Re: My ISP block Tor Servers
Thus spake Koh Choon Lin ([EMAIL PROTECTED]):

> >> If you can't or don't want to switch ISP you could
> >> rent a server with uncensored net access and use
> >> it as proxy.
>
> I am working in Singapore and the government branded Tor as "criminal
> skills". Thus, I have to go through a proxy even to get the Tor
> client!

Heh. This reminds me of a law firm one of my friends used to work at.
They told me when they tried to visit my website the content filter
denied them with that same message: "Criminal skills". Never did get a
copy of the censor page though. This was in the USA.

Content filters are awesome.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
Re: Importance of HTTP connection keep-alive
>> Polipo/tor was still 13% faster?
>
> To which numbers are you referring here?

Sorry, I got confused.

> However if I understand you correctly, you're saying that
> I intentionally...

My apologies, I got carried away.

Juliusz
Re: Importance of HTTP connection keep-alive
[CC-ing polipo-users again]

>> this is an HTTP/1.0 site. There are fortunately very few of these
>> left nowadays.
>
> What exactly is the problem with the site? Watching the circuits in
> Vidalia I had the impression that Polipo used keep-alive.

HTTP/1.0 keepalives and HTTP/1.1 persistent connections are not quite
the same thing. From memory, the limitations of HTTP/1.0 are

 - HTTP/1.0 kept-alive connections must be broken after every dynamic
   object;
 - pipelining is not allowed in HTTP/1.0;
 - HTTP/1.0 keepalives are not allowed when speaking to a proxy.

Polipo respects the first two limitations. It doesn't respect the third
limitation, but instead plays a number of tricks that ensure that it
works with common HTTP/1.0 proxies (Squid, WWWOFFLE, Privoxy).

In order to be nice to the network, Polipo limits itself to 2
connections when speaking to a server that can do persistent connections
or keepalives. This works fine when there are opportunities for
pipelining, but results in poor performance otherwise. You can
customise the magic value 2 with the variable serverSlots. I'd actually
be very curious to see the results for your previous test with
serverSlots set to 5.

(I guess I should be more aggressive with HTTP/1.0 servers by default;
ideally, I'd like to work out a scheme to tune serverSlots automatically
depending on our traffic patterns.)

There's a paper about the tradeoffs involved on

  http://www.w3.org/Protocols/HTTP/Performance/Pipeline.html

> Can you name some other sites that you consider valid targets then?

There's no good answer to that, unfortunately, as there are so many
variables involved; I don't think there's a typical web site, but there
are a few classes of web sites that I believe are typical, and that
Polipo should deal with pretty well.

The easiest case is an HTTP/1.1 web server with purely static content,
or dynamic content generated by people who knew what they were doing.
Unfortunately, such servers have been becoming rare as most sites have
moved to dynamic content generation.

The KDE site is what I believe is quite typical of a modern web site:
on the one hand the content is dynamically generated by crufty PHP
scripts (no useful validators are provided), but the HTTP is generated
by a fully HTTP/1.1 web server (Apache 2). Polipo is slightly
suboptimal in such a case, but it should be reasonably good.

Another fairly common case is that of a mis-configured server that
doesn't do persistent connections at all -- for example
http://www.gnome.org/. Polipo will notice that after a few requests,
and switch to using up to 8 connections to that server. Unless there's
something really wrong in either Polipo or Privoxy, performance should
be roughly identical in the two implementations (except for the effects
of caching and range requests, of course).

The Spiegel.de web site that you tested against is actually an
interesting case. It appears to be a bunch of typical PHP scripts (no
ETags) running on an HTTP/1.0 web server hidden behind no less than two
HTTP/1.0 front-end proxies (somebody is probably trying to do
load-balancing with a total budget of 12 pf. and an old button). While
such interesting configurations are uncommon, single HTTP/1.0 front-end
proxies do happen sometimes, so I'll increase serverSlots when speaking
to such a site in the next version of Polipo.

Juliusz
Re: [Fwd: High-traffic Colluding Tor Routers in Washington, D.C. Confirmed]
Hi Karsten, (strange to write that *g*)

> do you run a TOR server on a virtual server without connection faults?
> A year ago, I tested a tor server on virtual hardware (Virtuozzo) and I
> got many TCP connection faults in "/proc/user_beancounters".
>
> Is a TOR server now ready to run with less than 1024 TCP connections?
> Or do you have a virtual server, which does not have low limits for TCP
> connections? In this case the offer of 1blu is very nice for TOR.

At the moment I count 630 TCP connections using netstat. And I don't
know about /proc/user_beancounters, but that file is empty.

I don't have any long-term experience with 1blu so far. Maybe they shut
down my node as soon as they find out why it produces so much traffic.
And maybe they change their contracts as soon as everybody is running
Tor servers at them from now on. Let's wait and see.

> --- Begin Off-Topic ---
> I know, it is a Tor list. But please let me write this:
> What do you think about a remailer (Mixmaster or Mixminion), something
> like TOR for emails. Emails are more private than surfing in my opinion.
> If you did have the power to admin a few tor servers, you may run a
> remailer too. It may share a server together with TOR. The traffic is
> not very high: 5.000 mails per day. It uses at max. 16 TCP connections.
> And it can act as a middle-man like TOR. For Mixmaster a working MTA
> ("exim4" or something else) is required, for a Mixminion middle-man nothing.
>
> The size of the remailer networks decreased in the last 6 months down to
> 35 nodes for Mixminion and less than 30 nodes for Mixmaster. Hope we
> can stop this trend. Large networks for high anonymity are needed.
>
> I am ready to help, if somebody needs any docs. (in German too)

Personally, I don't know so much about e-mail anonymizers, yet. So, if
you have information that I cannot find in a two-minute Google session,
yes, please send it to me.

> --- End Off-Topic ---

--Karsten
Re: Importance of HTTP connection keep-alive
Juliusz Chroboczek <[EMAIL PROTECTED]> wrote:

> > With http://www.kde.org/screenshots/:
>
> So according to this test, this page downloads roughly two times
> faster through Polipo/tor than through Privoxy/tor, right?

It certainly did for the five samples I took.

> > I also tested with another website (http://www.spiegel.de/):
>
> This test is not representative: this is an HTTP/1.0 site. There are
> fortunately very few of these left nowadays.

What exactly is the problem with the site? Watching the circuits in
Vidalia I had the impression that Polipo used keep-alive.

> > Privoxy may have had a slight advantage here, because by removing
> > three tracking pixels it had to do three requests less.
>
> And notwithstanding the fact that you so carefully crafted this test
> to advantage Privoxy, Polipo/tor was still 13% faster?

To which numbers are you referring here? Repeating my results:

Firefox + Privoxy + Tor:
110.619s, 78.505s, 20.397s,  36.926s, 73.442s | 63.983s | 62.956s | 43.588s

Firefox + Polipo + Tor:
 93.979s, 33.102s, 34.242s, 123.365s, 99.740s | 76.886s | 75.987s | 53.774s

So Polipo+Tor were slightly slower, while the reason seems to be bad
luck with the speed of the Tor circuits.

However if I understand you correctly, you're saying that I
intentionally chose a site where Polipo has problems? Can you name
some other sites that you consider valid targets then? I can test
again with Privoxy's actions disabled.

Fabian
Re: Importance of HTTP connection keep-alive
> With http://www.kde.org/screenshots/:

So according to this test, this page downloads roughly two times faster
through Polipo/tor than through Privoxy/tor, right?

> I also tested with another website (http://www.spiegel.de/):

This test is not representative: this is an HTTP/1.0 site. There are
fortunately very few of these left nowadays. (Interesting that you
should have chosen to test with this particular site.)

> Privoxy may have had a slight advantage here, because by removing
> three tracking pixels it had to do three requests less.

And notwithstanding the fact that you so carefully crafted this test to
advantage Privoxy, Polipo/tor was still 13% faster?

> It certainly looks like keep-alive's effects aren't big enough to
> guarantee faster web browsing through Tor, though.

I guess there's no point in continuing this discussion, then.

Juliusz
Re: Importance of HTTP connection keep-alive
[CC-ing the Polipo-users list]

> Speaking of which, it occurred to me a little while ago that
> persistent connections between the http proxy and the website,
> through Tor, can have an impact on anonymity.

> If the user is figuring they're rotating their connections over
> different Tor circuits over time (after all, they're clicking at
> different times, right?), but polipo is holding open the same
> persistent connection [...]

It will certainly facilitate grouping requests into sessions. I'm not
sure it counts as an anonymity threat, since the session itself is still
anonymous; furthermore, there are easier ways to track requests into
sessions (cookies, ``Referer'' headers, unique tokens embedded into
URLs, If-Modified-Since requests, etc.). But I agree that it should at
the very least be documented somewhere.

> Is it documented anywhere how Polipo does its keepalives and timeouts
> for persistent connections?

Polipo will keep a persistent connection open as long as possible, but
it will shut an idle connection down after its normal timeout (120s by
default). Additionally, the server's idle timeout will usually come
into play; in my experience, it's usually between 4 and 15 seconds.
But that's irrelevant, since a malicious server could choose a much
larger timeout.

For people who do believe this is a serious threat, I can think of the
following mitigations:

 (1) use a smaller timeout for idle connections;
 (2) shut down a connection after some number of serviced requests;
 (3) shut down a connection after it's been used for some time.

Trouble is, any of these will harm performance in some cases; the
obvious example being two polipi on the two ends of an ssh or ssl
tunnel, where avoiding the initial handshake helps a lot. So I guess
I'd have to implement different behaviour for parent proxies and direct
connections.

Roger, I'd like to know whether you think this is worth implementing
for the next version of Polipo (and of course whether you have any
better ideas). As I've stated, I don't believe this threat is real,
but I'm quite willing to do the work if you disagree.

Juliusz
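The three mitigations listed in the message above can be compared on one and the same click sequence with a small simulation. This is an added example written for this page, not Polipo's code: the click timeline, the policy field names and the parent-proxy flag are constructed for the illustration, and only the 120 s default idle timeout is taken from the message. Each TCP connection the policy produces is the unit a web server (or whoever watches the far end of the circuit) can trivially group into one session, so fewer, longer-lived connections mean more linkable requests, and more connections mean more handshakes.

```python
"""Added example: how idle-timeout, request-count and lifetime limits on a
persistent connection split one user's clicks into separate TCP connections.
Policy field names and the click timeline are constructed for this example;
only the 120 s default idle timeout is taken from the thread."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Policy:
    idle_timeout: float = 120.0           # close after this much idle time (Polipo default)
    max_requests: Optional[int] = None    # mitigation (2): close after N requests
    max_lifetime: Optional[float] = None  # mitigation (3): close after being open this long
    parent_proxy: bool = False            # assumed flag: keep the hop to a parent proxy unlimited


@dataclass
class Connection:
    opened: float
    last_used: float
    requests: int = 0


def reusable(conn: Connection, now: float, policy: Policy) -> bool:
    """Decide whether an existing connection may carry the request at `now`."""
    if now - conn.last_used > policy.idle_timeout:
        return False
    if policy.parent_proxy:
        # The hop to a parent proxy is not the hop the web server sees, so
        # limits (2) and (3) would only cost handshakes without helping.
        return True
    if policy.max_requests is not None and conn.requests >= policy.max_requests:
        return False
    if policy.max_lifetime is not None and now - conn.opened > policy.max_lifetime:
        return False
    return True


def sessions(click_times: List[float], policy: Policy) -> List[int]:
    """Replay clicks to one server and return the number of requests carried
    by each successive TCP connection; each entry is one linkable session."""
    conns: List[Connection] = []
    current: Optional[Connection] = None
    for t in click_times:
        if current is None or not reusable(current, t, policy):
            current = Connection(opened=t, last_used=t)
            conns.append(current)
        current.requests += 1
        current.last_used = t
    return [c.requests for c in conns]


# Constructed timeline: seconds at which the user clicks links on one site.
CLICKS = [0.0, 30.0, 70.0, 100.0, 200.0, 250.0, 400.0]

if __name__ == "__main__":
    for name, pol in [
        ("default (idle 120s)", Policy()),
        ("idle 15s, like a typical server", Policy(idle_timeout=15.0)),
        ("max 3 requests", Policy(max_requests=3)),
        ("max lifetime 60s", Policy(max_lifetime=60.0)),
        ("parent proxy, lifetime limit ignored", Policy(max_lifetime=60.0, parent_proxy=True)),
    ]:
        print(f"{name:38s} -> {sessions(CLICKS, pol)}")
```

With the default policy the seven clicks spread over 400 s land on two connections (six requests on the first, one after the 150 s pause), which is exactly the grouping the question worries about; a 15 s server-side idle timeout splits them into seven, while the request-count and lifetime limits give intermediate splits. The parent-proxy branch shows the performance exception from the message: the tunnel to a parent proxy keeps its connection regardless of the lifetime limit.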
Re: [Fwd: High-traffic Colluding Tor Routers in Washington, D.C. Confirmed]
> I would like to contribute some more Tor servers running at different
> providers across Germany (probably not in the same /16 network). My
> current server is a virtual server at 1blu that has a bandwidth of 931
> KB/s which makes it the 71st fastest Tor server in the network. Maybe
> other providers are even faster than 1blu. Just as a comparison: the
> fastest Tor server at the moment has 4533 KB/s.

Hi,

do you run a TOR server on a virtual server without connection faults?
A year ago, I tested a tor server on virtual hardware (Virtuozzo) and I
got many TCP connection faults in "/proc/user_beancounters".

Is a TOR server now ready to run with less than 1024 TCP connections?
Or do you have a virtual server, which does not have low limits for TCP
connections? In this case the offer of 1blu is very nice for TOR.

--- Begin Off-Topic ---
I know, it is a Tor list. But please let me write this:
What do you think about a remailer (Mixmaster or Mixminion), something
like TOR for emails. Emails are more private than surfing in my opinion.
If you did have the power to admin a few tor servers, you may run a
remailer too. It may share a server together with TOR. The traffic is
not very high: 5.000 mails per day. It uses at max. 16 TCP connections.
And it can act as a middle-man like TOR. For Mixmaster a working MTA
("exim4" or something else) is required, for a Mixminion middle-man nothing.

The size of the remailer networks decreased in the last 6 months down to
35 nodes for Mixminion and less than 30 nodes for Mixmaster. Hope we
can stop this trend. Large networks for high anonymity are needed.

I am ready to help, if somebody needs any docs. (in German too)
--- End Off-Topic ---

Karsten N.
---
[EMAIL PROTECTED] 0x1C10A42F
Re: Importance of HTTP connection keep-alive
Juliusz Chroboczek <[EMAIL PROTECTED]> wrote:

> Michael Gersten:
>
> > getting keep-alive to work will help a lot with web browsing,
>
> Fabian Keil:
>
> > Is this an assumption or did you just forget to show your benchmarks
> > to back this claim up?
>
> I've just tested this by running
>
>    wget -p http://www.kde.org/screenshots/

No, you tested wget, which doesn't do parallel requests. The results
are certainly interesting and may or may not show the difference between
serialised requests that are done with and without keep-alive, but the
numbers are worthless to make any assumptions about web browsing.

Any modern browser I'm aware of uses multiple parallel connections if
keep-alive isn't used, Firefox certainly does.

> Please feel free to repeat my tests and report the results on this list.

I have no reason to doubt your results, I just don't think they are
relevant for web browsing.

I just did some tests which I think are more meaningful. I used Firefox
instead of wget, used the Fasterfox plug-in to time the requests and
tried several proxy combinations.

The versions were Tor 0.1.2.9-rc, Firefox 2.0.0.3, Polipo 0.9.99.1 and
Privoxy's CVS version with some uncommitted modifications which should
be irrelevant for this test.

I didn't change my Privoxy configuration, which means there were several
actions active, some of which affected the results.
http://www.kde.org/screenshots/ contains no ads or tracking pixels, so
filtering the page causes a delay without any gain.

The test was done on a laptop with FreeBSD's powerd(aemon) running. As
a result the CPU frequency wasn't constant, but I doubt that it mattered
for the end results.

I first did five tests for every proxy combination, switching the proxy
combination after each request. Requests were started with ctrl+F5 so
Firefox didn't use its cache and additionally set the headers
"Pragma: no-cache" and "Cache-Control: no-cache".

I started Polipo with:

  polipo diskCacheRoot='' socksParentProxy=10.0.0.2:9050

and restarted it for every test. I kept Tor and Privoxy running all the
time.

Finally the numbers, the format is:

  Proxy combination:
  results in the order I got them | average of all | average without the
  best and worst result | average without the two worst results

With http://www.kde.org/screenshots/:

Firefox + Privoxy + Polipo + Tor:
 40.950s,  6.100s,  6.294s,  24.290s, 56.680s | 26.863s | 23.845s | 12.228s

Firefox + Privoxy + Tor:
 59.523s,  7.493s,  6.822s, 156.438s, 35.282s | 53.112s | 34.099s | 16.532s

Firefox + Polipo + Tor:
 14.558s, 38.840s, 12.100s,   5.548s, 26.370s | 19.483s | 17.676s | 10.735s

I also tested with another website (http://www.spiegel.de/):

Firefox + Privoxy + Polipo + Tor:
155.674s, 46.256s, 141.360s,  47.120s, 35.967s | 85.275s | 78.245s | 43.117s

Firefox + Privoxy + Tor:
110.619s, 78.505s,  20.397s,  36.926s, 73.442s | 63.983s | 62.956s | 43.588s

Firefox + Polipo + Tor:
 93.979s, 33.102s,  34.242s, 123.365s, 99.740s | 76.886s | 75.987s | 53.774s

Privoxy may have had a slight advantage here, because by removing three
tracking pixels it had to do three requests less. However I think that
it didn't matter much. The speed of the underlying Tor circuits seems
to be the most important factor here and five samples probably aren't
enough to prove anything.

It certainly looks like keep-alive's effects aren't big enough to
guarantee faster web browsing through Tor, though.

Fabian
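The point under dispute in this thread, and the HTTP/1.0 keepalive versus HTTP/1.1 persistent-connection distinction Juliusz draws earlier on this page, can be observed without Tor or a browser: what keep-alive changes is how many TCP connections a client has to open for a given number of requests, and through Tor each of those connections is a separate stream that has to be set up over a circuit. The following is an added example written for this page, not code from the thread, from Polipo or from Privoxy. It uses only Python's standard http.server and http.client, runs a throwaway server on the loopback interface, and counts the connections one client needs for five requests in each of five server modes; the server modes, the response body and the request count are constructed for the illustration. The "no Content-Length" modes correspond to the "dynamic object" case in Juliusz's first limitation: a body whose end is only known when the connection closes cannot leave the connection reusable.

```python
"""Added example: how many TCP connections does a client need for N requests,
depending on the server's HTTP version and persistence headers?

Modes exercised (all constructed for this example, served on the loopback
interface by Python's own http.server):
  - HTTP/1.0, no keep-alive                             -> one connection per request
  - HTTP/1.0 + Connection: keep-alive, Content-Length   -> one connection
  - HTTP/1.0 + keep-alive but no Content-Length         -> must close, one per request
  - HTTP/1.1 with Content-Length                        -> persistent by default
  - HTTP/1.1 without Content-Length, no chunking        -> must close, one per request
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

BODY = b"hello"  # constructed sample object


class CountingHandler(BaseHTTPRequestHandler):
    """Serves BODY and counts TCP connections on the server side."""

    def handle(self):
        # handle() runs once per TCP connection and loops over the requests
        # on it, so this counter is exactly the number of connections accepted.
        # protocol_version must be set before the request line is parsed,
        # because that is where the handler decides whether to keep the
        # connection open for HTTP/1.1 clients.
        self.protocol_version = self.server.http_version
        self.server.connections += 1
        super().handle()

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        if self.server.send_length:
            # With a known length the client can find the end of the body
            # without waiting for EOF, a precondition for reusing the socket.
            self.send_header("Content-Length", str(len(BODY)))
        if self.server.http_version == "HTTP/1.0" and self.server.keepalive:
            # HTTP/1.0 has no persistence unless both sides opt in explicitly;
            # BaseHTTPRequestHandler clears close_connection on this header.
            self.send_header("Connection", "keep-alive")
        self.end_headers()
        self.wfile.write(BODY)
        if not self.server.send_length:
            # Body delimited by connection close: the socket cannot be reused.
            self.close_connection = True

    def log_message(self, *args):
        pass  # keep the example quiet


def connections_needed(http_version, keepalive=False, send_length=True, n=5):
    """Start a server in the given mode, fetch BODY n times over a single
    http.client.HTTPConnection and return how many TCP connections the
    server saw. http.client reconnects silently whenever the server closed
    the previous connection, so the server-side count is the honest number."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), CountingHandler)
    server.http_version, server.keepalive, server.send_length = http_version, keepalive, send_length
    server.connections = 0
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_address[1])
        for _ in range(n):
            headers = {"Connection": "keep-alive"} if keepalive else {}
            conn.request("GET", "/", headers=headers)
            resp = conn.getresponse()
            if resp.read() != BODY:
                raise RuntimeError("unexpected body")
        conn.close()
    finally:
        server.shutdown()
        server.server_close()
    return server.connections


if __name__ == "__main__":
    for label, args in [
        ("HTTP/1.0, no keep-alive", ("HTTP/1.0", False, True)),
        ("HTTP/1.0 + keep-alive, Content-Length", ("HTTP/1.0", True, True)),
        ("HTTP/1.0 + keep-alive, no Content-Length", ("HTTP/1.0", True, False)),
        ("HTTP/1.1, Content-Length", ("HTTP/1.1", False, True)),
        ("HTTP/1.1, no Content-Length", ("HTTP/1.1", False, False)),
    ]:
        print(f"{label:42s} -> {connections_needed(*args)} connection(s) for 5 requests")
```

Run stand-alone it prints five connections for the two non-persistent HTTP/1.0 variants and for an HTTP/1.1 response that neither states a length nor uses chunking, and one connection for HTTP/1.1 with Content-Length and for HTTP/1.0 with an explicit keep-alive. What the numbers in the thread add on top of this is the cost of each extra connection when it runs over Tor, which is the part a local measurement cannot show.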
Re: [Fwd: High-traffic Colluding Tor Routers in Washington, D.C. Confirmed]
> Do you think it's a privacy problem to run 3 to 5 servers? All servers
> would be non-exit servers because of the current habit of the German
> police to collect all exit servers. Of course, I will set the family entry.

Please do run as many servers as you can afford. There is absolutely no
privacy issue if you set the MyFamily option. Note that you must
remember to set it on all the servers for it to work (so I can't just
claim 99% of the Tor network is my family and therefore you should use
my 1% remaining evil servers by setting the option in one config file).

There is no issue with you running 100 servers as long as you use
MyFamily, that would be very good. It's only when you're running 100
servers on different /16's and pretend that you have no involvement with
any of them that I would wonder what you're up to.
Re: [Fwd: High-traffic Colluding Tor Routers in Washington, D.C. Confirmed]
> What kind of traffic plan do you have with 1blu, and how much do you
> pay for it?

They offer "1blu-vServer Unlimited" with unlimited traffic volume for 17
euros per month. I don't know if it's the best offering, so I decided to
give them a try. Are there other good offerings for (virtual) Linux
servers with unlimited traffic?

> FWIW, I don't see any problems in running two middleman servers (shrek,
> shrek2), with proper family setting, of course.

OK. Does someone else have scruples about it?
Re: [Fwd: High-traffic Colluding Tor Routers in Washington, D.C. Confirmed]
On Wed, Apr 18, 2007 at 11:45:15AM +0200, Karsten Loesing wrote:

> I would like to contribute some more Tor servers running at different
> providers across Germany (probably not in the same /16 network). My
> current server is a virtual server at 1blu that has a bandwidth of 931

What kind of traffic plan do you have with 1blu, and how much do you
pay for it?

> KB/s which makes it the 71st fastest Tor server in the network. Maybe
> other providers are even faster than 1blu. Just as a comparison: the
> fastest Tor server at the moment has 4533 KB/s.
>
> Do you think it's a privacy problem to run 3 to 5 servers? All servers
> would be non-exit servers because of the current habit of the German
> police to collect all exit servers. Of course, I will set the family entry.

FWIW, I don't see any problems in running two middleman servers (shrek,
shrek2), with proper family setting, of course.

> Just want to ask in advance.

-- 
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
Re: [Fwd: High-traffic Colluding Tor Routers in Washington, D.C. Confirmed]
Hi,

this question is not directly related to the described case.

I would like to contribute some more Tor servers running at different
providers across Germany (probably not in the same /16 network). My
current server is a virtual server at 1blu that has a bandwidth of 931
KB/s which makes it the 71st fastest Tor server in the network. Maybe
other providers are even faster than 1blu. Just as a comparison: the
fastest Tor server at the moment has 4533 KB/s.

Do you think it's a privacy problem to run 3 to 5 servers? All servers
would be non-exit servers because of the current habit of the German
police to collect all exit servers. Of course, I will set the family
entry.

Just want to ask in advance.

--Karsten