Re: Tor Browser Bundle for Mac OS X released

2010-09-17 Thread intrigeri
Hi,

MacLemon wrote (15 Sep 2010 15:46:19 GMT) :
> SSL Blacklist:
> Checks for SSL Certificates with weak keys and MD5 signed
> certificates. https://addons.mozilla.org/en-US/firefox/addon/160110/
> IIRC this is DNS based which is likely to be very slow due to high
> DNS latency with tor.

Last time I checked (when trying to get this one into Debian) the
blacklist was available for download under a license that prohibited
redistribution.

Bye,
--
  intrigeri intrig...@boum.org
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ 
https://gaffer.ptitcanardnoir.org/intrigeri/otr-fingerprint.asc
  | The impossible just takes a bit longer.
***
To unsubscribe, send an e-mail to majord...@torproject.org with
unsubscribe or-talk in the body. http://archives.seul.org/or/talk/


Re: The best way to run a hidden service: one or two computers?

2010-09-17 Thread hikki
Robert Ransom:

> Only if you trust the hardware firewall/router. I wouldn't.

Okay so there aren't that many safe options to run a hidden service really, 
if any at all?


Re: The best way to run a hidden service: one or two computers?

2010-09-17 Thread Robert Ransom
On Fri, 17 Sep 2010 16:36:16 -0400
hi...@safe-mail.net wrote:

> Robert Ransom:
> 
> > Only if you trust the hardware firewall/router. I wouldn't.
> 
> Okay so there aren't that many safe options to run a hidden service really, 
> if any at all?

If your hidden service really needs to be annoying to find, run it:

* using only well-written, secure software,
* in a VM with no access to physical network hardware,
* on a (physical) computer with no non-hidden services of any kind
  running on it (so that an attacker can't use Dr. Murdoch's ‘Hot or
  Not’ clock-skew detection attack),
* and over a fast enough Internet connection that the adversary cannot
  easily determine your connection's speed.


The VM is optional *if* and *only if* an attacker cannot possibly get
root on your hidden service.  The physical computer with no non-hidden
services on it, and the fast Internet connection, are optional if you
do not need to keep your service hidden at all.

Using secure software to run your hidden service is absolutely
essential; if an attacker can get a list of files
in /bin, /usr/bin, /usr/local/bin, /sbin, /usr/sbin, /usr/local/sbin,
and /command, and a list of directories in /usr/local and /opt, he
probably knows enough to identify the service's owner, and more
importantly, he knows enough to recognize another service owned by the
same person.  Your preferred Unix distribution, your favorite editors,
your favorite command-line utilities, etc. are not especially easy to
hide.  (For example, if you find a hidden service running Plan 9 or
Inferno, or with 9base or plan9port installed on it, you're going to
look at me first -- I'm on both the Tor mailing lists and
Plan-9-related mailing lists, and I don't think anyone else is at the
moment.)


The above precautions are probably enough, unless a three-letter agency
(or four-letter association) knows about your hidden service and wants
to find and ‘neutralize’ its operator.  In that case, you have to worry
about the near-global passive adversary and other threats that Tor
can't afford to defeat.


Another, safer, option is to keep your hidden service below the radar
entirely -- it's a lot harder for your adversaries to find something if
they don't know it exists.  I assume that's the approach that the US
Navy uses.


Robert Ransom
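The point above, that a listing of the binary directories is enough to recognise an operator, suggests a self-audit: what would such a listing give away on your own host? The script below is an added example, not code from this thread or from the Tor Project. It walks the directories the message names and reports every entry that a stock install of the same distribution would not contain. The baseline, the constructed host listing (a box with Plan 9 tooling and daemontools) and all function names are assumptions made for the example; a real audit would generate the baseline from a clean install of the same release.

```python
"""Self-audit of the fingerprint surface a directory listing would expose.
Added example; all baseline and host data below are constructed."""
import os
from typing import Callable, Dict, Iterable, List, Set

# Directories the message says reveal the owner; /command is the
# daemontools service directory, the others are standard binary paths.
AUDIT_DIRS = ("/bin", "/usr/bin", "/usr/local/bin", "/sbin", "/usr/sbin",
              "/usr/local/sbin", "/command")
# Directories whose subdirectories the message says are equally revealing.
AUDIT_PARENTS = ("/usr/local", "/opt")

# Constructed baseline: what a stock install of the same release ships.
# In practice, generate this from a clean install, not by hand.
STOCK_BASELINE: Dict[str, Set[str]] = {
    "/bin": {"sh", "ls", "cat", "cp", "mv"},
    "/usr/bin": {"env", "awk", "sed", "vi", "ssh"},
    "/sbin": {"init", "ifconfig"},
    "/usr/sbin": {"sshd", "cron"},
    "/usr/local": {"bin", "sbin", "lib", "share"},
}

# Constructed host listing for a box with Plan 9 tooling and daemontools.
CONSTRUCTED_HOST: Dict[str, Set[str]] = {
    "/bin": {"sh", "ls", "cat", "cp", "mv", "rc"},
    "/usr/bin": {"env", "awk", "sed", "vi", "ssh", "acme", "9"},
    "/sbin": {"init", "ifconfig"},
    "/usr/sbin": {"sshd", "cron"},
    "/command": {"svscan", "svc"},
    "/usr/local": {"bin", "sbin", "lib", "share", "plan9"},
    "/opt": {"9base"},
}


def constructed_reader(path: str) -> Iterable[str]:
    """Stand-in for os.listdir over the constructed host."""
    if path not in CONSTRUCTED_HOST:
        raise FileNotFoundError(path)
    return sorted(CONSTRUCTED_HOST[path])


def list_entries(path: str, reader: Callable[[str], Iterable[str]]) -> Set[str]:
    """Entries of a directory, or the empty set if it does not exist."""
    try:
        return set(reader(path))
    except OSError:
        return set()


def distinctive_entries(observed: Dict[str, Set[str]],
                        baseline: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Per directory, the entries a stock install would not have."""
    result: Dict[str, List[str]] = {}
    for directory, names in observed.items():
        extra = names - baseline.get(directory, set())
        if extra:
            result[directory] = sorted(extra)
    return result


def fingerprint_surface(reader: Callable[[str], Iterable[str]] = os.listdir,
                        baseline: Dict[str, Set[str]] = STOCK_BASELINE
                        ) -> Dict[str, List[str]]:
    """Audit the live (or constructed) host against the baseline.

    Pass the default reader to audit the machine the script runs on.
    """
    observed = {d: list_entries(d, reader) for d in AUDIT_DIRS + AUDIT_PARENTS}
    return distinctive_entries(observed, baseline)


if __name__ == "__main__":
    # Every line printed here is something a directory listing would reveal.
    for directory, extra in fingerprint_surface(constructed_reader).items():
        print(f"{directory}: {' '.join(extra)}")
```

Run against the constructed host this reports `rc` in /bin, `9` and `acme` in /usr/bin, the daemontools `svc` and `svscan` in /command, `plan9` under /usr/local and `9base` under /opt, which is exactly the kind of list the message says would point straight at a particular operator; run with the default reader it audits the machine it is on. An empty result does not mean the host is unidentifiable (package versions, kernel build and configuration files fingerprint too), only that the binary directories match the stock baseline.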

