dir-spec.txt and directory-signature entries

2011-02-14 Thread J
The final entries in a consensus document are a number of
directory-signature entries.

dir-spec.txt says:

<cite>

  directory-signature SP identity SP signing-key-digest NL Signature

This is a signature of the status document, with the initial item
network-status-version, and the signature item
directory-signature, using the signing key.  (In this case, we take
the hash through the _space_ after directory-signature, not the
newline: this ensures that all authorities sign the same thing.)
identity is the hex-encoded digest of the authority identity key of
the signing authority, and signing-key-digest is the hex-encoded
digest of the current authority signing key of the signing authority.

</cite>

Does that mean the hash from the network-status-version entry to the
*first* directory-signature entry including a SP?

Or something else? The wording in dir-spec.txt is ambiguous to me.

Any help appreciated.

Cheers
/Jocke
***
To unsubscribe, send an e-mail to majord...@torproject.org with
unsubscribe or-talk in the body. http://archives.seul.org/or/talk/
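
The reading that satisfies the quoted sentence ("all authorities sign the same thing") is the one through the space after the *first* directory-signature keyword, and that is how Tor computes it. The sketch below is an added example, not part of the original post and not Tor's own code; the sample document, the placeholder digests and the use of SHA-1 are constructed assumptions.

```python
import hashlib

START = b"network-status-version"
END = b"\ndirectory-signature "   # newline, keyword, then the SP the spec mentions


def signed_portion(doc: bytes) -> bytes:
    """Return the bytes that every authority's signature covers."""
    if not doc.startswith(START):
        raise ValueError("document must begin with network-status-version")
    end = doc.find(END)           # first occurrence only
    if end < 0:
        raise ValueError("no directory-signature entry found")
    # Stop right after the space: identity and signing-key-digest, which
    # differ per authority, are never part of the hashed span.
    return doc[: end + len(END)]


def signed_digest(doc: bytes) -> str:
    # Assumption: SHA-1; substitute the digest the signature was made over.
    return hashlib.sha1(signed_portion(doc)).hexdigest()


def sig_entry(identity: bytes, key_digest: bytes) -> bytes:
    # Constructed placeholder entry; the signature body is not a real signature.
    return (b"directory-signature %s %s\n"
            b"-----BEGIN SIGNATURE-----\n"
            b"constructed-placeholder\n"
            b"-----END SIGNATURE-----\n" % (identity, key_digest))


# Constructed sample consensus body (not real network data).
BODY = (b"network-status-version 3\n"
        b"vote-status consensus\n"
        b"valid-after 2011-02-14 12:00:00\n")

AUTH_A = sig_entry(b"A" * 40, b"C" * 40)
AUTH_B = sig_entry(b"B" * 40, b"D" * 40)

# The same consensus as two authorities might serve it: identical body,
# signature entries appended in a different order.
DOC_AB = BODY + AUTH_A + AUTH_B
DOC_BA = BODY + AUTH_B + AUTH_A

if __name__ == "__main__":
    print(signed_portion(DOC_AB).decode())
    print(signed_digest(DOC_AB) == signed_digest(DOC_BA))
```

Because the span stops before any identity digest, appending or reordering signature entries does not change the value that each authority signs.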


Re: Practical web-site-specific traffic analyses

2010-08-01 Thread Steven J. Murdoch
On Fri, Jul 30, 2010 at 12:32:43PM -0700, Seth David Schoen wrote:
 The simplest threat scenario for Tor users would be when an
 attacker in a position to observe a particular user's traffic,
 but not any exit node traffic, hypothesizes that the user is
 likely to visit a particular site and builds up a profile of
 what web browsing traffic to that site will look like.  The
 attacker could then try to confirm the hypothesis that the
 user is using that site and also try to infer some details of
 what the user is doing.  This is quite different from traffic
 confirmation because the attacker only has to be present at
 one end.

Yes, this has been a known risk with all currently deployed
low-latency anonymity systems. One recent paper which looked at the
problem was discussed here:

 
http://conspicuouschatter.wordpress.com/2009/11/13/in-real-time-from-ccsw09-more-website-fingerprinting/

and the full paper is here:

 
http://www-sec.uni-r.de/website-fingerprinting/ccsw09_website-fingerprinting.pdf

What they found is that single-hop proxies were easily broken (95%
accuracy), but multi-hop systems were more of a challenge. The attack
against JonDo was about 20% accurate and against Tor it was only 3%
accurate.

This doesn't mean that multi-hop systems are safe though, because the
attack assumed that the anonymity system didn't add any extra traffic.
In fact, Tor and JonDo do add quite a bit of extra traffic, and it was
probably this which confused the attack. Much of this traffic can be
identified and if it were removed before the traffic analysis was
performed, the accuracy would likely go up by quite a bit.

To fix this attack, systems can add dummy traffic (padding), delay
packets, and/or drop packets. Tor adds a bit of padding, but unlikely
enough to make a difference. Tor doesn't (intentionally) drop or delay
traffic.

More research is needed before we will know how best to use and
combine these traffic analysis resistance techniques. I co-authored a
paper on some aspects of this problem, but while the combination of
delaying and padding is promising, more needs to be done before this
can be deployed in a production system:

 http://www.cl.cam.ac.uk/~sjm217/papers/pets10topology.pdf

Steven

-- 
http://www.cl.cam.ac.uk/users/sjm217/


Re: unsubscribe

2009-05-14 Thread j xd



unsubscribe

2009-05-14 Thread j xd



Re: unsubscribe

2009-05-12 Thread j xd



Re: Gsoc Idea: Lunux Tor/Firefox Bundle

2009-03-26 Thread Steven J. Murdoch
On Wed, Mar 25, 2009 at 02:24:28PM -0400, Ringo Kamens wrote:
 This sounds like it could be a cool project. You might look into running
 it all inside a virtual machine with Qemu or VMWare. Damn Small Linux or
 Knoppix would probably be a good distro to run in the virtual machine.

One constraint of the Linux bundle is that it shouldn't require root
access. This might cause a problem for running a virtual machine.

Steven.

-- 
w: http://www.cl.cam.ac.uk/users/sjm217/


Re: tor-browser bundle on XP

2009-01-22 Thread Steven J. Murdoch
On Sat, Jan 17, 2009 at 09:28:20PM +, mikel.ander...@juno.com wrote:
 I understand and agree about getting too close to the bleeding-edge.
 I look forward to TBB w/FF3, with anticipation.  Thank you for all
 your hard work.

Tor Browser Bundle 1.1.8 now includes Firefox 3 (3.0.5 to be precise).
It can be downloaded from the usual place:

 https://www.torproject.org/torbrowser/

Steven.

-- 
w: http://www.cl.cam.ac.uk/users/sjm217/



Re: How I Learned to Stop Ph34ring NSA and Love the Base Rate Fallacy

2008-11-22 Thread Steven J. Murdoch
On Sun, Sep 28, 2008 at 12:27:11PM +, The23rd Raccoon wrote:
 This post performs some basic analysis of the utility of timing
 correlation attacks against a moderately used anonymous network,
 specifically with respect to the Base Rate Fallacy[1] of Bayesian
 statistics. Via that same analysis, it also for the first time begins to
 quantify the utility that additional users bring to a low latency
 anonymous network in terms of resistance to timing attacks.

George Danezis has discussed this post on his blog:

 
http://conspicuouschatter.wordpress.com/2008/09/30/the-base-rate-fallacy-and-the-traffic-analysis-of-tor/

Steven.

-- 
w: http://www.cl.cam.ac.uk/users/sjm217/


Re: IRC problems with Tor

2008-10-28 Thread David J. Bianco
The idea is that you then configure your IRC client to use 10.40.40.40
(or whatever IP you chose) as the server's IP address.  From your description,
I couldn't tell if you had also done that or not.  If not, that's probably
the reason it's not working.

David

Grozdan wrote:
 I then went to the freenode site and looked up information on how to make 
 freenode work with Tor. In the documentation, it said to add the below line 
 to my torrc file - http://freenode.net/irc_servers.shtml#tor
 
 mapaddress  10.40.40.40  mejokbp2brhw4omd.onion
 
 and then to restart Tor, which I did. But I keep getting the same response 
 from freenode and it doesn't allow me to connect at all.
 


Re: Geode: some more headaches for TorButton? :-P

2008-10-09 Thread J B

thanks to you guys who helped me unsubscribe.

however, note that actually my (yahoo) address has full headers and I don't see 
any way to unsubscribe, apart from how you guys said to do it.
I checked the headers and there is nothing about it, even under word search.
I think these headers only arrive to certain people, maybe using mail clients 
etc, yahoo doesn't deliver them or they get stripped out somehow

Whoever is responsible for this list might wanna add an attachment to all 
emails on how to unsubscribe as none of the emails I ever got showed how to do 
so in headers or anywhere else. thanks good luck.

--- On Thu, 10/9/08, Tom Hek [EMAIL PROTECTED] wrote:

 From: Tom Hek [EMAIL PROTECTED]
 Subject: Re: Geode: some more headaches for TorButton? :-P
 To: or-talk@freehaven.net
 Date: Thursday, October 9, 2008, 4:11 AM
 It's really scary when a random website can request your physical
 location imo.. I really hope you can disable that shit in the new
 version of Firefox when they include it..
 
 Tom
 
 Marco Bonetti wrote:
  Link bounced from /.: http://labs.mozilla.com/2008/10/introducing-geode/
  
  Looks like the upcoming versions of firefox will ship the support for W3C
  geolocation specification: what's better for a tor attacker to ask
  directly to the browser where its user lives? ;-)
  I'm quite confident there'll be a way to (easily?) disable this feature
  but it's scaring stuff nevertheless.
  
  ciao
 


  


Re: same first hops

2008-10-08 Thread J B
someone tell me how to get off this list

i don't see any instructions included in any emails on how to leave
the emails are way way too much



--- On Wed, 10/8/08, F. Fox [EMAIL PROTECTED] wrote:

 From: F. Fox [EMAIL PROTECTED]
 Subject: Re: same first hops
 To: or-talk@freehaven.net
 Date: Wednesday, October 8, 2008, 2:15 PM
 
 M wrote:
  Is there any reason i get the same first hop for a number of days? Even
  when i form a new identity in vidalia, i still get the same first
  hops. i don't feel comfortable with that.
  
 
 The first hop is an entry guard, which stays the same in order to
 prevent a well-known type of attack which could reveal your identity.
 
 You needn't worry - the first hop has no way of knowing what you're
 doing, or even who the last hop in your circuits are. =:o)
 
 - --
 F. Fox
 Owner of Tor node kitsune
 http://fenrisfox.livejournal.com


  


Re: how much does opera leak?

2008-10-05 Thread J B
does anyone know how i can unsubscribe from this site these emails are getting 
way too many? thanks


--- On Sun, 10/5/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

 From: [EMAIL PROTECTED] [EMAIL PROTECTED]
 Subject: Re: how much does opera leak?
 To: or-talk@freehaven.net
 Date: Sunday, October 5, 2008, 5:56 AM
 On Sun, Oct 05, 2008 at 05:47:39AM -0700, [EMAIL PROTECTED] wrote 2.4K bytes in 81 lines about:
 : Maybe I need to set a particular filter on wireshark to see leaked dns
 : requests from Opera via Tor, or should these show up in brilliant blue anyway?
 
 Or maybe the version of Opera you are using doesn't leak dns requests
 anymore.
 
 -- 
 Andrew


  


Re: More GSoC Ideas

2008-03-24 Thread David J. Bianco
Jonathan Addington wrote:

 2. On *nix systems, make it easy for snort to filter out tor traffic
 on a protocol level. I realize there are plenty of legal uses for
 BitTorrent, Gnutella, etc., but most of them do not require anonymity
 in a strong sense. That is, they can get the same content through http
 (most of the time) anyway, and downloading a Linux distribution (or
 whatever) won't be flagged by most governments/agencies/whatever. It's
 my bandwidth, I have the right to let *others'* use it as I see fit.
 

You probably don't need a whole project for this.  There are already
some Snort rules to detect Tor usage, and if you can detect it, you're
98% of the way to asking Snort to ignore it.

For example, Emerging Threats has a set of snort rules in their policy
section that detect Tor.  Here's one:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY TOR 1.0 Server Key Retrieval"; \
flow:established,to_server; \
content:"|47 45 54 20 2f 74 6f 72 2f 73 65 72 76 65 72 2f|"; \
threshold:type limit, track by_src, count 1, seconds 60; \
classtype:policy-violation; reference:url,tor.eff.org; \
sid:2002950; rev:4;)

Now, you can easily cause this rule to set a flowbit when it fires.  Flow
bits are pretty much just what they sound like: a user-definable status
bit that you can turn on or off for specific network flows (sessions).
In this case, we can add a flowbit called is_tor:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY TOR 1.0 Server Key Retrieval"; \
flow:established,to_server; \
content:"|47 45 54 20 2f 74 6f 72 2f 73 65 72 76 65 72 2f|"; \
threshold:type limit, track by_src, count 1, seconds 60; \
flowbits:set,is_tor; flowbits:noalert; \
classtype:policy-violation; reference:url,tor.eff.org; \
sid:2002950; rev:4;)

Notice the extra flowbits:set,is_tor; flowbits:noalert; line there.
That takes care of both setting the bit and of making sure that this rule
itself doesn't cause an alert to be generated.

For the second part, we can set up a pass rule that will tell snort to
avoid processing that traffic through the rules engine, but only if the
flowbit is_tor is set:

pass tcp any any -> any any (msg:"PASS Tor traffic"; \
flowbits:isset,is_tor; sid:100; rev:1;)

Granted, that first rule may not be the only way to detect Tor traffic, or
even the best way anymore (I'm not sure of the current status of the Tor
protocol).  Also, as written, the ET rule is specifically looking for
clients on your network talking to Tor servers on the Internet, but the
general technique should still hold.  If Snort can detect the Tor traffic,
it can also easily be made to ignore the traffic without having to write
custom code.

David
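
A point worth seeing in action with the rules above: flowbit state belongs to one TCP session, so the pass rule only covers the session in which the "GET /tor/server/" request was seen. The following is an added example, not code from the original message and not Snort's engine; it is a simplified model, and the second rule, the addresses and the payloads are constructed for illustration.

```python
from collections import defaultdict

# content: bytes from the ET rule quoted above; they spell "GET /tor/server/"
TOR_DIR_FETCH = bytes.fromhex("47 45 54 20 2f 74 6f 72 2f 73 65 72 76 65 72 2f")

# Hypothetical stand-in for the rest of a ruleset: (message, content) pairs.
OTHER_RULES = [("EXAMPLE unrelated rule", b"EXAMPLE-PATTERN")]


def evaluate(packets):
    """Simplified model of per-flow flowbit handling.

    packets: iterable of (flow, payload), where flow is the
    (src, sport, dst, dport) tuple that identifies one TCP session.
    Returns one verdict per packet: 'pass', an alert message, or None.
    """
    flowbits = defaultdict(set)          # flowbit state is kept per flow
    verdicts = []
    for flow, payload in packets:
        # sid:2002950 with flowbits:set,is_tor; flowbits:noalert;
        if TOR_DIR_FETCH in payload:
            flowbits[flow].add("is_tor")
        # pass rule: flowbits:isset,is_tor;
        if "is_tor" in flowbits[flow]:
            verdicts.append("pass")
            continue
        hits = [msg for msg, content in OTHER_RULES if content in payload]
        verdicts.append(hits[0] if hits else None)
    return verdicts


# Constructed sample traffic; addresses come from documentation ranges.
DIR_FLOW = ("192.0.2.10", 40001, "198.51.100.5", 80)
OTHER_FLOW = ("192.0.2.10", 40002, "198.51.100.5", 9001)
SAMPLE = [
    (DIR_FLOW, b"GET /tor/server/all HTTP/1.0\r\n\r\n"),  # sets is_tor
    (DIR_FLOW, b"EXAMPLE-PATTERN"),     # same session: no longer inspected
    (OTHER_FLOW, b"EXAMPLE-PATTERN"),   # same hosts, new session: still alerts
    (OTHER_FLOW, b"opaque bytes"),      # nothing matches
]


def demo():
    return evaluate(SAMPLE)


if __name__ == "__main__":
    for (flow, _), verdict in zip(SAMPLE, demo()):
        print(flow, "->", verdict)
```

Sessions from the same client that never carry the matching request keep going through the full ruleset, which is the limit of this flowbit approach when the goal is to ignore all Tor traffic.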



Re: New Tor distribution for testing: Tor Browser Bundle

2008-02-03 Thread Steven J. Murdoch
On Sun, Feb 03, 2008 at 02:36:10AM -0500, Silivrenion wrote:
 I did notice torbrowser was in the directory format that is friendly with
 PortableApps format applications, so props on that.
 
 Interesting take, taking what Portable Tor http://portabletor.sf.net has
 done and bringing it to an all inclusive bundle.

Yes, I did look at how Portable Tor worked when I started, and it was
very helpful to see that it could be done, though I've taken a bit of
a different approach, based on my guess at user requirements. 

The main architectural change is that Vidalia controls most of the
process. The major advantage is that Vidalia receives and understands
status messages from Tor and can act accordingly. It's also easy to
extend without needing extra build components.

I added new configuration options to handle starting Polipo and Firefox:
 - BrowserExecutable: location of the web browser to be started when
Tor successfully builds a circuit. When the browser exits, Vidalia
will shut down too
 - ProxyExecutable: location of the proxy server, started when Vidalia
does and will be killed as Vidalia exits.

These changes are now in the mainline Vidalia source tree, so might be
useful for other bundles of Tor too. The Tor Browser Bundle is still
in development so assuming we stick to this architecture there might
be some more.

Steven.

-- 
w: http://www.cl.cam.ac.uk/users/sjm217/


Re: New Tor distribution for testing: Tor Browser Bundle

2008-02-03 Thread Steven J. Murdoch
On Sun, Feb 03, 2008 at 10:19:54PM +0100, Michael Schmidt wrote:
 Steven, i suggest to make it hardcoded default and a Must, that each user,
 using this browser, is as well running an tor **exit** node,
 tit for tat. like emule partials: upload is a MUST.

I don't think this is likely in the near future. One of the important
target classes of users is people who are at risk of persecution by
their government and want to keep a low profile. Many of these users
are also not fully computer literate and there may not be fully
translated Tor documentation in their language.

The goals of the bundle include being easy to set up and to leave
limited traces (both are still being worked on). In this scenario, to
broadcast the fact that someone is using Tor is in my opinion an
unacceptable risk. There would need to be some way to protect these
users before mandatory server operation is the standard.

Steven.

-- 
w: http://www.cl.cam.ac.uk/users/sjm217/


New Tor distribution for testing: Tor Browser Bundle

2008-01-29 Thread Steven J. Murdoch
Recently I have been working on creating a distribution of Tor which
includes a pre-configured browser -- the Tor Browser Bundle. It is
intended for being run off a USB flash drive, but will probably also
be helpful to users who want an easy-to-setup packaging of Tor.

More information and download links can be found here:

 http://torbrowser.torproject.org/

The bundle contains Firefox, Tor, Vidalia, Polipo and Torbutton. No
installation is needed (just unpack the contents). All the components
are automatically started by one double-click.

The bundle is new, and contains development versions of Tor, Vidalia
and Torbutton, so should be considered a testing release. I do hope it
will be useful, and I'd appreciate comments, suggestions, and bug
reports.

Thanks,
Steven.

-- 
w: http://www.cl.cam.ac.uk/users/sjm217/


Re: New attack-vector via covert and side channel

2007-12-11 Thread Steven J. Murdoch
On Tue, Dec 11, 2007 at 03:59:59PM +0100, kazaam wrote:
 I dunno how public it is but I found today this dissertation by
 Steven Murdoch about attacking the tor-network via covert- and
 sidechannels: http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-706.pdf

The results discussed aren't actually that new. Chapters 4 and 5,
which are on Tor, are based on papers published in May 2005 and
October 2006 respectively.

 http://www.cl.cam.ac.uk/~sjm217/papers/oakland05torta.pdf
 http://www.cl.cam.ac.uk/~sjm217/papers/ccs06hotornot.pdf

I've now published the thesis version of these papers, which have more
diagrams and other improvements, but the underlying data and
conclusions are the same.

To quote from my previous message:

 To avoid any misunderstanding, I should add that there is no reason
 to panic. Primarily the paper is designed to feed into the future
 design of Tor rather than suggest any short term fixes. There are
 already known attacks on Tor which will probably work better than
 this, but the proposed defences to these will not fix the problem I
 discuss in the paper.

 Also, in the paper, I say that for clarity the results in the paper
 are mainly from a private Tor network and running it in reality will
 be more messy. However, as the performance of the Tor network improves,
 the attack will be more effective, so is worth bearing in mind for the
 future.

 -- http://archives.seul.org/or/talk/Sep-2006/msg00080.html

Steven.

-- 
w: http://www.cl.cam.ac.uk/users/sjm217/


Re: Unsubscribe

2007-10-01 Thread j xd
Unsubscribe


Re: List of NODES in IP form

2006-10-10 Thread David J. Bianco
I wrote a little script a while ago that may be useful to you:

http://infosecpotpourri.blogspot.com/2006/08/listing-active-tor-servers.html

Whenever you run it, the script queries one of the authoritative
directory servers and dumps that server's list of known nodes.  A
quick-and-dirty hack, to be sure, but maybe useful to you, even if just
as a starting point for your own code.

David

Mr. Blue wrote:
 Hello,
 
 this is my first post here.
 
 So, client(user) obtains a list of Tor nodes from a directory server.
 Now I'm developing web-apps in PHP 5 and I would like someone to tell me,
 how to get all IPs of those Tor nodes and put them in a .txt file.
 (each IP of a node on a new line in .txt file)
 
 When that .txt file is created my PHP script can start utilizing it.
 
 Thanks for a help in advance
 
 Oh, one more question...
 When I use tor and check my IP with some web service,
 it is actually showing IP of a last node.
 Is that correct? ...or not?
 
 Thx...!
 


Re[4]: TorPark mentioned on BoingBoing

2006-05-10 Thread Michael J Freedman

On Wed, 10 May 2006, Arrakistor wrote:


Date: Wed, 10 May 2006 12:59:20 +0100
From: Arrakistor [EMAIL PROTECTED]
Reply-To: or-talk@freehaven.net
To: Jake Appelbaum or-talk@freehaven.net
Subject: Re[4]: TorPark mentioned on BoingBoing

Jake, et al

It appears that the CORALized mirrors had not updated the version of
the source tar it was distributing.


Your server needs to provide proper Cache-Control (i.e., expires) headers 
when using CoralCDN if you'd like it to actually update your site 
regularly, following HTTP caching conventions. Otherwise, CoralCDN's 
default expiry period is 24 hours.


Thanks,
Mike Freedman
CoralCDN Project Lead