updates from Ubuntu. If someone were to break in, they would not learn anything more than if they had set up a bridge themselves. Ok. Let's say there was a security vulnerability being exploited in Tor bridges. Is there any warning from Tor staff? Like when there is one in Flash or Microsoft etc I will get a CERT or a security advisory saying xxx is being actively exploited, view such and such a page for more information. In those cases I will just turn off flash or run the fix it. How can I determine the integrity of the server and do I have any responsibility to do that? Do you guys who are running these instances in the Tor Cloud just set it and forget it or is there some oversight required? The Ubuntu image the Tor Cloud image is based off of is verified when the image is built. The Tor package is verified as it is installed (which happens within the first five minutes you boot the server for the very first time). Thanks I took a look at the script. I would take an active role in securing the instance if necessary but I need to know what to do. What do you guys do? The image has been configured to automatically check for package updates. In addition, it is recommended that you only open certain ports in the firewall (22 for SSH, plus 443, 40872 and 52176 for Tor). Is there any obfuscation benefit to using random ports, like changing 40872 to 1234 etc. Thanks -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] TorBrowser spoofed screen size?
I tried TBB 3.5.2 in Windows XP at 120 dpi and browserspy says I'm at 96. However I went to whatsmyip.org and clicked the 'more info' option and it shows what appears to be a unique browser resolution. I've never checked the resolution before so I don't know how it compares to earlier versions. There's a ticket about DPI here: https://trac.torproject.org/projects/tor/ticket/8076 If there is a thorough fingerprint page somewhere I would like to know what it is so I can see what information differs between clients. Aren't Tor Browser users supposed to look the same? On Wed, Mar 5, 2014 at 7:56 PM, Joe Btfsplk joebtfs...@gmx.com wrote: I'm sure I recently checked what screen size TBB (Windows) was giving out. Which ever version I checked it in, test sites did NOT show my actual monitor size. Now, in TBB 3.5.2, my actual screen size seems to show on several browser test sites. Even extracted TBB again, into clean folder re-checked. Still shows my *actual* screen size on test sites. I thought decision was made / implemented to report same screen size for everyone? This is a problem - for couple reasons, for me. IF... I set Windows system DPI slightly default of 96 (else it's too damn small), then w/o TBB properly spoofing screen size, sites will detect a size that's NEITHER the same as other TBB users, nor a standard size. Changing Windows' DPI setting will make my detected screen size an oddball size - that almost no one has. Anyone else notice TBB isn't spoofing a default screen size anymore, or have ideas why it isn't spoofing mine correctly? -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Security in Tor Browser related to Firefox ESR
Ok thanks. I checked the blog today and saw that 3.5.2 was released. I didn't get any announcement. Why not announce the releases through tor-announce? I'm subscribed to that but I didn't get any notice. Is there a list or RSS feed where just releases are announced? I don't want a lot of emails. I don't plan to stay subscribed to tor-talk (there are lots of things that just don't concern me) but for now I am and I didn't get a notice of the new release on this list either. On Thu, Feb 6, 2014 at 6:18 AM, Rick reru...@gmail.com wrote: On 02/06/2014 02:05 AM, Soul Plane wrote: Yesterday I received a security alert that Firefox ESR was updated to 24.3. http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html I am wondering if since Tor Browser is based on Firefox ESR it is now subject to security vulnerabilities? When you release the Tor Browser Bundle do you identify the version (24.2, 24.3,etc) of Firefox that it is based on? When Firefox patches vulnerabilities in the ESR product and makes a new release do you do the same? I took a look at the git for Tor Browser and I can't tell whether or not it integrates whatever changes are in Firefox 24.3. Thanks New releases are announced here and in the website blog. Changes are mentioned and a link to the changelog is provided. That shows that we've been in 24.2 since mid-December and 24.3 will appear with TBB 3.5.2, due for release within the next week or so (I presume). Are we 'now subject to security vulnerabilities'? Sure! And we'll be subject to the yet-unknown vulnerabilities of 24.3 when it's released in TBB. It's a work in progress. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Using Tor Browser without Tor?
Is it ok to use the Tor Browser without Tor? I don't need Tor but I like the privacy features that the browser offers. Recently I noticed that if the Tor Browser is used without Tor and is set to manual proxy, but there is no HTTP/HTTPS/SOCKS proxy, name lookups will fail. I filed it as a bug here: DNS lookup fails without proxy (TorBrowser without tor) https://trac.torproject.org/projects/tor/ticket/10808 But it was closed as not a bug. If the Tor Browser is able to be used without Tor would you consider that a bug? -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Security in Tor Browser related to Firefox ESR
Yesterday I received a security alert that Firefox ESR was updated to 24.3. http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html I am wondering if since Tor Browser is based on Firefox ESR it is now subject to security vulnerabilities? When you release the Tor Browser Bundle do you identify the version (24.2, 24.3,etc) of Firefox that it is based on? When Firefox patches vulnerabilities in the ESR product and makes a new release do you do the same? I took a look at the git for Tor Browser and I can't tell whether or not it integrates whatever changes are in Firefox 24.3. Thanks -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk