[tor-talk] crashsafari.com

2016-01-26 Thread tor_talk
Hi Tor Talkers, are you aware of it already: http://www.wired.com/2016/01/hack-brief-dont-be-trolled-by-this-iphone-crashing-link-meme/ "Crashsafari appears to run javascript code that overloads the victim’s address bar with an infinite series of numbers." It's not only Safari who is about to cr

Re: [tor-talk] Warning: 37 new booby trapped onion sites

2016-01-26 Thread Juha Nurmi
Hi, > If somebody hosts a dark website, that doesn't have a verifiable external way > to lookup their URL, then the only way you can verify them is to talk with a > bunch of other people, web-of-trust style. Which also has a bunch of ways it > can be undermined. > That's true. You have to tru

Re: [tor-talk] Network Analysis of Overlay Networks, Capabilities, Fill Traffic [was: VPN less safe?]

2016-01-26 Thread Cain Ungothep
> It would be harder for that analysis to succeed against networks > that filled between all the nodes with fill traffic when unused and > not needed for user traffic. (And in the sense of Tor, between clients > and some number of guards). But that's hard to design so that it > is functional. And n

[tor-talk] Darknets: Full of onions, and eeps, and other wondrous things

2016-01-26 Thread grarpamp
> Email to tor-talk@ [0] made me wonder if (some of) these > are run by the same people that have been trying to hijack > Bitcoin transactions. In the first step, they could enumerate > services by crawling them That would be useful to get an early start in the spamming / seeding publication belo

[tor-talk] Network Analysis of Overlay Networks, Capabilities, Fill Traffic [was: VPN less safe?]

2016-01-26 Thread grarpamp
On Tue, Jan 26, 2016 at 3:09 PM, juan wrote: > On Mon, 25 Jan 2016 10:25:20 -0500 > Paul Syverson wrote: > > >> "20,000 In League Under the Sea: Anonymous Communication, Trust, >> MLATs, and Undersea Cables" available at >> http://www.degruyter.com/view/j/popets.2015.1.issue-1/popets-2015-0002/po

Re: [tor-talk] onion routing MITM

2016-01-26 Thread Flipchan
Try to put up a server n run it throw tor and the generate a key with scallion for example https://github.com/lachesis/scallion , or ur favorite programming lang a55de...@opayq.com skrev: (26 januari 2016 19:37:24 CET) >A CA will not validate a '.onion' address since it's not an official >TLD >a

Re: [tor-talk] onion routing MITM

2016-01-26 Thread Coyo Stormcaller
On Tue, 26 Jan 2016 18:31:50 + (UTC) wrote: > When I look at thehiddenwiki.org, I see a bunch of .onion sites, with > random looking names. Why is this? What if someone at > thehiddenwiki.org registered a new .onion site (for example > http://somerandomletters.onion), which then relayed traff

Re: [tor-talk] Using VPN less safe?

2016-01-26 Thread juan
On Mon, 25 Jan 2016 10:25:20 -0500 Paul Syverson wrote: > "20,000 In League Under the Sea: Anonymous Communication, Trust, > MLATs, and Undersea Cables" available at > http://www.degruyter.com/view/j/popets.2015.1.issue-1/popets-2015-0002/popets-2015-0002.xml?format=INT As far as I can

Re: [tor-talk] Warning: 37 new booby trapped onion sites

2016-01-26 Thread populationsteamsir
Juha, thank you for identifying the real and fake sites. This re-raises the question, when you get a URL from somewhere, how do you know it's the real one? Which upon further thought requires definition of "the real one." If two guys on the internet both claim to be John Doe, how is it possible

Re: [tor-talk] onion routing MITM

2016-01-26 Thread Seth David Schoen
populationsteam...@tutanota.com writes: > The question is: From a user perspective, http://3g2upl4pq6kufc4m.onion just > looks like random characters. (And in fact, if it's a hash of a public key, > which was originally randomly generated, then indeed these *are* random > characters). You obvio

Re: [tor-talk] onion routing MITM

2016-01-26 Thread Paul Syverson
Probably should also have noted wrt the original question that for people who use PGP/GPG there are things that can be done now and onionsites that do make use of that. Cf. See "Bake in .onion for Tear-free and Stronger Website Authentication" https://github.com/saint/w2sp-2015/blob/master/SP_SPSI

Re: [tor-talk] onion routing MITM

2016-01-26 Thread populationsteamsir
26. Jan 2016 18:37 by a55de...@opayq.com: > A CA will not validate a '.onion' address since it's not an official TLD > approved by ICANN. > I understand that. > The numbers aren't random. From Wikipedia:  > "16-character alpha-semi-numeric hashes which are automatically generated > bas

Re: [tor-talk] onion routing MITM

2016-01-26 Thread Green Dream
> What prevents a person from registering a new .onion site, such as > http://laobeqkdrj7bz9pq.onion and then relaying all its traffic to > http://3g2upl4pq6kufc4m.onion, and trying to get people to believe that > *they* are actually the duckduckgo .onion site? Nothing. > When you see a link lik

Re: [tor-talk] onion routing MITM

2016-01-26 Thread Seth David Schoen
populationsteam...@tutanota.com writes: > I'm new to tor, trying to understand some stuff. > > I understand the .onion TLD is not an officially recognized TLD, so it's not > resolved by normal DNS servers. The FAQ seems to say that tor itself resolves > these, not to an IP address, but to a hid

Re: [tor-talk] onion routing MITM

2016-01-26 Thread Paul Syverson
This is false. First of all '.onion' is an officially recognized reserved top level domain according to IETF RFC 7686. Second, a CA _will_ validate a .onion address, but only to provide an EV (extended validation) Cert. EV Certs are typically only had by big companies etc. Typical browsers repre

Re: [tor-talk] onion routing MITM

2016-01-26 Thread a55deaba
A CA will not validate a '.onion' address since it's not an official TLD approved by ICANN. The numbers aren't random. From Wikipedia: "16-character alpha-semi-numeric hashes which are automatically generated based on a public key when a hidden service

[tor-talk] onion routing MITM

2016-01-26 Thread populationsteamsir
I'm new to tor, trying to understand some stuff. I understand the .onion TLD is not an officially recognized TLD, so it's not resolved by normal DNS servers. The FAQ seems to say that tor itself resolves these, not to an IP address, but to a hidden site somehow. When I look at thehiddenwiki.org

Re: [tor-talk] Onion service discovery

2016-01-26 Thread Katya Titov
Joshua Hull: > I've been thinking about how to get onion services transparently > selected over non-onion services in order to drive adoption. It seems > to me that a simple strawman proposal would be that before attempting > to connect to a domain name, do a lookup for a specific type of TXT > rec

Re: [tor-talk] Warning: 37 new booby trapped onion sites

2016-01-26 Thread I
Thank you very much for being so vigilant and proactive. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

[tor-talk] Warning: 37 new booby trapped onion sites

2016-01-26 Thread Nurmi, Juha
Hello Tor community, In June I warned Tor users about the presence of hundreds of fake and booby trapped .onion websites [1]. Someone runs a fake site on a similar address to the original one and tries to fool people with that. The sites look like the original ones. These sites are actually work

Re: [tor-talk] A multi-layer proof of work system to solve the Tor/CloudFlare problem?

2016-01-26 Thread Pickfire
On Mon, Jan 25, 2016 at 09:09:37PM +0100, Cain Ungothep wrote: That way a normal web client, normally browsing a website, would not be impacted from end-user experience, but any automated system (the ones causing problems to Cloudflare) Why can't people separate Tor from Tor Browser in their mi