Warning TorButton 1.1.7-alfa

2007-09-23 Thread force44
I upgraded to 1.1.7-alfa yesterday and saw that it is really a crap :(

I used to manage my cookies, javascript and history, MYSELF. Now torbutton
wants to do all by itself, and the result is that:

1- My history isn't cleared when I close Firefox, even when this option is 
selected in the Firefox options.

2- Some websites that use javascript do not work with Tor. It is possible that 
I TRUST the CONTENT of a website, including scripts, BUT I want to use TOR to 
hide my IP. With torbutton this is a real hassle now.

Will try to go back to an older version if it is still available online :( 
Torbutton is a GREAT extension but WHY hell does the author want to care of all 
together??? Maybe he should also include Firefox in the extension, and why not, 
Windows or a unix distribution??? really BAD now :


Re: Warning TorButton 1.1.7-alfa

2007-09-23 Thread Florian Reitmeir
Hi,

On Sun, 23 Sep 2007, [EMAIL PROTECTED] wrote:

> I upgraded to 1.1.7-alfa yesterday and saw that it is really a crap :(
maybe you didn't realize that this release is _alpha_ quality?

> I used to manage my cookies, javascript and history, MYSELF. Now torbutton
> wants to do all by itself, and the result is that:
>
> 1- My history isn't cleared when I close Firefox, even when this option is
> selected in the Firefox options.
>
> 2- Some websites that use javascript do not work with Tor. It is possible
> that I TRUST the CONTENT of a website, including scripts, BUT I want to use
> TOR to hide my IP. With torbutton this is a real hassle now.
>
> Will try to go back to an older version if it is still available online
> :( Torbutton is a GREAT extension but WHY hell does the author want to
> care of all together??? Maybe he should also include Firefox in the
> extension, and why not, Windows or a unix distribution??? really BAD now :

So all your above points are against:
- websites which use javascript
- firefox

Are there any On-Topic things to say about Tor?

-- 
Florian Reitmeir


Re: Warning TorButton 1.1.7-alfa

2007-09-23 Thread Scott Bennett
 On Sun, 23 Sep 2007 06:47:17 -0400 [EMAIL PROTECTED] wrote:
> I upgraded to 1.1.7-alfa yesterday and saw that it is really a crap :(
>
> I used to manage my cookies, javascript and history, MYSELF. Now torbutton
> wants to do all by itself, and the result is that:
>
> 1- My history isn't cleared when I close Firefox, even when this option is
> selected in the Firefox options.
>
> 2- Some websites that use javascript do not work with Tor. It is possible that
> I TRUST the CONTENT of a website, including scripts, BUT I want to use TOR to
> hide my IP. With torbutton this is a real hassle now.

 That kind of thing is only one of the reasons I do not use TorButton and
most likely never will.

> Will try to go back to an older version if it is still available online :(
> Torbutton is a GREAT extension but WHY hell does the author want to care of
> all together??? Maybe he should also include Firefox in the extension, and why
> not, Windows or a unix distribution??? really BAD now :

 (You have a bad case of linewrap there, friend. :-)
 You could also try FoxyProxy, which I have used in the past, or
SwitchProxy, which I prefer to use now.  (I used FoxyProxy for a while at a time
when SwitchProxy stopped working.  But then FoxyProxy came out with a version
that didn't work, and I was afraid I might have to go with TorButton.  But
SwitchProxy returned to the rescue with a newer, working version.:-)  These
two are both more versatile than TorButton in the sense that they allow you
to configure as many different proxies as you like and to switch between them
at will.  Each proxy can, of course, be configured with addresses that bypass
proxies entirely, too.


  Scott Bennett, Comm. ASMELG, CFIAG
Internet: bennett at cs.niu.edu

A well regulated and disciplined militia, is at all times a good
objection to the introduction of that bane of all free governments
-- a standing army.
   -- Gov. John Hancock, New York Journal, 28 January 1790


Re: Warning TorButton 1.1.7-alfa

2007-09-23 Thread Scott Bennett
 On Sun, 23 Sep 2007 13:10:28 +0200 Florian Reitmeir [EMAIL PROTECTED]
wrote:

> On Sun, 23 Sep 2007, [EMAIL PROTECTED] wrote:
>
> > I upgraded to 1.1.7-alfa yesterday and saw that it is really a crap :(
> maybe you didn't realize that this release is _alpha_ quality?
>
> > I used to manage my cookies, javascript and history, MYSELF. Now torbutton
> > wants to do all by itself, and the result is that:
> >
> > 1- My history isn't cleared when I close Firefox, even when this option is
> > selected in the Firefox options.
> >
> > 2- Some websites that use javascript do not work with Tor. It is possible
> > that I TRUST the CONTENT of a website, including scripts, BUT I want to use
> > TOR to hide my IP. With torbutton this is a real hassle now.
> >
> > Will try to go back to an older version if it is still available online
> > :( Torbutton is a GREAT extension but WHY hell does the author want to
> > care of all together??? Maybe he should also include Firefox in the
> > extension, and why not, Windows or a unix distribution??? really BAD now
> > :
>
> So all your above points are against:
>    - websites which use javascript
>    - firefox

 Read it again.  His complaint, basically, was that TorButton had removed
his option to choose the functioning of various aspects of his browser usage.

> Are there any On-Topic things to say about Tor?

 Last time I checked (a few hours ago now), TorButton was being distributed
as part of a bundle including tor and privoxy, as well, for the Defective OS.
Seems to me that discussion of bugs/misfeatures/whatever about software that
is distributed with tor from the tor web site is very much on topic for a tor
email discussion list.


  Scott Bennett, Comm. ASMELG, CFIAG
Internet: bennett at cs.niu.edu

A well regulated and disciplined militia, is at all times a good
objection to the introduction of that bane of all free governments
-- a standing army.
   -- Gov. John Hancock, New York Journal, 28 January 1790


Re: Warning TorButton 1.1.7-alfa

2007-09-23 Thread phobos
On Sun, Sep 23, 2007 at 06:47:17AM -0400, [EMAIL PROTECTED] wrote 0.8K bytes in 
9 lines about:
: I used to manage my cookies, javascript and history, MYSELF. Now torbutton
: wants to do all by itself, and the result is that:
: 1- My history isn't cleared when I close Firefox, even when this option is
: selected in the Firefox options.
: 2- Some websites that use javascript do not work with Tor. It is possible
: that I TRUST the CONTENT of a website, including scripts, BUT I want to use TOR
: to hide my IP. With torbutton this is a real hassle now.

The options available in the new torbutton are listed here:
http://www.freehaven.net/~squires/torbutton/dev/

The goal, I believe, is to try to address many of the exploits Tor users
may encounter when browsing the web with Firefox.  

The older version is still online at
https://addons.mozilla.org/firefox/2275/

-- 
Andrew


Re: time needed to register a serve

2007-09-23 Thread phobos
On Tue, Sep 18, 2007 at 10:38:14PM -0700, [EMAIL PROTECTED] wrote 1.8K bytes in 
53 lines about:

I'm trying to find the details, but essentially the named flag isn't
as valuable as it was in the past.  Perhaps Roger or Nick can weigh in
with more info.

We do receive all of the emails to tor-ops with your server info sent in
via https://tor.eff.org/docs/tor-doc-server.html.en#email.  

-- 
Andrew


Re: Load Balancing

2007-09-23 Thread Fabian Keil
Juliusz Chroboczek [EMAIL PROTECTED] wrote:

> > I believe this results in a perceptible performance improvement for general
> > browsing.
>
> I think so too, but some people disagree.  Since I don't want to get
> into this discussion again, I refer you to the following friendly flamewar.

Additionally there's http://tor.eff.org/volunteer.html.en#Coding:

|We need a measurement study of Polipo vs Privoxy. Is Polipo in
|fact significantly faster, once you factor in the slow-down from Tor?
|Are the results the same on both Linux and Windows? Related, does Polipo
|handle more web sites correctly than Privoxy, or vice versa? Are there
|stability issues on any common platforms, e.g. Windows?

Looks like the first person who comes up with a reproducible
benchmark could make three projects happy at the same time.

> (Note that while the tone was not always as polite as it should have
> been, Fabian and I live in good friendship and mutual respect.)

I second that.

Fabian




Re: About HTTP 1.1 Cache

2007-09-23 Thread Juliusz Chroboczek
 Most servers treat Last-Modified values as opaque validators --

 IIS and Apache -- don't.

Interesting -- thanks for the info.

Juliusz


Re: time needed to register a serve

2007-09-23 Thread Kasimir Gabert
Hello,

I must add that I have also tried to register kgabertgoldmine2 *twice*
since around the end of June, 2007, and seeing that it has not
happened I assumed that servers which are trying to be named are not
even being looked at.  When I registered kgabertgoldmine (which is now
offline, and I registered it quite awhile back), I received a response
within two days.

Kasimir Gabert

On 9/23/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> On Tue, Sep 18, 2007 at 10:38:14PM -0700, [EMAIL PROTECTED] wrote 1.8K bytes
> in 53 lines about:
>
> I'm trying to find the details, but essentially the named flag isn't
> as valuable as it was in the past.  Perhaps Roger or Nick can weigh in
> with more info.
>
> We do receive all of the emails to tor-ops with your server info sent in
> via https://tor.eff.org/docs/tor-doc-server.html.en#email.
>
> --
> Andrew



-- 
Kasimir Gabert


Re: Warning TorButton 1.1.7-alfa

2007-09-23 Thread Mike Perry
Thus spake [EMAIL PROTECTED] ([EMAIL PROTECTED]):

> I upgraded to 1.1.7-alfa yesterday and saw that it is really a crap
> :(

Thanks for the bug report. Even though it is a bit immaturely
delivered with lots of whining instead of actual helpful content, I
will do my best to fix the issues you have encountered.

> I used to manage my cookies, javascript and history, MYSELF. Now
> torbutton wants to do all by itself, and the result is that:
>
> 1- My history isn't cleared when I close Firefox, even when this
> option is selected in the Firefox options.

This is a bug. It will be fixed in 1.1.8. Thanks for reporting!

In the meantime, the workaround is to go into the Torbutton
preferences, go to the Shutdown tab, and click Allow me to manage
my own Private Data Settings.

> 2- Some websites that use javascript do not work with Tor. It is
> possible that I TRUST the CONTENT of a website, including scripts,
> BUT I want to use TOR to hide my IP. With torbutton this is a real
> hassle now.

Is it possible for you to give me a list of websites torbutton breaks?
or describe how it breaks them? It works for me and I have received no
reports of breakage so far from others.

> Will try to go back to an older version if it is still available
> online :( Torbutton is a GREAT extension but WHY hell does the
> author want to care of all together??? Maybe he should also include
> Firefox in the extension, and why not, Windows or a unix
> distribution??? really BAD now :

You can hate on me all day long, but the fact of the matter is that
every other Firefox extension combo (including self management up to
the point of a Tor-only firewall) leaves you vulnerable to numerous
attacks to reveal your IP address and other location information. So
people can either help me fix Torbutton so it is usable for them, or
they can choose to remain vulnerable.

You may want to read over http://torbutton.torproject.org/dev/ to see
what sort of things you are vulnerable to without torbutton. If that
documentation is unclear, again, please notify me.


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs




Re: Warning TorButton 1.1.7-alfa

2007-09-23 Thread Mike Perry
Thus spake Scott Bennett ([EMAIL PROTECTED]):

>  On Sun, 23 Sep 2007 06:47:17 -0400 [EMAIL PROTECTED] wrote:
> > I upgraded to 1.1.7-alfa yesterday and saw that it is really a crap :(
> >
> > I used to manage my cookies, javascript and history, MYSELF. Now torbutton
> > wants to do all by itself, and the result is that:
> >
> > 1- My history isn't cleared when I close Firefox, even when this option is
> > selected in the Firefox options.
> >
> > 2- Some websites that use javascript do not work with Tor. It is possible
> > that I TRUST the CONTENT of a website, including scripts, BUT I want to use
> > TOR to hide my IP. With torbutton this is a real hassle now.
>
>  That kind of thing is only one of the reasons I do not use TorButton and
> most likely never will.

Can you give me a list of websites torbutton breaks for you? And how
does it break them? Toggling torbutton will kill javascript in
websites that are currently open, but you want that, unless you like
random javascript timers going off and sending your real IP to
website.

> > Will try to go back to an older version if it is still available online
> > :( Torbutton is a GREAT extension but WHY hell does the author want to
> > care of all together??? Maybe he should also include Firefox in the
> > extension, and why not, Windows or a unix distribution??? really BAD now
> > :
>
>  (You have a bad case of linewrap there, friend. :-)
>  You could also try FoxyProxy, which I have used in the past, or
> SwitchProxy, which I prefer to use now.  (I used FoxyProxy for a while at a time
> when SwitchProxy stopped working.  But then FoxyProxy came out with a version
> that didn't work, and I was afraid I might have to go with TorButton.  But
> SwitchProxy returned to the rescue with a newer, working version.:-)  These
> two are both more versatile than TorButton in the sense that they allow you
> to configure as many different proxies as you like and to switch between them
> at will.  Each proxy can, of course, be configured with addresses that bypass
> proxies entirely, too.

SwitchProxy should be usable with Torbutton. If you configure your Tor
proxy settings as one of the proxies, Torbutton should detect when it
is enabled and turn on its security features for you without your
needing to actually hit the torbutton itself. If it does not, it is a
bug. Please report it.

Again, Torbutton protects against numerous web exploits that can
reveal your IP address when you use vanilla proxy changers. Please
read over http://torbutton.torproject.org/dev/ before you go
recommending insecure solutions to people, or simply hate on Torbutton
without providing any bug reports to the maintainer as to why.


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs




Servers and the Named flag (was Re: time needed to register a serve)

2007-09-23 Thread Roger Dingledine
On Tue, Sep 18, 2007 at 03:06:53AM -0500, Scott Bennett wrote:
>  Does anyone have a sense of the current processing delay in registering
> a server?  I ask only because I sent off the registration information to
> [EMAIL PROTECTED] last Thursday evening, 13 Sept., and my server is still
> showing up in the status documents without the Named flag in them.
>  It's not a big deal; I'm just curious.  Processing of flight instructor
> certificate renewals is now said to take more than six months, and the
> certificates have to be renewed every 24 months.  (Your tax dollars at work,
> of course. :-)

Alas, we've pretty much stopped assigning the Named flag to servers.
This is because it's a time-sink to manually go through and make sure
the server is actually acting correctly, go put the keys in the right
place, etc. There have been some proposals to make it easier, e.g.
https://tor.eff.org/svn/trunk/doc/spec/proposals/113-fast-authority-interface.txt
and at some point we should do one of them. See also the discussion
under http://archives.seul.org/or/dev/Apr-2007/msg00040.html
I'm a fan of solution #2 in the above url: there's no reason why a human
needs to be in the loop, and if we don't know the operator on the other
end, the Named flag doesn't mean what it meant in 2003 when we created
it anyway.

Once upon a time (2003 era), you needed to be manually approved or you
wouldn't be able to join the network. The primary reason was that we
needed to verify that your server was reachable, working, etc. Then
we got more than a dozen servers, including servers run by people we
didn't know, and we automated the process of testing reachability at the
directory authorities. Then we started to allow unnamed servers to join
the network and play pretty much the same role.

The only main difference at this point is from the client perspective:
if you manually specify a non-named server in your torrc or using the
foo.exit syntax, your Tor will complain to you (well, to your logs)
and suggest a hex digest that you should use instead.

Now, there is an argument for letting people remember nicknames rather
than hex digests. But I would eventually like to see some sort of
graphical server picking interface that most users would use, and it
would be smart enough to know the hex digest of the picked server. If,
that is, we need any sort of server picking to be happening at all --
most users I hear from who need to specify a specific server rather than
just let Tor pick for them seem to be doing it to get around crude access
controls on websites or other services, and I'm not sure that's an arms
race I want to get into.

There are other problems that need to be solved from a usability angle.
For example, if the nickname Alice picks is already registered, then when
she tries to sign up her server, it will print a mysterious message in her
logs (there are logs? what's a log?) and her server won't be useful. We
need to make that simpler somehow, and the simplest approach for now
(by default) is to not have many Named servers. My preferred solution
would be to add an Unnamed flag that servers get when they're using a
nickname that is already registered -- the server will continue to be a
fine server, but it will be invisible from the perspective of referring
to servers by nickname.

And lastly, one of the crucial reasons for maintaining contact with server
operators is so they feel appreciated, and so we have an opportunity
to answer their questions, address their concerns and problems, etc.
Maintaining communication with the server community helps it to grow
and be stable. We are doing a poor job at that currently. A few years
ago I realized that I could choose between answering a whole lot
more mail (and having the number of good Tor servers keep going up)
and getting more development work done on Tor. Since Tor is nowhere
close to done, the latter was the clear choice -- as long as there
is *some* sort of Tor network, that's good enough for testing the new
scalability/anonymity/performance features and bugfixes.

Peter Palfrader then stepped up to answer mail for a while, but he
soon found it to be a flood too. My fix at the time was to modify
https://tor.eff.org/docs/tor-doc-server#email to make it clearer that we
may not ever answer the mails. Maybe I should make the statement even
stronger, or just erase 'step four' entirely, until somebody sorts out
proposal 113 and implements and deploys a good solution.

I don't think getting a pile of volunteers to answer the mails is the
right answer -- we should instead a) work to take out the artificial
bottleneck (help appreciated! :), and b) figure out better ways to build
server operator community that don't involve as much manual attention
from me (help appreciated! :).

Thanks,
--Roger



Set up a webproxy to TOR - tor-proxy.net

2007-09-23 Thread Ricky Fitz
Hi Folks,

I just wanted to let you know, that I have set up a Webproxy to the
TOR-Network, for letting people get the advantages of TOR who are not
able to install TOR for themselves.

For example, if they are using a computer, they do not have full access
to, or something else.

It is running on the same server my TOR-Server is running (called
GrossATuin).

You can reach it here:

http://www.tor-proxy.net or
https://www.tor-proxy.net

Let me know what you think about!

Greetings,
Ricky.




Re: Set up a webproxy to TOR - tor-proxy.net

2007-09-23 Thread BlueStar88
Ricky Fitz wrote:
> Hi Folks,
>
> I just wanted to let you know, that I have set up a Webproxy to the
> TOR-Network, for letting people get the advantages of TOR who are not
> able to install TOR for themselves.

[...]

>
> Let me know what you think about!
>
> Greetings,
> Ricky.

First: Another single-point-of-trust service. Principally a bad idea,
because *you* know all the sites the users are surfing to! Why should I
(as user) trust you?

Second: You are showing your proxy host name to the target web service.
This...

https://www.tor-proxy.net/cgi-bin/nph-proxy.cgi/00A/http/torcheck.xenobite.eu/

...leads to following result:

Your HTTP-VIA1.1 v31663.1blu.de:8080 (squid/2.6.STABLE1)

Like this you are uncovering the first onion hop (yourself).

You should fix that, at least!



Greets

-- 


BlueStar88

PGPID: 0x36150C86
PGPFP: E9AE 667C 4A2E 3F46 9B69 9BB2 FC63 8933 3615 0C86
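
The header check described in the message above, as an added example that is not part of the original thread: it parses the `Via` value reported there and flags what a destination site can learn from proxy-added request headers. The function names and the `X-Forwarded-For` sample value are assumptions constructed for illustration.

```python
import re

# Request headers that a forwarding proxy may add and that carry the
# address of the client sitting behind it.
CLIENT_ADDRESS_HEADERS = ("x-forwarded-for", "forwarded")

# One Via entry: [protocol-name "/"] protocol-version, received-by, (comment).
VIA_ENTRY = re.compile(
    r"^(?:(?P<name>[^\s/]+)/)?(?P<version>\S+)\s+"
    r"(?P<by>[^\s(]+)(?:\s*\((?P<comment>.*)\))?$"
)


def split_via(value):
    """Split a Via field value on commas that are outside (comments)."""
    parts, depth, cur = [], 0, []
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")" and depth:
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def split_host_port(received_by):
    """Return (host, port) for 'host:port', or (received_by, None)."""
    host, sep, port = received_by.rpartition(":")
    if sep and host and port.isdigit():
        return host, port
    return received_by, None


def names_real_host(host):
    """A received-by without dots or brackets is treated as a pseudonym."""
    return "." in host or host.startswith("[")


def audit_request_headers(headers):
    """Return (header, kind, value) findings for identifying proxy headers.

    `headers` is the request as the destination site receives it.
    """
    findings = []
    for name, value in headers.items():
        lname = name.lower()
        if lname == "via":
            for entry in split_via(value):
                m = VIA_ENTRY.match(entry)
                if not m:
                    findings.append(("via", "unparsed", entry))
                    continue
                host, _port = split_host_port(m["by"])
                if names_real_host(host):
                    findings.append(("via", "proxy-host", host))
                if m["comment"]:
                    findings.append(("via", "proxy-software", m["comment"]))
        elif lname in CLIENT_ADDRESS_HEADERS:
            findings.append((lname, "client-address", value))
    return findings


# Constructed sample requests. The Via value is the one quoted in the
# message above; the X-Forwarded-For address is a documentation-range
# placeholder, not something reported in the thread.
LEAKY_REQUEST = {
    "Host": "torcheck.xenobite.eu",
    "Via": "1.1 v31663.1blu.de:8080 (squid/2.6.STABLE1)",
    "X-Forwarded-For": "192.0.2.10",
}
CLEAN_REQUEST = {"Host": "torcheck.xenobite.eu"}

if __name__ == "__main__":
    for finding in audit_request_headers(LEAKY_REQUEST):
        print(finding)
```

Squid's `via` and `forwarded_for` directives control whether it emits these two headers.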





Re: Set up a webproxy to TOR - tor-proxy.net

2007-09-23 Thread Ricky Fitz
Hi Bluestar,

> First: Another single-point-of-trust service. Principally a bad idea,
> because *you* know all the sites the users are surfing to! Why should I
> (as user) trust you?

Of course, that is true, and I mention it in the FAQ. But you can ask
every anonymizer on the web the same question. Of course it is better to
use TOR by yourself, but as I said, it is not made for people who can
run their own TOR-Session.

> Your HTTP-VIA  1.1 v31663.1blu.de:8080 (squid/2.6.STABLE1)
>
> Like this you are uncovering the first onion hop (yourself).
>
> You should fix that, at least!

Thanks a lot for that hint, should be fixed now.

Best regards,
Ricky.
-- 
If liberty means anything at all, it means the right to tell people
what they do not want to hear.
- George Orwell, from the afterword to Animal Farm, 1945 -

GPG-Fingerprint: 10D6 7B8F 1F7C 7CB1 2C4E 930E AFD2 FDF3 A10B D302
GPG-Key-ID: AFD2FDF3A10BD302
http://www.lawlita.com/pgp-schluessel/




Re: Set up a webproxy to TOR - tor-proxy.net

2007-09-23 Thread tor-op
On Mon, Sep 24, 2007 at 12:42:31AM +0200, Ricky Fitz wrote:
> It is running on the same server my TOR-Server is running (called
> GrossATuin).

Does your proxy use a separate Tor client, do you exclude your node
as an entry?

I was wondering recently about the security implications of such a setup.

I was thinking of using a vpn to access my Tor server. From there, all vpn
traffic would be proxied through another tor instance running in client mode
with no bw limitations. Would that be more secure because a tor server
is already running there or less secure because, if in some way, the
traffic from the two instances could be differentiated and the vpn
connections would make the whole system less secure because they would
allow timing and statistical attacks relating vpn traffic to the second
tor traffic?

If this is insecure then you could expose your users by using a second
instance.

If it is secure then it is a necessary measure, I think. Otherwise, you
could be offering access to a lesser secure version of Tor for your
users by circumventing the three nodes by-design circuits of Tor.




Re: Set up a webproxy to TOR - tor-proxy.net

2007-09-23 Thread Ricky Fitz
On Sunday, 23.09.2007, at 20:50 -0400, [EMAIL PROTECTED] wrote:
> On Mon, Sep 24, 2007 at 12:42:31AM +0200, Ricky Fitz wrote:
> > It is running on the same server my TOR-Server is running (called
> > GrossATuin).
>
> Does your proxy use a separate Tor client, do you exclude your node
> as an entry?

No, it does not use a separate Tor-Client. Therefore it doesn't make
sense to exclude my node. It uses the Tor-Session which runs as a
tor-node. So if you spy on the traffic of the server, you will not be
able to see, which traffic is from routing traffic for acting as a
server, and which from acting as a client. I think that's safer than
using a second client.

> I was wondering recently about the security implications of such a setup.
>
> I was thinking of using a vpn to access my Tor server. From there, all vpn
> traffic would be proxied through another tor instance running in client mode
> with no bw limitations. Would that be more secure because a tor server
> is already running there or less secure because, if in some way, the
> traffic from the two instances could be differentiated and the vpn
> connections would make the whole system less secure because they would
> allow timing and statistical attacks relating vpn traffic to the second
> tor traffic?

I really don't know, if it will be possible to identify the
vpn-connection because of the data which is transferred. But it would be
possible, to see that there is another service running than tor. Also,
what Bluestar is doubled. If we build a VPN from my server to yours, not
only me is theoretical able to spy on the traffic, but also you. (Not
that I want to say I do not trust you, but it kills the advantages of
onion-system.

Regards.
Ricky.
-- 
If liberty means anything at all, it means the right to tell people
what they do not want to hear.
- George Orwell, from the afterword to Animal Farm, 1945 -

GPG-Fingerprint: 10D6 7B8F 1F7C 7CB1 2C4E 930E AFD2 FDF3 A10B D302
GPG-Key-ID: AFD2FDF3A10BD302
http://www.lawlita.com/pgp-schluessel/




Re: Set up a webproxy to TOR - tor-proxy.net

2007-09-23 Thread phobos
On Mon, Sep 24, 2007 at 12:42:31AM +0200, [EMAIL PROTECTED] wrote 0.9K bytes in 
40 lines about:
: I just wanted to let you know, that I have set up a Webproxy to the
: TOR-Network, for letting people get the advantages of TOR who are not
: able to install TOR for themselves.

Hi,

  I have a few concerns about your proxy setup and service.  First off,
  you should disclaim that this site and service isn't an official
  project of Tor.  People may confuse your url with the real Tor and
  think they are getting the same anonymity properties.

  Second is a concern over the last bullet point at the bottom 
  of http://tor-proxy.net/impressum.html.  It appears to say that you are 
  recording IP address and browser in a log file.  Additionally, the log
  file is purged when 48 hours old.  Why log at all?  Simply disable all 
  logging in relation to the proxy service on the server.  The default
  Tor log settings should be sufficient.

  Third, can you publish the source code that runs the proxy site?  It
  appears you are using php and CGI:Proxy code to interface with Tor.
  Feel free to choose a FSF-approved license, such as the GPL or
  3-clause BSD, and publish the source for the site, along with any dependent
  software and licenses as required by their license terms.

  Fourth, in order to be more transparent, you should publish the
  configuration of the proxy.  A clear description, whether text or
  graphical, will help increase the trustworthiness of the service.

  Fifth, you probably want to publish the fingerprint of your
  self-signed ssl cert, or look into getting a cert signed by a browser
  accepted CA.  This is weak, but possibly better than nothing.

  Sixth and final, if you decide to put ads on the site or become a
  commercial entity, please contact The Tor Project before doing so.  We
  cannot allow a commercial entity to confuse users about Tor.  As an
  open source project, the disclaimer in the first paragraph may be
  enough to not confuse users.  

  Feel free to bring up any questions/concerns with my six requests.
  Thanks.

-- 
Andrew


Re: Set up a webproxy to TOR - tor-proxy.net

2007-09-23 Thread tor-op
On Mon, Sep 24, 2007 at 03:22:34AM +0200, Ricky Fitz wrote:
> On Sunday, 23.09.2007, at 20:50 -0400, [EMAIL PROTECTED] wrote:
> > On Mon, Sep 24, 2007 at 12:42:31AM +0200, Ricky Fitz wrote:
> > > It is running on the same server my TOR-Server is running (called
> > > GrossATuin).
> >
> > Does your proxy use a separate Tor client, do you exclude your node
> > as an entry?
>
> No, it does not use a separate Tor-Client. Therefore it doesn't make
> sense to exclude my node. It uses the Tor-Session which runs as a
> tor-node. So if you spy on the traffic of the server, you will not be
> able to see, which traffic is from routing traffic for acting as a
> server, and which from acting as a client. I think that's safer than
> using a second client.

I was also wondering how this affects your proxy users anonymity. Even
if you don't disclose your proxy in the headers, there still is a
superior risk due to the fact that an attacker knows that there is a more
than average proportion of your users that are using you as first node.
This proportion is derivable from your proxy traffic (as you mention
there is some risk in having a second, different service that access
tor). Adding a fourth node to your server circuits could plug this hole,
even make it more secure for some users, I guess, but it would also make it
slower, probably for every user (I'm not sure it would affect traffic for
which you are not the entry node).

> > I was wondering recently about the security implications of such a setup.
> >
> > I was thinking of using a vpn to access my Tor server. From there, all vpn
> > traffic would be proxied through another tor instance running in client mode
> > with no bw limitations. Would that be more secure because a tor server
> > is already running there or less secure because, if in some way, the
> > traffic from the two instances could be differentiated and the vpn
> > connections would make the whole system less secure because they would
> > allow timing and statistical attacks relating vpn traffic to the second
> > tor traffic?
>
> I really don't know, if it will be possible to identify the
> vpn-connection because of the data which is transferred.
> But it would be possible, to see that there is another service
> running than tor. Also, what Bluestar is doubled.

I already use the vpn for other things local to that network so it's not
obvious that the traffic coming in is going out through tor or staying
in.

At the network level both tor connections look the same (random local port -
tor server port). I was mostly asking if at Tor's level there would be some
abnormal behavior (like connecting twice to the same node) that could
tell an attacker that there are two tor instances generating those connections
and, eventually allow him to tell their traffic apart.


> If we build a VPN from my server to yours, not
> only me is theoretical able to spy on the traffic, but also you. (Not
> that I want to say I do not trust you, but it kills the advantages of
> onion-system.

I was talking of a proxied vpn access to tor for tcp protocols. It's a
generalisation of your setup and so has the same implications
security-wise.

I'm not sure what a tunnel between servers could be used for (let alone
a vpn ;) Since you bring it up, I'm not sure but I think it could be considered
as an extension of the family concept for tor servers...

Nice work on tor-proxy, anyway.

Regards

