[tor-talk] Looking for information about onion site user deanonymization

Hi tor-talk, I'm working as a consultant to a criminal defense lawyer who's representing a defendant in a case involving Tor and an investigation by U.S. law enforcement and foreign law enforcement. In 2019 a foreign law enforcement agency claimed to identify the clearnet IP addresses of a large

Re: [tor-talk] >170 tor relays you probably want to avoid (Oct 2019 @ Choopa)

nusenu writes: > InjureWellprepred > ChicgoHopeful > VillgerVenice > FemleDiffer > PossibilityCreture > CrownDutchmn > BeyondNtionl > BridegroomDisster > HrmonyCrown > NurseryGreement > RibbonUnderline > CookbookRoundbout > SectionPolitics > PerfectThlete Very odd naming convention. It's kind

Re: [tor-talk] Tor to become illegal in Europe?

hi...@safe-mail.net writes: > They're basically talking about eliminating criminal activities facilitated > online by the darknet, by making Tor and the dark web illegal and > inaccessible > in Europe. But this discussion is one politician's view in a keynote address at a police congress --

Re: [tor-talk] You Can Now Watch YouTube Videos with Onion Hidden Services

Seth David Schoen writes: > if its operator knew a vulnerability in some clients' video codecs, (or in some other part of Tor Browser, since the proxy can also serve arbitrary HTTP headers, HTML, CSS, Javascript, JSON, and media files of various types) > it could also serve a malic

Re: [tor-talk] You Can Now Watch YouTube Videos with Onion Hidden Services

bo0od writes: > This is another front end to YouTube: Hi bo0od, Thanks for the links. This seems to be in a category of "third-party onion proxy for clearnet service" which is distinct from the situation where a site operator provides its own official onion service (like Facebook's

Re: [tor-talk] Post Quantum Tor

Kevin Burress writes: > honestly, ideally it would be a lot easier to do things with tor if it > actually internally followed the unix philosophy and the layers of service > could be used as a part of the linux system and modular use of the parts. I > was just looking at BGP routing over tor. I'm

Re: [tor-talk] Intercept: NSA MONKEYROCKET: Cryptocurrency / AnonBrowser Service - Full Take Tracking Users, Trojan SW

grarpamp writes: > [Quoting The Intercept] > financial privacy “is something that matters incredibly” to the > Bitcoin community, and expects that “people who are privacy conscious > will switch to privacy-oriented coins” after learning of the NSA’s > work here. Or, maybe people who are privacy

Re: [tor-talk] catastrophe: ip-api.com sees me

Dash Four writes: > Roger Dingledine wrote: > >Using any browser with Tor besides Tor Browser is usually a bad idea: > >https://www.torproject.org/docs/faq#TBBOtherBrowser > I disagree with that statement. It is certainly _not_ a bad idea, provided > you know what you are doing. As the

Re: [tor-talk] Privacy Pass from Cloudflare, and the CAPTCHA problem

bob1983 writes: > 3. Even if this protocol is integrated in Tor Browser, after clicking "New > Identity", all local data will be erased. Considering this feature is > frequently > used by Tor users, we still need to solve some CAPTCHAs. If the protocol is sound here in its unlinkability

[tor-talk] Proposed DV certificate issuance for next-generation onion services

Coinciding with the Tor blog post today about next-generation onion services, I sent a proposal to the CA/Browser Forum to amend the rules to allow issuance of publicly-trusted certificates for use with TLS services on next-generation onion addresses (with DV validation methods, in addition to the

Re: [tor-talk] noise traffic generator?

Matej Kovacic writes: > Hi, > > there is some interesting project called Noiszy: https://noiszy.com/ > > It generates fake traffic. It is more "artists" project that real > countermeasure, but I am thinking to implement something like this on my > network with several machines inside. > >

Re: [tor-talk] How to find trust nodes?

George writes: > But ultimately, Tor's topography mitigates against one of the three > nodes in your circuit being compromised. If the first hop is > compromised, then they only know who you are, but not where your > destination is. If the last hop is compromised, they only know where > you're

Re: [tor-talk] New OONI release: Test sites you care about!

Arturo Filastò writes: > That said, something to keep in mind, is that OONI Probe is not a privacy > tool, but rather a tool for investigations and as such poses some risks (as > we explain inside of our informed consent procedure). > > We are not aware of any OONI Probe users having gotten

Re: [tor-talk] Tor users in US up by nearly 100,000 this month

Roger Dingledine writes: > Asking Cloudflare how many people are deciding to solve their captchas > today is measuring a different thing -- if I try to load a news article, > see a cloudflare captcha, and say "aw, fuck cloudflare, oh well" and > move on, am I a bot? I'm just figuring that you

Re: [tor-talk] Tor users in US up by nearly 100,000 this month

Scfith Riseup writes: > Nope. > > Indication that Tor in use uptick unfortunately could point to more > bots collecting Tor, not necessarily people using Tor. Wish there was > a way to differentiate bots from meat. Amusingly, CloudFlare would probably be in a position to do so because they

Re: [tor-talk] Neal Krawetz's abcission proposal, and Tor's reputation

Paul Syverson writes: > As the cryptographic design changes for next generation onion services > are now being rolled out, that > in-my-opinion-never-actually-well-grounded concern will go away. I > cover at a high level, a design for onion altnames in "The Once and > Future Onion" [1] that I

Re: [tor-talk] Neal Krawetz's abcission proposal, and Tor's reputation

Roger Dingledine writes: > I think finding ways to tie onion addresses to normal ("insecure web") > domains, when a service has both, is really important too. I'd like to > live in a world where Let's Encrypt gives you an onion altname in your > https cert by default, and spins up a Tor client by

Re: [tor-talk] Motivations for certificate issues for onion services

Dave Warren writes: > I don't completely understand this, since outside the Tor world it's > possible to acquire DV certificates using verification performed on > unencrypted (HTTP) channels. > > Wouldn't the same be possible for a .onion, simply requiring that the > verification service act as

[tor-talk] Motivations for certificate issues for onion services

Hi folks, For a long time, publicly-trusted certificate authorities were not clearly permitted to issue certificates for .onion names. However, RFC 7686 and a series of three CA/Browser Forum ballots sponsored by Digicert have allowed issuance of EV certificates (where the legal identity of the

Re: [tor-talk] Tor's work

Suhaib Mbarak writes: > Dear Seth Schoen: > > Thank you very much for your extremely appreciated answer: > > It seems that you were the most person who got what I'm looking for. > To be honest I'm doing my best to find away to figure out how to achieve my > goal to show student how TOR works as

Re: [tor-talk] tor-talk Digest, Vol 77, Issue 9

Suhaib Mbarak writes: > I'm a master student and doing some researches on TOR . I'm using shadow > simulator; not real tor network; my goal is only to run an experiment and > from the output of that experiment I can confess my students that Tor > really : [...] It seems to me that one useful

Re: [tor-talk] Tor source code

By the way, there's an interesting new study https://www.ieee-security.org/TC/SP2017/papers/84.pdf that claims that many people believe communications security is "futile" because of inaccurate mental models of cryptography, and strongly endorse security through obscurity. I've been thinking a

Re: [tor-talk] Tor source code

Suhaib Mbarak writes: > Dear all. > > My question is to make sure wether tor source code is open and available > for public or not? Yes, it has always been since the beginning of the project. Currently, the code is available at https://gitweb.torproject.org/tor.git > In case it is open

Re: [tor-talk] State of bad relays (March 2017)

nusenu writes: > that put users at risk because they potentially see traffic entering > _and_ leaving the tor network (which breaks the assumption that not > every relay in a circuit is operated by the same operator). (strictly speaking, the assumption that no more than one relay in a circuit is

Re: [tor-talk] Exits: In Crossfire on the Front Lines

grarpamp writes: > [quoting movrcx] > In today’s cyberwar, Tor exit nodes represent the front line of > battle. At this location it is possible to directly observe attacks, > to launch attacks, and to even gather intelligence. An alarming figure > disclosed by The Intercept’s Micah Lee attributed

Re: [tor-talk] Will Quantum computing be the end of Tor and all Privacy?

Seth David Schoen writes: > Notably, Google has even experimentally deployed a PQ ciphersuite > in Chrome (that uses elliptic-curve cryptography in parallel with > Alkim et al.'s "new hope" algorithm). > > https://security.googleblog.com/2016/07/experimenti

Re: [tor-talk] Will Quantum computing be the end of Tor and all Privacy?

Flipchan writes: > I dont think so, quantum 4times at fast so we just need to generate 4times as > strong keys the entropy will just be bigger, But as Long as we are not useing > like 56 bit des keys its okey You're probably thinking of safety of symmetric encryption, where there is a

Re: [tor-talk] Will Quantum computing be the end of Tor and all Privacy?

hi...@safe-mail.net writes: > So, where does this put Tor, encryption and general privacy? Shouldn't we > start preparing ourselves for the inevitable privacy apocalypse? People have been working on this for years, and they're making good progress.

Re: [tor-talk] What is the different between Official TorBrowser and Browser4Tor?

Jason Long writes: > Hello. > I found a version of Tor in "http://torbrowser.sourceforge.net/;, But what is > the different between it and official TorBrowser? Is it a trust version? This is an unrelated project that seems to be trying to confuse people by visually imitating the old design of

Re: [tor-talk] Find Real IP via ISP.

Jason Long writes: > Are you kidding? Iranian relays are good in this scenario? Why? Because they might be less likely to cooperate with ISPs in other countries to track Tor traffic. -- Seth Schoen Senior Staff Technologist https://www.eff.org/

Re: [tor-talk] Please Remove Tor bridge and... from Censorship countries.

Jason Long writes: > To be honest, I guess that I must stop using Tor It is not secure.I can > remember that in torproject.org the Tor speaking about some peole that use > Tor. For example, reporters, Military soldiers and...But I guess all of them > are ads. Consider a soldier in a

Re: [tor-talk] Please Remove Tor bridge and... from Censorship countries.

Jason Long writes: > Not from ISP!! It is so bad because ISPs are under > governments control. If an ISP can see I use Tor then it is a good evidence > in censorship countries.You said " If a government is running the bridge, it > will know where the users are who are using

Re: [tor-talk] Timing attacks and fingerprinting users based of timestamps

Flipchan writes: > So i was thinking about timing attacks and simular attacks where time is a > Big factor when deanonymizing users . > and created a Little script that will generate a ipv4 address and send a get > request to that address >

Re: [tor-talk] Please Remove Tor bridge and... from Censorship countries.

Jason Long writes: > You said the governments can see a user bandwidth usage and it is so bad > because they can understand a user use Tor for regular web surfing or use it > for upload files and... > You said governments can see users usages but not contents but how they can > find specific

Re: [tor-talk] Please Remove Tor bridge and... from Censorship countries.

Jason Long writes: > Hello Tor Developers and administrator.The Tor goal is provide Secure web > surfing as free and Freedom but unfortunately some countries like Iran, > China, North Korea and... Launch Tor bridges for spying on users and sniff > their traffics and it is so bad and decrease

Re: [tor-talk] Tor and Google error / CAPTCHAs.

Alec Muffett writes: > To a first approximation I am in favour of maximising all of those, but > practically I feel that that's a foolhardy proposition - simply, my Netflix > viewing, or whatever, does not need to be anonymised. I appreciate your approach to analyzing what Tor-like tools need to

Re: [tor-talk] Tor-Retro' for OS/2 Warp 4.52 Latest Release (2001) ?

NTPT writes: > There is no motivation to make exploits and other stuff on rare OSses.. There's a certain circularity to this: if you use rare OSes because attackers aren't interested in them and you convince lots of people that this is a good strategy, attackers may then get more interested in

Re: [tor-talk] Could Tor be used for health informatics?

Paul Templeton writes: > Where Tor may fit... > > The Tor network would provide the secure transport - each site would create > an onion address. Central servers would keep tab of address and public keys > for each site and practitioner. I'm not convinced this is a good tradeoff for this

Re: [tor-talk] augmented browsing - "sed inside torbrowser"

haaber writes: > Hello, > > I wonder if there are more interested people out there to include a > "postprocessing" of the HTML code via *sed* type search & replace > expressions. A tiny sed copy could be included in the brwoser and a > domainbased list of expressions be given to sed that

Re: [tor-talk] Does Facebook Onion Work?

Fkqqrr writes: > Oskar Wendel writes: > > BTW, Does facebook has a onion version? Probably one of the most famous onions, https://facebookcorewwwi.onion/. See https://lists.torproject.org/pipermail/tor-talk/2014-October/035421.html -- Seth Schoen Senior

Re: [tor-talk] .onion name gen

Scfith Rise up writes: > I'm pretty sure that the onion address is generated directly from the private > key, at least if you have every played around with scallion or eschalot. So > what you just wrote doesn't apply in that way. But again, I could be wrong. Mirimir's reference at

Re: [tor-talk] .onion name gen

Scfith Rise up writes: > It _would_ be the same private key. Good luck with generating 1.2 septillion > permutations (16^32). This would be true if the public key were used directly as the onion name (which might be possible in certain elliptic curve systems because keys are so small). But in

Re: [tor-talk] Lets Encrypt compared to self-signed certs

ban...@openmailbox.org writes: > Hi David. Thanks for chiming in. Please add a feature for pinning at > the key level as IMO it provides the best protection. We don't have any tools for pinning at all but you can read people's tips about it on the Let's Encrypt community forum. > Will the logs

Re: [tor-talk] Lets Encrypt compared to self-signed certs

ban...@openmailbox.org writes: > How secure is Lets Encrypt compared to a pinned self signed cert? > Can Lets Encrypt be subverted by NSLs? You can use pinning with Let's Encrypt certs too. The default client behavior changes the subject key on every renewal, but I can add a feature to keep the

Re: [tor-talk] Bridges and Exits together

Anthony Papillion writes: > I already run an exit node and would like to also run a bridge. Is it > acceptable to run a bridge and an exit on the same machine and on the > same instance of Tor? If so, are there any security issues I should be > aware of in doing so? Any special precautions or

Re: [tor-talk] Tracking blocker

Paul A. Crable writes: > A NYT article yesterday discussed tracking blockers and > recommended Disconnect from among four candidates for > Intel-architecture computers. Disconnect would be installed > as an add-on to Firefox. You have a standing recommendation >

Re: [tor-talk] PGP and Signed Messages,

Seth David Schoen writes: > People also don't necessarily check it in practice. Someone made fake > keys for all of the attendees of a particular keysigning party in > 2010 (including me); I've gotten unreadable encrypted messages from > over a dozen PGP users as a result, because t

Re: [tor-talk] PGP and Signed Messages,

Cain Ungothep writes: > This is not just the "traditional" answer, it's the only proper answer. There are other ideas out there too, like CONIKS. https://eprint.iacr.org/2014/1004.pdf -- Seth Schoen Senior Staff Technologist https://www.eff.org/

Re: [tor-talk] PGP and Signed Messages,

Nathaniel Suchy writes: > I've noticed a lot of users of Tor use PGP. With it you can encrypt or sign > a message. However how do we know a key is real? What would stop me from > creating a new key pair and uploading it to the key servers? And from there > spoofing identity? The traditional

Re: [tor-talk] Not able to download Tor to droid]

libertyinpe...@ruggedinbox.com writes: > The url Tor was downloaded from is guardianproject.info/apps/orbot > direct download(.apk). I tried doing so again after your response. The > tablet operating system indicated it had downloaded, -- but it had not. If > it is still on the droid hard

Re: [tor-talk] onion routing MITM

populationsteam...@tutanota.com writes: > I'm new to tor, trying to understand some stuff. > > I understand the .onion TLD is not an officially recognized TLD, so it's not > resolved by normal DNS servers. The FAQ seems to say that tor itself resolves > these, not to an IP address, but to a

Re: [tor-talk] onion routing MITM

populationsteam...@tutanota.com writes: > The question is: From a user perspective, http://3g2upl4pq6kufc4m.onion just > looks like random characters. (And in fact, if it's a hash of a public key, > which was originally randomly generated, then indeed these *are* random > characters). You

Re: [tor-talk] Hello I have a few question about tor network

Lucas Teixeira writes: > Are there references for "real life" usage of traffic confirmation? I've mentioned the Jeremy Hammond and Eldo Kim cases, which can be seen as "good enough" coarse-grained correlation. I think there are others if we look for them. -- Seth Schoen

Re: [tor-talk] Hello I have a few question about tor network

Oskar Wendel writes: > Seth David Schoen <sch...@eff.org>: > > > As I said in my previous message, I don't think this is the case because > > the correlation just requires seeing the two endpoints of the connection, > > even without knowing the complete path.

Re: [tor-talk] Hello I have a few question about tor network

Aeris writes: > > Does it apply also to traffic going from/to hidden services? How safe are > > users of hidden services when compared to users that browse clearnet with > > Tor? > > Correlation is possible but very more difficult, because 3 nodes for client > to > rendez-vous points, then 3

Re: [tor-talk] Hello I have a few question about tor network

Oskar Wendel writes: > Does it apply also to traffic going from/to hidden services? How safe are > users of hidden services when compared to users that browse clearnet with > Tor? The hidden service users can be identified as users of the individual services using the same sybil approach: if a

Re: [tor-talk] Hello I have a few question about tor network

Alexandre Guillioud writes: > " That's definitely an improvement, although there's an issue in the long > run that the crypto in HTTPS is getting better faster than the crypto > in Tor's hidden services implementation. :-) " > > I don't understand why you are saying that this is an 'issue'. > If

Re: [tor-talk] Hello I have a few question about tor network

권현준 writes: > I subscribe tor-talk > > Hello I'm Korean student studying security > First of all sorry for my bad english. > I have a few question about tor network > > 1. Tor network is 100% security network? that can not be hacked by other > cracker? > > 2. If not, How can cracker

Re: [tor-talk] Ordering a .onion EV certificate from Digitcert

Fabio Pietrosanti (naif) - lists writes: > Hello, > > we asked on Twitter to Digicert to provide a quick guide on how order an > x509v3 certificate for TLS for a .onion, they've just published this > small guide: > https://blog.digicert.com/ordering-a-onion-certificate-from-digicert/ > >

Re: [tor-talk] I am getting European nodes only?

forc...@safe-mail.net writes: Hello! Using the last release of Tor Browser, I am a bit surprised: Circuits are made ONLY with European nodes! I changed identity a few times, asked New Tot circuit for this site, every time there are only European nodes! I cannot believe that Northern

Re: [tor-talk] Letsencrypt and Tor Hidden Services

Fabio Pietrosanti (naif) - lists writes: Hello, does anyone had looked into the upcoming Letsencrypt if it would also works fine with Tor Hidden Services and/or if there's some complexity/issues to be managed? As it would/could be interesting if Tor itself would support directly

Re: [tor-talk] Letsencrypt and Tor Hidden Services

elrippo writes: Hy, i don't think letsencrypt will work on a HS because letsencrypt checks [1] if the domain you type in, is registered. So for example on a clearnet IP which has a registered domain at mydomain.com called myserver.tld, letsencrypt makes a DNS check for this clearnet IP and

Re: [tor-talk] Letsencrypt and Tor Hidden Services

Alec Muffett writes: Pardon me replying to two at once... Thanks for all the helpful clarifications, Alec. -- Seth Schoen sch...@eff.org Senior Staff Technologist https://www.eff.org/ Electronic Frontier Foundation https://www.eff.org/join 815 Eddy

Re: [tor-talk] Letsencrypt and Tor Hidden Services

Flipchan writes: Im wondering , have anyone got letsencrypt to work with a .onion site? Or is it jus clearnet For the reasons described elsewhere in this thread, it's definitely just clearnet for the foreseeable future. -- Seth Schoen sch...@eff.org Senior Staff Technologist

Re: [tor-talk] Why is my message reject at tor-announce-ow...@lists.torproject.org ?

Qaz writes: Hi there, Yeah the title pretty much says it. How do I go about this? tor-announce isn't a discussion list and the public isn't allowed to send messages to it. The place where you can have public discussions is tor-talk -- this list right here. -- Seth Schoen sch...@eff.org

Re: [tor-talk] General question regarding tor, ssl and .onion.

MaQ writes: Also, while it was said that .onion encryption was of lower standard, wouldn't a high degree of privacy and randomness still be assured, except for maybe alphabet agencies and more nefarious types out there specifically targeting a subject or .onion addresses in general, and some

Re: [tor-talk] General question regarding tor, ssl and .onion.

Jeremy Rand writes: It's theoretically possible to use naming systems like Namecoin to specify TLS fingerprints for connections to Tor hidden services, which would eliminate the need for a CA. I'm hoping to have a proof of concept of such functionality soon. Is there a way to prevent an

Re: [tor-talk] General question regarding tor, ssl and .onion.

MaQ writes: Hello, I'm curious, I'm developing an app whereas sharing/collaboration can be done by localhost through tor and .onion address between pairs or multiples. When I use standard http there seems to not be any problems connecting different computers, different IPs, etc. and

Re: [tor-talk] tor not running

Bill Cunningham writes: #3 and on I did not know. Never usesd Keys. But I have the gp44win know. I will let you know the results. After having imported the keychain If that's the correct wording. How does this download site work for others and not me? I am showing my ignorance I know, but

Re: [tor-talk] HORNET onion routing design

str4d writes: * No replay detection - packet replay is ignored within the lifetime of a session. They suggest that adversaries would be deterred by the risk of being detected by volunteers/organizations/ASs, but the detection process is going to add additional processing time and therefore

[tor-talk] HORNET onion routing design

Has anybody looked at the new HORNET system? http://arxiv.org/abs/1507.05724v1 It's a new onion routing design that seems to call for participation by clients, servers, and network-layer routers; in exchange it claims extremely good performance and scalability results. I think it also calls for

Re: [tor-talk] pdf with tor

mtsio writes: If you to Preferences-Applications-Portable Document Format there is the option 'Preview in Tor Browser' that opens the PDF without opening an external application. What's the problem with that? There are two kinds of risks that lead to the suggestion not to view documents like

Re: [tor-talk] Is this still valid?

Seth David Schoen writes: If you read the original Tor design paper from 2004, censorship circumvention was actually not an intended application at that time: https://svn.torproject.org/svn/projects/design-paper/tor-design.pdf (Tor does not try to conceal who is connected to the network

Re: [tor-talk] Is this still valid?

U.R.Being.Watched writes: http://www.deseret-tech.com/journal/psa-tor-exposes-all-traffic-by-design-do-not-use-it-for-normal-web-browsing/ There are some mistakes in the article -- for example the notion that Tor was built for a specific purpose, which was the circumvention of restrictive

Re: [tor-talk] a question about ip addresses

Heigrade writes: Hello, I am new to TOR and networking in general and had a question about ip addresses that TOR connects to. My question is this: After analyzing tcpdump data of TOR traffic, I've noticed that TOR always connects to the same ip address, even after restarts, whereas I

Re: [tor-talk] What is being detected to alert upon?

Frederick Zierold writes: Hi, I am very curious how a vendor is detecting Tor Project traffic. My questions is what are they seeing to alert upon? I have asked them, but I was told that is in the special sauce. Is the connection from the users computer to the bridge encrypted?

Re: [tor-talk] SIGAINT email service targeted by 70 bad exit nodes

Roger Dingledine writes: I know we could SSL sigaint.org, but if it is a state-actor they could just use one of their CAs and mill a key. This is not great logic. You're running a website without SSL, even though you know people are attacking you? Shouldn't your users be hassling you to

Re: [tor-talk] New Tor project idea for internet comments

Lee Malek writes: Hi, I am new here. I have an idea for a tor sub-project that would serve our purpose (fighting censorship) perfectly. This would be a different version of tor - a sort of sub-tor... and a browser plugin. Everyone that installs this version of tor would be forced to

Re: [tor-talk] Tor Browser Bundle with Chromium

Luis writes: What are the reasons that makes building a Tor Browser using Chromium not such a good idea? I recall reading somewhere that while making a Tor Browser with a Chromium base would have its benefits due to Chromium's superior security model (i.e. sandboxing), there are serious

Re: [tor-talk] Confidant Mail

Mike Ingle writes: As far as HTTPS: The NSA has the ability to get into Amazon EC2 and mess with files too, no doubt. And they have a variety of compromised HTTPS CA certs they could use to MITM. If they wanted to do that they could, HTTPS or no. If they did it on a large scale, they would

Re: [tor-talk] Confidant Mail

Andrew Roffey writes: michael ball: On *Tue Feb 3, Mike Ingle wrote:* I don't have HTTPS because there is nothing secret on the site, and because I don't place much trust in it i may be mistaken that it is kinda stupid not to use HTTPS on a website with downloads, as documents

Re: [tor-talk] TOR issues

Hollow Quincy writes: Dear TOR community, I spend some time to understand how TOR works. I still cannot understand some design assumptions. Could you please help me to understand some issues ? I think some of your questions are based on misunderstanding the difference between circuits that

Re: [tor-talk] All I Want For X-mas: TorPhone

spencer...@openmailbox.org writes: Awesome! Though a tablet could work, I am more for a more pocket-sized mobile device. Also, Seth, thanks for the more in-depth concern regarding the WiFi MAC address and guard nodes, however, though I am all for people knowing how their devices work and

Re: [tor-talk] All I Want For X-mas: TorPhone

spencer...@openmailbox.org writes: Ideally it would run an open OS tied to an open organization and come with nothing installed on it except for a mobile version of TorBrowser. The best example I can think of now is a forked version of Android with Orweb/bot installed. Other applications

Re: [tor-talk] Anonbib November papers without papers

Sebastian G. bastik.tor writes: Anonbib's header states Selected Papers in Anonymity and I have no clue who selects them. Historically I thought mostly Roger Dingledine and Nick Mathewson; it looks like there have been a number of other contributions over the years, though!

Re: [tor-talk] CA signed SSL bad for censorship resistance?

Miles Richardson writes: Has there been any research into the effect that CA signed SSL certs on .onion services have on the ability of Tor to circumvent censorship authorities? Is it possible there could be some leakage to the certificate authority that could be picked up by an ISP? There's

Re: [tor-talk] Hidden Services vs Onion services

Nathan Freitas writes: On Wed, Nov 12, 2014, at 11:38 PM, Virgil Griffith wrote: I'll start trying onion service and just see if it catches on. Since these things are mostly used for websites, why not call them onion sites or onionsites? Typical users don't talk about web services,

Re: [tor-talk] Bitcoin over Tor isn’t a good idea (Alex Biryukov / Ivan Pustogarov story)

Gregory Maxwell writes: On Mon, Oct 27, 2014 at 11:19 PM, Seth David Schoen sch...@eff.org wrote: First, the security of hidden services among other things relies on the difficulty of an 80-bit partial hash collision; even without any new mathematical insight, that isn't regarded by NIST

Re: [tor-talk] Bitcoin over Tor isn’t a good idea (Alex Biryukov / Ivan Pustogarov story)

s7r writes: All use Bitcoin default port 8333. These servers are up all the time and very fast. Hidden services are end-to-end encrypted so the risk of MITM between nodes does not exist. Also, if you run bitcoin in such a way with onlynet=tor enabled in config, nobody listening your wire

Re: [tor-talk] Tor in other software

Derric Atzrott writes: Good day all, Would it be useful at all, when developing other software, to route its communications through Tor? I'm mostly just curious if it would be useful to the Tor project to design software that makes use of Tor in order to help provide more cover traffic

Re: [tor-talk] (no subject)

ben ho writes: get bridges Hi, Unfortunately you sent this to a public discussion list for talking about Tor, which isn't the right address for requesting bridges. The right place to send that request is brid...@bridges.torproject.org. If you do that and your bridges don't work, you can also

Re: [tor-talk] isp monitoring tor

Mirimir writes: Tor is vulnerable to two general sorts of attacks. One involves the use of malicious relays in various ways to deanonymize circuits. The other involves the use of traffic analysis to correlate traffic captured at edges of the Tor network (to users and the websites that they

Re: [tor-talk] wake up tor devs

Ted Smith writes: There's a reason why the NSA has Tor Stinks presentations and not I2P stinks presentations. I don't know of a good basis for estimating what fraction of NSA's capabilities or lack of capabilities we've learned about. And even when someone _working at NSA_ writes that attack

Re: [tor-talk] I have a quick question about security of tor with 3 nodes

John Doe writes: How can I set the number of relays in the configuration file? Also can you explain why 3 is enough? I hear things of analysis being able to track people trough the various relays they use. This worries me some. Care to help me understand?

Re: [tor-talk] Why make bad-relays a closed mailing list?

Roger Dingledine writes: But in this particular case I'm stuck, because the arms race is so lopsidedly against us. We can scan for whether exit relays handle certain websites poorly, but if the list that we scan for is public, then exit relays can mess with other websites and know they'll

Re: [tor-talk] Spoofing a browser profile to prevent fingerprinting

Joe Btfsplk writes: I'm no expert on fine details of this, but over a long time of checking TBB, Firefox, JonDo Fox, etc., on multiple test sites, it's always clear that far more info is available when JS is enabled. The EFF says ~ 33 bits of identifying info (ii) are needed to accurately

Re: [tor-talk] Spoofing a browser profile to prevent fingerprinting

Mirimir writes: Discussions of measured entropy and stuff are too abstract for me. Maybe someone can help me with a few simpleminded questions. About 2.2 million clients are using Tor these days. Let's say that I've toggled NoScript to block by default, and that I have a unique pattern of

Re: [tor-talk] Spoofing a browser profile to prevent fingerprinting

Mirimir writes: The risk from doing that, of course, is that each user will tend to customize their NoScript profile in a distinct way. And that will allow websites to tell them apart. Even so, Panopticlick can't report anything about that. For that, one would need a version of

Re: [tor-talk] Spoofing a browser profile to prevent fingerprinting

Mirimir writes: For instance, suppose that you went to site A at 16:00 one day and to site B at 20:00 the following day. If site A and site B (or people spying on them) can realize that you're actually the same person through browser fingerprinting methods, then if someone has an

Re: [tor-talk] ISP surveillance.

Marcos Eugenio Kehl writes: Hello experts! TAILS, running by usb stick, protect me against forensics tecnics in my pc. Ok. TOR, running as a client only or as a relay, protect (theoretically) my privacy. Ok. But... if my static IP, provided by my ISP, is under surveillance by a legal

  1   2   >