Re: [tor-talk] Don't use Google as default search in Tor Browser?
On 11/06/2011 03:05 PM, Julian Yon wrote: Personally I use DDG, partly because of privacy concerns and partly because I don't like the new-look Google. You can always do a Google search through DDG or Scroogle if you're feeling paranoid. DuckDuckGo's !bang queries are just redirects. You'll be sent to the normal Google page by using it. (Or the SSL page, depending on your settings.) signature.asc Description: OpenPGP digital signature ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] German police keylogger analysis (and the effects on Tor are....?)
On Thu, 2011-10-13 at 17:05 +0200, Andreas Bader wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 13.10.2011 14:02, Karsten N. wrote: Am 13.10.2011 08:39, schrieb William Wrightman: Is moving to Linux one solution? I agree with Adrew, there is no 100% solution. But you can do as much as possible to increase your security. Moving to Linux (or OpenBSD ;-) ) is one step. Full disk encryption is possible. For Debian or Ubuntu you can enable full disk encryption at installation time. It does not need any additional software. (I am not sure about other distributions.) For WIN you may use Truecrypt or Diskcryptor or other software for full disk encryption. Since version 6.1 Truecrypt can use hardware tokens together with pass-phrases. Live-CDs are a possible solution too. You may apply many steps and it will be better than doing nothing because you can not get 100% security. Best regards Karsten N. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk Hello, I read lots of articles and analysis about the ?Bundestrojaner? (that´s how the german keylogger is called here). It seems like you don´t have to worry. It is more a virus construction kit than a virus. In accordance with the Chaos Computer Club they´ll need about 10 experts working 5 months just to develop and adapt one keylogger. It makes also sense to install one Linux Distribution. I use Ubuntu 11.04 on my second notebook, fully encrypted (can be choosen while the installation, just choose the ?alternate disc? to download). It is much more faster, more secure and just better then Win7. If you have to use Windows 7, try the Truecrypt Preeboot encryption. It is open source software and pretty authentic. With Truecrypt, you can also encrypt external drives. The most important part of the whole encryption thing is the password, choose it as long as possible. The only possibility to crack such an encryption is bruteforce, and using a long password will destroy this chance. So far. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBAgAGBQJOlv42AAoJEL7Y0QyTZ3lX5kMH/3kC0mNS+tReib2FnJgtmcpM MB0VsVwgpQMegr3CCaYKmSUfTYmeo6jzeo7YgTe2QQQKhyX1ZTbcISQ9CXexDSf6 ddIruIXVIaUEZ1qNm5TmyCqmGS12zQ8oYmWa0R4tVrgVg8vtExa/gySjq1AobBZT 9g2o02T8nBGCmppsc35DzJlheyl30W2bMl31AyrXWlJ6pHPoroEQ2uSiPe80Ea4T 14++EWByU2AXzWGVHm0kTqSQrwNseOj4O56/zXQMpbssIcilhIDOwB5FyIYREj/v 2HieResVuP35H87nmo+jIi/abLSm94YPbvRiwDM5Empvh1CfbzvgGwKvMbL3LdU= =Q2Gt -END PGP SIGNATURE- Though always a good idea, encryption doesn't protect against trojans. It may have limited effectiveness against incompetent attackers physically tampering with your system. signature.asc Description: This is a digitally signed message part ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Ideas to securely implement PGP encryption/decryption
On Tue, 2011-10-11 at 13:37 -0700, Mike Perry wrote: Thus spake Moritz Bartl (mor...@torservers.net): On 11.10.2011 04:07, Mike Perry wrote: At the moment, I cannot think of any attack vectors once you combine it with enabled Torbutton (or a stripped down Tor Browser) where active scripting/access to the DOM is disabled completely. Actually, these attacks are generally prohibited by strong isolation between the content script and the XUL script. In XUL, you can read the ciphertext, extract it, decrypt it, and display it in a protected XUL window without introducing risk, IF all steps are done properly. I was thinking of the obvious interaction a user expects for encryption of plaintext data: I type data into a web form, when I am done I execute the encrypt command. I don't see how you can isolate web forms in the DOM in a way that it cannot be read in between typing and encrypting the data. Yes, good to clarify. I was assuming that all encryption and decryption UI would be 100% independent of the normal content window, aside from perhaps a context menu (though even that is prone to deception issues and clickjacking). The UI should not provide a way to encrypt text that has already been typed into a form. Even non-malicious JS can screw you for that user model. For example, Gmail will save plaintext drafts of your email periodically just in case, which will defeat the purpose of the addon entirely. The UI should open an alternate XUL window for user input using a context menu or toolbar button, and should instruct users not to type sensitive plaintext into existing form boxes prior to use of the XUL window. Lots of tough UI issues to solve on the encryption side, it seems. Perhaps almost as tricky as safely handling the potential hostile input and safely displaying the output for the decryption side. In theory, it should be possible to prevent JavaScript from reading the content of decrypted or not-yet-encrypted messages. There are a few barriers to this approach, but they should be surmountable: - The user would need to indicate that they were going to encrypt the contents of a text field *before* they did so. - JavaScript on the page mustn't be able to interact with the data in any way. This would, for example, prevent things like editing buttons, GMail's auto-saving, and auto-resizing of text areas. - When decrypting data, the size of the text in the decrypted area will change. Since JavaScript can query positions and such, it may be difficult to prevent the length of the message from leaking. Of course, it might be possible to do everything in a new window, which would prevent all of these things, but that would be detrimental to the user experience. Also, does anyone know if Firefox even has the necessary APIs to prevent malicious pages from doing these things? signature.asc Description: This is a digitally signed message part ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Banned from IRC. Is there a work-around?
On Thu, 2011-06-09 at 11:33 -0500, David Carlson wrote: On 6/9/2011 10:11 AM, Jon wrote: On Thu, Jun 9, 2011 at 9:41 AM, David Carlson carlson...@sbcglobal.net wrote: Hi, I just tried to access a few IRC channels on a couple of different IRC servers (gnone.org, gimp.org, and their associates)and they all are giving me this same message: *** Banned: Open proxy or TOR (auto-detected tor-irc.dnsbl.oftc.net; pre-join gline) (2011/06/09 16.07) as well as being G-Lined (whatever that means) I think that I succeeded in attaching to irc.oftc.net so now I want to ask someone there about this but I got lost in the Tor documentation and I do not know what conversation to join there, so I am trying tor-talk. It appears that I am banned because either my IP Address or the address of whichever exit node might be delivering my traffic is 'on the list' Originally, Pidgin was configured to use the default connection configuration, but I re-configured it to use socks5 Host 127.0.0.1 port 9050 and I get the same result. ___ From my IRC experience's, unfortunately on the majority of the published IRC networks, Tor IP address have been banned. You may get logged in to the server, but generally, you will get klined or even glined in a few minutes. ( the gline and kline are just a different type of network ban ) This may vary from net work to net work and I have seen some actually get thru and stay logged in. Obviously the Tor's channel on the IRC network they are on as far as I know they have no issues with the proxy's If your looking for a IRC network to use Tor, you may have to just go thru the posted listing of networks and see which ones let you in. Sometimes it is also a hit and miss. Gud luck ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk I want to join a channel on irc.gimp.org by whatever means works, using Tor or not. Further investigation has gotten me to the point that I should somehow e-mail the administrator of irc.gimp.org and ask him/her about alternatives. However, I have not been able to find his/her e-mail address. It is not available on the gimp.org website. Is there a way to use whois or some means to get that information? ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk $ whois gimp.org | egrep '^Registrant (Name|Email)' Registrant Name:Shawn Amundson Registrant Email:sta-uhwkd...@gui.org signature.asc Description: This is a digitally signed message part ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Content-Security-Policy
On Thu, 2011-05-19 at 16:39 +0100, t...@lists.grepular.com wrote: Hi, I don't know if this is something we should be concerned about, but I thought I'd bring it to your attention anyway. Firefox 4 implements Content-Security-Policy: https://wiki.mozilla.org/Security/CSP/Specification It allows website owners to send a HTTP response header containing a policy about what the page is allowed to do. Ie, is it allowed to fetch images from a different domain? Is it allowed to include inline javascript? etc... One of the features of Content-Security-Policy is that you can refer to a URI in the response header which is used for reporting violations. If the browser detects that the page is trying to violate one of its conditions (eg by linking to a remote image), it will then POST data about that violation to the report URI. The data that it POSTs is a blob of JSON. One of the things included in that JSON is the full set of request headers that the browser used when requesting the page that lead to the violation. It's my understanding that people use proxys like Privoxy to sanitise and strip HTTP headers. Using this Content-Security-Policy reporting method could allow a website owner to cause the users browser to package up the headers in a nice blob of JSON, and then POST them back to the server, bypassing any header sanitising. You can put Content-Security-Policy in report only mode, so it would be completely transparent to the end user. Worth addressing? While people do use proxies to sanitize HTTP headers, they shouldn't. These kind of proxies provide no real protection, as HTTPS requests bypass them, and most of that information is available via JavaScript anyway. signature.asc Description: This is a digitally signed message part ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] How to select the path using the weights?
On Thu, 2011-05-12 at 21:42 -0400, Lu Yu wrote: I know how these weights (Wgg, Wgm .) are calculated. But then what? How to choose the path using the weights? My understanding is to calculate the weighted sum of the bandwidth of each possible circuits (Isn't the computation too much?). And then choose the path with the maximum bandwidth (Then every one would choose the same path)? Or using the bandwidth to build some probability distribution? I am totally confused. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk The bandwidths are used to build a probability distribution. signature.asc Description: This is a digitally signed message part ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] anonymous surveys via Tor?
On Wed, 2011-05-04 at 22:31 +0200, Moritz Bartl wrote: Hi, On 04.05.2011 22:11, Fabio Pietrosanti (naif) wrote: It would be possible to remove X-Forwarded-For from tor2web proxy: * At apache mod_proxy_http level with a code patch: http://blog.basteagow.com/2011/04/02/mod_proxy_http-disable-x-forwarded-headers/ Or better do it at polipo level with CensorHeader: http://www.pps.jussieu.fr/~jch/software/polipo/polipo.html#Censoring-headers I vouch for removal of X-Forwarded-For and a new header for sites to detect tor2web users (regardless of IP). You can also detect Tor2Web users through the use of JavaScript: if ( document.location.host.match(/\.tor2web\.org$/) ) { alert(mikeperry not detected!); } signature.asc Description: This is a digitally signed message part ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Duda pregunta por favor
On Sat, 2 Apr 2011 13:49:15 -0400 Kragen Javier Sitaker kra...@canonical.org wrote: On Fri, Apr 01, 2011 at 09:35:00AM -0600, Pablo Velo de Swaan wrote: oigan tengo entendido que la última version del tor button es la 1.2.5. pero no es compatible con mozila firefox 4. Bueno, esperemos 1 añito a que estos pendejos de vidalia saquen una versión más actualizada que sea compatible ... Translation: Listen, I guess the latest version of TorButton is 1.2.5. But it's not compatible with MOzilla Firefox 4. Well, do we wait a year for those Vidalia motherfuckers to release a more up-to-date version that's compatible Translation of subject: Question, please I note that the only question I can find in the text seems to be rhetorical. Should future Spanish-speakers run their text through Google Translate before posting it (with the Spanish version appended, perhaps, to clear up ambiguities and translation errors)? Or should we just exclude them from participating in the list? Kragen ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk It seems perfectly reasonable to me to allow Spanish messages on the list; I'm sure there are quite a few people here who speak Spanish. That said, this particular message was nothing more than an irrelevant flame, which, I thought, was better left untranslated. -- Please use encryption. My PGP key ID is E51DFE2C. signature.asc Description: PGP signature ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk