[tor-talk] Why do you hide the fact that "Ex-CIA in Tor" from all of Tor users?

2016-06-27 Thread Unknown
trac.torproject.org/projects/tor/ticket/19513

I'm fine with whoever joins the Tor Project.
The difference in the code is reviewable by the community using a diff tool.

I'm disappointed by the fact that you, Tor Project, hide this truth without
sharing it with the Tor users.



-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] OK to disable TorLauncher addon in TBB in Transparent Torification Setup?

2014-05-26 Thread unknown
On Sun, 25 May 2014 18:49:14 +
Nusenu  wrote:

> Hello,
> 
> I'm running Torbrowser on a system that is transparently routed through
> Tor. Is it OK to disable the TorLauncher Addon within Torbrowser in such
> a setup or has that any negative consequences?
> 
> Is it ok to start TBB via directly executing
> tor-browser_en-US/Browser/firefox instead of using the default
> start-tor-browser script?

I'm running TorBrowser directly from the script, but completely remove
tor-browser_en-US/Data/Browser/profile.default/extensions/tor-lanunc...@torproject.org.xpi

Instead of using the New Identity option, I close TorBrowser, rebuild the
Tor circuits from tor-arm and restart TBB in a clean state.

I use about:config to remove annoying autocheck updates:

extensions.torbutton.test_url about:blank
extensions.torbutton.versioncheck_url about:blank

I use https://check.torproject.org/RecommendedTBBversions
manually.

Theoretically, some evil scripts can read this non-standard configuration
and profile me :)


Re: [tor-talk] The heartbleed bug, hidden service private_key leakages and IP revealing

2014-04-12 Thread unknown
First, a local interceptor can extract the private authentication key
from a heartbleeded guard, then emulate a connection to the IP of this
guard (a substituted, fake MiTM-ed version of the guard) for the targeted users.

Something like this can be done in any part of the Tor network for
MiTMing and stripping connections between heartbleeded Tor nodes, to
extract some information about routed circuits.


On Fri, 11 Apr 2014 18:28:36 -0400
Roger Dingledine  wrote:


> For example, I think the SSL spec says that you shouldn't be able to ask
> for a heartbeat until the SSL handshake is finished, but I think OpenSSL
> lets you ask for a heartbeat during the SSL handshake. If so, that means
> any local network mitm attacker, not just your entry guard, can intercept
> your outgoing TCP connection and ask you for some heartbeats.
> 
> --Roger


Re: [tor-talk] TBB 3.5.3 signatures messing

2014-03-22 Thread unknown
Thank you for closing the problem in:
https://trac.torproject.org/projects/tor/ticket/11256



[tor-talk] TBB 3.5.3 signatures messing

2014-03-20 Thread unknown
I download the files:

https://www.torproject.org/dist/torbrowser/3.5.3/sha256sums.txt
https://www.torproject.org/dist/torbrowser/3.5.3/sha256sums.txt-mikeperry.asc
https://www.torproject.org/dist/torbrowser/3.5.3/tor-browser-linux64-3.5.3_en-US.tar.xz.asc
https://www.torproject.org/dist/torbrowser/3.5.3/tor-browser-linux64-3.5.3_en-US.tar.xz

Previous version files are missing:

sha256sums.txt-erinn.asc
sha256sums.txt-linus.asc


I run the script:


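#!/bin/bash

# Start file.txt with one blank line (this truncates any previous run).
echo > file.txt

# Record the files whose SHA-256 checksum matches.
sha256sum -c sha256sums.txt 2>&1 | grep OK >> file.txt

echo >> file.txt

# Verify every detached signature over sha256sums.txt.
for a in sha256*.asc ; do
 gpg --verify "$a" sha256sums.txt >> file.txt 2>&1
 echo >> file.txt
done

echo >> file.txt

# Verify the detached signature of the tarball itself.
gpg --verify tor-browser-linux64*.asc >> file.txt 2>&1

echo >> file.txt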

Running less file.txt I can see a signatures mess:

gpg: Signature made Wed 19 Mar 2014 09:25:30 PM MSK using RSA key ID 63FEE659
gpg: Good signature from "Erinn Clark "
gpg: aka "Erinn Clark "
gpg: aka "Erinn Clark "
gpg: WARNING: This key is not certified with a trusted signature!
gpg:  There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8738 A680 B84B 3031 A630  F2DB 416F 0610 63FE E659


gpg: Signature made Wed 19 Mar 2014 09:26:01 PM MSK using RSA key ID 63FEE659
gpg: Good signature from "Erinn Clark "
gpg: aka "Erinn Clark "
gpg: aka "Erinn Clark "
gpg: WARNING: This key is not certified with a trusted signature!
gpg:  There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8738 A680 B84B 3031 A630  F2DB 416F 0610 63FE E659

I check "mikeperry" signature manually:

gpg --verify sha256sums.txt-mikeperry.asc sha256sums.txt

gpg: Signature made Wed 19 Mar 2014 09:25:30 PM MSK using RSA key ID 63FEE659
gpg: Good signature from "Erinn Clark "
gpg: aka "Erinn Clark "
gpg: aka "Erinn Clark "
gpg: WARNING: This key is not certified with a trusted signature!
gpg:  There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8738 A680 B84B 3031 A630  F2DB 416F 0610 63FE E659

Why is Mike Perry's signature displayed as Erinn's?
Where are the other signatures?
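An added example (not code from the post above or from the Tor Project) of the check this post's question calls for: read the signer's full fingerprint from gpg's machine-readable status output and compare it with a fingerprint pinned for the name in the signature's file name. The `mikeperry` pin is a placeholder, the sample status lines are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# "Good signature" only means that some key in the keyring verified the data;
# gpg never checks the NAME in sha256sums.txt-NAME.asc against the signer.

# Pinned primary-key fingerprints, one "name fingerprint" pair per line.
# erinn: the fingerprint printed in the post above.
# mikeperry: placeholder; replace with a fingerprint obtained out of band.
PINS='erinn 8738A680B84B3031A630F2DB416F061063FEE659
mikeperry REPLACE_WITH_PINNED_FINGERPRINT'

# Constructed sample of `gpg --status-fd 1 --verify` output for the case in
# the post (signature made by key 63FEE659); not captured from a real run.
SAMPLE_STATUS='[GNUPG:] GOODSIG 416F061063FEE659 Erinn Clark
[GNUPG:] VALIDSIG 8738A680B84B3031A630F2DB416F061063FEE659 2014-03-19 1395249930 0 4 0 1 2 00 8738A680B84B3031A630F2DB416F061063FEE659
[GNUPG:] TRUST_UNDEFINED'

# Read status lines on stdin, print the primary-key fingerprint (last field
# of VALIDSIG) of the first signature that was also reported as GOODSIG.
# Expired or revoked keys do not produce GOODSIG, so they yield no output.
signer_fpr() {
    awk '$1 != "[GNUPG:]"         { next }
         $2 == "GOODSIG"          { good = 1 }
         $2 == "VALIDSIG" && good { print $NF; exit }'
}

# sha256sums.txt-mikeperry.asc -> mikeperry
sig_name() {
    _b=${1##*/}
    _b=${_b%.asc}
    printf '%s\n' "${_b##*-}"
}

# Print the pinned fingerprint for a name, or nothing if the name is unknown.
pinned_fpr() {
    printf '%s\n' "$PINS" | awk -v n="$1" '$1 == n { print $2; exit }'
}

# check_signer SIGFILE  (status lines on stdin)
# Returns 0 = signer matches the pin, 1 = mismatch,
#         2 = no good signature,      3 = no pin for that name.
check_signer() {
    _name=$(sig_name "$1")
    _want=$(pinned_fpr "$_name")
    _got=$(signer_fpr)
    [ -n "$_got" ]  || { echo "$1: no good signature"; return 2; }
    [ -n "$_want" ] || { echo "$1: no pinned key for '$_name'"; return 3; }
    if [ "$_got" = "$_want" ]; then
        echo "$1: signed by the key pinned for '$_name'"
        return 0
    fi
    echo "$1: MISMATCH, named '$_name' but signed by $_got"
    return 1
}

# verify_sig SIGFILE DATAFILE: run gpg and apply the pin check to its status.
verify_sig() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_signer "$1"
}

# Stand-alone use: sh this-script SIGFILE DATAFILE
if [ "$#" -ge 2 ]; then
    verify_sig "$1" "$2"
fi
```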


Re: [tor-talk] Using Tor Browser without Tor?

2014-02-07 Thread unknown
On Thu, 6 Feb 2014 02:00:02 -0500
Soul Plane  wrote:

> Is it ok to use the Tor Browser without Tor? I don't need Tor but I like
> the privacy features that the browser offers.

Yes you can. I use it that way for transparent torification in Linux,
manually restarting the browser and changing Tor circuits.

  1. Unpack TBB 3.5.X in a separate dir.
  2. Delete tor-launcher:
     ~/TorBrowser/tor-browser_en-US/Data/Browser/profile.default/extensions/tor-launcher@...
  3. Start Tor Browser, type about:config in the address bar, press Enter.
  4. Ignore the warning "This might void your warranty!",
     press the button "I'll be careful, I promise!"
  5. Enter in the search field: torproject
  6. Replace the fields:
     extensions.torbutton.test_url https://check.torproject.org/?TorButton=true
     extensions.torbutton.test_url_interactive https://check.torproject.org/?lang=__LANG__
     extensions.torbutton.versioncheck_url https://check.torproject.org/RecommendedTBBVersions

     with

     extensions.torbutton.test_url about:blank
     extensions.torbutton.test_url_interactive https://check.torproject.org/?lang=__LANG__
     extensions.torbutton.versioncheck_url about:blank

     Don't forget to check for new versions manually!

  7. Go to the Tor button (green onion icon). Select preferences, check:
     "Transparent Torification (Requires Custom Transproxy or Torrouter)"

For using Tor Browser without tor you don't need any of these
transparent helper tools.

Hope that helps!

I believe the developers keep this feature to make Tor Browser independent
of the inner tor and to make transparent torification through a system
Tor router easy.


> Recently I noticed that if the Tor Browser is used without Tor and is set
> to manual proxy, but there is no HTTP/HTTPS/SOCKS proxy, name lookups will
> fail. I filed it as a bug here:
> 
> DNS lookup fails without proxy (TorBrowser without tor)
> https://trac.torproject.org/projects/tor/ticket/10808
> 
> But it was closed as not a bug. If the Tor Browser is able to be used
> without Tor would you consider that a bug?


Re: [tor-talk] Tor mentioned on Canadian News Network (and in Russian too)

2013-12-01 Thread unknown
See a Russian prime-time "Central News" video;
in the middle of the recording there is a report
about Tor:
http://www.ntv.ru/peredacha/CT/m23400/o201340

Tor and Bitcoin are depicted in a highly dark and
criminal way, as means to organise networks for drug dealers,
illegal weapons, killers, etc.

No words about dissidents, leakers, whistleblowers, 
or privacy rights.

On Sat, 30 Nov 2013 21:58:02 -0500
Rick  wrote:

> Global National is a popular Canadian news channel based in Ottawa. On 
> the 29th they aired a two minute segment on Bitcoin in which Tor was 
> mentioned. They immediately tag Bitcoin with Silk Road and Black Market 
> Reloaded: "To reach it [the site] you need the software called Tor. To 
> buy something you can only use Bitcoin."
> 
> For those interested, the site is globalnews.ca. This piece seems to 
> have been an excerpt (promo) for a fifteen minute Bitcoin segment that 
> aired on their "16X9" program today. I haven't been able to get that 
> program yet.
> 
> The takeaway for the typical viewer is likely that Tor is an enabler for 
> the Dark Side.
> 
> "Darth Dingledine" would be a rather catchy moniker. :)
> 
> Rick


Re: [tor-talk] Basics of secure email platform

2013-11-02 Thread unknown
On Sat, 2 Nov 2013 13:50:18 +0100
 wrote:

>   1) Create a list of tor exit nodes that do not block port 25
>   2) Command the tor daemon to exit those nodes exclusively.

SSL-SMTP is configured to work over port 465 in most cases.



Re: [tor-talk] Web of Trust, gpg vs OTR - was: Re: New GPG key for Mike Perry

2013-09-28 Thread unknown
Using the "Web of Trust" you sacrifice your anonymity,
forward secrecy and deniability for the sake of privacy
in the sense of "security and integrity of a message context".

The graph of your contacts is disclosed,
timing information is leaked for traffic analysis, etc.

This is at cross purposes with the goals related to Tor ideology.

OTR and GPG (like Tor and any other similar tools)
sometimes refer to intersecting, sometimes to disjoint
ranges of usage.

On Sat, 28 Sep 2013 03:55:05 +
adrelanos  wrote:

> Mike Perry:
> > [...]
> > While I dislike the Web of Trust for a number of reasons*, 
> > [...]
> > * Ensuing flamewars about the Web of Trust should reply only to tor-talk.
> > [...]
> 
> I am not interested in a flamewars, just in hearing opinions.
> 
> What's the big deal with the Web of Trust?
> 
> It's a geeky thing, too difficult for non-computer freaks? That's what I
> would say.
> 

> I find the usability of OTR a lot better. Unfortunately, there is no
> easy solution to sign files or mails with OTR, it doesn't work well for
> software vendors.
> 
> Wondering, can we ever get a replacement for gpg which has same
> features, is at least as secure and better usability, while gpg is so
> established and conservative?


Re: [tor-talk] Tor browser can be fingerprinted

2013-09-14 Thread unknown
On Fri, 13 Sep 2013 14:06:45 -0700
Mike Perry  wrote:

> harmony:
> > Mike Perry:

> 
> Maybe. It depends on if you resizing the window is actually as "random"
> as you think it is. If you keep doing that, and you're one of the few
> people who does, you might stand out over time?  On the other hand, it
> seems like a tricky algorithm for an advertiser-class adversary to
> write, and for little economic gain since it is rare behavior.
> 
> However, if your adversary includes people with access to raw
> advertising logs, that may be a different matter. My guess is
> capital-t-They wouldn't bother with that vector though. Too expensive
> for too little information.

The "Transparent torification" option in TB comes with a disabled "New identity"
option.
New identity can be emulated manually by sending a signal to Tor and
restarting Tor Browser. Users with Tor routers and other
transparently torified setups form an anomalous set, fingerprintable
by random window size.


Re: [tor-talk] Post Quantum Cryptography

2013-08-22 Thread unknown
On Mon, 19 Aug 2013 12:55:13 -0700
Max  wrote:

> Hallo Tor-Devs,
> 
> considering that D-Wave now claims to have a programmable quantum
> computer, wouldn't it be nice for Tor to use post-quantum cyrptography?

Unfortunately, a lot of quantum "secure" cryptography has already been broken without
any quantum computations.
PQ-crypto is still a very experimental, not really understood and sometimes
ineffective area for research and implementation.


Re: [tor-talk] TBB signatures broken or missing

2013-06-27 Thread unknown
Thnx, now everything is OK



[tor-talk] TBB signatures broken or missing

2013-06-26 Thread unknown
At the time of writing:

https://www.torproject.org/dist/torbrowser/linux/tor-browser-gnu-linux-x86_64-2.3.25-9-dev-en-US.tar.gz

OpenPGP signature broken.

https://www.torproject.org/dist/torbrowser/linux/tor-browser-gnu-linux-x86_64-2.3.25-10-dev-en-US.tar.gz

OpenPGP signature missing.

Why were unsigned files uploaded to the server?




Re: [tor-talk] NSA supercomputer

2013-04-07 Thread unknown
On Sat, 6 Apr 2013 23:54:34 -0400
cmeclax  wrote:

 
> *The NSA runs a Tor relay called Eve. It's picked as the rendezvous point for 
> a hidden service. Can Eve read the plaintext?

No.
Encryption with an HS is end-to-end in any case.
Eve cannot reroute data to a fake HS without knowledge of the onion identity
private key.

An active (Mallory) attacker can drop or modulate a circuit's stream without
decrypting it.

A worse attack scenario: obtain a copy of the identity private keys of >50% of the
DA (Directory Authority) nodes
(undercover operations, installing bugs, TEMPEST, etc.),
fully emulate connections, with a fake consensus, to a
virtual Tor network through DPI at the ISP level,
and decrypt all the traffic on the fly.


Re: [tor-talk] Tor Browser Bundle .deb packaging solution

2013-01-31 Thread unknown
On Wed, 30 Jan 2013 11:58:01 -0800
Micah Lee  wrote:

> If you want more than one TBB at a time you won't be able to install
> them from the package manager anyway. This is true of all software. If
> you want to run more than one apache2 server at the same time, you'll
> need to do it manually.

Yes: for any system servers (one Tor server, system daemon).
No: for any client software (Torbrowser without the inner tor component, a
"disbundled" TBB).

You can add many users to your /home/user1, /home/user2, /home/userX, etc.
After upgrading with the package manager, the users' homedir settings
(program configs for chat, accounts in mail agents, etc.) remain individual
and different.

In my case every user (my anonymous profile)
has a personal X server (running in parallel) to be fully isolated
from the others, and is separated by the firewall so that individual
circuits are created through per-user ports of the system tor daemon.

Yes, there will be no more than one system tor daemon at the same time, like apache.
And there doesn't need to be.

This works for any client software, but TBB is tightly bundled in a not very
unix-friendly way, and the more restrictive and unconventional deb packaging makes
upgrades painful
for some slightly advanced use cases, compared with any other Linux client software.


Re: [tor-talk] Directory Server Decentralization

2013-01-30 Thread unknown
On Wed, 30 Jan 2013 15:49:54 -0400
Mike Perry  wrote:

> Longer term, I'm interested in having some form (or better: many forms)
> of multipath consensus validation:

Maybe this algorithm is relevant to independent control of consensus data:
https://en.wikipedia.org/wiki/Linked_timestamping

Any Tor node or some active users can do it potentially.


Re: [tor-talk] Directory Server Decentralization

2013-01-30 Thread unknown
On Wed, 30 Jan 2013 12:17:04 -0600
Raynardine  wrote:

> What happens if a government (such as the United States)
> demands the private keys for the Directory Authorities? Would you even
> know if it has already happened years ago?

So what? Anyone can run their own Tor node and look at the consensus: if a
sinister DA falsified that node's key (and signed it!), then that node can prove
that fact to everyone too.

And the archive of signed consensus data from all the years of Tor stats can be
downloaded from torproject.
Find one false key in this archive or in your local cache of Tor stats and
prove the node authentication forgery to everyone.

In the case of fully decentralised p2p networks, defining trust is harder.

Without centralised analysis of stats and authenticated broadcasting of the
consensus to users,
an evil government or ISP-like adversary can isolate your connections from "good"
nodes and
inject into your network connections
zillions of virtually nonexistent (DPI-emulated), fake, controlled bad
nodes with keys predefined by the adversary, rerouting your traffic, or that of
a group of people, to surveillance centres.

No need to steal any keys, just decrypt the traffic destined for you with fake
nodes on the fly. So good?

If a DA is down or compromised, then a new temporary DA can be started
on new addresses and placed in users' tor configs; then a new TBB version will
include them.




Re: [tor-talk] Tor Browser Bundle .deb packaging solution

2013-01-30 Thread unknown
On Wed, 30 Jan 2013 09:26:22 +0100
Jérémy Bobbio  wrote:


> > >> Releasing updated versions is simple. The update would include a new TBB
> > >> tarball and the launcher script would include a new version, so the next
> > >> time a user runs Tor Browser it will extract the new version in their
> > >> ~/.torbrowser dir.
> 
> If I understand correctly, old versions are not cleaned up. Not the
> nicest in the long run.
> 
> Also, this approach does not help users to keep their bookmarks or
> certficate database from one version to another. It means that a package
> upgrade will result in unexpected loss of bookmarks. Even if it's only
> from sight and the data are still there, I think it would result in a
> pretty bad user experience.
> 
> 

Just my personal example.

I use up to 6 anonymous installations of TBB on one Debian system.
They run in parallel, in X sessions run in parallel by different users,
and are pointed with iptables to different ports of one system Tor daemon for
complete circuit isolation.

I don't use the tor binaries from TBB and ignore most of the Vidalia options
(only "new identities" is used).
And only "transparent mode" in T-button is used. Discontinuing the separate Vidalia
affects me in some way.
Some of my TBB profiles don't pretend to be strongly anonymous and keep
a minimum of installed bookmarks and tuned plugins. The other ones are
completely wiped before being replaced.

A too simple "replace TBB in all homedirs" model completely breaks my ways of using
Tor in Debian.





Re: [tor-talk] Directory Server Decentralization

2013-01-30 Thread unknown
On Tue, 29 Jan 2013 19:49:23 -0600
Raynardine  wrote:

> I just wanted to ask here in Tor-Talk where the efforts to decentralize
> the Tor directory servers have gone so far?

One of the goals of centralizing is to protect Tor against attacks
based on desynchronising and dividing the stats for users.

Without a unified consensus from the DAs available to all users synchronously,
an adversary can effectively divide users into small anonymity sets.

IMHO that applies to some of your other proposals too.


Re: [tor-talk] First TBB-2013 signatures missed

2013-01-07 Thread unknown
OK, now all signatures are in place, thanks.


On Sun, 6 Jan 2013 13:30:56 +
unknown wrote:

> 
> https://www.torproject.org/dist/torbrowser/linux/
> 
> https://www.torproject.org/dist/torbrowser/linux/tor-browser-gnu-linux-i686-2.3.25-2-dev-en-US.tar.gz
> https://www.torproject.org/dist/torbrowser/linux/tor-browser-gnu-linux-i686-2.4.7-alpha-1-dev-en-US.tar.gz
> https://www.torproject.org/dist/torbrowser/linux/tor-browser-gnu-linux-x86_64-2.3.25-2-dev-en-US.tar.gz
> https://www.torproject.org/dist/torbrowser/linux/tor-obfsproxy-browser-gnu-linux-i686-2.4.7-alpha-1-dev-en-US.tar.gz
> https://www.torproject.org/dist/torbrowser/linux/tor-obfsproxy-browser-gnu-linux-x86_64-2.4.7-alpha-1-dev-en-US.tar.gz
> 
> And other languages versions. GnuPG signatures missing at present.
> 


[tor-talk] First TBB-2013 signatures missed

2013-01-06 Thread unknown

https://www.torproject.org/dist/torbrowser/linux/

https://www.torproject.org/dist/torbrowser/linux/tor-browser-gnu-linux-i686-2.3.25-2-dev-en-US.tar.gz
https://www.torproject.org/dist/torbrowser/linux/tor-browser-gnu-linux-i686-2.4.7-alpha-1-dev-en-US.tar.gz
https://www.torproject.org/dist/torbrowser/linux/tor-browser-gnu-linux-x86_64-2.3.25-2-dev-en-US.tar.gz
https://www.torproject.org/dist/torbrowser/linux/tor-obfsproxy-browser-gnu-linux-i686-2.4.7-alpha-1-dev-en-US.tar.gz
https://www.torproject.org/dist/torbrowser/linux/tor-obfsproxy-browser-gnu-linux-x86_64-2.4.7-alpha-1-dev-en-US.tar.gz

And other languages versions. GnuPG signatures missing at present.



Re: [tor-talk] What's written to HD?

2012-11-17 Thread unknown
On Sun, 11 Nov 2012 20:19:56 +
Dan Hughes  wrote:

> Hello,
> 
> Does browsing with TBB installed on the HD or a USB stick 
> and downloading files (.PDFs, S&M vids etc.;)) to a USB stick (but 
> not opening online) result in the content of what's browsed or 
> downloaded being written to the HD at all? 
> 


See this for one of the possible examples:
https://trac.torproject.org/projects/tor/ticket/7449


Re: [tor-talk] Putin's fascist band intend to ban the Tor

2012-09-21 Thread unknown
On Fri, 21 Sep 2012 18:28:57 +
James Brown  wrote:

> Putin's fascist junta intend to ban the Tor and other anonimous
> services:  http://izvestia.ru/news/535724

Please keep in sight the facts but ignore political hysteria.


Re: [tor-talk] Hidden Services

2012-09-19 Thread unknown
On Wed, 19 Sep 2012 02:05:30 -0400
Gregory Maxwell  wrote:

> It seems to me that there is a common expectation is that onion urls
> provide a degree of name privacy— generally, if someone doesn't know
> your name they can't find you to connect to you. If someone violates
> that expectation it risks harming people until the new risks are well
> known (and still even then some, as no matter how well known it is
> some people will miss the fact that something enumerates the darn
> things)

From tor manual:

"
HiddenServiceAuthorizeClient auth-type client-name,client-name,...

   If configured, the hidden service is accessible for authorized
   clients only. The auth-type can either be 'basic' for a
   general-purpose authorization protocol or 'stealth' for a less
   scalable protocol that also hides service activity from
   unauthorized clients. Only clients that are listed here are
   authorized to access the hidden service. Valid client names are 1
   to 19 characters long and only use characters in A-Za-z0-9+-_ (no
   spaces). If this option is set, the hidden service is not
   accessible for clients without authorization any more. Generated
   authorization data can be found in the hostname file. Clients need
   to put this authorization data in their configuration file using
   HidServAuth
"


Re: [tor-talk] Please review Tails stream isolation plans

2012-08-29 Thread unknown
On Mon, 27 Aug 2012 12:33:51 +0200
intrigeri  wrote:

> Hi,
> 
> we are told that Tor 0.2.3.x is good enough for Tails,
> so a bunch of Tails developers have eventually spent some time
> thinking what could be the initial step towards basic usage of Tor
> stream isolation within Tails.
> 

Using separate Tor streams for applications run by different users and
separated with a firewall (iptables) is a good idea, but relying only on DestAddr
may be risky.


Re: [tor-talk] Transparent e-mail encryption?

2012-07-06 Thread unknown
On Fri, 6 Jul 2012 12:12:56 +0200
Matej Kovacic  wrote:

> Hi,
> 
> I know this is a bit off-topic, but since here are people who know a lot
> about security and since I was unable to find relevant answers I would
> like to ask one question.

Still virtually nonexistent today,
but an interesting project from the GnuPG people, STEED:

http://lists.gnupg.org/pipermail/gnupg-devel/2011-October/026264.html




Re: [tor-talk] Firefox security bug (proxy-bypass) in current TBBs

2012-05-04 Thread unknown
On Fri, 4 May 2012 07:27:35 +0200
"Fabio Pietrosanti (naif)"  wrote:



> > Any potential DNS-leakage can be prevented with iptables (Debian GNU/Linux 
> > way):
> 
> Well, this can also be prevented if the "starter" of TBB would be a
> binary/executable rather than a shell script, and that binary executable
> would provide "LD_PRELOAD" tsocks like approach wrapping the connect().
> 
> That way the entire TBB will run over the TBB_STARTER that will provide
> an "application-level" firewall that would prevent any kind of socket
> API to get-out directly.
> 
> -naif

An "application-level" firewall is an illusion of security. Processes can be
separated by owner,
with users and groups, but programs themselves cannot be authenticated to iptables.
That's a reason for excluding the "application-level" firewall options --owner
--cmd-owner
from the kernel iptables modules.

A stronger way to manage the network connections associated with programs is
SELinux security contexts or
similar security modules. Even path-based ACLs and MACs such as AppArmor can
be bypassed and fail,
and only strong security context isolation in SELinux is the right decision.

Or just simply use system groups with iptables: not so secure, not so strong.


Re: [tor-talk] Firefox security bug (proxy-bypass) in current TBBs

2012-05-03 Thread unknown
On Wed, 2 May 2012 22:43:52 +
Robert Ransom  wrote:

> See 
> https://blog.torproject.org/blog/firefox-security-bug-proxy-bypass-current-tbbs
> for the security advisory.
> 
> 
> Robert Ransom


Any potential DNS leakage can be prevented with iptables (the Debian GNU/Linux way):

Edit /etc/login.defs, replace "ENCRYPT_METHOD DES" with "ENCRYPT_METHOD SHA512"

Run this command to create the tbb group with password:

addgroup --system tbb-tor

Add these rules to your firewall:


#tor anonymous users;

IPTABLES="${IPTABLES:-iptables}" #keeps the value your firewall script already set, if any

DIRECT_OUT_GID="tbb-tor" #group id for TBB

TOR_UID="debian-tor" #system tor (if you use it)

#anonymous user runs programs with transparent torification to system tor
#(if you use it):

$IPTABLES -t nat -A OUTPUT -p tcp -m owner --uid-owner anonymoususer ! --gid-owner $DIRECT_OUT_GID -m tcp --syn -j REDIRECT --to-ports 9040
$IPTABLES -t nat -A OUTPUT -p udp -m owner --uid-owner anonymoususer ! --gid-owner $DIRECT_OUT_GID -m udp --dport 53 -j REDIRECT --to-ports 53
$IPTABLES -t nat -A OUTPUT -m owner --uid-owner anonymoususer ! --gid-owner $DIRECT_OUT_GID -j DNAT --to-destination 127.0.0.1

#Accept output for system-tor itself (if you use it)
$IPTABLES -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT

#Direct output for TBB without udp and tcp 53 port
$IPTABLES -A OUTPUT -m owner --gid-owner $DIRECT_OUT_GID ! -p tcp -j REJECT
$IPTABLES -A OUTPUT -m owner --gid-owner $DIRECT_OUT_GID -p tcp --dport 53 -j REJECT
$IPTABLES -A OUTPUT -m owner --gid-owner $DIRECT_OUT_GID -j ACCEPT


Run your tor-browser with sg from x-terminal emulator:

sg tbb-tor -c start-tor-browser.sh

Unfortunately, this is not an ideal solution for transparent torification of TBB.
All (but udp and dns-tcp) tcp traffic goes away. Using unix groups is not a way
to separate the start script, vidalia, the browser and TBB-tor itself. A more
fine-tuned firewall solution is still desirable.


Re: [tor-talk] wget - secure?

2012-04-18 Thread unknown
In theory, a smart adversary can reduce the anonymity set by statistically profiling
any non-TBB downloaders on the service side or by intercepting exit node
traffic. Wget will give a different response than standard TBB or other
downloaders to cookies and active element injection, font manipulation on a
page, etc.


Re: [tor-talk] Adblock Plus and Ghostery should be included in Tor bundle

2012-02-12 Thread unknown
On Sun, 12 Feb 2012 17:00:59 +0100
Martin Hubbard  wrote:

> RefControl set to spoof referrer as host webroot is also useful, I think.
> - Original Message -
> From: Brian Franklin
> Sent: 02/12/12 09:53 AM
> To: tor-talk@lists.torproject.org
> Subject: [tor-talk] Adblock Plus and Ghostery should be included in Tor bundle
> 
>  Adblock Plus and Ghostery should be included in Tor bundle Two reasons 1. 

Exit nodes and sites can perform traffic analysis
based on unique profiles of banned URLs.

Malicious exit nodes can even inject invisible blocked patterns
to make this analysis more active.

Adblock and other similar user-tunable plugins should be avoided.

Check https://www.torproject.org/projects/torbrowser/design/
"The Design and Implementation of the Tor Browser [DRAFT]"


Re: [tor-talk] Mail through Tor

2012-01-26 Thread unknown
On Thu, 26 Jan 2012 14:41:06 +0100
 wrote:

> Hi,
> 
> are there any issues in controlling email-boxes through the provider-
> webfrontends (gmail, gmx, etc.) using tor?
> I read for example about referers in between entering account information and 
> being redirected to mail-provider-http-sites for a short moment so that 
> session hijacking by the exit node operator is possible (intercepting auth-
> cookies etc.).
> Any behavior suggestions here? I didn't find much on the web.
> 
> Thanks!
> Tor-User
Gmail works with SSL web frontends.

In TBB the "HTTPS-everywhere" plugin by default redirects your HTTP to HTTPS
for the Gmail profile. Intercepting SSL (HTTPS) is not so easy if you are
careful with browser messages.

Other mail and web service providers may (or may not) provide https login,
and their https profiles may (or may not) be missing in https-everywhere.


Re: [tor-talk] which apps require an http proxy?

2011-11-02 Thread unknown
On Sun, 30 Oct 2011 23:35:18 -0700
Jacob Appelbaum  wrote:

> On 10/30/2011 05:37 PM, Roger Dingledine wrote:
> > On Sun, Oct 30, 2011 at 05:31:34PM -0700, Jacob Appelbaum wrote:
> >>  otherwise, I sometimes use a
> >> HTTP proxy with proxychains to prevent DNS leaky applications that have
> >> not and will never implement SOCKS.
> > 
>> 
> wget is the most common example that other people use - with wget, I set
> the HTTP headers match Torbutton:
> 
> HTTP_PROXY=http://127.0.0.1:8118/
> http_proxy=http://127.0.0.1:8118/
> FTP_PROXY=http://127.0.0.1:8118/
> HTTPS_PROXY=http://127.0.0.1:8118/
> https_proxy=http://127.0.0.1:8118/
> ftp_proxy=http://127.0.0.1:8118/
> usewithtor wget -e robots=off --random-wait --wait 3.145
> --user-agent="Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101
> Firefox/5.0" -m -np http://www.example.com/
> 
> Python's web/http processing libraries could probably be improved in the
> core language to always use SOCKS proxies that are set:
> https://github.com/ioerror/TeaTime/blob/master/teatime.py#L46
> 
> Those are both useful building blocks.

apt-get update ; apt-get upgrade/install is another good example for hiddenly
and privately downloading small Linux packages. secure-Apt uses gpg
verification, so an adversary on the exit node cannot substitute or modify
those packages.
Good for hidden services, especially for hiding system administrative activity.

apt-get runs as root, and a proxy is the only way to do it through tor.

Using privoxy 'forward-socks4a / 127.0.0.1:9050 [proxy address]' in
the privoxy conf (similar in polipo), a user can hide the fact of using Tor
and use (and abuse) proxy servers in the chain after exit nodes to use
tor-blocked resources, for example.


Re: [tor-talk] Debian-tor 0.2.2.34-1~~squeeze+1 PID/UID bug

2011-10-28 Thread unknown
On Fri, 28 Oct 2011 18:52:12 +
unknown  wrote:

 
> Sorry for the misinformation. ps aux always displays numerical IDs for long
> usernames.
> I tried to repeat this situation on another Debian Linux machine with
> similar version updates and
> iptables settings and got no results. Everything works fine without any
> troubles.
> ___

I think I found the reason for the problem. The /etc/tor/torrc permission changed to
640 root:root, and
after 'killall -SIGHUP tor' Tor cannot read the config. The log message is:

===
[notice] Received reload signal (hup). Reloading config and resetting internal state.
[warn] Could not open "/etc/tor/torrc": Permission denied
[notice] Configuration file "/etc/tor/torrc" not present, using reasonable defaults.
===

"Reasonable defaults" do not include options for transparent torification.

I found that the previous version used the 644 root:root permission.
I do not use any secret parameters in the config and changed the permission to the old
value, and everything
works fine again with -SIGHUP.
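The reload failure described in the message above can be checked for before sending SIGHUP. The following is an added example, not code from the post or from Tor: it applies the Unix owner/group/other read rule as an unprivileged daemon account would meet it and recognises the fallback lines from the quoted log. The uid 106 and the log lines come from the thread; the gid 114 and all function names are assumptions.

```python
import grp
import os
import pwd
import re
import stat

# The three log lines quoted in the post above.
SAMPLE_LOG = """\
[notice] Received reload signal (hup). Reloading config and resetting internal state.
[warn] Could not open "/etc/tor/torrc": Permission denied
[notice] Configuration file "/etc/tor/torrc" not present, using reasonable defaults.
"""

DENIED = re.compile(r'\[warn\] Could not open "([^"]+)": Permission denied')
FALLBACK = re.compile(r'Configuration file "([^"]+)" not present, using reasonable defaults')


def can_read(mode, file_uid, file_gid, uid, gids):
    """Unix read check for a non-root process: exactly one permission class applies."""
    if uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def readable_by(path, user):
    """Could `user` re-read `path` on reload? Ignores ACLs and parent directories."""
    st = os.stat(path)
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    return can_read(st.st_mode, st.st_uid, st.st_gid, pw.pw_uid, gids)


def fallback_paths(log_lines):
    """Config paths that were denied and then replaced by built-in defaults."""
    denied, fell_back = set(), []
    for line in log_lines:
        m = DENIED.search(line)
        if m:
            denied.add(m.group(1))
            continue
        m = FALLBACK.search(line)
        if m and m.group(1) in denied and m.group(1) not in fell_back:
            fell_back.append(m.group(1))
    return fell_back


if __name__ == "__main__":
    TOR_UID, TOR_GID = 106, 114  # 106 is from the thread; 114 is a constructed gid
    layouts = [
        ("640 root:root", 0o640, 0, 0),
        ("644 root:root", 0o644, 0, 0),
        ("640 root:debian-tor", 0o640, 0, TOR_GID),
    ]
    for label, mode, fuid, fgid in layouts:
        ok = can_read(mode, fuid, fgid, TOR_UID, {TOR_GID})
        print(f"{label:22} reload can read torrc: {ok}")
    print("fallback after reload for:", fallback_paths(SAMPLE_LOG.splitlines()))
```

The third layout, mode 640 with the file's group set to the daemon's group, also passes the check while keeping the file unreadable to other local users; the thread does not say whether the package used it.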


Re: [tor-talk] Debian-tor 0.2.2.34-1~~squeeze+1 PID/UID bug

2011-10-28 Thread unknown
On Fri, 28 Oct 2011 17:44:59 +
unknown  wrote:

> If I run the previous version of the tor Linux-Debian packages and type
> 'ps aux | grep tor',
> then the first field is the user "debian-tor".
> 
> After the upgrade that field displays only the uid (106), but /etc/passwd for
> debian-tor is correct.
> 
> I use transparent firewalling for rerouting local traffic into Tor
> and use the name "debian-tor" as an iptables option.
> 
> After that update this option is not working. I just replaced "debian-tor" with
> "106" in the iptables rules and
> everything works again. I think some leakage of private information is
> possible, depending on personal
> firewall settings, but not significant. Most programs just do not work with
> wrong username firewalling.
> 

Sorry for the misinformation. ps aux always displays numerical IDs for long
usernames.
I tried to repeat this situation on another Debian Linux machine with similar
version updates and
iptables settings and got no results. Everything works fine without any
troubles.


[tor-talk] Debian-tor 0.2.2.34-1~~squeeze+1 PID/UID bug

2011-10-28 Thread unknown
If I run the previous version of the tor Linux-Debian packages and type
'ps aux | grep tor',
then the first field is the user "debian-tor".

After the upgrade that field displays only the uid (106), but /etc/passwd for debian-tor
is correct.

I use transparent firewalling for rerouting local traffic into Tor
and use the name "debian-tor" as an iptables option.

After that update this option is not working. I just replaced "debian-tor" with
"106" in the iptables rules and
everything works again. I think some leakage of private information is
possible, depending on personal
firewall settings, but not significant. Most programs just do not work with
wrong username firewalling.







Re: [tor-talk] TBB as user debian-tor

2011-10-15 Thread unknown
On Fri, 14 Oct 2011 17:20:08 +
unknown  wrote:

 
> Debian/Linux/(other Unix-like) has two choices now:
> 
> 1. Officially recommended: use TBB as is, starting from start-tor-browser.sh,
> with Vidalia and "local-tor with-users-rights" -- from your own username.
> 
> 2. Risky and complex if configured mistakenly: also use start-tor-browser.sh
> but just to start TBB-FF (avoiding new restrictive measures), then kill -9
> Vidalia and local Tor and use a firewall to send your traffic to system-tor.
> 
> The 2nd point is actual if you use different tor profiles, transparent
> anonymizing
> (with iptables + system tor), anonymizing routers, virtual machines, parallel
> running
> separated X-sessions, global SELinux policies, etc.
> 
> I tried to discuss it before:
> 
> https://lists.torproject.org/pipermail/tor-talk/2011-October/021739.html

I found an open ticket relevant to the problem:

https://trac.torproject.org/projects/tor/ticket/2308

Now it's time to test it broadly to find a solution before closing it,
or to make alternatives without running vidalia.


Re: [tor-talk] TBB as user debian-tor

2011-10-14 Thread unknown
On Fri, 14 Oct 2011 12:00:15 +0200
Marco Bonetti  wrote:

> - Original Message -
> > it's files to debian-tor with: chown -R debian-tor tor-browser_en-US/
> maybe "chown -R debian-tor:debian-tor tor-browser_en-US/" should be a little 
> better

Mixing permissions from "local-browser-tor" from TBB and 
"global-system-debian-package-tor"
seems to be an unnecessary confusion.

> > xhost + & sudo -u debian-tor /tor-browser_en-US/start-tor-browser
> as already pointed out, "xhost +" is a bit too wide open, try with "xhost 
> local:" to accept only localhost X11 connections
> 

It's still too broad a permission: any user from localhost can connect to the X server.
In the xhost command a username can be specified. IMHO it's still a dangerous way.


Debian/Linux/(other Unix-like) has two choices now:

1. Officially recommended: use TBB as is, starting from start-tor-browser.sh,
with Vidalia and "local-tor with-users-rights" -- from your own username.

2. Risky and complex if configured mistakenly: also use start-tor-browser.sh
but just to start TBB-FF (avoiding new restrictive measures), then kill -9
Vidalia and local Tor and use a firewall to send your traffic to system-tor.

The 2nd point is actual if you use different tor profiles, transparent
anonymizing
(with iptables + system tor), anonymizing routers, virtual machines, parallel
running
separated X-sessions, global SELinux policies, etc.

I tried to discuss it before:

https://lists.torproject.org/pipermail/tor-talk/2011-October/021739.html

You can follow this thread and find a working solution.

Use it at your own risk!

It will be better if TBB officially provides options for using
the system Tor daemon for Linux users.

Self-made measures are the best way to "shoot yourself in the foot",
but the very restrictive and rigid ways to use the current TBB
are overly "unix-unfriendly".

I think some secure, officially adopted, broadly tested tradeoff between
advanced
and inexperienced use of Tor on Unix-like systems is needed.

A first step may be a (non-default) option in some config to start T-Browser
without
bundling it with local Tor and Vidalia.

I hope that developers find a way to give users a choice for experimenting,
even though this choice is potentially a way to "shoot yourself in the foot".



Re: [tor-talk] Trouble with 2.2.33-3 - Dirty workaround to avoid user local-tor in Linux

2011-10-13 Thread unknown
On Thu, 13 Oct 2011 20:28:52 +0100
Julian Yon  wrote:
 
> OOI, what's your rationale for believing that your globally configured
> tor is more secure than the one in TBB?

1. The globally configured tor is provided specially for Debian Linux from
http://deb.torproject.org .
A significant part of the Tor network's servers work with it. It is manually configured,
without Vidalia.

2. System tor can be started or stopped only by the root user
(or started/stopped with the system itself),
then it drops rights to the group "debian-tor" -- a special restricted group without an
associated shell.

Local Tor has rights similar to the weakest part of a network-connected system:
the browser itself.

Potentially malicious code executing from the browser
with user rights for "user-local-tor" reveals your IP.

You can hide within a virtual machine or behind a Tor router, or make multi-user
separated profiles
(with separate X servers running in parallel) and use system Tor and
transparent anonymizing. With only user rights (non-root) an adversary can't
reveal your
IP directly.

3. Global Tor may be configured with transparent firewalling to anonymize any
user's traffic and
block any leakages. Not only from firefox, but for any user program
(leaving potentially identifying headers from that program as is, of course).

4. Global tor can be used with special restrictive rules provided with SELinux
or, more broadly,
rules provided for system daemons.

In Linux, system daemons are more secure than user-run programs by design.


Re: [tor-talk] Trouble with 2.2.33-3 - Dirty workaround to avoid user local-tor in Linux

2011-10-13 Thread unknown

> 
> > : Hope that Debian packages with separated tor-daemon itself, Tor-browser 
> > and
> > : Tor-browser-plugins will be created sometime
> > 
> > This is unlikely unless someone else does the work.
> 

Dirty workaround recipe:

1. Leave your transparent torifying iptables firewall rules as is.
2. Run the start-tor-browser script.
3. Vidalia runs local tor.
4. Local tor slowly builds circuits through the torifying connections:
 double torifying, double circuit length, slow connection.
5. Vidalia starts TBB-FF.
6. kill -9 Vidalia and user-tor (not system-tor!)
7. In the T-button, change the random socks port to your system tor port:
select "Use custom proxy settings" "127.0.0.1" "9050"

Now you work through system-tor, started from /etc/init.d/tor,
secured with the low-privilege group debian-tor, integrated with SELinux, etc.

You can use 'sudo killall -SIGHUP tor' as the newnym command or tune control ports.

If you make an error at any point (except the first - firewalling), then
your connection will not work,
or will be slow because of the doubled overhead.
But none of those mistakes can cause plain traffic leakages.

Maybe developers could just give TBB-Linux users a non-default config option: "Use
system Tor".

Please don't force advanced users to use TBB with local Tor!

Don't ruin the flexibility of transparent tor firewalling and
the security of using /etc/init.d/tor!


Re: [tor-talk] Trouble with 2.2.33-3

2011-10-12 Thread unknown
On Wed, 12 Oct 2011 14:01:33 -0400
 wrote:

 
> did it call a different profile?

Before this I just used the full path without the start script and did not bother about
profiles.
This version does not work without changing the $HOME environment variable to `pwd`
in the start script.
OK, I use a relative path to start the Tor-browser firefox from the script and see a clean
profile.
What can I do to change it back?

> : Hope that Debian packages with separated tor-daemon itself, Tor-browser and
> : Tor-browser-plugins will be created sometime
> 
> This is unlikely unless someone else does the work.

I understand that this is not a priority (or a very low one) for the project.
And the core developers have more important goals: to make Tor better and
to spread this great software widely.

If someone else does it, this will be good.

Thanks to all Tor developers for their good work in any way!


Re: [tor-talk] Trouble with 2.2.33-3

2011-10-12 Thread unknown
On Wed, 12 Oct 2011 17:18:14 +
unknown  wrote:

> On Mon, 3 Oct 2011 21:39:46 +0400
> unknown  wrote:
> 
> > We talked about it a day ago on some web resource. Possibly with you personally
> > :-)
> > 
> > The Linux-provided system Tor daemon seems more secure than tor started by the
> > user.
> > 
> > I propose the next steps but am concerned about any "Gotcha!" here:
> > 
> > 1) Download, check the gnupg signatures and unpack tor-browser.
> > 
> > Keep the system Tor daemon from the deb package
> > http://deb.torproject.org/torproject.org with careful settings, including
> > your transparent firewalling.
> > 
> > 2) Activate plug-ins (HTTPS-Everywhere, NoScript, TorButton) by copying:
> > 
> > cp -r ../tor-browser_en-US/Data/profile/extensions/* ../tor-browser_en-US/App/Firefox/extensions
> > 
> > (or use symlinks).
> > 
> > 3) Don't run the Bundle start script; ignore vidalia and tor from the bundle.
> > 
> > Run '../tor-browser_en-US/App/Firefox/firefox' directly. Check that the plugins
> > are working and that you use system tor correctly without leaking information
> > (use Torstatus check sites, local sniffers).
> > 
> > 4) Don't use vidalia. Use 'sudo killall -SIGHUP tor' instead of the vidalia
> > newnym control-port command. And restart your tor-browser after that newnym.
> > 
> > Any comments?
> > 
> 
> 
> Everything worked OK before
> tor-browser-gnu-linux-x86_64-2.2.33-3-dev-en-US.tar.gz
> in Debian stable.
> 
> Now I can't use Tor-browser directly in the way described above:
> 
> >WARNING: Application calling GLX 1.3 function "glXCreatePixmap" when GLX 1.3 
> >is 
> >+not supported!  This is an application bug! 
> >   
> >failed to create drawable
> 
> The start-tor-browser script from TBB itself works correctly,
> but using tor tunneling through the system tor daemon with Linux
> transparent firewalling torification doubles the tor overhead.
> 
> Using Tor with user permissions instead of the debian-tor daemon
> is not the best way for secure integration with a system either.
> 
> Is this version developed especially to enforce using TBB as is?
> 

I commented out running Vidalia in the start script
and inserted a command to run tor-firefox directly.

Now firefox starts and works without crashing, but I see
this error message again. And I lost all my bookmarks with this.

I hope that Debian packages with a separate tor daemon itself, Tor-browser and
Tor-browser-plugins will be created sometime.



Re: [tor-talk] Trouble with 2.2.33-3

2011-10-12 Thread unknown
On Mon, 3 Oct 2011 21:39:46 +0400
unknown  wrote:

> We talked about it a day ago on some web resource. Possibly with you personally
> :-)
> 
> The Linux-provided system Tor daemon seems more secure than tor started by the user.
> 
> I propose the next steps but am concerned about any "Gotcha!" here:
> 
> 1) Download, check the gnupg signatures and unpack tor-browser.
> 
> Keep the system Tor daemon from the deb package
> http://deb.torproject.org/torproject.org with careful settings, including
> your transparent firewalling.
> 
> 2) Activate plug-ins (HTTPS-Everywhere, NoScript, TorButton) by copying:
> 
> cp -r ../tor-browser_en-US/Data/profile/extensions/* ../tor-browser_en-US/App/Firefox/extensions
> 
> (or use symlinks).
> 
> 3) Don't run the Bundle start script; ignore vidalia and tor from the bundle.
> 
> Run '../tor-browser_en-US/App/Firefox/firefox' directly. Check that the plugins
> are working and that you use system tor correctly without leaking information (use
> Torstatus check sites, local sniffers).
> 
> 4) Don't use vidalia. Use 'sudo killall -SIGHUP tor' instead of the vidalia
> newnym control-port command. And restart your tor-browser after that newnym.
> 
> Any comments?
> 


Everything worked OK before
tor-browser-gnu-linux-x86_64-2.2.33-3-dev-en-US.tar.gz
in Debian stable.

Now I can't use Tor-browser directly in the way described above:

>WARNING: Application calling GLX 1.3 function "glXCreatePixmap" when GLX 1.3 
>is 
>+not supported!  This is an application bug!   
> 
>failed to create drawable

The start-tor-browser script from TBB itself works correctly,
but using tor tunneling through the system tor daemon with Linux
transparent firewalling torification doubles the tor overhead.

Using Tor with user permissions instead of the debian-tor daemon
is not the best way for secure integration with a system either.

Is this version developed especially to enforce using TBB as is?



Re: [tor-talk] Getting of Tor Browser

2011-10-04 Thread unknown
On Mon, 3 Oct 2011 22:46:08 -0500
David Carlson  wrote:

>
> In the Windows download section there is a variation called Vidalia
> Bundle which allegedly sets up an environment within which the standard
> Windows version of Firefox is expected to behave nicely.  As a Windows
> user, this is what I use.
>
> I notice, however, that there is no comparable package for Linux,
> although there is a link to another page
>  which I
> suppose means something to Unix users.

The Linux version of TorBrowser just works, as simply as on Windows.
But "advanced" Linux users and distro developers need separate packages
for flexibility:

(see info about transparent torification of any traffic:

https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
https://trac.torproject.org/projects/tor/wiki/doc/BlockNonTorTrafficDebian)

and some sort of security (using the system-provided tor daemon started as a
restricted
user, SELinux integration).

We know that developers are working in the direction of better integrating Tor for
Linux,
not only for "point-and-click" users:

https://trac.torproject.org/projects/tor/ticket/3994

Users comfortable with the Linux packaging system need a way to get a separate
TorBrowser as well, with
separate dependent/recommended packages for the necessary plug-ins.







Re: [tor-talk] Getting of Tor Browser

2011-10-03 Thread unknown
We talked about it a day ago on some web resource. Possibly with you personally :-)

The Linux-provided system Tor daemon seems more secure than tor started by the user.

I propose the next steps but am concerned about any "Gotcha!" here:

1) Download, check the gnupg signatures and unpack tor-browser.

Keep the system Tor daemon from the deb package
http://deb.torproject.org/torproject.org with careful settings, including your
transparent firewalling.

2) Activate plug-ins (HTTPS-Everywhere, NoScript, TorButton) by copying:

cp -r ../tor-browser_en-US/Data/profile/extensions/* ../tor-browser_en-US/App/Firefox/extensions

(or use symlinks).

3) Don't run the Bundle start script; ignore vidalia and tor from the bundle.

Run '../tor-browser_en-US/App/Firefox/firefox' directly. Check that the plugins are
working and that you use system tor correctly without leaking information (use
Torstatus check sites, local sniffers).

4) Don't use vidalia. Use 'sudo killall -SIGHUP tor' instead of the vidalia newnym
control-port command. And restart your tor-browser after that newnym.

Any comments?





Re: [tor-talk] Users profiling through personal banners filtering settings

2011-04-10 Thread unknown
On Tue, 22 Mar 2011 18:26:34 +
unknown  wrote:

> Too many users dislike annoying web elements -- banners, popups, scripts,
> strange frames. They use tools to block those elements or change webpage
> rendering.
> 
> Traditional programs for filtering are local proxies -- privoxy or polipo are
> examples with
> a close relation to Tor and are actively used. These programs cannot filter
> SSL content, and an evil site
> can use a mix of SSL-ed and non-SSL-ed banners, pop-ups, etc. to determine the fact
> of using such a proxy and try to guess the user's personal filtering settings.
> 
> The problem may be even worse, with or without using this proxy, even if
> users block
> content within the browser itself (with Firefox plugins to block banners and
> scripts). Not
> only sites, but "men in the middle", adversarial clusters of evil exit nodes,
> can parse traffic and modify web content by injecting banners,
> misconfigured
> cookies, incorrect frames.
> 
> Injected traffic for various sites, at different times
> and sessions, can be a way of revealing users with personal blocking rules.
> Data
> about the blocking profiles of those users may be statistically processed and
> correlated.
> 
> Is it a real threat? Should Tor users stop blocking content
> selectively? Or can they use predefined and shared rules, in analogy to
> Torbutton?

Let me describe two examples about users blocking banners in
privoxy/polipo/adblock/etc:

1. A webhost can see that a user blocks russian/german/chinese/etc big portal
banners. The webserver's owner can make a conjecture about the specific language of the
user.

2. One exit node or colluding exit nodes can compare banner blocking profiles from
time to time. Profiles can be linked across different sessions.

Any comments?





[tor-talk] Users profiling through personal banners filtering settings

2011-03-22 Thread unknown
Too many users dislike annoying web elements -- banners, popups, scripts,
strange frames. They use tools to block those elements or change webpage
rendering.

Traditional programs for filtering are local proxies -- privoxy or polipo are
examples with
a close relation to Tor and are actively used. These programs cannot filter
SSL content, and an evil site
can use a mix of SSL-ed and non-SSL-ed banners, pop-ups, etc. to determine the fact
of using such a proxy and try to guess the user's personal filtering settings.

The problem may be even worse, with or without using this proxy, even if users
block
content within the browser itself (with Firefox plugins to block banners and
scripts). Not
only sites, but "men in the middle", adversarial clusters of evil exit nodes,
can parse traffic and modify web content by injecting banners,
misconfigured
cookies, incorrect frames.

Injected traffic for various sites, at different times
and sessions, can be a way of revealing users with personal blocking rules. Data
about the blocking profiles of those users may be statistically processed and
correlated.

Is it a real threat? Should Tor users stop blocking content
selectively? Or can they use predefined and shared rules, in analogy to
Torbutton?
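The linking argument made in this thread, and in the Adblock Plus reply earlier on this page, can be made concrete with a small model. This is an added example, not code from the posts: the probe URLs, user names and filter rules are constructed, and rules are treated as plain substring matches, which simplifies real privoxy or adblock rules.

```python
from collections import defaultdict
from math import log2

# Constructed resources embedded in a page; an observer sees which ones get requested.
PROBES = [
    "http://ads.example.ru/banner.gif",
    "http://ads.example.de/banner.gif",
    "http://ads.example.cn/banner.gif",
    "http://track.example.com/pixel.gif",
    "http://static.example.com/logo.png",
]

# Constructed personal filter rules, one list per user.
PERSONAL = {
    "user_a": ["example.ru", "track."],
    "user_b": ["example.de"],
    "user_c": ["example.cn", "example.ru"],
    "user_d": [],
}

# The same users after switching to one predefined, shared rule set.
SHARED_LIST = ["ads.", "track."]
SHARED = {user: SHARED_LIST for user in PERSONAL}


def fetch_vector(rules, probes=PROBES):
    """True where the client still requests the probe, False where a rule blocks it."""
    return tuple(not any(rule in url for rule in rules) for url in probes)


def anonymity_sets(profiles):
    """Group users by the fetch vector an observer would record for them."""
    sets = defaultdict(list)
    for user, rules in profiles.items():
        sets[fetch_vector(rules)].append(user)
    return dict(sets)


def identifying_bits(profiles):
    """Shannon entropy of the fetch vectors: bits the filter settings give away."""
    total = len(profiles)
    return sum(
        len(members) / total * log2(total / len(members))
        for members in anonymity_sets(profiles).values()
    )


if __name__ == "__main__":
    for label, profiles in (("personal rules", PERSONAL), ("shared rules", SHARED)):
        sets = anonymity_sets(profiles)
        print(f"{label}: {len(sets)} distinguishable group(s), "
              f"{identifying_bits(profiles):.1f} bits")
        for vector, members in sets.items():
            print("  ", "".join("1" if v else "0" for v in vector), members)
```

With personal rules every constructed user lands in a group of one, so two sessions showing the same vector can be tied together; with the shared list all four users produce the same vector.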