Re: [tor-talk] Tor hidden services and SSL certificates

2011-10-11 Thread Mike Cardwell
to end. They don't have the MITM problems that using Tor to access Internet services has; there are no Exit Nodes involved. So there's no real point in adding a layer of SSL on top. -- Mike Cardwell https://grepular.com/ https://twitter.com/mickeyc Professional http://cardwel

Re: [tor-talk] Tor hidden services and SSL certificates

2011-10-11 Thread Mike Cardwell
/documentation.html https://www.torproject.org/docs/hidden-services.html is a good overview of the way that hidden services work on top of Tor, and there is a link at the bottom of that page to a more technical description. -- Mike Cardwell https://grepular.com/ https://twitter.com/mickeyc

Re: [tor-talk] darkweb-everywhere - was: Using HTTPS Everywhere to redirect to .onion

2014-05-14 Thread Mike Cardwell
her. We have the Tor DNSEL, and there are also a few Apache modules which allow you to perform DNSBL style lookups on the client IP and perform different actions based on the result, such as setting environment variables/headers etc. -- Mike Cardwell https://grepular.com https://emailprivacytest

Re: [tor-talk] darkweb-everywhere - was: Using HTTPS Everywhere to redirect to .onion

2014-05-14 Thread Mike Cardwell
rship resistance and fault tolerance. If access to a website gets blocked or fails for some reason, the browser may be able to pop up a message informing the user how else they can access the content if they have previously visited the site and received a list of alternate domains. -- Mike Cardw

Re: [tor-talk] [OT[ New web-cookie policies on internet

2014-05-30 Thread Mike Cardwell
remember your cookie preferences, because those of us who know what we're doing don't allow cookies to persist for long, so end up seeing the warning every time we visit a site (unless we're using the above filter list in Adblock of course). -- Mike Cardwell https://grepular.com http

Re: [tor-talk] [OT[ New web-cookie policies on internet

2014-05-30 Thread Mike Cardwell
y, I delete these 1st party cookies as soon as the page / tab is > closed - which is kind of a pain. If these 1st party cookies (used > today) were not deleted, not sure they'd pose any privacy threat, like > 3rd party cookies. That can be entirely automated: http

Re: [tor-talk] [OT[ New web-cookie policies on internet

2014-05-30 Thread Mike Cardwell
okies: > Main page: http://www.medscape.com > http://www.medscape.com/?cc=aHR0cDovL3d3dy5tZWRzY2FwZS5jb20vaG9tZQ==&cookieCheck=1 Then allow cookies? If your worry is that the adblock filter I mentioned will have hidden this particular notice from you, then don't. Nobody has written that rule, and the nat

Re: [tor-talk] How does DNS work with .onion addresses?

2014-06-27 Thread Mike Cardwell
can talk to hidden services, without having to install Tor on each of them, albeit less securely than if they all had Tor installed locally of course. -- Mike Cardwell https://grepular.com https://emailprivacytester.com OpenPGP Key35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F XMPP OTR

Re: [tor-talk] Android app: Torrific

2014-07-24 Thread Mike Cardwell
6 addresses and then one of your Apps tries to connect to a host which supports v6, like for example Google or Facebook, then it will bypass your iptables rules. You need to set up rules using ip6tables for IPv6 too. Also, make sure that the rules are applied prior to any network connectivity

[tor-talk] Facebook brute forcing hidden services

2014-10-31 Thread Mike Cardwell
r any other existing hidden service? -- Mike Cardwell https://grepular.com https://emailprivacytester.com OpenPGP Key35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4

Re: [tor-talk] Facebook brute forcing hidden services

2014-10-31 Thread Mike Cardwell
I don't think I'm being dramatic when I say this proves that Tor hidden services are now completely broken. I'd like somebody to show me that I'm wrong for some reason though... -- Mike Cardwell https://grepular.com https://emailprivacytester.com OpenPGP Key35BC AF1D 3AA2

Re: [tor-talk] Facebook brute forcing hidden services

2014-10-31 Thread Mike Cardwell
f of it ("facebook"), which is only 40 bits > so it's possible to generate keys over and over until you get some keys > whose first 40 bits of the hash match the string you want. Getting one ending "corewwwi" seems incredibly lucky to me. Did they tell you how many keys

Re: [tor-talk] Facebook brute forcing hidden services

2014-10-31 Thread Mike Cardwell

Re: [tor-talk] You could use ModX to create .onion sites,

2013-05-24 Thread Mike Cardwell
eah, I'm a fan of SPDY and I think Tor especially will benefit hugely from sites enabling it. -- Mike Cardwell https://grepular.com/ http://cardwellit.com/ OpenPGP Key35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F XMPP OTR Key 892

Re: [tor-talk] Secure email with limited usable metadata

2013-07-01 Thread Mike Cardwell
ou log in, you have to hope that the server didn't send you some new backdoored JS. However, if it's your own webmail installation on your own server, you're using your own browser and all traffic goes over https, you might feel that you can trust it. Personally, I avoid

Re: [tor-talk] What would you put on a a Tor Wishlist?

2013-07-04 Thread Mike Cardwell
nion. Similar things could be done for XMPP. -- Mike Cardwell https://grepular.com/ http://cardwellit.com/ OpenPGP Key35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4

Re: [tor-talk] Contents of PirateBrowser 0.6b

2013-09-03 Thread Mike Cardwell
ssuming not. Did anyone think to ask them? Maybe they are. Maybe they're not, but will do if asked? There's not much point speculating. -- Mike Cardwell https://grepular.com/ http://cardwellit.com/ OpenPGP Key35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F XMPP OTR Key 89

Re: [tor-talk] Stop pushing stackexchange in every thread

2013-10-06 Thread Mike Cardwell
-list is a very bad idea. StackExchange should be used as a knowledge base, not as a replacement for the mailing list. > But I am open to guidance from other list members. And I'll post a > question in http://meta.tor.stackexchange.com/. That discussion belongs here, not on StackExchan

Re: [tor-talk] "Safeplug"

2013-11-22 Thread Mike Cardwell
ount for accessing it from multiple different countries in a short period of time too. You shouldn't just route people through Tor without their knowledge. They need to understand the risks and adapt their use accordingly. -- Mike Cardwell https://grepular.com/ http://cardwellit.com/ O

Re: [tor-talk] "Safeplug"

2013-11-23 Thread Mike Cardwell
r every action that will be tied > to me? No. I did not say, "don't route people through Tor". I said, "don't route people through Tor without their knowledge." -- Mike Cardwell https://grepular.com/ http://cardwellit.com/ OpenPGP Key35BC AF1D 3AA2 1F84

Re: [tor-talk] "Safeplug"

2013-11-26 Thread Mike Cardwell
t spot and target a couple of coffee drinkers reading the news. Or I could spend a couple of minutes setting up a Tor exit node from the comfort of my office, getting sustained access to the traffic of thousands of strangers all over the World. This is why I think malicious Tor Exit nodes are

Re: [tor-talk] Why postfix cannot work on tor (was What are some free and private emai providers?)

2013-12-11 Thread Mike Cardwell
ail to: mike.cardwell@grepularmmmiatj7.onion Obviously, that's not very anonymous as the .onion address contains a substring of my normal domain, and my real name is included too, and I've also not configured my SMTP server to obfuscate various things about my machine that are leaked in

Re: [tor-talk] Security issue. Firefox in Tor Browser Bundle allows access to LAN resources. To fix: ABE of NoScript must be turn on by default

2014-01-21 Thread Mike Cardwell
rol-Allow-Origin header is returned with the response, and only if that Access-Control-Allow-Origin header allows your particular origin (or all origins) to do so. -- Mike Cardwell https://grepular.com/ http://cardwellit.com/ OpenPGP Key35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F XM

Re: [tor-talk] Security issue

2014-01-21 Thread Mike Cardwell
evented by default. If you have a web server listening on 127.0.0.1 and that web server sends an Access-Control-Allow-Origin header with its response, then yes, you will be able to communicate with it from other websites. By design. -- Mike Cardwell https://grepular.com/ http://cardwel

Re: [tor-talk] Security issue. Firefox in Tor Browser Bundle allows access to LAN resources. To fix: ABE of NoScript must be turn on by default

2014-01-21 Thread Mike Cardwell
isn't using CORS, and then read the response, then there is a bug, and you will get a healthily sized cheque from Google or Mozilla for reporting it to them. If you can't read the response then there isn't a bug. What you're seeing is: how the web works. -- Mike Cardwell http

Re: [tor-talk] Security issue. Firefox in Tor Browser Bundle allows access to LAN resources. To fix: ABE of NoScript must be turn on by default

2014-01-21 Thread Mike Cardwell
f connections are being made from TBB without going via Tor, then there is a serious leak in TBB. I'm not convinced this is happening though. -- Mike Cardwell https://grepular.com/ http://cardwellit.com/ OpenPGP Key35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F XMPP OTR Key 8924 B06A 791

[tor-talk] Thunderbird leak

2014-01-26 Thread Mike Cardwell
of in your usual (potentially torified) web browser. Bypassing any other defenses you might also have, including NoScript etc. -- Mike Cardwell https://grepular.com/ http://cardwellit.com/ OpenPGP Key35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F XMPP OTR Key 8924 B06A 7917 AAF3

Re: [tor-talk] Thunderbird leak

2014-01-26 Thread Mike Cardwell
* on the Sun, Jan 26, 2014 at 05:33:45PM +, Andrew F wrote: >> YIKES... Are you sure, how did this slip by? Yes, I am sure. > Also you might want to post this on the tails list. I am not on the Tails list. Perhaps somebody who is already there might bring it up? -- Mike Cardwe

Re: [tor-talk] Thunderbird leak

2014-01-26 Thread Mike Cardwell
moderate. It has been over two years since I told them about it and it hasn't been fixed, hence why I am now making it public. -- Mike Cardwell https://grepular.com/ http://cardwellit.com/ OpenPGP Key35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F XMPP OTR Key 8924 B06A 7917 AAF

Re: [tor-talk] Thunderbird leak

2014-01-27 Thread Mike Cardwell
me they'll be unlocking it at some point. Unfortunately, in this instance, I think this private disclosure has allowed the issue to go unfixed for a long time. I probably should have made it public much sooner. -- Mike Cardwell https://grepular.com/ http://cardwellit.com/ OpenPGP Key

Re: [tor-talk] Thunderbird leak

2014-01-28 Thread Mike Cardwell
sue here exactly so that those sorts of issues could be investigated. I suggest if you are going to make any further statements about the way the bug works, you replicate it first. The bug report is now public. Somebody has submitted a patch, but they've also suggested that there may be si

Re: [tor-talk] Thunderbird leak

2014-01-28 Thread Mike Cardwell
ny further. If anyone is interested in following the issue, see: https://bugzilla.mozilla.org/show_bug.cgi?id=700979 -- Mike Cardwell https://grepular.com/ http://cardwellit.com/ OpenPGP Key35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 4

Re: [tor-talk] Ostel and WebRTC over Tor?

2014-02-14 Thread Mike Cardwell
a single (or two?) TCP connection per pair of relays. Unless your VOIP app talks to the Tor Control Port, and sets up each circuit and stream itself, rather than letting Tor do it automatically. -- Mike Cardwell https://grepular.com/ http://cardwellit.com/ OpenPGP Key35BC AF1D 3AA2 1F8

Re: [tor-talk] Advice on XMPP as a hidden service

2014-03-06 Thread Mike Cardwell
gh we run a Jingle node and act as a media relay, I assume > users still will not be able to do voice and video while connected to > our server over Tor. If any of this relies on UDP, then no. Even if it's entirely TCP, the latency added by onion routing will probably be too