Re: [tor-dev] Hidden Service authorization UI

2014-11-09 Thread Andrea Shepard
On Sun, Nov 09, 2014 at 09:16:40PM -0500, Griffin Boyce wrote: > On 2014-11-09 15:30, Fabio Pietrosanti - lists wrote: > >On 11/9/14 8:58 PM, Jacob Appelbaum wrote: > >>>For example, it would be interesting if TBB would allow people to > >>>input a password/pubkey upon visiting a protected HS. Prot

Re: [tor-dev] Running a Separate Tor Network

2014-11-09 Thread Tom Ritter
On 22 October 2014 05:48, Roger Dingledine wrote: >> What I had to do was make one of my Directory Authorities an exit - >> this let the other nodes start building circuits through the >> authorities and upload descriptors. > > This part seems surprising to me -- directory authorities always publi

Re: [tor-dev] Hidden Service authorization UI

2014-11-09 Thread Griffin Boyce
On 2014-11-09 15:30, Fabio Pietrosanti - lists wrote: On 11/9/14 8:58 PM, Jacob Appelbaum wrote: For example, it would be interesting if TBB would allow people to input a password/pubkey upon visiting a protected HS. Protected HSes can be recognized by looking at the "authentication-required" fi

Re: [tor-dev] Hidden Service authorization UI

2014-11-09 Thread grarpamp
On Sun, Nov 9, 2014 at 3:30 PM, Fabio Pietrosanti - lists wrote: > On 11/9/14 8:58 PM, Jacob Appelbaum wrote: >>> For example, it would be interesting if TBB would allow people to >>> input a password/pubkey upon visiting a protected HS. Protected HSes >>> can be recognized by looking at the "auth

Re: [tor-dev] HSDir Auth and onion descriptor scraping

2014-11-09 Thread grarpamp
On Sun, Nov 9, 2014 at 3:22 PM, Gareth Owen wrote: > I have several hundred thousand (or million? Haven't counted) hs descriptors > saved on my hard disk from a data collection experiment (from 70k HSes). > I'm a bit nervous about sharing these en masse as whilst not confidential > they're suppose

[tor-dev] Pluggable-transport implementations of your website fingerprinting defenses

2014-11-09 Thread David Fifield
NB I'm copying the tor-dev mailing list on this message. At CCS I saw Rishab present these papers: "CS-BuFLO: A Congestion Sensitive Website Fingerprinting Defense" http://www3.cs.stonybrook.edu/~rnithyanand/pubs/wpes2014-csb.pdf "Glove: A Bespoke Website Fingerprinting Defense" http://www3.cs.st

Re: [tor-dev] Hi everyone!

2014-11-09 Thread Damian Johnson
Hi Connny, glad you want to get involved! Please take a peek at... https://www.torproject.org/getinvolved/volunteer.html.en#Projects If you're interested in Java then Orbot (https://guardianproject.info/apps/orbot/) and Metrics (https://metrics.torproject.org/) are your best bets. Cheers! -Damia

[tor-dev] Hi everyone!

2014-11-09 Thread Conny Hermansson
Hi! I´m new to the Tor project and I´m looking for some easy project to get me started. preferebly in Java, I can do debugging or write some code. Conny ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/li

Re: [tor-dev] yes hello, internet supervillain here

2014-11-09 Thread Paul Syverson
On Sun, Nov 09, 2014 at 07:25:39PM +, Fears No One wrote: > I have some news to report, along with more data. > > The August DoS attempt appears to have been a crawler bot after all. An > old friend came forward after reading tor-dev and we laughed about his > dumb crawler bot vs my dumb "must

Re: [tor-dev] Hidden Service authorization UI

2014-11-09 Thread Fabio Pietrosanti - lists
On 11/9/14 8:58 PM, Jacob Appelbaum wrote: >> For example, it would be interesting if TBB would allow people to >> input a password/pubkey upon visiting a protected HS. Protected HSes >> can be recognized by looking at the "authentication-required" field of >> the HS descriptor. Typing your passwo

Re: [tor-dev] HSDir Auth and onion descriptor scraping

2014-11-09 Thread Gareth Owen
I have several hundred thousand (or million? Haven't counted) hs descriptors saved on my hard disk from a data collection experiment (from 70k HSes).  I'm a bit nervous about sharing these en masse as whilst not confidential they're supposed to be difficult to obtain in this quantity.  However,

Re: [tor-dev] Hidden Service authorization UI

2014-11-09 Thread Jacob Appelbaum
> In the future "Next Generation Hidden Services" specification there > are again two ways to do authorization: > https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/224-rend-spec-ng.txt#l1446 > One way is with a password and the other is with a public key. A {shared secret,key} and a u

Re: [tor-dev] yes hello, internet supervillain here

2014-11-09 Thread Matthew Finkel
On Sun, Nov 09, 2014 at 07:25:39PM +, Fears No One wrote: > In other news, the same guy runs a bot that records uptimes for various > onions, and he gave me output related to up/down times for doxbin, > Cloud9, and Silk Road 2.0. > > NOTE: Time zone is GMT+9:30 on all of these. He used sed to

Re: [tor-dev] yes hello, internet supervillain here

2014-11-09 Thread Fears No One
I have some news to report, along with more data. The August DoS attempt appears to have been a crawler bot after all. An old friend came forward after reading tor-dev and we laughed about his dumb crawler bot vs my dumb "must-serve-200-codes-at-everything" nginx config. His user agent string only

Re: [tor-dev] [HTTPS-Everywhere] "darkweb everywhere" extension

2014-11-09 Thread rufo
This might be a good use for the Alternate-Protocol header currently used by Chrome to allow opportunistic upgrade from HTTP to SPDY. See also the Alt-Svc header proposed by the HTTPbis WG earlier this year. ___ tor-dev mailing list tor-dev@lists.torproj

[tor-dev] HSDir Auth and onion descriptor scraping

2014-11-09 Thread grarpamp
> George K: > I suspect that HS authorization is very rare in the current network, > and if we believe it's a useful tool, it might be worthwhile to make > it more useable by people. Is anyone making their HSDir onion descriptor scraping patches available somewhere? I'd suspect the rarity of HS au

Re: [tor-dev] [tor-internal] HS attack blog post (was Re: Hidden services and drug markets takedown)

2014-11-09 Thread A. Johnson
I think the option to rate-limit guard selection is a great idea to defend against guard DoS. The downside is possible connection loss even if you’re not under attack and you just happen to pick flaky guards. In case you’re interested, I examined this defense and how often such benign service lo

Re: [tor-dev] Hidden Service authorization UI

2014-11-09 Thread Vlad Tsyrklevich
I'm probably missing significant Tor development history here, but section 5.2 of the tor design paper mentions using the domain format x.y.onion where x is used for authorization and y.onion is used for actual the actual addressing. I'm not

[tor-dev] high latency hidden services

2014-11-09 Thread Mansour Moufid
Hi everyone, Operation Onymous, the anecdotes about it (I don't think the DoS was a DoS), the wording of the related legal documents, and the previous CMU research... make me think that traffic confirmation attacks are now widely used in practice. Other, cat-and-mouse implemetation vulnerabilitie

Re: [tor-dev] Hidden Service authorization UI

2014-11-09 Thread Garrett Robinson
SecureDrop (and former Firefox) dev here. A few months ago I started working on a patch to support prompting users for an authenticated hidden service cookie in the manner of HTTP Basic Auth. [0] We require journalists who use SecureDrop to download submissions from an authenticated Tor hidden serv

Re: [tor-dev] Hidden Service authorization UI

2014-11-09 Thread Yawning Angel
On Sun, 9 Nov 2014 16:19:24 + Andrea Shepard wrote: > How would Tor Browser learn about this reason for not being able to > connect/ tell Tor the authentication info? This is starting to sound > like wanting SOCKS5 extensions to indicate different causes for > connection failures in #6031 di

Re: [tor-dev] Hidden Service authorization UI

2014-11-09 Thread Andrea Shepard
On Sun, Nov 09, 2014 at 12:50:00PM +, George Kadianakis wrote: > I suspect that HS authorization is very rare in the current network, > and if we believe it's a useful tool, it might be worthwhile to make > it more useable by people. Yes, HS authoritzation is rare. It's rare enough that it wa

Re: [tor-dev] Hidden Service authorization UI

2014-11-09 Thread Andrea Shepard
On Sun, Nov 09, 2014 at 08:18:40AM -0500, Griffin Boyce wrote: > So most of my work over the next three days is writing and editing > documentation on hidden services. > > I'm in Boston and the purpose of this trip is to rewrite existing > documentation to be more useful, but with authenticated h

Re: [tor-dev] Hidden Service authorization UI

2014-11-09 Thread Griffin Boyce
So most of my work over the next three days is writing and editing documentation on hidden services. I'm in Boston and the purpose of this trip is to rewrite existing documentation to be more useful, but with authenticated hidden services, what's available is extremely sparse. GlobaLeaks and S

[tor-dev] Hidden Service authorization UI

2014-11-09 Thread George Kadianakis
Hidden Service authorization is a pretty obscure feature of HSes, that can be quite useful for small-to-medium HSes. Basically, it allows client access control during the introduction step. If the client doesn't prove itself, the Hidden Service will not poroceed to the rendezvous step. This allow