[tor-talk] Warning to TorBirdy users: system language leak in replies (via authorwrote line)

2014-10-19 Thread tagnaq

Due to a change in Thunderbird's handling of the
reply_header_authorwrote prefs [1], TorBirdy users who use
Thunderbird 31 and later leak their system language to the recipients*
of reply messages.

Usual TorBirdy quoting behaviour when composing a reply looks like
this (the author name is not followed by 'wrote'):

John Doe:
 .


Leak ('wrote' in the case of an English system) introduced with newer
Thunderbird versions:

John Doe wrote:
 .


Whether the system language is actually leaked depends on the content
of the email body. If the sender (you) manually removes the entire text
in the composing window, the authorwrote line is not included and
no leak occurs.

*) If the message has not been end-to-end encrypted this leak is not
limited to the intended recipients.

Workaround
--

Until TorBirdy is ready for Thunderbird versions >= 31, affected users
may set the following preference to avoid this leak:

mailnews.reply_header_authorwrotesingle = #1:


[1]
https://bugzilla.mozilla.org/show_bug.cgi?id=1009585
https://bugzilla.mozilla.org/show_bug.cgi?id=995797

[2] https://trac.torproject.org/projects/tor/ticket/13480

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] TorBirdy doesn't work with Gmail?

2013-09-11 Thread tagnaq


Google locked my gmail account for the last ~24 hours.
I was not asked to change my password or to provide a phone number.
Message on web signin:

Sorry, we can't process your request right now
For security reasons, Google may sometimes deny logins in cases where
we believe the account's password could have been stolen. [...]

After trying a few web signins I was asked to change my password and
regained access.

The usual 'Suspicious sign in prevented' email arrived.

Exit relay:
https://atlas.torproject.org/#details/EB5CCD5FA868637289F426C133DC924A64D5E769

Is google only using the source IP address as input for its 'bad-guys'
detection or is it also taking other things into account (like user
agent)?

I finally decided to switch to another email provider; this is my
new email address:
bm-2d8suxrlhg2k6h4t4tcsgrnejqazpxh...@bitmessage.ch
Please do not use tag...@gmail.com anymore - thanks.

OK, while typing this email my gmail account got locked again, so
this email is coming from my new email address already.
You may verify the authenticity of this claim by verifying the GPG
signature of the attachment (it is signed with the key I used to sign
all my mails with).

regards,
tagnaq


Hi, 

this is my new email address:
bm-2d8suxrlhg2k6h4t4tcsgrnejqazpxh...@bitmessage.ch

I'm no longer able to read emails going to tag...@gmail.com (please do not use 
that email address anymore).

thanks,
tagnaq


Re: [tor-talk] TorBirdy doesn't work with Gmail?

2013-09-10 Thread tagnaq

> Actually, re-reading this thread I recall that tagnaq suggested
> just disabling the risk analysis entirely once we see a successful
> Tor login.

Yes, and I still believe this is the best option, because even with
the best possible 'tor exit IP list generator' implementation you
will get false negatives [1].

[1] https://lists.torproject.org/pipermail/tor-talk/2013-June/028411.html

> I've CCd Daniel Margolis who still works on this system (I moved on
> to other things).
>
> Daniel, what do you think?
>
> (note that you may have to sign up to the public tor-talk list to
> reply-all successfully)



Re: [tor-talk] TorBirdy doesn't work with Gmail?

2013-09-09 Thread tagnaq

> I no longer work on this system but I forwarded your mail to
> someone who does.

We still get 'Suspicious sign in prevented' emails:

The following relay was used:

https://atlas.torproject.org/#details/EFAAC1D98176AAD94B1D16E868F51DFBD6BC8CB0

Note: The relay has no 'exit' flag (not fulfilling the minimum
requirements for that), but still allows exiting on certain ports.

Thank you for forwarding this email to the relevant people.

Would be great if they could share a timeline on when this issue will
finally be fixed (if at all) - thanks!





[tor-talk] The reasoning behind the 'exit' flag definition

2013-09-09 Thread tagnaq

Hi,

I'd like to understand why the exit flag is defined as it is.

The current definition can be found in the directory spec [1]:


Exit -- A router is called an 'Exit' iff it allows exits to at
   least two of the ports 80, 443, and 6667 and allows exits to at
   least one /8 address space.


I assume the exit flag was meant to be used by tor clients only [2]
because destination ports 80/443 are probably amongst the most
frequently accessed services, but it was then (mis)used to generate
(inaccurate) 'Tor exit IP address lists' (?).

This means that there is no way to tell if a relay actually allows
exiting (any) traffic simply by looking at relay flags. To actually
tell you would have to parse exit policies.

I think this is the main reason why people trying to handle the 'is a
tor user' case are having a hard time.

Here are two examples why this negatively affects tor and non-tor users:

1) Non-Tor users are banned from accessing certain services when they
share their IP address with a non-exit relay. Admins start to block
*all* tor relay IP addresses (even non-exit ones) once they realize
that relays without the 'exit' flag might also allow exiting to their
services.

2) I'm regularly banned from accessing my gmail account when using tor
because google blocks my access to its services if I'm appearing to
have a *non*-tor IP address [3] (this is the direct inversion of 1).


Which one of the following proposals would be more likely to be
accepted by the Tor Project (if any at all):

- change the definition of the 'exit' flag to include all nodes that
allow *any* exiting traffic.

- introduce a new flag that is set on all relays allowing *any* exit
traffic (leaving the current definition of the 'exit' flag unchanged)

As an alternative, better tools to create 'tor exit lists', as
suggested in [4] and [5], might also do the job. Is someone aware of a
tool that implements something like that already?

Something along the lines of:

./get-tor-exits [relay-IP] target-service-IP[/mask][:port],...

output: boolean if relay-IP is given,
if no relay IP was given: print a list of all relay IP addresses that
would allow accessing (any) service in the target IP (range).

(similar to what exonerator does already)

thanks!


[1]
https://gitweb.torproject.org/torspec.git?a=blob_plain;hb=HEAD;f=dir-spec.txt

[2]
https://gitweb.torproject.org/torspec.git?a=blob_plain;hb=HEAD;f=path-spec.txt


[3]
https://lists.torproject.org/pipermail/tor-talk/2013-September/029975.html
https://lists.torproject.org/pipermail/tor-talk/2013-September/029981.html

[4]
https://lists.torproject.org/pipermail/tor-talk/2013-September/029988.html
[5]
https://lists.torproject.org/pipermail/tor-talk/2013-September/029986.html



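An added example (not code from this thread or from Tor) of the checks the post above sketches: it parses IPv4 exit-policy lines in the accept/reject format the dir-spec uses, answers the get-tor-exits question for a target host or range and port, and applies the quoted 'Exit' flag definition. The sample policies are constructed; reading "at least one /8 address space" as a whole /8 whose addresses all reach the port, skipping accept6/reject6 lines, and treating traffic no rule matches as rejected are my assumptions.

```python
"""Exit-policy checks in the spirit of the 'get-tor-exits' sketch and the
dir-spec 'Exit' flag definition. Added example, IPv4 only."""
import ipaddress
from dataclasses import dataclass

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    accept: bool
    network: IPv4Net        # '*' is stored as 0.0.0.0/0
    port_lo: int
    port_hi: int


def parse_policy(lines):
    """Parse 'accept|reject ADDR[/MASK]:PORT|LO-HI|*' lines into Rules, in order.
    accept6/reject6 lines are skipped (assumption: IPv4-only view)."""
    rules = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(("accept6", "reject6")):
            continue
        action, _, target = line.partition(" ")
        if action not in ("accept", "reject"):
            raise ValueError(f"unknown policy action in {line!r}")
        addr, _, ports = target.rpartition(":")
        network = IPv4Net("0.0.0.0/0") if addr == "*" else IPv4Net(addr, strict=False)
        if ports == "*":
            lo, hi = 1, 65535
        elif "-" in ports:
            lo, hi = (int(p) for p in ports.split("-", 1))
        else:
            lo = hi = int(ports)
        rules.append(Rule(action == "accept", network, lo, hi))
    return rules


def outcomes(rules, network, port):
    """Set of first-match decisions (True=accept, False=reject) the policy
    reaches for `port` across all addresses in `network`. No enumeration:
    each matching rule subtracts its range from the still-undecided part."""
    seen = set()
    undecided = [network]
    for r in rules:
        if not undecided:
            break
        if not (r.port_lo <= port <= r.port_hi):
            continue
        remaining = []
        for u in undecided:
            if not u.overlaps(r.network):
                remaining.append(u)
                continue
            seen.add(r.accept)
            if not u.subnet_of(r.network):      # rule covers only part of u
                remaining.extend(u.address_exclude(r.network))
        undecided = remaining
    if undecided:                               # assumption: unmatched => reject
        seen.add(False)
    return seen


def allows_exit(rules, ip, port):
    """Boolean answer for one relay and one target host:port."""
    return outcomes(rules, IPv4Net(f"{ip}/32"), port) == {True}


def relay_can_reach(rules, target, port):
    """Could *any* address in `target` (host or CIDR) be reached on `port`?"""
    return True in outcomes(rules, IPv4Net(target, strict=False), port)


def has_exit_flag(rules):
    """dir-spec wording: exits to at least two of ports 80, 443, 6667 and to
    at least one /8. Assumed reading: a port counts when some whole /8 is
    accepted on it (every address of that /8 reaches the port)."""
    good_ports = sum(
        1 for port in (80, 443, 6667)
        if any(outcomes(rules, IPv4Net(f"{i}.0.0.0/8"), port) == {True} for i in range(256))
    )
    return good_ports >= 2


def find_exits(relays, target, port):
    """Relay names (name -> policy lines) that could exit to target:port,
    whether or not they would carry the 'Exit' flag."""
    return sorted(n for n, lines in relays.items()
                  if relay_can_reach(parse_policy(lines), target, port))


# Constructed sample policies (not real relays).
SAMPLE_RELAYS = {
    # Mail ports only: no 'Exit' flag, yet it can exit to IMAPS/POP3S.
    "mail-only": ["reject 0.0.0.0/8:*", "reject 10.0.0.0/8:*",
                  "accept *:993", "accept *:995", "accept *:6667", "reject *:*"],
    # Typical web exit: earns the flag via ports 80 and 443.
    "web-exit": ["reject 0.0.0.0/8:*", "reject *:25",
                 "accept *:80", "accept *:443", "reject *:*"],
}

if __name__ == "__main__":
    for name, lines in SAMPLE_RELAYS.items():
        print(f"{name}: Exit flag = {has_exit_flag(parse_policy(lines))}")
    print("relays able to reach 203.0.113.0/24:993 ->",
          find_exits(SAMPLE_RELAYS, "203.0.113.0/24", 993))
```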


Re: [tor-talk] TorBirdy doesn't work with Gmail?

2013-09-09 Thread tagnaq

> It'd be better to find out why nodes that are exiting traffic don't
> get marked as exits. Looking at that relay, it seems it doesn't
> allow web traffic, but some ports are allowed. Perhaps the
> suspicious sign-in in question wasn't a web signin?

Correct, it wasn't a web-signin.

> What would be really useful not just for Google but I suppose the
> entire internet community, would be a simple runnable tool that
> would take a set of host/port-range pairs and identify any node
> with a compatible exit policy. Then we could find any node that
> could potentially exit traffic towards our servers.

I started a thread for it here:
https://lists.torproject.org/pipermail/tor-talk/2013-September/029992.html


Re: [tor-talk] The reasoning behind the 'exit' flag definition

2013-09-09 Thread tagnaq

>> I assume the exit flag was meant to be used by tor clients only
>> [2] because destination port 80/443 are probably amongst the
>> most frequently accessed services, but was then (mis)used to
>> generate (inaccurate) 'Tor exit IP address lists' (?).
>
> Does anybody actually do that?

I suppose that's how [1] is generated (Olaf in CC).

I would even suggest removing it from the site if [1] is purely
generated based on the 'exit' flag.

[1] http://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv


>> As an alternative, better tools to create 'tor exit lists' as
>> suggested in [4] and [5], might also do the job. Is someone aware
>> of a tool that implements something like that already?
>
> You don't like
> https://check.torproject.org/cgi-bin/TorBulkExitList.py ?

Great. I think this should get them started - thanks.

https://svn.torproject.org/svn/check/trunk/cgi-bin/TorBulkExitList.py
https://gitweb.torproject.org/tor.git/blob/HEAD:/contrib/exitlist



Re: [tor-talk] Email Clients and Tor

2013-09-02 Thread tagnaq

> I have an email client (Sylpheed) that I use to download email from
> gmail and others.
>
> Can this be configured to send/receive through the Tor network?
> Where would I find information on doing this, assuming it can be
> done?

Depending on your threat model and use case, simply routing program X
through tor might not be what you actually want.

You used 'email client' in the plural form in the subject so I assume
you are also asking for other email clients?

You might want to use Thunderbird with Torbirdy?
https://addons.mozilla.org/en/thunderbird/addon/torbirdy/

https://trac.torproject.org/projects/tor/wiki/torbirdy#KnownTorBirdyIssues


Re: [tor-talk] TorBirdy question

2013-08-15 Thread tagnaq

> I'll wait for the update, hopefully it'll come with the option to
> configure the Tor port,

Well, that option is already there in Torbirdy's preferences.

What will probably change is the default SOCKSPort Torbirdy tries
to connect to out of the box.


Re: [tor-talk] TorBirdy question

2013-08-14 Thread tagnaq

> I recently stop using TBB in order to use a Vidalia relay, the
> problem is that TorBirdy uses the 9150 port to connect to Tor (the
> port that uses with TBB), and the relay uses the 9050. I tried to
> change in the config editor the value
> extensions.torbirdy.restore.network.proxy.socks_port;9150 to
> 9050, but it didn't connect to Tor in the end, I changed the
> TorBirdy preferences, from recommended proxy settings to
> custom..., using the 9050 port. Is there any way to change for
> real the port to TorBirdy in the config editor?

Why would you want to change it there? (and not via the gui)

You have two possibilities:
1) add the following line to your torrc to get an additional SOCKSPort:
SOCKSPort 9150

or

2) Go to TorBirdy's Proxy Settings and choose 'Use custom proxy settings'
(this is what you did and I suppose it works)


We are aware of the issue and this will change in the future.
https://trac.torproject.org/projects/tor/ticket/9395


Re: [tor-talk] TorBirdy patches for Mozilla Thunderbird

2013-07-30 Thread tagnaq

> In all fairness, I agree with Mark Banner's comments that setting
> a custom message-ID using the current approach can easily break
> things if the extension doing so is not careful about it.
>
> That being said, the only way to take this forward is to resume
> the discussion with Mozilla and ask them their preferred way of
> getting this done, so that we can work on the patches accordingly;
> we will be doing this soon.

I would suggest working on/discussing the harder part (date header)
first. Getting the message-id modification accepted might be easier,
but if the date header remains, the message-id modification did not
gain anything (and vice versa: a date header fix without the msg-id
fix doesn't solve the problem either).

Before starting the discussion with Mozilla, I'd like to get some hard
facts by testing the no-date-header patch on a broad range of different
freemailers and MTAs run by ISPs having a significant market share
(this requires volunteers actually sending emails from their accounts
without date header).

If we run into MSA setups where emails without date header cause
problems (the MSA doesn't insert the date header for us) we have to
analyze this in detail. Ideally by contacting the operator. (Not an
easy task.)

One item on the task list is to make it easy for volunteers to
contribute test cases (send test emails without a date header).
Volunteers should not be required to patch and recompile Thunderbird
to send test emails (a simple script would probably do the job).

My underlying assumption is:
As long as our patch breaks email (for some users) Mozilla will not
accept our patch (even if our patch does not change the default date
header at all - users would have to opt-in via TorBirdy).

So the first question I'd like to answer is:
Would our date patch break mail for some users?
(Currently we can answer this question for the main freemailers only.)

If so: How big is 'some'?
Why does it break?


todo:
1) create a script to send no-date-header test emails
2) set up a wiki page to collect test data
3) ask volunteers to contribute







Re: [tor-talk] TorBirdy doesn't work with Gmail?

2013-07-05 Thread tagnaq

> Thanks for the explanation. For now we're in the middle of
> including the blutmagie list. But yes, switching off the entire
> system if there's evidence of recent Tor usage is an alternative
> approach we should consider.

In case you are trying to improve the system to prevent false
positives and need some feedback:

I still get 'Suspicious sign in prevented' emails (4 in the last
month) and was forced to change the password - but luckily I still
have access to my account.

Gmail blocked access when coming from ~8 different IP addresses, all
of which were tor relay IPs (verified via metrics.torproject.org).
I suppose you can see the IP addresses in my account history in case
you need them for debugging purposes.

If I should direct these emails to someone else let me know - thanks.


Re: [tor-talk] TorBirdy doesn't work with Gmail?

2013-06-01 Thread tagnaq

Hello Mike,

> I work for Google as TL of the account security system that is
> blocking your access.
>
> Access to Google accounts via Tor (or any anonymizing proxy
> service) is not allowed unless you have established a track record
> of using those services beforehand. You have several ways to do
> that:
>
> 1) With Tor active, log in via the web and answer a security quiz,
> if any is presented. You may need to receive a code on your phone.
> If you don't have a phone number on the account the access may be
> denied.
>
> 2) Log in via the web without Tor, then activate Tor and log in
> again WITHOUT clearing cookies. The GAPS cookie on your browser is
> a large random number that acts as a second factor and will
> whitelist your access.
>
> Once we see that your account has a track record of being
> successfully accessed via Tor the security checks are relaxed and
> you should be able to use TorBirdy.

thank you for providing this information on this mailing list - really
appreciated.

I have been using Tor to fetch and send emails for quite some time but
never reached the point where I stopped getting 'Suspicious sign in
prevented' emails from google.
I got used to it and occasionally verified whether the IP address in
question was an exit node at the given time.

Yesterday google decided to lock my account (not the first time) even
though I used your described procedure (2) a while ago and hoped that
I should be fine now.

Did google revisit its procedures, or is this expected behaviour even
after following your described procedure (2) and with relaxed
security checks?

As several times before - I was able to unlock my account answering
the security question, but this is becoming a continuous burden.

kind regards,
tagnaq




[tor-talk] unable to create bitmessage forum account via Tor

2013-04-02 Thread tagnaq

Hi Jonathan,
(CC tor-talk)

thanks for your work on bitmessage.
I reviewed your papers and wanted to give you some feedback and
suggestions (problems we try to prevent in torbirdy [1]) in your forum
at [2], but I was unable to do so (the forum thinks I'm a spammer [3]).

I didn't want to send my feedback via direct email because I wanted to
have an open discussion.

It would be great if you could allow me (and others) to create a forum
account via Tor.

thanks!

btw: is there a bitmessage pseudo-mailing list about bitmessage?
(besides announce)




[1] https://trac.torproject.org/projects/tor/wiki/torbirdy
[2] https://bitmessage.org/forum
[3] The user tagnaq with Email tag...@gmail.com (IP tor exit ip) is
a Spam, please contact forum administrator.


Re: [tor-talk] upgrading procedure for TBB

2012-11-24 Thread tagnaq

> 1.1K bytes in 24 lines about:
>> Thnx for responding so quickly!... To make sure I understand
>> perfectly well and don't screw anything up!... I delete the ENTIRE
>> tor bundle file off my computer then just download and extract new
>> one and DO NOT just download new file on top of old one!... Is that
>> correct! Thanks again for ur help!...
>
> Here's what I just did to update my virtual machine with Tor
> Browser:
>
> 1. gpg --verify tor-browser-gnu-linux-x86_64-2.2.39-5-dev-en-US.tar.gz.asc
> 2. rm -rf tor-browser_en-US/

I'm surprised to see this 'rm -rf' command in a recommendation. I
thought you recommended just unpacking the tar file to preserve
bookmarks. Does that alternative approach ('tar xzf' without a prior
'rm -rf') have negative side effects?



Re: [tor-talk] Tor 0.2.3.25 is out

2012-11-24 Thread tagnaq

Hi,

great to see the first Tor 0.2.3 stable release!

Maybe we can reach the point where the line for 0.2.3 relays crosses
the line for 0.2.2 relays in the 'relays by version' - graph [1]
earlier with announcements via additional channels:

- https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-announce
- https://blog.torproject.org/
- https://twitter.com/#!/torproject

[1] https://metrics.torproject.org/network.html#versions




Re: [tor-talk] TorBirdy GnuPG version curl-shim?

2012-10-07 Thread tagnaq

> gpgkeys: curl version = GnuPG curl-shim



I suppose this is not a curl version that supports socks, Jake saw the
same [1].

For more background and test cases see:
[1] https://trac.torproject.org/projects/tor/ticket/6940
https://trac.torproject.org/projects/tor/ticket/2846
http://lists.gnupg.org/pipermail/gnupg-devel/2012-September/026923.html


Re: [tor-talk] Testing Documentation for TorBirdy

2012-10-06 Thread tagnaq

Hi antispam06,

> Sukhbir, could you make a small tutorial on how to test TorBirdy?
> I'm willing to create one or two free accounts via TBB and do the
> checking, but I have no idea how.

thanks for your offer to test TorBirdy. What are you aiming for exactly?

a) Do you aim to test TorBirdy's features and ensure they are working
as they should (like regression tests before releasing new version)
or
b) Do you want to test a TorBirdy setup and find yet unknown leaks?

For (a), a detailed feature list with expected behaviour should be
enough for you to build test cases; such a list does not exist yet but
we will build it.

If you want to go into the direction of (b) you might want to have a
look at bit.ly/qDZm7C (chapters 3.1 and 3.3) and analyze parts of
Thunderbird that were not in scope back then (for example the new chat
feature, which I really dislike having in Thunderbird).


To cover (a) the following ticket has been created:
https://trac.torproject.org/projects/tor/ticket/7060








Re: [tor-talk] Debian Repository GPG Key

2012-08-28 Thread tagnaq

> How do I get the public key?

https://www.torproject.org/docs/debian.html.en#ubuntu


Re: [tor-talk] [Advanced configuration troubleshooting] Exit node slowed way down

2012-08-23 Thread tagnaq

[breaking the thread as it didn't seem to be related to Robin's]

> For a visual, you can see how it just sort of gave up on life
> around the beginning of August here (although some of that is
> accounted by extra tor instances cannibalizing stats):
>
> https://atlas.torproject.org/#details/88984E7F8DDB702644660E10A5C7019FA80B8AFF

Did you have a look at the advertised bandwidth fraction graphs?
(It dropped from 0.7% to under 0.2% around the 1st of August.)


These relays (00Teh0Signul00, 00T3h0Signul00, 00Teh0S1gnul00)
currently do not have the stable flag.




Re: [tor-talk] [Advanced configuration troubleshooting] Exit node slowed way down

2012-08-23 Thread tagnaq

> 3) I'm not sure where to view the advertised bandwidth graph
>
> https://atlas.torproject.org/#details/88984E7F8DDB702644660E10A5C7019FA80B8AFF

Scroll down until you see the graphs with red, green, yellow and blue
lines.


Re: [tor-talk] End-to-end correlation for fun and profit

2012-08-22 Thread tagnaq

> Manually, using WHOIS and traceroute. This can be done
> automatically using GeoIP, but I wanted to be sure in the results
> (also visited some hosting sites), and writing a proper program
> would deviate too much from the initially intended "quick hack"
> design.

tor-relay-stats.py, renamed to compass.py might be useful too:
https://lists.torproject.org/pipermail/tor-relays/2012-July/001403.html

https://gitweb.torproject.org/compass.git/blob/HEAD:/README
https://gitweb.torproject.org/compass.git


Re: [tor-talk] End-to-end correlation for fun and profit

2012-08-22 Thread tagnaq


> tor-relay-stats.py, renamed to compass.py might be useful too:

https://compass.torproject.org/result?by_as=True&top=10


Re: [tor-talk] End-to-end correlation for fun and profit

2012-08-21 Thread tagnaq

I think karsten's graphs from #6443 fit also well to this thread:

https://trac.torproject.org/projects/tor/ticket/6443

You might also be interested in this thread on tor-relays:
https://lists.torproject.org/pipermail/tor-relays/2012-July/001433.html
https://lists.torproject.org/pipermail/tor-relays/2012-July/001436.html
...


Re: [tor-talk] TorBirdy - testing and feedback requested!

2012-07-23 Thread tagnaq

> It's a bit difficult to describe succinctly, but I'll try to relay
> my thoughts ...
>
> It's about the indications that you are actually using Tor.

Thank you for your feedback.

I'll write my follow-up answer directly to the trac entry.




Re: [tor-talk] TorBirdy Not Allowing Connections to Servers

2012-07-22 Thread tagnaq

> Previously, I had been launching start-tor-browser from the
> extracted archive and then attempting to get messages. However,
> when you asked me to check connections in Vidalia, I went to the
> app directory and opened it directly (I usually hide vidalia when
> launching from start-tor-browser). And it showed connections. And
> worked.

Good to hear that you were able to resolve your issue and it was not a
TorBirdy problem.

> I suppose its related to stream isolation not being in TBB yet?

When you start the Tor Browser Bundle it starts the Socks listener on
a random TCP port (SocksPort auto). This is probably the reason why
you were not able to use tor in thunderbird because there was no open
Socks port where torbirdy expected it (9050).


-BEGIN PGP SIGNATURE-

iF4EAREKAAYFAlALzq4ACgkQyM26BSNOM7bwVgD+KhhDLnrTv7rFO1EXMmrHS8qW
2xx5uPTrCyxcJkkugmMA/i5X9IuiDjnbyOCV1KrAZ2TsF/gpgHLIJ2cpGVpOibGk
=vWn6
-END PGP SIGNATURE-


Re: [tor-talk] TorBirdy with Tor?

2012-07-22 Thread tagnaq
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

> Sorry, may be a newbie question, but while using ThunderBird with
> TorBirdy, must another instance of Tor be running? For example BBT
> or Vidalia? Just dled TorBirdy 0.0.10.xpi but i should run BBT
> before to make TorBirdy work. Does TorBirdy not work lonely?

TorBirdy is a Thunderbird extension that configures your Thunderbird
to use Tor, but it doesn't include Tor itself. TorBirdy expects that
you have Tor running on your localhost:
SocksPort 127.0.0.1:9050
http proxy: 127.0.0.1:8118
[1]

Thanks for your question, we will update/create end-user documentation
to make these requirements more clear.



[1]
https://github.com/ioerror/torbirdy/blob/master/components/torbirdy.js#L38
-BEGIN PGP SIGNATURE-

iF4EAREKAAYFAlAL6DcACgkQyM26BSNOM7Yp7QEAnqPBytW2WAZ/w8Zbnu2xwkSu
hJViM6YxuZAOj92XJH0BAJbb6sxPhTEzLN0+DJ5CdI04At1TfsPdhqPGFTLIkokX
=2Q10
-END PGP SIGNATURE-

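Both replies above come down to one question: is anything actually speaking SOCKS5 on the port TorBirdy is configured for? The Tor Browser Bundle of the time opened its SocksPort on a random port (SocksPort auto), so 127.0.0.1:9050 simply had no listener. The following is an added example, not TorBirdy's or Tor's code: it sends a SOCKS5 greeting to a candidate port and reports whether nothing is listening, something non-SOCKS answered (an HTTP proxy on 8118 will look like that), or a SOCKS5 server accepted the greeting. The `fake_listener` and `unused_port` helpers are constructed test doubles so the probe can be exercised offline.

```python
"""Probe which local ports actually speak SOCKS5 before pointing a mail client at them."""
import socket
import threading

SOCKS5 = 0x05
NO_AUTH = 0x00
NO_ACCEPTABLE_METHODS = 0xFF


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes or return what arrived before the peer closed/timed out."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe_socks5(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify what is listening on host:port.

    Returns one of:
      'no-listener'   nothing accepts the TCP connection (what TorBirdy hits when
                      tor is not running, or listens on a SocksPort other than 9050)
      'not-socks'     something accepted but did not answer a SOCKS5 greeting
      'refused-auth'  a SOCKS5 server that rejects the no-authentication method
      'socks5'        a SOCKS5 server that accepted the greeting
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "no-listener"
    with sock:
        try:
            # RFC 1928 client greeting: VER=5, NMETHODS=1, METHODS=[NO AUTHENTICATION]
            sock.sendall(bytes([SOCKS5, 1, NO_AUTH]))
            reply = _recv_exact(sock, 2)
        except OSError:  # includes socket.timeout: peer accepted but never answered
            return "not-socks"
    if len(reply) != 2 or reply[0] != SOCKS5:
        return "not-socks"
    if reply[1] == NO_ACCEPTABLE_METHODS:
        return "refused-auth"
    return "socks5" if reply[1] == NO_AUTH else "not-socks"


def probe_ports(host: str, ports) -> dict:
    """Probe several candidate ports and map each to its classification."""
    return {port: probe_socks5(host, port) for port in ports}


def fake_listener(reply: bytes) -> int:
    """Constructed test double (not a real tor): accept one connection, read the
    3-byte greeting, send `reply`, close. Returns the ephemeral port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        with srv:
            conn, _ = srv.accept()
            with conn:
                conn.recv(3)
                conn.sendall(reply)

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_port() -> int:
    """Constructed helper: a port with no listener (bind, read the number, close)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Real use: check the ports TorBirdy expects (SOCKS on 9050, HTTP proxy on 8118).
    for port, status in probe_ports("127.0.0.1", (9050, 8118)).items():
        print(f"127.0.0.1:{port}: {status}")
```

Running it with only the Tor Browser Bundle started (SocksPort auto) reports `no-listener` for 9050, which is exactly the symptom described in the thread; a Privoxy/Polipo on 8118 reports `not-socks`, since it is an HTTP proxy, not a SOCKS one.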

[tor-talk] General remarks when using mail clients over Tor (i.e. TorBirdy)

2012-07-21 Thread tagnaq
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi,

I'd like to give some general information on what you might run into
when using mail clients over Tor, in fact this is not specific to
email but probably applies to other authenticated services that deploy
some kind of anti-account hijacking prevention systems. Whether this
stuff actually applies to you depends on your email provider.

- Fetching mail via Tor might trigger automated intrusion prevention
systems because you come from 'unusual locations'.
These automated systems might temporarily block your account till you
login via webmail and confirm your password/secret question.
If this is the case on a gmail account you will get an email with the
subject: 'Suspicious sign in prevented'
This might happen when trying to fetch mails over Tor for the first
few times, at least the detection mechanism at gmail seems to be
adaptive and won't bother you continuously if you constantly use
Tor to access your mail account.
Thunderbird might show you a clear warning indicating that a login
was denied for that specific reason. I can't remember the exact
sentence anymore, but that was the case with a gmail account. (The
warning is not generated by Thunderbird itself but rather a displayed
message received from the mailserver.)

Make sure you know the answer to your secret question (or alternative
password recovery method). Unfortunately changing gmail's password
recovery options doesn't seem to work with TBB [1].

- Another issue that I haven't seen often with gmail but you might run
into it with other freemail providers occurs when submitting emails to
the mailserver (sending). Depending on your mail provider and exit
node the mailserver might simply deny access or reset the connection.
This usually happens when using big exit relays (torservers seems to
work fine compared to CCC exit nodes). Hitting 'Use a New Identity'
might be a workaround [2]. Or you exclude exit nodes for which email
submission doesn't work, but in that case you should have a specific
tor instance just for mail because excluding the popular exit nodes
will affect your usability (speed) and privacy.

So when having trouble using Thunderbird with Tor keep in mind that
this might be because one of these issues arose.

Maybe we should start a wiki page to collect experience with different
freemailers.

[1] https://trac.torproject.org/projects/tor/ticket/6191
[2] https://trac.torproject.org/projects/tor/ticket/6371
-BEGIN PGP SIGNATURE-

iF4EAREKAAYFAlALNXQACgkQyM26BSNOM7YXVgD+IeDd8Wr1aY0y3ISpWdTNTl32
MqL8LYMLmrqYox56yPoA/1arhuxfODfZJacqb9v4mBgI4cpL40mDd+OlTu8iUxfP
=0pSL
-END PGP SIGNATURE-


Re: [tor-talk] TorBirdy Not Allowing Connections to Servers

2012-07-21 Thread tagnaq
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi,

> Finally had a few spare minutes to switch over to the guest account
> and try it. Installed current TorBirdy, restarted, manually set up
> account (gmail), changing the pop and SMTP settings as necessary

Can you be more specific? (mentioning exact settings, server, port,
connection security, ..)
Do you see the connection attempts in Vidalia's network map?


> BTW, the xpi linked to from the TorBirdy Trac page is corrupted,
> and based on file size, is an old version anyway. Might want to fix
> that link.

I suppose it is fixed now.
(it is a wiki page)

https://trac.torproject.org/projects/tor/wiki/torbirdy

-BEGIN PGP SIGNATURE-

iF4EAREKAAYFAlALQC0ACgkQyM26BSNOM7ZB0AD+JoJskKITGasJtr29zCtE6fzU
7xBoRcYXOfIlgnSUsW8A/R1RoZ0/iJKbIlyvp9J2feW4Z2UcS3k+fN1EQoriZ9Az
=pZJq
-END PGP SIGNATURE-


Re: [tor-talk] How to pin the SSL certificate for torproject.org? (#3555)

2012-07-07 Thread tagnaq
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

FYI
https://trac.torproject.org/projects/tor/ticket/3555
(for TBB)
-BEGIN PGP SIGNATURE-

iF4EAREKAAYFAk/4MpcACgkQyM26BSNOM7bBdwEAhQsVuOUNylcAYm79H1wMCvKp
DyZD451XCHDR1mG/sLgBAKH8MilGXrxdDkg3BV3q41k5f3cIuUHL89zB9u1cX5Z8
=JCV5
-END PGP SIGNATURE-


Re: [tor-talk] Multiple Tor instances

2012-05-27 Thread tagnaq
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

>> If I run two Vidalia instances with unique SOCKS ports and
>> Control ports and connect two applications (say 2 instances of
>> pidgin) on the unique SOCKS ports, a remote observer shouldn't be
>> able to know that both my identities are the same right?
>
> That's true, but you could equally have each application connect
> to the same tor instance and the remote observer still won't be
> able to determine that both sets of traffic belong to the same
> person.

It is certainly easier to link account A to account B if they always use
the same circuit, but since tor version 0.2.3.3 you can achieve stream
separation with one single tor instance - no need to run multiple instances.

For more information see:
https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/171-separate-streams.txt

https://trac.torproject.org/projects/tor/ticket/1865

0.2.3.x manual page
-BEGIN PGP SIGNATURE-

iF4EAREKAAYFAk/CS4wACgkQyM26BSNOM7aqhAD+JFSNd4xIDT611G7VPpLmsHyi
GF5ouQk4Uo8Is5YPUKQA/0hl3NsQVlos16g8EvkA1cjK5rIyyYhk07gHTPIZrDrY
=Udps
-END PGP SIGNATURE-

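The reply above points at proposal 171 and the 0.2.3.x manual page for the details; the torrc fragment below is an added example (not from the thread or from the tor manual) of what that stream separation looks like in practice with a single tor instance. It also covers the "specific tor instance just for mail" idea from the 2012-07-21 message: with per-port isolation, a separate SocksPort for the mail client does the same job without a second tor. Port numbers other than 9050 are arbitrary choices for this example.

```text
## Added example torrc: stream separation with ONE tor instance
## (proposal 171, tor >= 0.2.3.3-alpha).

## Weak: a single SocksPort shared by every application. Streams from the
## browser, both pidgin accounts and the mail client may be attached to the
## same circuit, so two identities used at the same time exit from the same IP.
# SocksPort 9050

## Better: one SocksPort per identity. Streams that arrive on different
## SocksPorts are never put on the same circuit (unless you deliberately give
## the ports the same SessionGroup), so no extra tor instances are needed.
SocksPort 9050                      # browser
SocksPort 9060 IsolateDestAddr      # pidgin account A; also one circuit per destination host
SocksPort 9061 IsolateDestAddr      # pidgin account B
SocksPort 9062 IsolateDestPort      # mail client (Thunderbird/TorBirdy): keeps the
                                    # IMAP/POP fetch and the SMTP submission on
                                    # separate circuits

## Alternative for clients that can send SOCKS5 username/password: IsolateSOCKSAuth
## is on by default, so distinct credential pairs on one SocksPort already get
## distinct circuits (e.g. one username per mail account).
```

Isolation only separates circuits; it does not change the fact that each application still fingerprints itself at the protocol level, so two identities that share a distinctive client configuration remain linkable by other means.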

Re: [tor-talk] TorBirdy version 0.0.2

2012-05-27 Thread tagnaq
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

> Wouldn't this (or some of the other header settings) allow the
> recipient or general public (if a mailing list post) to learn that
> a person was using TorBirdy?

Note: TorBirdy doesn't support a toggle model. There has been an
attack vector against the old Torbutton in Firefox where one was able
to detect the presence of Torbutton while it was off (IIRC).

If TorBirdy aims for a per-email-account enable/disable option within
one Thunderbird Instance/Profile this is an issue. E.g. you can
determine with sufficient likelihood that someone has TorBirdy
installed while he sends email from an email account for which he
doesn't have torbirdy enabled.
But as of now Thunderbird doesn't support per-email-account proxy
settings - AFAIK.
-BEGIN PGP SIGNATURE-

iF4EAREKAAYFAk/CXeoACgkQyM26BSNOM7aMTwD/cPsxkAXERRw+pnOTdoJswEyk
TfXUx3/P2lly+cM+7ewA/0R9e1jd+v4h3FGvNlltIGpJmp9glg88E9kPFyj7SHTY
=FOUI
-END PGP SIGNATURE-


Re: [tor-talk] Volunteer QA: The Price of Freedom is Eternal Vigilance

2012-05-17 Thread tagnaq
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

> To start, Runa will simply give interested people a url to a
> release candidate

Do you plan to create a mailing list for the 'interested people' that
are going to test pre-release builds?
-BEGIN PGP SIGNATURE-

iF0EAREKAAYFAk+1YUoACgkQyM26BSNOM7YahAD3Q3MLxg5OaNMoZxZtNTl7opTk
wh4hbdl3Rwgkr/m5YgD+LmUtRpxAJnYweAaDMUF5SSGcvtn1lYaFsb323hXwp8o=
=KVqm
-END PGP SIGNATURE-


Re: [tor-talk] Technical Documentation for the TBB Update Notification Mechanism

2012-05-17 Thread tagnaq
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

> Can you explain please, how the TBB update notification mechanism
> is implemented?

the following trac entry might be helpful for you
https://trac.torproject.org/projects/tor/ticket/2285


-BEGIN PGP SIGNATURE-

iF4EAREKAAYFAk+1d00ACgkQyM26BSNOM7Y81wEAtM7Jgc83u542imIO998zWnnP
i2pWl2QHx3OpKOPv1nIBAK6p7drtgi0pqoUnSCTBSZZXkrMwXdYL2v5E/V9tBZ04
=IYzi
-END PGP SIGNATURE-


Re: [tor-talk] any issue with TBB extensions auto updating?

2012-05-14 Thread tagnaq
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

> Is there any anonymity / fingerprinting issue(s) w/ extension
> shipped w/ TBB auto updating during a Tor session?
>
> Default setting in TBB in Addons > Extension under drop box,
> Update Add-ons Automatically is checked.
>
> Do No Script, HTTPS Everywhere, TorButton automatically update when
> the default update selection above is checked & does that pose any
> anonymity / fingerprinting issues?

You might be interested in this discussion:
https://lists.torproject.org/pipermail/tor-talk/2011-June/020755.html
https://lists.torproject.org/pipermail/tor-talk/2011-July/020784.html

short version: the exit sees what you are updating (http request) but
can't modify it without being detected.

regarding the prevention of SSL MITM (compromised CAs and the such)
during the update process, you might want to have a look at:
https://trac.torproject.org/projects/tor/ticket/3555

the future of key pinning via HTTP headers
http://tools.ietf.org/rfcmarkup?doc=draft-ietf-websec-key-pinning-01
-BEGIN PGP SIGNATURE-

iF4EAREKAAYFAk+xbEkACgkQyM26BSNOM7aJ3AEAnWiVA4+And1x/ThB07dH/p6M
Y8KBT51eNVCFKg8GCsgA/AjaTuAsE2tuGhky25py9KCZtqAQsIbKdXQsjAE9U9iD
=dlXp
-END PGP SIGNATURE-


Re: [tor-talk] Towards a Torbutton for Thunderbird (torbutton-birdy)

2012-05-08 Thread tagnaq
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

> Nope, auto generated, just like in this one. I've checked
> mailnews.reply_header_authorwrote and it's set to %s. I imagine
> that this is the way it should be, but it's not working as
> expected.

thanks to you we are aware of this issue now.

You might be interested in this trac ticket - which mentions currently
known issues:
https://trac.torproject.org/projects/tor/ticket/5797
-BEGIN PGP SIGNATURE-

iF4EAREKAAYFAk+pb1IACgkQyM26BSNOM7aiVgD/WJnLv864uBg+92S3kQ1PV9H4
SvL1dM/iMzPyJYMzDbMA/1v4nKqlSVjkdWkGsA2vbCsizA2BYB873iMFS4PMTCkp
=LUy4
-END PGP SIGNATURE-


Re: [tor-talk] Towards a Torbutton for Thunderbird (torbutton-birdy)

2012-05-07 Thread tagnaq
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi mix.tb,

I'm curious whether you did write the following line - especially the
word 'wrote' yourself or not?

> Jacob Appelbaum wrote:

The word 'wrote' shouldn't be there - at least not auto generated by
TB after installing the extension (language disclosure).
(mailnews.reply_header_authorwrote)

> DNS and other connections leak during account creation (when
> Thunderbird is trying to work out how to connect),

https://bugzilla.mozilla.org/show_bug.cgi?id=669238

regards,
tagnaq
-BEGIN PGP SIGNATURE-

iF4EAREKAAYFAk+oFwoACgkQyM26BSNOM7Y4hQD/S4vVAJeTK/jGh1WbqAWPbBbM
SCZaTJMbVcnGDXfx/50A/3+FtxxOxE385EcHp+xILacpOjzH/bYAVhK8yrVn4jVK
=R8nP
-END PGP SIGNATURE-


Re: [tor-talk] Towards a Torbutton for Thunderbird (torbutton-birdy)

2012-05-07 Thread tagnaq
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512


>> [1] https://tails.boum.org/todo/Return_of_Icedove__63__/
>
> Trying to hide we use Icedove seems unrealistic and/or impractical a
> goal, at least to start with. Therefore, we'll ignore tagnaq's
> suggestions whose single aim is that one.

Why do you think that I aimed for hiding the use of Thunderbird?

Hiding the fact that someone is using Thunderbird when he/she actually
is, was not my intention:

on page 3:
Non-goals: hide the fact that we are using Thunderbird

on page 21:
As specified in section 2.3 the header information reduction
does not aim to hide the fact that Thunderbird is the used
MUA.


> The idea is to at least try to get this merged upstream (if not in
> Mozilla, perhaps at least in Debian) in some form, otherwise we're
> gonna ship an Icedove built from sources with these changes applied
> in Tails.

Great! Thanks for explicitly mentioning this (I was about to ask you
if you are going to submit it for upstream inclusion ;)

I hope you are watching
https://bugzilla.mozilla.org/show_bug.cgi?id=664633
It might be a good idea to submit/suggest it there?

I hope you enable mailnews.auto_config_ssl_only by default and hide
the disable button very well ;)

> It's unclear to me if you've done (or plan to do) some work on the
> autoconfig wizard in torbutton-birdy. I'd appreciate if you could
> elaborate on this.

The basic idea is to get all issues that require code changes fixed
upstream so that we do not have to bother about builds.
Enabling privacy via an extension only also gives you a potentially
bigger user base (=bigger anonymity set = better anonymity).
..but as we saw with firefox/torbutton getting things done upstream is
not an easy and fast process.

-BEGIN PGP SIGNATURE-

iF4EAREKAAYFAk+oKG8ACgkQyM26BSNOM7ZRxwD9Hcr1LMP233YCTAq0wS8iVc9u
4t5pVoZwx2pkbYn3rVgBAIvS0rxV9fQ7JiN2o/23RPeF9WbbgD8lfrJcVaP9s/Xk
=Mpcz
-END PGP SIGNATURE-


Re: [tor-talk] Firefox security bug (proxy-bypass) in current TBBs

2012-05-03 Thread tagnaq
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

> See
> https://blog.torproject.org/blog/firefox-security-bug-proxy-bypass-current-tbbs
>
> for the security advisory.

I'm quite surprised that you do not inform TBB users via the usual
channel: via the default startpage in TBB (check.tpo) - even if there
are no new TBBs yet.

-BEGIN PGP SIGNATURE-

iF4EAREKAAYFAk+i5GYACgkQyM26BSNOM7ZZWQD/asLtZpm0C9d6P++5c7F2hvX6
1+4iRtjn+J9eIKL8fvwBAKtatj70yDERZaCEWzw6POPWgzvcwOIrMtEKwGvfBXVG
=yAS8
-END PGP SIGNATURE-


[tor-talk] testing TBBs

2012-05-03 Thread tagnaq
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

> We are desperately in need of testers and auditors so this never
> happens in production again.

After the last problem within a TBB release I signed up to tor-qa [1]
to help with testing and expected something like
'hey we are about to release a new version x, download it here, please
send us your test results and regression reports'
on that list every time before a new release is published, but that
list was not used [2].


[1] https://trac.torproject.org/projects/tor/ticket/3939
[2] https://trac.torproject.org/projects/tor/ticket/4739

> See also #3846 and consider signing up to test builds in your
> hardened, auditing setups.

By 'signing up' do you mean subscribe to #3846, or what does the 'sign
up' process look like?

https://trac.torproject.org/projects/tor/wiki/doc/build/BuildSignoff

Where does one get the info that a new version is about to be released?
Where are pre-releases available for download?
-BEGIN PGP SIGNATURE-

iF4EAREKAAYFAk+i8HEACgkQyM26BSNOM7Z7FgD/Zv53lIiRVZWCFY6Sb538YXyM
pUwSGUa2Eg+//jaKGj0A/0pSREgkDmRbumkCFqoZch0si9Nv8La+nG3qvJP4vUaH
=33ax
-END PGP SIGNATURE-


[tor-talk] Exitrelay performing SSL MITM on port 995 (Dr. Web Netfilter)

2012-05-01 Thread tagnaq
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi,

there is an exit relay performing SSL MITM on POP3S connections
(and probably others).
The relay seems to be using Dr. Web Netfilter (see att. [mail too big,
att. removed]),
so the harm is probably not done intentionally.
Unfortunately I don't know which exit node I was using at the time.
I assume that Mike's exit scanner will detect this node sooner or later.
until then: do not ignore ssl warnings (not just now ;)
-BEGIN PGP SIGNATURE-

iF4EAREKAAYFAk+gb8EACgkQyM26BSNOM7bNxgEAlGaWkk9EeA6iz3PX29caa8mA
+pFEJcpsWPHTnSKHGb0BAIB7CSpJgKD6kYpyZmZC0Eaqv9gUKykRTI8YmA1vd2eY
=JLBp
-END PGP SIGNATURE-


Re: [tor-talk] tor debian repository for non x86 arch? (arm)

2012-03-10 Thread tagnaq
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

looks like we are going to see ARM (arch) .deb packages sooner or later:
https://twitter.com/#!/torproject/status/176898932763394048
-BEGIN PGP SIGNATURE-

iF4EAREKAAYFAk9bYF0ACgkQyM26BSNOM7a0VQD+J4dni1nJD0khInQTIa69x4ZW
jXQDt76giRha+X0RqTQA/R0Uj6rmD42uqA+O4FW8lhxju/Y30e8Xjy5Iak9RlIM3
=2imB
-END PGP SIGNATURE-


Re: [tor-talk] tor debian repository for non x86 arch? (arm)

2012-02-21 Thread tagnaq
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

> I suspect tagnaq meant arm, the architecture here - note how he
> asked for tor 0.2.3.x packages.

Yes, I meant the architecture arm.

> Weasel doesn't have an arm machine to do the builds on, so we don't
> have those packages on deb.tpo. Sorry

Would you consider building packages for arm if I donated an arm
device?

regards,
tagnaq
-BEGIN PGP SIGNATURE-

iF4EAREKAAYFAk9D3lgACgkQyM26BSNOM7ZRrAEAoY8R6vFDysfRNBikh56g3Jai
0abIp/tPXBl51lnIduYA/i2ADmQjWgNW6DnKWwGO5o4icXNHfDZgH45Ug+JabYhe
=F896
-END PGP SIGNATURE-


[tor-talk] tor debian repository for non x86 arch? (arm)

2012-02-20 Thread tagnaq
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi,

I used to install packages from the torproject debian repos
(https://www.torproject.org/docs/debian.html.en#development )
but apparently they do not include packages for arm.

Is there a debian repo for arm somewhere?
(containing tor 0.2.3.x packages for debian stable)

thanks,
tagnaq
-BEGIN PGP SIGNATURE-

iF4EAREKAAYFAk9C07EACgkQyM26BSNOM7ZURgEAgIGyPYppPJ89z7Togf5HoafS
UoFQy4jlNcPNcbc8ilUA/jmVenA4+IF2YETKcF2iWvKv9H9Lswa7SGVyGY+qYb9A
=wqS2
-END PGP SIGNATURE-


Re: [tor-talk] What is a guard node?

2011-09-24 Thread tagnaq
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 09/24/2011 03:54 PM, hi...@safe-mail.net wrote:
> What are those nodes listed as guards at the tor status pages?
> What does it take to get that status?
>
> I have heard that it has something to do with entry nodes, but a thorough
> explanation would be nice thanks.

https://www.torproject.org/docs/faq.html.en#EntryGuards
-BEGIN PGP SIGNATURE-

iF4EAREKAAYFAk596gQACgkQyM26BSNOM7b/pAD+KGR6IfA260TT/h0gEb4P0Vys
HAN3LqDllmNxPINt0LEA/Rfem6DyBR7asmgFJI/3z+kurmFFf7fOyOFVOlre0J6T
=Tige
-END PGP SIGNATURE-


Re: [tor-talk] How to verify the authenticity of the Torbutton xpi file

2011-09-23 Thread tagnaq
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

https://trac.torproject.org/projects/tor/ticket/4090
-BEGIN PGP SIGNATURE-

iF4EAREKAAYFAk58nAAACgkQyM26BSNOM7ZbdQD+IhTTw04tCBr9lkw9RtA06ZWD
GsnQVibaSNOPuWrU7DEA/0Sug1/317Dbq25M9g4gjf8FREkTMQLZe1GAM+jthvng
=pWhA
-END PGP SIGNATURE-


[tor-talk] How to use Torbutton (1.4.3) in 'Transparent Torification' Mode?

2011-09-22 Thread tagnaq
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi,

when trying to change Torbutton's settings to use the Transparent
Torification Mode the final click on 'OK' does not do anything. It
doesn't close the window and the only way to exit is to click on 'Cancel'.

I suppose it has to do with the test that is performed to see if Firefox
really uses Tor.

Is someone successfully using Torbutton in 'Transparent Torification'  Mode?

thanks.

-BEGIN PGP SIGNATURE-

iF4EAREKAAYFAk57HGQACgkQyM26BSNOM7bP9wD8CZ9U6LNQLhAU+AXXjt8pYAmz
N/W81+FJgIDpmaRz6K8A/1Y1DEyST9p6yywkt69hCuDpgn1NLhhABn28bl99jvKJ
=mYTv
-END PGP SIGNATURE-


Re: [tor-talk] Torbutton: 'Disable Updates During Tor' - Option

2011-07-14 Thread tagnaq
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Mary Escondido wrote:
> Is this something new to Firefox 4.0?
> Is the authentication also done in Firefox 3.6?

https://lists.torproject.org/pipermail/tor-talk/2011-July/020783.html

Mike Perry wrote:
> We haven't blocked addon updates since Firefox started authenticating
> them in Firefox 3.



-BEGIN PGP SIGNATURE-

iF4EAREKAAYFAk4e6IAACgkQyM26BSNOM7aOywEAgMUgGBiDU9jIEd2+xTD/+G1A
kdvgMhDPSMkLK8ELZM8A/Aoay68Uz0TLG8p13u1AwToBtWiFOfCMon8qRkIFBDVl
=wHmt
-END PGP SIGNATURE-


[tor-talk] Trac email interface

2011-07-11 Thread tagnaq
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi,

is there a way to file bugs at trac.tpo via email?

thanks
-BEGIN PGP SIGNATURE-

iF4EAREKAAYFAk4bHl4ACgkQyM26BSNOM7Z4+QD+PVPybirR+436gutzdT+0YSwz
Z0oEQnjiqOn4rUEzbaoA/0PYhDrrzL5xpksIAJiRS4RBzpkDavXaOxo495QuHop7
=G2qY
-END PGP SIGNATURE-


Re: [tor-talk] Vidalia documentation

2011-07-10 Thread tagnaq
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Tomas Touceda wrote:
> There isn't such documentation yet. It's part of my TODO list.

Ok, do you have any raw estimate when it will be available?
(before or after 1 Sep 2011)

> For now, all I can offer you is to join #vidalia, and I'll answer your
> questions or explain how to understand Vidalia's settings from the code.

Thank you for this offer.
-BEGIN PGP SIGNATURE-

iF4EAREKAAYFAk4aEf0ACgkQyM26BSNOM7bNagD/RPDdV++M8JDlqTHrwDMhdQl3
BJWALQTLEttdDjstpHkBAJyfbXddNRXVhTbzng4HCadhoSvAOBF2bsxZLBJWbgDZ
=e29v
-END PGP SIGNATURE-


Re: [tor-talk] Torbutton 1.4.0 released

2011-07-08 Thread tagnaq
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512


> Here is the complete changelog:
>  * bug 3101: Disable WebGL. Too many unknowns for now.
>  * bug 3345: Make Google Captcha redirect work again.
>  * bug 3399: Fix a reversed exception check found by arno.
>  * bug 3177: Update torbutton to use new TorBrowser prefs.
>  * bug 2843: Update proxy preferences window to support env var.
>  * bug 2338: Force toggle at startup if tor is enabled
>  * bug 3554: Make Cookie protections obey disk settings
>  * bug 3441: Enable cookie protection UI by default.
>  * bug 3446: We're Firefox 5.0, we swear.
>  * bug 3506: Remove window resize event listener.
>  * bug 1282: Set fixed window size for each new window.
>  * bug 3508: Apply Stanford SafeCache patch (thanks Edward, Collin et al).
>  * bug 2361: Make about window work again on FF4+.
>  * bug 3436: T(A)ILS was renamed to Tails.
>  * bugfix: Fix a transparent context menu issue on Linux FF4+.
>  * misc: Squelch exception from app launcher in error console.
>  * misc: Make DuckDuckGo the default Google Captcha redirect destination.
>  * misc: Make it harder to accidentally toggle torbutton.

Torbutton 1.4.0 no longer displays the following info by default:
'Add-on update security checking is disabled. You may be
compromised by updates.'

I haven't found anything regarding that in the changelog.

related question:
https://lists.torproject.org/pipermail/tor-talk/2011-June/020755.html

thanks!
-BEGIN PGP SIGNATURE-

iF4EAREKAAYFAk4XFisACgkQyM26BSNOM7aehwEAlpsaIslR4di4D/yCphVrkyCp
CwcCGXp+iACEe//NAg4A/3tYzS1lTtKgPxJud+kh2tva2wqrmubh8JPA/kTKx7tX
=70j9
-END PGP SIGNATURE-


Re: [tor-talk] Torbutton: 'Disable Updates During Tor' - Option

2011-07-08 Thread tagnaq
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

>> I concluded that the addon process is insecure because the versioncheck
>> happens over HTTPS but the actual download of the new xpi file is over http.
>> This simple conclusion is wrong if one doesn't check the entire update
>> mechanism.
>> To download something over an insecure channel is fine as long as you
>> can check the file for modifications after the download.
>
> Authentication is done now.

Thanks for confirming this.

>> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=653830#c4
>>
>> http://kb.mozillazine.org/Software_Update
>
> This is extremely interesting. Seems to indicate that to preserve the
> same level of update security that Mozilla provides,

yes, the certificate is hardcoded - I tried an addon update doing a MITM
with my own root CA (manually installed)
result: update refused (good!)

> we should be
> hardcoding certificates for both the HTTPS-Everywhere and torbutton
> update urls, as they do not go through versioncheck (anymore)..

hardcoding your *.tpo wildcard cert will also make other services safer
(check.tpo, www.tpo), but it will require new releases when the cert
expires.
-BEGIN PGP SIGNATURE-

iF4EAREKAAYFAk4XWXUACgkQyM26BSNOM7ZtWQD7BaSlwl/1TGWQEoTFTLpEevEr
L4/JcnMMKkAJroUB0qIBAIVpFM1RLnUN07a6DUzkx0F1dCXen/lT8A0yLbpYLcca
=NwiA
-END PGP SIGNATURE-


Re: [tor-talk] Torbutton: 'Disable Updates During Tor' - Option

2011-06-26 Thread tagnaq
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

>> - I assume requests to mozilla are encrypted + authenticated
>
> This assumption was and is wrong.
> Disabling such insecure update paths makes sense.

I concluded that the addon process is insecure because the versioncheck
happens over HTTPS but the actual download of the new xpi file is over http.
This simple conclusion is wrong if one doesn't check the entire update
mechanism.
To download something over an insecure channel is fine as long as you
can check the file for modifications after the download.

The versioncheck mechanism provides the location of the new xpi file and
the SHA256 Hash over SSL to the browser:
==
[...]
<em:updateLink>http://releases.mozilla.org/pub/mozilla.org/addons/722/noscript-2.1.1.1-fx+sm+fn.xpi</em:updateLink>

<em:updateInfoURL>https://addons.mozilla.org/versions/updateInfo/1246876/%APP_LOCALE%/</em:updateInfoURL>

<em:updateHash>sha256:738eafacb3d3273b9d8ab46f7ffb34d6ba756dd7a35548ad73332106be88ae02</em:updateHash>
[...]
==

If firefox actually checks the SHA256 hash before installing the xpi it
should be reasonably safe (beside the information leaks).
Regarding SSL MITM: Mozilla seems to have a hardcoded check for the
certificate of the versioncheck host.[1]

What led Torbutton to the conclusion that the update mechanism is
insecure and therefore disabled by default?
(TBB: 'Add-on update security checking is disabled. You may be
compromised by updates.')

Does 'compromised' in this context mean that someone may install arbitrary
xpis, or is it more that your anonymity gets compromised because
you disclose your addons incl. their versions?

I suppose that's a question for Mike?

thanks!


[1] https://bugzilla.mozilla.org/show_bug.cgi?id=653830#c4

http://kb.mozillazine.org/Software_Update

-BEGIN PGP SIGNATURE-

iF4EAREKAAYFAk4HGpIACgkQyM26BSNOM7ZclgD9Ft2mbuVLR5Qj7Ny3TS1B4aU5
bZYzAqh51szODEvr9TIA/jPbRxrrE2ixnn7eMeIFo52v3eNS+dmxyOLpylMAup9z
=A1VT
-END PGP SIGNATURE-

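The message above describes the trust model precisely: the versioncheck manifest, fetched over HTTPS, carries `updateLink` and `updateHash`; the .xpi itself may travel over plain HTTP, and the install is safe only if the client refuses the file on a hash mismatch. The following is an added example that implements that check; it is not Mozilla's or Torbutton's code. The manifest text, the release URL and the .xpi bytes are constructed for the example (the digest in the constructed manifest is computed over the constructed bytes, not taken from any real NoScript release), and the function returns a status string so each refusal reason is visible.

```python
"""Verify an add-on download against the hash carried by its versioncheck manifest."""
import hashlib
import hmac
import re
from urllib.parse import urlparse

# Digests an install may rely on; a manifest offering md5/sha1 is refused outright.
ALLOWED_DIGESTS = {"sha256", "sha512"}

# Constructed stand-in for the .xpi payload, and a copy altered the way a hostile
# exit relay or HTTP mirror might alter it in transit.
SAMPLE_XPI = b"PK\x03\x04constructed-xpi-payload-not-a-real-addon"
TAMPERED_XPI = SAMPLE_XPI.replace(b"payload", b"payl0ad")


def make_manifest(xpi_bytes: bytes, digest: str = "sha256") -> str:
    """Constructed manifest fragment in the shape of the RDF quoted above.

    The download link is deliberately plain http://, as in the real manifest.
    """
    h = hashlib.new(digest, xpi_bytes).hexdigest()
    return (
        "<em:updateLink>http://releases.example.org/pub/addons/722/"
        "noscript-2.1.1.1.xpi</em:updateLink>\n"
        f"<em:updateHash>{digest}:{h}</em:updateHash>\n"
    )


SAMPLE_MANIFEST = make_manifest(SAMPLE_XPI)


def parse_manifest(text: str):
    """Extract (updateLink, digest_name, hex_digest) from the manifest text."""
    link = re.search(r"<em:updateLink>\s*(\S+?)\s*</em:updateLink>", text)
    digest = re.search(r"<em:updateHash>\s*(\w+):([0-9a-fA-F]+)\s*</em:updateHash>", text)
    if not link or not digest:
        raise ValueError("manifest lacks updateLink or updateHash")
    return link.group(1), digest.group(1).lower(), digest.group(2).lower()


def verify_download(manifest_text: str, manifest_url: str, xpi_bytes: bytes) -> str:
    """Decide whether xpi_bytes may be installed.

    Returns 'ok', or the reason for refusal:
      'insecure-manifest'  the manifest itself did not come over HTTPS, so the
                           hash it carries is not a trust anchor at all
      'weak-digest'        the manifest names a digest we do not accept
      'hash-mismatch'      the file was altered or substituted on the way
    The scheme of the download URL is irrelevant: plain HTTP is fine once the
    digest of what arrived matches what the authenticated manifest promised.
    """
    if urlparse(manifest_url).scheme != "https":
        return "insecure-manifest"
    _link, digest, expected = parse_manifest(manifest_text)
    if digest not in ALLOWED_DIGESTS:
        return "weak-digest"
    actual = hashlib.new(digest, xpi_bytes).hexdigest()
    return "ok" if hmac.compare_digest(actual, expected) else "hash-mismatch"


if __name__ == "__main__":
    url = "https://versioncheck.example.org/update/"  # constructed
    print("clean file:   ", verify_download(SAMPLE_MANIFEST, url, SAMPLE_XPI))
    print("tampered file:", verify_download(SAMPLE_MANIFEST, url, TAMPERED_XPI))
```

What the hash does not protect is confidentiality: the exit still sees the plain-HTTP request and learns which add-on and version is being fetched, which is the information leak the thread keeps separate from the integrity question.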

Re: [tor-talk] Torbutton: 'Disable Updates During Tor' - Option

2011-06-25 Thread tagnaq
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

> - I assume requests to mozilla are encrypted + authenticated

This assumption was and is wrong.
Disabling such insecure update paths makes sense.

-BEGIN PGP SIGNATURE-

iF4EAREKAAYFAk4Gea4ACgkQyM26BSNOM7amQAD/fWgEnSAetF6rOEganx9KEjNm
7N8b2fXupe2pL5wU+oAA/RId4BbpYhFImGDRgz0/9cetJcWe0jbA4OPQ+7Cc9Ym8
=cyJC
-END PGP SIGNATURE-


Re: [tor-talk] How evil is TLS cert collection?

2011-06-21 Thread tagnaq
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Mike Perry wrote:
> 1. User has a private network whose DNS is set to resolve private
> names to public IP addresses which normally would not have been
> reachable in the IPv4 scan, and whose TLS certs are also signed by a
> public trusted root CA. This is a weird setup, but it's a big world.
> I guess it could exist somewhere.

Yes, this is the scenario I was concerned about.

> 2. User has private network on RFC 1918 space, yet uses an HTTP proxy
> to access it (which means we can't tell that it is private IP space).
> Said user is also using TLS certs signed by a public trusted root CA.
> This config is less weird, and detectable by us. It makes me think we
> should handle this user specially somehow?

> Your point is that in these two cases, with the default protection
> mechanisms defined in
> https://trac.torproject.org/projects/tor/wiki/doc/HTTPSEverywhere/SSLObservatorySubmission
> these two users could still end up sending their public-yet-private
> certs to EFF.
>
> Should we somehow warn the HTTP proxy user about the possibility of
> private TLS certs being submitted if they try to opt-in to the
> feature?

I would suggest the following:
- user opts-in
- addon performs check if host can resolve hostnames to IPs (possible?)
- if it can't and the first adv. option isn't enabled, tell the user
that the addon will not do anything, but still give the user the
possibility to override this default check-and-disable procedure

the next question would be: is the addon doing periodic checks to see if
the situation changed?


>> To give users the possibility to contribute while preventing leaks for
>> specific domains they are concerned it would be great if the submission
>> addon would have a blacklist feature where one could say
>> never submit anything for *.example.com.
> This seems to be a reasonable option to me. I've added this to our
> spec page above.

Thank you for the inclusion of this feature.

> But is there a better option? Do you think it might be likely that
> either of these users will disable OCSP for these certs, or otherwise
> indicate anything about these public-yet-private certs that we can
> detect in their config?
>
> And is there anything else?

Another feature request just came to my mind: (actually it became more
than just one)
[ ] do not submit the IP address (server_ip argument) for private DNS
domains
(submits: '-2')
[ ] do not submit the IP address for the following private DNS domains
[input field]

I see this useful in the following scenario:
The user is fine with submitting certificates that would fall into the [
] Check/submit certificates for private DNS domains
option, but doesn't want to disclose the internal IP addresses.
The new option is only available when the user enables the submission of
certificates for private DNS domains.

Or you submit -2 by default for private DNS domains (if he enabled the
submission for private DNS domains) and give the user the possibility to
further opt-in and say: I'm fine with submitting the IP address for
private DNS domains (this would probably be the better way from a
privacy point of view but will result in less people submitting that data)


I don't know if you find submissions with empty domain argument
valuable, but if you do, you could also consider adding an option like:
[ ] do not submit the hostname (domain argument) for private DNS domains.
[ ] do not submit the hostname for the following private DNS domains:
[input field]

One might argue, the hostname is also included in the certificate (CN),
but this is not always the case (wildcard certificate).

Giving the users fine-grained possibilities about what they disclose might
result in more users willing to participate, but I totally agree to keep
them in an expert section because non-technical users might be
confused by these options.
These options give experts the possibility to disclose more if they
are fine with that.


___
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
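The opt-in options proposed in the message above (domain blacklist, withholding the IP address or the hostname for private DNS domains), as an added example of how a submission client could implement them. This is illustrative Python, not HTTPS Everywhere's own code; the `domain` and `server_ip` field names and the `-2` sentinel are taken from the thread, while the private-domain heuristic (non-public suffixes, single-label names, RFC 1918 / non-global addresses) and all option names are my assumptions.

```python
"""Client-side privacy filter for SSL Observatory submissions.

Added example, not HTTPS Everywhere code.  Models the knobs discussed in
the thread as a pure function so the decision logic can be tested
offline.  `domain`/`server_ip` and the "-2" sentinel follow the thread;
the private-domain heuristic and option names are assumptions.
"""
import fnmatch
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

WITHHELD_IP = "-2"   # thread's convention for "IP address not submitted"
# Suffixes that do not resolve on the public Internet (assumed heuristic).
NON_PUBLIC_SUFFIXES = (".local", ".localdomain", ".internal", ".lan", ".corp", ".home")


@dataclass
class SubmissionOptions:
    submit_private_domains: bool = False      # "Check/submit certificates for private DNS domains"
    submit_ip_for_private: bool = False       # further opt-in: "I'm fine with submitting the IP"
    submit_domain_for_private: bool = False   # further opt-in for the hostname
    never_submit: list = field(default_factory=list)            # e.g. ["*.example.com"]
    never_submit_ip_for: list = field(default_factory=list)     # per-domain IP suppression
    never_submit_domain_for: list = field(default_factory=list) # per-domain hostname suppression


def matches_any(domain: str, patterns) -> bool:
    """Case-insensitive glob match; '*.example.com' also covers 'example.com' itself."""
    d = domain.lower().rstrip(".")
    for p in patterns:
        p = p.lower()
        if fnmatch.fnmatchcase(d, p) or (p.startswith("*.") and d == p[2:]):
            return True
    return False


def is_private_ip(ip: Optional[str]) -> bool:
    """Non-global addresses (RFC 1918, loopback, link-local, ...) count as private."""
    if not ip:
        return False
    try:
        return not ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def is_private_domain(domain: str, server_ip: Optional[str]) -> bool:
    """Private if the name looks non-public or resolved to a non-global address.

    When an HTTP proxy did the resolving, server_ip is None and only the
    name heuristic applies: this is exactly the blind spot the thread
    describes, so such names are treated conservatively.
    """
    d = domain.lower().rstrip(".")
    if "." not in d or d.endswith(NON_PUBLIC_SUFFIXES):
        return True
    return is_private_ip(server_ip)


def prepare_submission(domain: str, server_ip: Optional[str], cert_der: bytes,
                       opts: SubmissionOptions) -> Optional[dict]:
    """Return the record that may leave the host, or None to submit nothing."""
    if matches_any(domain, opts.never_submit):
        return None
    private = is_private_domain(domain, server_ip)
    if private and not opts.submit_private_domains:
        return None
    ip_out = server_ip if server_ip else WITHHELD_IP
    domain_out = domain
    if private:
        if not opts.submit_ip_for_private or matches_any(domain, opts.never_submit_ip_for):
            ip_out = WITHHELD_IP
        if not opts.submit_domain_for_private or matches_any(domain, opts.never_submit_domain_for):
            domain_out = ""
    return {"domain": domain_out, "server_ip": ip_out, "cert": cert_der}
```

With the defaults nothing about a private name or address leaves the host; each further opt-in releases one field, which keeps the privacy-preserving choice the default while still letting an expert contribute more.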


Re: [tor-talk] nesting proxies

2011-06-19 Thread tagnaq

0 wrote:
 Using firefox 3.6, vidalia, polipo, I'd like to know how to tunnel tor
 through another proxy, and further nest proxies. vidalia's proxy
 settings seem to mean proxy -> tor, because https://check.torproject.org
 detects that I'm using tor even though using a proxy. Since tor is
 blocked on certain websites, I'd like to tor -> proxy [-> proxy ->
 proxy, etc].

Depending on your OS / resources you could do the following to achieve
that:

- configure firefox to use the proxy that you want to use after the Tor
network.

- transparently route traffic into Tor (e.g. TransPort + iptables)
- use Torbutton in Transparent Mode

(this setup would only use one proxy after Tor)



--
http://proxychains.sourceforge.net/


Re: [tor-talk] nesting proxies

2011-06-19 Thread tagnaq

tagnaq wrote:
 Depending on your OS / resources you could do the following to achieve
 that:
 
 - configure firefox to use the proxy that you want to use after the Tor
 network.
 
 - transparently route traffic into Tor (e.g. TransPort + iptables)
 - use Torbutton in Transparent Mode

Manually setting a proxy (firefox settings) while using Torbutton might
be a problem/no go.
I didn't try the mentioned setup.


[tor-talk] ControlPort read-only access?

2011-06-18 Thread tagnaq


I'd like to give guys access to their Tor instance so they can view what
their current used relays are at the moment (vidalia map), without
giving them the possibility to actually issue commands that modify any
settings.
Looking through the manpage of Tor, I didn't spot something to do this.
Is this possible?

thanks!


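One way to get the read-only access asked for above, as an added example that is not a Tor feature and not the Tor Project's code: a small local proxy sits between the untrusted controller (Vidalia's map view) and the real ControlPort, authenticates to Tor with the control cookie itself so the user never holds that credential, and forwards only commands that cannot change Tor's state. The command names and the 250/510 reply codes come from Tor's control protocol; the allowlist, the denied GETINFO prefixes, the listen port 9061 and the cookie path are my assumptions.

```python
"""Read-only filtering proxy in front of Tor's ControlPort (added example).

Not a Tor feature: the proxy authenticates to Tor on the user's behalf
and passes through only state-reading commands.  Allowlist, denied
GETINFO keys, ports and the cookie path are assumptions.
"""
import socket
import threading

READ_ONLY = {"PROTOCOLINFO", "GETINFO", "GETCONF", "SETEVENTS", "QUIT"}
# GETINFO keys that expose secrets or the whole configuration (assumed policy).
DENIED_GETINFO_PREFIXES = ("config-text", "config/", "onions/")
DENY_REPLY = b"510 Command not permitted by read-only filter\r\n"


def is_permitted(line: str) -> bool:
    """Decide whether one controller command line may be forwarded to Tor.

    A leading '+' marks a multi-line command (e.g. +LOADCONF), never
    read-only.  Anything off the allowlist (SETCONF, SIGNAL, ADD_ONION,
    ...) is refused; GETINFO is refused for keys under denied prefixes.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("+"):
        return False
    parts = stripped.split()
    cmd = parts[0].upper()
    if cmd not in READ_ONLY:
        return False
    if cmd == "GETINFO":
        return not any(k.lower().startswith(DENIED_GETINFO_PREFIXES) for k in parts[1:])
    return True


def authenticate_to_tor(tor: socket.socket, cookie_path: str) -> None:
    """Authenticate with Tor's control cookie on the proxy's behalf."""
    with open(cookie_path, "rb") as f:
        cookie_hex = f.read().hex()
    tor.sendall(f"AUTHENTICATE {cookie_hex}\r\n".encode("ascii"))
    reply = tor.recv(1024)
    if not reply.startswith(b"250"):
        raise RuntimeError(f"Tor refused authentication: {reply!r}")


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy Tor's replies and asynchronous events to the client unchanged."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass   # either side closed; the client loop tears the pair down


def serve_client(client: socket.socket, tor_addr=("127.0.0.1", 9051),
                 cookie_path="/var/run/tor/control.authcookie") -> None:
    tor = socket.create_connection(tor_addr)
    authenticate_to_tor(tor, cookie_path)   # before the pump starts, so this reply stays local
    threading.Thread(target=_pump, args=(tor, client), daemon=True).start()
    buf = b""
    with client, tor:
        while True:
            chunk = client.recv(4096)
            if not chunk:
                break
            buf += chunk
            while b"\r\n" in buf:
                raw, buf = buf.split(b"\r\n", 1)
                line = raw.decode("ascii", "replace")
                if line.strip().upper().startswith("AUTHENTICATE"):
                    client.sendall(b"250 OK\r\n")   # accept locally; real auth already happened
                elif is_permitted(line):
                    tor.sendall(raw + b"\r\n")
                else:
                    client.sendall(DENY_REPLY)


def main(listen=("127.0.0.1", 9061)) -> None:
    srv = socket.create_server(listen)
    while True:
        conn, _ = srv.accept()
        threading.Thread(target=serve_client, args=(conn,), daemon=True).start()


if __name__ == "__main__":
    main()
```

Point the controller at 127.0.0.1:9061 instead of 9051. The filter only helps if the real ControlPort is unreachable for those users (bind it to a ControlSocket or firewall it so only the proxy's account can connect); otherwise they simply bypass it. Note that "read-only" is not "harmless": GETINFO and the SETEVENTS stream reveal guard identities and stream destinations, which here is the intended purpose.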


Re: [tor-talk] ControlPort read-only access?

2011-06-18 Thread tagnaq

Damian Johnson wrote:
 Jake suggested adding this feature around a year back

Is there a trac ticket for this feature request?


Re: [tor-talk] Does my ISP know I'm using Tor?

2011-06-15 Thread tagnaq

 Does my ISP know I'm using Tor?
 
 Very short answer: Yes.
 
 If your ISP would check, they would know, unless you're using
 bridges.
 
 The more technical explanation is this: Unless you're using bridges,
 you are connecting to a server from a publicly available list. If you
 would like to check that one out, you could open 
 http://torstatus.blutmagie.de. Even if you are using bridges, it is
 technically possible, albeit rather hard (you need DPI for that one,
 probably), to determine that someone is using Tor.

If you are unlucky and your ISP actually cares, they probably do it the
Chinese way: fetch as many bridges as possible to detect as many bridge
users as they can.

 Does my ISP know what information I'm looking at while using Tor?
 Let's say I use DuckDuckGo to search for suppliers of Silly String.
 I click on a link in the search results that takes me to
 SillyStringSupplier.com
 
 Does my ISP know what I was looking for and where I went?
 
 
 No. That's what Tor is good for - your ISP knows _only_ that you are 
 connecting to a Tor node to do an encrypted transmission. It doesn't 
 know where you're connecting to and also can't read the content of
 the communication.

I think 'No.' is quite a strong wording here because it seems to imply
certainty. I'd like to add some uncertainty to it to raise awareness.
Awareness should help avoid dangerous situations or at least
detect/recognize them.
If you are unlucky and using an exit relay run by your ISP, this would
mean your ISP is in the position of seeing some of your traffic (by
correlation of input+output).
'some' because you won't use the same exit all the time.
How much 'some' actually is, is influenced by the bandwidth (and other
facts) of the ISP exit (if there is one).

Tor does not aim to protect against such a powerful adversary.
https://trac.torproject.org/projects/tor/wiki/doc/TorFAQ#Whatattacksremainagainstonionrouting



--
52ecf9e2190d42846510587a1543883ab6aa5fbb1e44155263ab1536730b589e



Re: [tor-talk] Torbutton: 'Disable Updates During Tor' - Option

2011-06-13 Thread tagnaq

Just adding this from the Design Document


Disable Updates During Tor

Option: extensions.torbutton.no_updates

This setting causes Torbutton to disable the four Firefox update
settings during Tor usage: extensions.update.enabled,
app.update.enabled, app.update.auto, and browser.search.update. These
prevent the browser from updating extensions, checking for Firefox
upgrades, and checking for search plugin updates while Tor is enabled.

This setting satisfies the Update Safety requirement.

https://www.torproject.org/torbutton/en/design/index.html.en#id2663430


The Update Safety requirement is:

The browser SHOULD NOT perform unauthenticated updates or upgrades via Tor.

https://www.torproject.org/torbutton/en/design/index.html.en#updates



Re: [tor-talk] browser bundles

2011-06-11 Thread tagnaq

On 06/11/2011 08:39 PM, Cristobal G wrote:
 HI All,
 
 I have downloaded tor browser bundles with firefox 4 and with an older
 firefox.  They both
 seem to work well.  A few questions I have are:
 Is there an advantage to one or the other?  

Firefox 4 supports HTML5 and this means you can watch certain videos
even if you do not use flash ...for example on youtube. Currently you
have to opt-in for HTML5 videos but I think the developers (of TBB) are
working on settings to opt-in by default (seen in ticket on
trac.torproject.org).


 The other question:  the page says it comes with Polipo, but I see no
 evidence of Polipo
 in either bundle (in the script, in the processes or the files included).
 Is there an
 advantage to using Polipo or Privoxy with the Tor bundles?  I've seen a lot
 of discussion
 about the browser fingerprint or user-agent string.  I would imagine
 that one of these
 proxies would provide a good way to mask this info, but maybe the tor bundle
 does this in
 a different way now.

Proxies such as polipo and privoxy were only a temporary workaround for
a firefox bug (hardcoded SOCKS timeout). The goal was to get rid of
these proxies.
TBB takes care of application-level privacy leaks such as User-Agent
Header and many other things.


Re: [tor-talk] Firefox-update in Tor Browser Bundle?

2011-06-10 Thread tagnaq

On 06/10/2011 04:13 PM, Max Hiehle wrote:
 Hello to all,
 
 Since a few days I use the Tor Browser Bundle and I like it. (Some time
 ago I had the Tor proxy installed in Firefox; that did not work, so I am
 glad to have the bundle ).
 Now Firefox comes with the announcement / advice to download and install
 with an upgrade to version 4.
  Is it possible to upgrade? What to do in this case?

There are Tor Browser Bundles containing Firefox 4

https://blog.torproject.org/blog/new-tor-browser-bundles-1


Re: [tor-talk] Directly vs. bridges

2011-06-09 Thread tagnaq

On 06/09/2011 03:25 PM, kamyar fils wrote:
 what's difference between these two:  directly connecting TOR users   and
  TOR users via bridges   ?


Bridge relays (or bridges for short) are Tor relays that aren't listed
in the main Tor directory. Since there is no complete public list of
them, even if your ISP is filtering connections to all the known Tor
relays, they probably won't be able to block all the bridges. If you
suspect your access to the Tor network is being blocked, you may want to
use the bridge feature of Tor.


https://www.torproject.org/docs/bridges.html.en

 how can i find out which method i connect to TOR?

If you use Vidalia the screenshots on the mentioned page will help you
determine if you use bridges, but in general: If you didn't explicitly
choose to use a bridge you connect to Tor directly.



Re: [tor-talk] Tor 0.2.2.28-beta is out

2011-06-09 Thread tagnaq

On 06/07/2011 05:08 PM, tagnaq wrote:
 Hi,
 0.2.2.28 is already in the repo [1] but I couldn't find the tar.gz.
 Was it removed from [2] or was it not yet there?
 thanks!
 
 [1]
 http://deb.torproject.org/torproject.org/pool/main/t/tor/
 
 [2]
 https://www.torproject.org/dist/
 https://www.torproject.org/download/download.html.en#source

Thanks, fixed now.
https://www.torproject.org/dist/tor-0.2.2.28-beta.tar.gz


Re: [tor-talk] Tor 0.2.2.28-beta is out

2011-06-07 Thread tagnaq

Hi,
0.2.2.28 is already in the repo [1] but I couldn't find the tar.gz.
Was it removed from [2] or was it not yet there?
thanks!

[1]
http://deb.torproject.org/torproject.org/pool/main/t/tor/

[2]
https://www.torproject.org/dist/
https://www.torproject.org/download/download.html.en#source




Re: [tor-talk] How evil is TLS cert collection?

2011-06-04 Thread tagnaq

On 06/04/2011 12:52 PM, Robert Ransom wrote:
 My understanding was that EFF would query DNS for a hostname, and if
 the hostname does not exist, assume that it's private.  (This should
 scare you even more.)

Well, if the EFF is able to ask the DNS regarding the hostname then the
submission to the EFF took already place :)


Re: [tor-talk] How evil is TLS cert collection?

2011-06-04 Thread tagnaq

On 06/04/2011 09:56 PM, Mike Perry wrote:
 Thus spake Robert Ransom (rransom.8...@gmail.com):
 
 On Sat, 4 Jun 2011 12:09:52 -0700
 Mike Perry mikepe...@fscked.org wrote:

 Thus spake Robert Ransom (rransom.8...@gmail.com):

 My understanding was that EFF would query DNS for a hostname, and if
 the hostname does not exist, assume that it's private.  (This should
 scare you even more.)

 EFF only needs to do this query if the browser could not (because it
 was using an HTTP proxy without a SOCKS proxy). Does this scare you
 less or more? I'm getting confused by the reactions in this thread.

 If EFF needs to perform a DNS query on each hostname it receives a
 certificate for, EFF will leak information to an attacker watching its
 servers.  If EFF tries to not log hostnames which do not exist, EFF
 will leak a user's request time *every time* that it receives a
 certificate associated with a non-existent hostname.
 
 I think you missed the first half of my email where I explicitly said
 EFF shouldn't need to do this under normal circumstances. It only
 needs to do this when the browser fails to do so itself. Do you expect
 this to be common?
 
 The observatory itself could also be running a tor client for these
 resolutions, just in case they do end up being common.
 
 
 P.S. When the browser does attempt to do these resolutions, should
 they be done via Tor or via whatever local resolver/proxy was used to
 access the domain? Doing it via Tor exposes potentially private names
 to exits

Yes, instead of asking the EFF to resolve a hostname an internal client
could just use Tor to get an outside view regarding a hostname.
This way hostnames don't have to go through a central point (EFF) for
the 'is this hostname private?' - check.


Re: [tor-talk] SMTP POP3 Email over Tor.. Anonymity breaking?

2011-06-03 Thread tagnaq

On 06/03/2011 03:03 PM, Anon Mus wrote:
 Great thats just what I wanted.

Also if these few settings seem to be what you wanted, please keep in
mind that they cover only the most obvious information leaks and there
might be a lot of other vectors that can be used to reduce your
anonymity set - after all it is experimental.


Re: [tor-talk] How evil is TLS cert collection?

2011-06-03 Thread tagnaq

On 03/21/2011 01:58 AM, Mike Perry wrote:
 I've spent some time working with the EFF recently to build a
 distributed version of the SSL Observatory
 (https://www.eff.org/observatory) to be included with HTTPS
 Everywhere. The draft API and design sketch is here:
 https://trac.torproject.org/projects/tor/wiki/HTTPSEverywhere/SSLObservatorySubmission
 
 The brief summary is that it will be submitting rare TLS certificates
 through Tor to EFF for analysis and storage. We will also leverage the
 database of certificates to provide notification in the event of
 targeted MITM attacks**.
 
 I am trying to decide if this is a bad thing to enable by default for
 users.
 
 On the one hand, we have taken a lot of precautions to ensure that the
 EFF is given the minimal amount of useful information, and retains
 even less (such as no high-resolution timing information). The EFF is
 extremely trustworthy, and has an army of lawyers on-hand to defend
 against subpoenas or legal requests for excessive data retention.
 
 Furthermore, the OCSP revocation servers have just as much or more
 information, and who knows what they do with this same information.
 In all likelihood, they probably sell it to netcraft and whoever else.
 It is valuable.
 
 On the other hand, the EFF intends to publish as much of the
 information gathered with this system as it can for analysis by the
 wider Internet community. This will likely include raw SQL dumps of
 the resulting certificate database.
 
 
 So, the question for the bikeshed discussion then is what should the
 default state of this collection be? Our thought is to provide
 HTTPS-Everywhere users with this dialog on first-run
 https://trac.torproject.org/projects/tor/wiki/HTTPSEverywhere/SSLObservatorySubmission#ClientUIandconfigurationVariables
 
 However, I'm not sure that this is going to work for Tor Browser
 Bundle users (which ships with HTTPS Everywhere) who may have the TBB
 on readonly USB keys or live cds.  They may end up being asked each
 time they start.
 
 Is this a decent compromise? The other option is to not even bother to
 ask users who have a working tor installed, on the assumption that
 since we can submit certs through tor, it is always safe to do so. We
 may end up doing this instead of always asking them. Is this wrong? If
 so, why?

Someone running this (SSLObservatorySubmission) in a non-public network
(i.e. an internal corporate network) with Internet access will probably
disclose internal hostnames including IP addresses, if that is the case
I would identify this as an issue. What do you think about it?


btw: sorry for my late reply to this topic, but it was still 'unread'
till now on my side.


Re: [tor-talk] Securing a Relay - chroot

2011-05-27 Thread tagnaq

On 05/27/2011 03:44 PM, cac...@quantum-sci.com wrote:
 On Thursday 26 May, 2011 06:44:19 cac...@quantum-sci.com wrote:
 On Thursday 26 May, 2011 05:37:06 Eugen Leitl wrote:
 Why don't you like Linux vserver? My relay did some 350
 GByte/day, in a vserver guest on a low-end Atom box.
 
 It must necessarily share the network setup with the host, and so
 the LAN class C since I can't set up the router downstream with
 multiple IPs.  Not secure.  Also it would have the same firewall
 settings, and that is not acceptable either.
 
 So nobody's actually thought about security for a relay and the need
 for a relay to be in the same class C as the LAN in order to access
 the router?  What can be done?

You do not mention the threats you worry about and assets you care about
(threat model + security requirements).

In [1] you mentioned "can monitor traffic" and Marsh gave you already
hints how to address this (VLAN, virtual host only networks) [2].

[1] https://lists.torproject.org/pipermail/tor-talk/2011-May/020441.html
[2] https://lists.torproject.org/pipermail/tor-talk/2011-May/020442.html

If you want specific answers you should pose specific questions.
"security for a relay" is quite general.


[tor-talk] drop all vulnerable relays from the consensus

2011-05-15 Thread tagnaq

Hi,

"If someone publishes or demonstrates a code-exec exploit [...] we
should drop all vulnerable relays from the consensus" [1]

- Does Tor provide Authority Directories with an easy way to reject/drop
relays from the consensus based on the platform string or is this only
possible based on FP or IP?

- How will Directory Authorities determine if a relay is vulnerable?
(inspecting the platform string only)?

thanks,
tagnaq


[1] #2751


CVE-2011-0427
CVE-2010-1676
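The second question above (determining vulnerability from the platform string) worked through as an added example, in Python, not Tor directory-authority code: it parses the `platform` line of server descriptors, compares the reported version against a per-series "first fixed release" table, and emits `!reject <fingerprint>` lines, since fingerprints are the mechanism the post names. The threshold versions in `FIRST_FIXED` are assumed example values for the CVEs listed in the post and must be verified against the Tor release notes; the `!reject` syntax of the `approved-routers` file is given as I understand it; the three descriptors are constructed, not real relays.

```python
"""Flag relays whose platform line reports a Tor version below a fix threshold.

Added example, not a Tor feature.  Parses `platform Tor <version> ...`
lines from server descriptors and compares against FIRST_FIXED.  The
table holds ASSUMED example values: check them against the release notes.
"""
import re
from typing import Dict, List, Optional, Tuple

# release series -> first version carrying the fix (ASSUMED example values)
FIRST_FIXED: Dict[str, str] = {
    "0.2.1": "0.2.1.29",
    "0.2.2": "0.2.2.21",
}

PLATFORM_RE = re.compile(r"^platform Tor (\d+\.\d+\.\d+\.\d+)(?:-[\w.]+)?(?: .*)?$", re.M)
FINGERPRINT_RE = re.compile(r"^fingerprint ((?:[0-9A-F]{4} ?){10})$", re.M)
NICK_RE = re.compile(r"^router (\S+) ", re.M)


def parse_version(v: str) -> Tuple[int, ...]:
    """'0.2.1.28' -> (0, 2, 1, 28); status tags like '-alpha' are stripped by the regex."""
    return tuple(int(x) for x in v.split("."))[:4]


def is_vulnerable(version: str, first_fixed: Dict[str, str] = FIRST_FIXED) -> Optional[bool]:
    """True if the version is in a known series and older than its fix.

    Series not in the table (e.g. an end-of-life 0.2.0.x) yield None so a
    human decides, instead of silently passing or failing them.
    """
    series = ".".join(version.split(".")[:3])
    if series not in first_fixed:
        return None
    return parse_version(version) < parse_version(first_fixed[series])


def scan_descriptors(text: str) -> List[dict]:
    """Split a descriptor dump on 'router ' lines and report each relay's status."""
    results = []
    for block in re.split(r"(?m)^(?=router )", text):
        if not block.startswith("router "):
            continue
        m_plat = PLATFORM_RE.search(block)
        m_fp = FINGERPRINT_RE.search(block)
        m_nick = NICK_RE.search(block)
        version = m_plat.group(1) if m_plat else None
        results.append({
            "nickname": m_nick.group(1) if m_nick else None,
            "fingerprint": m_fp.group(1).replace(" ", "") if m_fp else None,
            "version": version,
            "vulnerable": is_vulnerable(version) if version else None,
        })
    return results


def reject_lines(results: List[dict]) -> List[str]:
    """'!reject <fp>' lines (approved-routers syntax, as I understand it) for flagged relays."""
    return [f"!reject {r['fingerprint']}" for r in results if r["vulnerable"] and r["fingerprint"]]


# Constructed sample: three trimmed descriptors, not real relays.
SAMPLE = """\
router alpha 192.0.2.10 9001 0 9030
platform Tor 0.2.1.28 (git-0a3a8ef5b1aa2a3b) on Linux x86_64
fingerprint 0000 1111 2222 3333 4444 5555 6666 7777 8888 9999
router bravo 192.0.2.11 9001 0 0
platform Tor 0.2.2.24-alpha (git-0d5b2c2b2f5d6f9a) on FreeBSD amd64
fingerprint AAAA BBBB CCCC DDDD EEEE FFFF 0000 1111 2222 3333
router charlie 192.0.2.12 443 0 80
platform Tor 0.2.0.35 on Windows
fingerprint 1234 5678 9ABC DEF0 1234 5678 9ABC DEF0 1234 5678
"""

if __name__ == "__main__":
    for r in scan_descriptors(SAMPLE):
        print(r)
    print("\n".join(reject_lines(scan_descriptors(SAMPLE))))
```

The caveat that matters for the post's second question: the platform line is self-reported by the relay, so this only catches operators who are honest but behind on updates; a deliberately malicious relay can claim any version, and a relay that has not republished its descriptor since upgrading will still look old.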


Re: [tor-talk] Hidden Services using same onion address?

2011-05-05 Thread tagnaq
On 05/05/2011 01:08 PM, Anon Mus wrote:
 Hi,
 
 What happens if 2 Tor systems supported different Hidden Services using
 same abc.onion address?
 
 Is this possible?
 
 1. If not possible, will they clash or will just one be refused?
 2. If is possible, could that also be used to support the same hidden
 service (essentially location fragmentation of the hidden service) from
 different machines?
 
 (Could this be used to launch a pseudo DOS/hijack attack on existing
 hidden services, after they've been down, say, for a minute or 2?)
 
 Thanks,
 
 Jo

You might be interested in this thread:
https://lists.torproject.org/pipermail/tor-relays/2011-April/000736.html



[tor-talk] fetching all server descriptors

2011-04-29 Thread tagnaq

Hi,

if I understand it correctly metrics-db does not fetch all
descriptors[1] so the server-descriptor archives on metrics[2] does not
contain all descriptors.
If my assumption is correct:
Are there also archives that contain all descriptors? (referenced +
unreferenced)
Does the directory-archive script[3] archive/fetch all descriptors?

thanks,
tagnaq

[1] karsten wrote:
metrics-db fails to download non-referenced descriptors
https://trac.torproject.org/projects/tor/ticket/3022#comment:9

[2] https://metrics.torproject.org/data.html
[3] https://metrics.torproject.org/tools.html#dirarch
https://gitweb.torproject.org/tor.git/tree/HEAD:/contrib/directory-archive


Re: [tor-talk] Better Privacy for Tor Node Operators

2011-04-25 Thread tagnaq
On 04/25/2011 02:50 AM, cmeclax-sazri wrote:
 The obvious way Alice can fix that is to set up the example.com account with 
 Tor. Then example.com will see Alice coming from an exit node and will have 
 no idea where Alice really is.

The question was not "How do you fix this specific example".
One should see it at a higher level I used the example only to explain
what I meant.

I don't think that the Tor Project expects that every Tor node operator
routes his entire traffic through Tor to avoid this issue (this is not
even recommended or possible).

The question was:

 How would one implement such a feature if Alice was not running
 a Tor node at her IP?

because if you can implement this same feature if Alice was not
running a Tor node at her IP, then this is not an issue Tor has to worry
about.



btw:
If Alice is unlucky and has a unique (or near unique) screen resolution
in her ISP's network (AS), then you might fingerprint Alice also if she is
not running a Tor node at her IP address (fingerprinting based on a
combination of her screen resolution[1], installed fonts[2], STS
State[3], time[4], ISP/AS).

[1] https://trac.torproject.org/projects/tor/ticket/2875
[2] https://trac.torproject.org/projects/tor/ticket/2872
[3] https://trac.torproject.org/projects/tor/ticket/2877
[4] https://trac.torproject.org/projects/tor/ticket/1517
...but Torbutton/TorBrowser will probably fix all these issues in the
future.


Re: [tor-talk] Torbutton: Resize windows to multiples of 50px during Tor usage

2011-04-17 Thread tagnaq
 I run the test on http://ip-check.info with Torbutton 1.2.5 and the
 latest Tor Browser Bundle (Torbutton 1.3.2-alpha).
 The results in both cases show that the window resolution is not set to
 multiples of 50px.

Compared to a bunch of other websites [1] that do similar checks,
ip-check.info seems to be the only one detecting the real screen/window
resolution. I guess [1] use JavaScript to get screen/window size and
ip-check.info doesn't.


[1]
https://panopticlick.eff.org
http://browserspy.dk/window.php
http://ha.ckers.org/mr-t/
http://mybrowserinfo.com
http://whoer.net/extended


[tor-talk] Torbutton: Resize windows to multiples of 50px during Tor usage

2011-04-16 Thread tagnaq
Hi,

I run the test on http://ip-check.info with Torbutton 1.2.5 and the
latest Tor Browser Bundle [1] (Torbutton 1.3.2-alpha).
The results in both cases show that the window resolution is not set to
multiples of 50px.
Resize windows to multiples of 50px during Tor usage was enabled in
both cases.
I verified the window size - the test result page shows correct values.
Can someone confirm this?

thanks,
tagnaq

[1] https://blog.torproject.org/blog/lots-new-tor-and-vidalia-packages


[tor-talk] announcing releases

2011-04-13 Thread tagnaq
Hi,

just noticed (via [1], later via [2]) that 0.2.2.24-alpha was released.

I would find it valuable if releases would be announced on the same day
as they are available for download.

[1] https://twitter.com/rmack/status/58134044151525376
https://blog.torproject.org/blog/lots-new-tor-and-vidalia-packages
[2] https://twitter.com/torproject/status/58142693624258560

best regards,
tagnaq



Re: [tor-talk] Torbutton 1.3.2-alpha released

2011-04-09 Thread tagnaq
On 03/21/2011 12:03 PM, Mike Perry wrote:
 Torbutton 1.3.2-alpha has been released at:
 https://www.torproject.org/torbutton/releases/torbutton-1.3.2-alpha.xpi
 
 This release features several fixes for some annoying Firefox 4
 exceptions and popup issues, as well as a score of other bugfixes.
 
 I am hoping that this will be the last release before 1.4.0, so please
 report any issues you notice on our bugtracker:
 https://trac.torproject.org/projects/tor/report/14

https://trac.torproject.org/projects/tor/ticket/2881

Mike, thanks for your continued work on Torbutton!

regards,
tagnaq


Re: [tor-talk] list archive files gziped twice?

2011-04-09 Thread tagnaq
On 04/08/2011 05:07 PM, Andrew Lewman wrote:
 I don't see this behavior. Are you sure your browser didn't rename the
 file or try to do something to it?

Indeed, downloading the file with firefox results in a different output
file when compared to the wget output file:

md5sum */*
5987e124389cc1cc156663f41d54d3cd  ff/2011-March.txt.gz
2598b636064e3884893a93268eb1fbdb  wget/2011-March.txt.gz
(reproducible not only on my host)

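A direct way to test the "gzipped twice?" hypothesis from the exchange above, as an added example that is not from the thread: instead of comparing md5sums of two downloads, count how many gzip layers a file actually has. A browser that applies `Content-Encoding: gzip` decoding to a file that is itself a .gz archive ends up with a once-decompressed copy, while wget stores the bytes as served; the layer count says which copy you are holding. The sample data is constructed, not the list archive itself.

```python
"""Count nested gzip layers in a file (added example, not from the thread)."""
import gzip

GZIP_MAGIC = b"\x1f\x8b"


def gzip_layers(data: bytes, limit: int = 8) -> int:
    """Return how many times `data` can be gunzipped before it stops looking like gzip.

    `limit` guards against pathological inputs; a truncated or corrupt
    member stops the count at the last layer that decoded cleanly.
    """
    layers = 0
    while data.startswith(GZIP_MAGIC) and layers < limit:
        try:
            data = gzip.decompress(data)
        except (OSError, EOFError):   # gzip.BadGzipFile is an OSError subclass
            break
        layers += 1
    return layers


def describe(path: str) -> str:
    """Human-readable verdict for a file on disk."""
    with open(path, "rb") as f:
        n = gzip_layers(f.read())
    return {0: "not gzip", 1: "gzip (single layer)"}.get(n, f"gzip nested {n} times")


# Constructed sample, not the real 2011-March.txt.gz.
SAMPLE_ONCE = gzip.compress(b"From tagnaq at example.invalid  Tue Mar  1 00:00:00 2011\n")
SAMPLE_TWICE = gzip.compress(SAMPLE_ONCE)

if __name__ == "__main__":
    print(gzip_layers(SAMPLE_ONCE), gzip_layers(SAMPLE_TWICE))
```

Run `describe()` on both the Firefox and the wget copy: if one reports two layers and the other one, the server is serving an already-gzipped file with a gzip Content-Encoding on top, and the two clients simply disagree on whether to strip the transfer encoding.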


Re: [tor-talk] Arm Release 1.4.2

2011-04-07 Thread tagnaq
arm version 1.4.2.2 (released April 6, 2011)

typo in the manpage:
-v, --verion
  provides version information




Re: [tor-talk] Is tor-announce still being used?

2011-02-28 Thread tagnaq
On 03/01/2011 05:04 AM, Andrew Lewman wrote:
 On Mon, Feb 28, 2011 at 04:07:07PM -0500, and...@torproject.org wrote 0.6K 
 bytes in 17 lines about:
 : Yes, it's still being used and I just received the seul.org archives
 : today.  I'm going to import them in the next few days for all migrated
 : lists.
 
 And archives are imported.


Updating or resubscribing the mailing list to gmane may be a good idea?

http://dir.gmane.org/gmane.network.onion-routing.general