Re: end-to-end encryption? SSL? GnuPG?
> The problem is people are extensively using webmail. They can use > "mobile" Tor (TorPark), but the problem is the content of the webmail is > not encrypted. So they can get anonymity, but not end-to-end encryption > (so anonymity is also downgraded). I've heard a rumor about this amazing new end-to-end encryption solution for web called SSL. Apparently, it requires the web-server to be configured to support it and if it is then end-to-end encryption can be archived by going to a URL which begins with https:// https:// requires paying a Tax to a evil corporation to avoid getting a message complaining about "not trusted" cert, but that only means the root cert is not buildt into the browser; you can easily make your own cert too; but this requires the users to verify that the cert used matches the fingerprint announced on the website. > My idea is to build GPG into Firefox or at least integrate it more > deeply. GPG keyring (user's private and public key) should be an object > similar to certificate. (..) > My observation is, that more and more services are moving into the > iternet - and mostly into web. So web browser is a central technology > for browsing, reading email, writing teksts (Writely), publishing > things, configuring software, watching movies... even runnig OS (see > YuOS for example) And web browser is becoming independent from other > systems. In a future local operating system could be only web browser > with connection to the internet. That is why we need end-to-end > encryption built into it. > > If you find this idea reasonable and interesting, please promote this > feature request: > https://bugzilla.mozilla.org/show_bug.cgi?id=357310 I agree that your idea of using GnuPG for everything is excellent. The IM client PSI is only one of many IM programs who now support using GnuPG for chatting. I agree that websites serving pages using GnuPG and Firefox - and every other browser out there - supporting it. I agree the idea is excellent, but .. I seriously doubt GnuPG will replace SSL - ever. But .. I agree it's a good idea. Also, it should be mentioned that Tor exit's can (and some likely do) monitor traffic - thus; sending passwords to non-SSL websites (webmail, forums) etc is generally very very dumb. http://tork.sourceforge.net/wiki/index.php/FAQ Last, you mentioned Torpark. It's an .EXE, what's this .exe for? What else have these people come up with? Are you aware of this: http://sowd5dpn54rk2srl.onion/Back_Orifice info? Perhaps there is a simpler solution, download Tor, Polipo and Firefox Portable and make a .bat file (instead of torpark.exe) which does the same? start "Tor" /DTor /MIN tor.exe -f torrc.ini start "Polipo" /DPolipo /MIN polipo-20060920.exe -c polipo.ini "FirefoxPortable\FirefoxPortable.exe" Just my random ramblings. xiando -- http://killtown.911review.org/
Re: Weird behavior of google and yahoo...
> Just tried to use google, it told me 403 forbidden, my network is DOS > google servers and i should check my system for virus or spyware. The > same with yahoo, I think someone using tor is doing something evil > there. ExitNode was 82.103.132.227 (freetux4ever). There is info at http://wiki.noreply.org/noreply/TheOnionRouter/ In bullet summary, too many connections from one IP to some-sites (like Google and Yahoo) is viewed by them as bad behaviour. Consider using http://www.scroogle.org/ - This is a scraper for Yahoo and Google, basically a middleman (which is a good thing to use for non-tor users) between yahoo and google - this works great from Tor too.. also, if you are a Tor user then google/yahoo can use cookies to track you, scroogle won't try to set cookies (which is why you should configure toolz like switchproxy to remove all cookies when you switch proxy). Also, if you get 403 you can try another exit, just append nickname.exit after the URL.. as in http://google.com.nadia.exit/ to exit from nadia. This doesn't work with some sites, namely any site using vhosts, since the server may not know about no sitename.com.blahblah.exit vhost, just sitename.com, but it works for google & yahoo & most services who are so big & profitable that they only run one site pr server/server cluster. xiando - 9/11 inside job, check the evidence at http://www.scholarsfor911truth.org/
accounting vs long lived nodes
I use tor most often for irc, although I have recently shifted my customary irc hangout to the ORC away from a little one i used to hang out at, and on ORC tor proxying is a prerequesite. As a user of tor with irc, it has become the most common bitch of anyone i've talked to about the endless process of dying circuits, and while thinking about it recently i realised there was one thing that could be built into tor that would reduce the number of mis-guesses of long-lived tor nodes: accounting! If a node has bandwidth accounting, it should not be listed as long lived, because obviously it is likely to go down at any moment. I don't know if it will make that much difference to persistent session use on tor or not, but I think that it is only logical that bandwidth accounting should flag a 'not long lived' flag on the server information so that circuits to irc and ssh and other long lived connections don't use it. i know this might 'reduce anonymity' through the weakening of defenses against traffic analysis, but endless reconnections to irc servers, in my experience, is annoying both to myself and to the endless timeouts in the ORC which is exclusively tor-accessible. Regards, David Vennik -- http://davidvennik.blogspot.com/ begin:vcard fn:David Vennik n:Vennik;David org:The Monastic Order of Chaos;Administration adr:;;2/37 Dibar Street;Wynnum;QLD;4178;Australia email;internet:[EMAIL PROTECTED] title:Chief Executive tel;cell:0422751118 x-mozilla-html:FALSE url:http://davidvennik.blogspot.com/ version:2.1 end:vcard
Re: Building from svn source on Mac OS X
On 20/10/06, Watson Ladd <[EMAIL PROTECTED]> wrote: Hi, I have installed libevent via darwinports, but ./autogen.sh seems unable to find it. I have tried setting the directory to point at where the dylib is and where the header is, but neither has worked. Any ideas? Why aren't you installing Tor via MacPorts also? The port is up to date, AFAIK. -- Darren Bane
Re: "Practical onion hacking: finding the real address of Tor clients"
On Fri, Oct 20, 2006 at 06:49:45PM -0400, Roger Dingledine wrote: > On Fri, Oct 20, 2006 at 03:31:22PM -0700, coderman wrote: > > i'm fond of the transparent proxy router approach we've used to try > > and fail safe for most protocols (at least with respect to the DNS > > leaks and covert TCP connections via Java/Flash/etc).[1] > [snip] > > it would be nice to have a detailed proxy checker available that looks > > at these Java/Flash/RealPlayer/etc holes. right now there are a > > handful of common http proxy checkers but these look for headers and > > IP at best. > Expanding what I was suggesting in my previous message, which I know is just one little piece of the pie, is that when you run the installer wizard for your favorite OS. Part of it is to run a configuration check. This causes you to connect to a snoop server that identifies you every which way it can think of both within and by bypassing the anonymized circuit, maybe compares to info from an unanonymized connection from you. There should then be warnings/suggestions/links/more-wizard-dialogues/etc for things to do if you come up found. I think there are already servers out there that do a moderate job at this, and there are at least a few people I can think of to suggest other things to do (who no doubt have plenty of time to do this ;>). There can also be a link from the Tor home page for general use, and/or for periodic rechecking, etc. Gotta go, Paul -- Paul Syverson () ascii ribbon campaign Contact info at http://www.syverson.org/ /\ against html e-mail
Re: "Practical onion hacking: finding the real address of Tor clients"
On Fri, Oct 20, 2006 at 03:31:22PM -0700, coderman wrote: > i'm fond of the transparent proxy router approach we've used to try > and fail safe for most protocols (at least with respect to the DNS > leaks and covert TCP connections via Java/Flash/etc).[1] [snip] > it would be nice to have a detailed proxy checker available that looks > at these Java/Flash/RealPlayer/etc holes. right now there are a > handful of common http proxy checkers but these look for headers and > IP at best. Right, this would be great. There are a few checkers out there that hand a java program to the user that fetches his IP address. We (Tor) get mail every so often from people who say "hey, I went to this site and it knows who I am! Tor's broken!" One of these days I'll get around to writing the single clear paragraph that will explain everything to everybody. That's still in the works though; feel free to beat me to it. It would go between http://tor.eff.org/docs/tor-doc-win32#verify and http://tor.eff.org/docs/tor-doc-win32#server as a new section. > 1. http://janusvm.peertech.org/ uses a pptp vpn connection to force a > default route through the virtual machine providing transparent TCP > and DNS proxy through Tor. this defeats all of the covert TCP > connection attacks designed to circumvent browser/application level > SOCKS/HTTP proxy settings, but does not address identifying data > within the TCP streams. Right. Yay JanusVM. I think the eventual solution for packaging Tor correctly will be to run a VM or something similar that handles all network traffic correctly, so people don't have to worry so much about configuring things. It still won't be perfect though, because your Firefox's Java program can still run whatever it likes, and because cookies and other application-level issues need to be solved too. See also http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#TransportIPnotTCP > [people have been asking about non-Win > support, and this will be forthcoming in the next few months via > openvpn for *bsd/linux/solaris/mac] See also http://wiki.noreply.org/noreply/TheOnionRouter/TransparentProxy for Linux, BSD, and probably OS X. --Roger
Re: "Practical onion hacking: finding the real address of Tor clients"
On 10/20/06, Paul Syverson <[EMAIL PROTECTED]> wrote: ... What exactly is an answer? I don't know. Many people who are on this list have hints of ideas that will help somewhat and they have been raising them, implementing them, analyzing them in papers, etc. i'm fond of the transparent proxy router approach we've used to try and fail safe for most protocols (at least with respect to the DNS leaks and covert TCP connections via Java/Flash/etc).[1] this doesn't do much for identifiers in the data stream (although privoxy/squid do scrub the transparent HTTP which is visible), and probably won't until significant effort is employed for protocol/application specific content filtering proxies. until then, user beware... It might be good to have a testing page that is part of the setup wizards in some way as well as being fairly prominent on the homepage. it would be nice to have a detailed proxy checker available that looks at these Java/Flash/RealPlayer/etc holes. right now there are a handful of common http proxy checkers but these look for headers and IP at best. does such a thing exist? i would be willing to host (although i suspect others would have done so already were a tool available). 1. http://janusvm.peertech.org/ uses a pptp vpn connection to force a default route through the virtual machine providing transparent TCP and DNS proxy through Tor. this defeats all of the covert TCP connection attacks designed to circumvent browser/application level SOCKS/HTTP proxy settings, but does not address identifying data within the TCP streams. [people have been asking about non-Win support, and this will be forthcoming in the next few months via openvpn for *bsd/linux/solaris/mac]
PGP in Firefox [Was Re: end-to-end encryption]
On Fri, Oct 20, 2006 at 10:53:23PM +0200, Matej Kovacic wrote: > My idea is to build GPG into Firefox or at least integrate it more > deeply. See also http://code.google.com/soc/shmoo/appinfo.html?csaid=5A57C4E0F2ED21E9 But I don't know its current status. --Roger
end-to-end encryption
Hi, this is not directly connected to Tor, but I think it is important issue because we need good support programs for Tor. By support programs I mean Firefox, etc. which USE Tor. The problem is people are extensively using webmail. They can use "mobile" Tor (TorPark), but the problem is the content of the webmail is not encrypted. So they can get anonymity, but not end-to-end encryption (so anonymity is also downgraded). I was reading this blog: http://www.links.org/?p=130 and comments, and got an idea how to enable better security for users using web mail. My idea is to build GPG into Firefox or at least integrate it more deeply. GPG keyring (user's private and public key) should be an object similar to certificate. User will be able to create/import keyring into Firefox, export it or delete it. Keyring could be secured with password (with FireFox security device), and additionaly with passphrase. Public keys could be easily retrieved from public key servers wia Firefox. How decryption will work? If FireFox will detect PGP/GPG code (in a form), it will enable decryption. This need more thinking in detaila, but in general when decrypted, it will be "grabbed", decrypted and shown in plaintext. Similar to Enigmail extension for Thunderbird. So user could be able to use strong end-to-end encryption + anonymisationn from his/her USB drive. My observation is, that more and more services are moving into the iternet - and mostly into web. So web browser is a central technology for browsing, reading email, writing teksts (Writely), publishing things, configuring software, watching movies... even runnig OS (see YuOS for example) And web browser is becoming independent from other systems. In a future local operating system could be only web browser with connection to the internet. That is why we need end-to-end encryption built into it. If you find this idea reasonable and interesting, please promote this feature request: https://bugzilla.mozilla.org/show_bug.cgi?id=357310 bye, Matej
Re: "Practical onion hacking: finding the real address of Tor clients"
These hacks are very ancient news. We first wrote about them in I think 1998, and many of them especially concerning Java, Javascript, and ActiveX were not original to us even then. We were also all aware of GUIDs being imbedded in Office Docs, Windows Media Players, Real players, etc. Mike Reed wrote a snoop server that we used to have posted on the onion routing site back then. A nice one that was new at the time was to embed into the HTML a call to use the RTSP protocol to load shells of movies into Quicktime, and other media players specifically to identify the IP address of the sender. There were other snoop servers and similar demo pages available from Anonymizer, Digicrime, JAP, and others. I don't know first who put up a demo of the obvious point that using an anonymous pipe does not imply an anonymous data stream nor the prevention of opening up a nonanonymous pipe if one doesn't shut down all other pipes or calls too them through the anonymous pipe. So what? 1. It's pretty annoying that every few years someone announces a big discovery in which they re-invent a wheel that we and others had invented, implemented and announced many times. Then some press report jumps all over it like it's a new discovery that surprised the anonymous communications people unawares or something like that. 2. If the appalling lack of scholarship is annoying, the concerns are real. It's simultaneously true that it's unfair to yell at someone still trying to get a core TLS implementation done right for not having solved all the phishing attacks that might occur over applications that use it and true that people will get hurt by a browser that simply offers an OK crypto interface but doesn't cope with all the exploits that come from not understanding what it protects and what it doesn't (that's a metaphor, don't take it literally as about current Tor issues). What we don't need is anyone else telling us that there's a problem as if we didn't know that. People have to reinvent wheels a bit as they learn about something. That's fine, and they should be encouraged and coaxed not ridiculed. But they shouldn't be tolerated if they put themselves forth as experts showing something new to the world while refusing to read any of the documentation, the specs, the code, or the scientific literature. What we do need are answers. 3. This is forever an arms race, and, once you get beyond the early adopters or systems for specialized use, telling people to RTFM is always nonanswer. What exactly is an answer? I don't know. Many people who are on this list have hints of ideas that will help somewhat and they have been raising them, implementing them, analyzing them in papers, etc. I make one suggesting here so that I'm not just grousing, even constructively. It might be good to have a testing page that is part of the setup wizards in some way as well as being fairly prominent on the homepage. Apologies if someone has already suggested that and I forgot (and especially apologies if that someone was me). There's lots of issues implicit in this suggestion, but nunc scripsi totam pro publio, da mihi potum. aloha, Paul -- Paul Syverson () ascii ribbon campaign Contact info at http://www.syverson.org/ /\ against html e-mail
Re: "Practical onion hacking: finding the real address of Tor clients"
On Friday 20 October 2006 14:53, Fabian Keil wrote: > > > For a user new to Tor, the documentation is often confusing or > > ambiguous, important information is missing, and sometimes minor details > > over emphasized (especially in Tor FAQ). Tor is a young product and > > hopefully these problems will be remedied as it grows. In the meantime > > though, some users are depending on it for anonymity. You can be sure > > that someone in Red China, searching for information his or her > > government does not want them to see, is not likely to have mis > > configured or misused Tor for want of trying to get it right. > > I assume you mean the opposite of the last sentence? I can't speak for the OP but I think he meant what he said. If someone is using Tor, they are *trying* to be anonymous. Whether they are successful or not depends on how well they've digested the FAQ - and I think it is a fair point that some things (such as javascript/flash and the perils of unencypted traffic) require more emphasis than others (e.g. why is tor so slow, how often does tor change its paths). > > Anyway, there will always be some people who don't > understand the documentation, or don't even bother to > read it. That's the case for every product and not a > Tor specific problem. > I think there are subtleties to the safe use of Tor that require some technical understanding. And that is a Tor specific problem which shouldn't be overlooked. -- KlamAV - An Anti-Virus Manager for KDE - http://www.klamav.net TorK - A Tor Controller For KDE - http://tork.sf.net
Building from svn source on Mac OS X
Hi, I have installed libevent via darwinports, but ./autogen.sh seems unable to find it. I have tried setting the directory to point at where the dylib is and where the header is, but neither has worked. Any ideas? Thanks, Watson Ladd -- They who would give up essential Liberty to purchase a little temporary Safety, deserve neither Liberty or Safety --Benjamin Franklin signature.asc Description: OpenPGP digital signature
Re: Weird behavior of google and yahoo...
On Oct 20, 2006, at 10:37:58, Ricky Fitz wrote: Just tried to use google, it told me 403 forbidden, my network is DOS google servers and i should check my system for virus or spyware. The same with yahoo, I think someone using tor is doing something evil there. ExitNode was 82.103.132.227 (freetux4ever). http://wiki.noreply.org/noreply/TheOnionRouter/ TorFAQ#head-24b240c0329b118e4947357fb584b5579804b2ef /jgt -- http://tamboli.cx/ PGP Key ID: 0x7F2AC862B511029F PGP.sig Description: This is a digitally signed message part
Weird behavior of google and yahoo...
Hi folks, Just tried to use google, it told me 403 forbidden, my network is DOS google servers and i should check my system for virus or spyware. The same with yahoo, I think someone using tor is doing something evil there. ExitNode was 82.103.132.227 (freetux4ever). Regards, Ricky. -- Ich bin Jack's vergeudetes Leben. -Fight Club- PGP-Fingerprint: 475A 89EC 8E4D AD64 FCCE BEB7 A699 13D9 84A8 A349 Jabber-ID: [EMAIL PROTECTED] www.life-lover.de.vu signature.asc Description: Dies ist ein digital signierter Nachrichtenteil
Re: "Practical onion hacking: finding the real address of Tor clients"
George Shaffer <[EMAIL PROTECTED]> wrote: > On Wed, 2006-10-18 at 12:47, Fabian Keil wrote: > > . . . They aren't attacking Tor, but misconfigured applications > > behind the Tor client. > > Which they said quite clearly in different words: "Clearly Tor's > designers have done a pretty good job: I couldn't find any weaknesses in > Tor itself . . . > So instead, I attacked the data which Tor carries the most of: web > traffic." Please don't quote out of context. I wrote: "I also think the title of the paper is intentionally misleading." ^ > For a user new to Tor, the documentation is often confusing or > ambiguous, important information is missing, and sometimes minor details > over emphasized (especially in Tor FAQ). Tor is a young product and > hopefully these problems will be remedied as it grows. In the meantime > though, some users are depending on it for anonymity. You can be sure > that someone in Red China, searching for information his or her > government does not want them to see, is not likely to have mis > configured or misused Tor for want of trying to get it right. I assume you mean the opposite of the last sentence? Anyway, there will always be some people who don't understand the documentation, or don't even bother to read it. That's the case for every product and not a Tor specific problem. The risks of JavaScript, Flash and friends are mentioned several times in the docs. > > It's also a good idea not to trust any exit nodes, > > except the ones you run yourself. > > If this is true, then the Tor network serves no useful purpose for the > large majority of users who don't run Tor servers, let alone exit nodes. Why? Just because you can't trust a exit node, doesn't mean you can't use it. You just have to be aware that unencrypted traffic might have been altered. > Even if in the future, some auditing process is set up for exit nodes, > anyone using Tor, implicitly trusts whoever does the auditing, and he or > she is likely to be self selected. Besides technical knowledge and > connection limitations, there is at least one other valid reason for not > running a Tor server. Comcast, the largest ISP in the U.S., has Terms of > Use that very clearly prohibit any and all servers, including p2p, on > any residential connection. I suspect some other ISPs have similar > provisions. That's a rather lame excuse. Even if your local ISP doesn't allow you to run a Tor server, you can always get your own rootserver and run your exit node from there. > Maybe I'm missing something, but except for a large company with many > valid public IP addresses, what anonymity can you hope to gain by using > your own exit node, except hiding from a network sniffer in the clutter > of the other traffic which leaves the node. Whoever you connect to will > still have the exit node's IP, which can presumably traced back to you. That's right, but I'm not saying you should only use your own exit nodes. Fabian -- http://www.fabiankeil.de/ signature.asc Description: PGP signature