Re: Yahoo Mail and Tor
On Wed, 15 Jul 2009 09:18:04 -0400 Andrew Lewman wrote:
>On 07/15/2009 02:35 AM, Scott Bennett wrote:
>
>> Then you're remembering it from somewhere else because neither that
>> thread nor the first of the two it refers to say anything about it. (The
>> second reference is apparently no longer available at the link given.)
>
>It's entirely possible I've crossed private and public communications in
>my memory banks. The second link in the email has an extra space in the

I know the problem well. :-(

>link, it should be:
>
>http://pseudo-flaw.net/content/tor/vidalia-insecure-privoxy-configuration/
>
Thanks. Yes, I see it says at greater length basically what the other
one said: if you enable those options, then privoxy will be vulnerable.
Making sure they are disabled seems (to me, at least) to eliminate the
problem. However, running a version of privoxy that has been obsolete
for well over two years, maybe over three years, presents its own risks,
as well as the irritations of inferior filtering.

Scott Bennett, Comm. ASMELG, CFIAG
Internet: bennett at cs.niu.edu
"A well regulated and disciplined militia, is at all times a good
objection to the introduction of that bane of all free governments
-- a standing army."
-- Gov. John Hancock, New York Journal, 28 January 1790
Re: Yahoo Mail and Tor
On 07/15/2009 02:35 AM, Scott Bennett wrote:
> Then you're remembering it from somewhere else because neither that
> thread nor the first of the two it refers to say anything about it. (The
> second reference is apparently no longer available at the link given.)

It's entirely possible I've crossed private and public communications in
my memory banks. The second link in the email has an extra space in the
link, it should be:

http://pseudo-flaw.net/content/tor/vidalia-insecure-privoxy-configuration/

--
Andrew Lewman
The Tor Project
pgp 0x31B0974B

Website: https://torproject.org/
Blog: https://blog.torproject.org/
Identica/Twitter: torproject
Re: Yahoo Mail and Tor
> >>> enable-remote-toggle 0
> >>> enable-remote-http-toggle 0
> >>> enable-edit-actions 0
> >>> allow-cgi-request-crunching 0

Folks, the default install of the current release of privoxy sets all of
these to 0. That means the named features can't be changed via
config.privoxy.org. You'd need to edit the config file and set them to 1
to allow that. The referrer stuff only applies if these options are set
to 1, as was the case in the vulnerability report.

Compile, add the forward-socks5 line, run :)
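A check for the four settings named in the message above, as an added example that is not part of the original thread and not Privoxy's own code. The config parsing is simplified, the sample configs are constructed, and treating an unset directive as a finding is a conservative choice of this example, not a statement about Privoxy's compiled-in defaults.

```python
# The four directives quoted in this thread.
DIRECTIVES = (
    "enable-remote-toggle",
    "enable-remote-http-toggle",
    "enable-edit-actions",
    "allow-cgi-request-crunching",
)

# Constructed sample inputs (not taken from any real installation).
SAMPLE_LOCKED = """\
enable-remote-toggle 0
enable-remote-http-toggle 0
enable-edit-actions 0
allow-cgi-request-crunching 0
"""

SAMPLE_WEAK = """\
enable-remote-toggle 0
enable-remote-toggle 1        # a later line overrides the earlier 0
#enable-edit-actions 0        # commented out, so effectively unset
enable-remote-http-toggle   0
allow-cgi-request-crunching yes
"""


def parse_directives(config_text):
    """Return {directive: last value seen} for the four directives.

    Simplified parsing (assumption of this example): one 'keyword value'
    pair per line, '#' starts a comment, a later line overrides an
    earlier one.
    """
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key in DIRECTIVES:
            seen[key] = parts[1].strip() if len(parts) > 1 else ""
    return seen


def audit(config_text):
    """Classify each directive as disabled, enabled, unset or invalid."""
    seen = parse_directives(config_text)
    report = {}
    for name in DIRECTIVES:
        if name not in seen:
            report[name] = "unset"
        elif seen[name] == "0":
            report[name] = "disabled"
        elif seen[name] == "1":
            report[name] = "enabled"
        else:
            report[name] = "invalid"
    return report


def is_locked_down(config_text):
    """True only when all four directives are explicitly set to 0."""
    return all(state == "disabled" for state in audit(config_text).values())


if __name__ == "__main__":
    for label, text in (("locked", SAMPLE_LOCKED), ("weak", SAMPLE_WEAK)):
        print(label, "OK" if is_locked_down(text) else "REVIEW")
        for name, state in audit(text).items():
            print(f"  {name}: {state}")
```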
Re: Yahoo Mail and Tor
On Wed, 15 Jul 2009 00:50:23 -0400 Andrew Lewman wrote:
>On 07/09/2009 01:36 PM, Lee wrote:
>>>> enable-remote-toggle 0
>>>> enable-remote-http-toggle 0
>>>> enable-edit-actions 0
>>>> allow-cgi-request-crunching 0
>>> I'm trying to find the email thread, but until then, even with these
>>> set, it was demonstrated someone can manipulate your privoxy config by
>>> making your tor client pass strings from localhost.
>
>The best thread I can find on this topic is
>http://archives.seul.org/or/talk/Nov-2007/msg00323.html
>
>My memory of the details recalls that even with everything set to 0,
>there was something that could enable the admin interface by referrer
>spoofing, and then you've lost.

Then you're remembering it from somewhere else because neither that
thread nor the first of the two it refers to say anything about it. (The
second reference is apparently no longer available at the link given.)

>
>However, I can't find the details so, perhaps it's time to check out the
>current versions of privoxy and re-evaluate. I'd love to stop shipping
>a powerpc-only privoxy with the osx bundles, at a minimum.
>
privoxy 3.0.12, IIRC, comes with better files for filtering out junk and
other problems than the long obsolete 3.0.6 did.

Scott Bennett, Comm. ASMELG, CFIAG
Internet: bennett at cs.niu.edu
Re: Yahoo Mail and Tor
On 07/09/2009 01:36 PM, Lee wrote:
>>> enable-remote-toggle 0
>>> enable-remote-http-toggle 0
>>> enable-edit-actions 0
>>> allow-cgi-request-crunching 0
>> I'm trying to find the email thread, but until then, even with these
>> set, it was demonstrated someone can manipulate your privoxy config by
>> making your tor client pass strings from localhost.

The best thread I can find on this topic is
http://archives.seul.org/or/talk/Nov-2007/msg00323.html

My memory of the details recalls that even with everything set to 0,
there was something that could enable the admin interface by referrer
spoofing, and then you've lost.

However, I can't find the details so, perhaps it's time to check out the
current versions of privoxy and re-evaluate. I'd love to stop shipping
a powerpc-only privoxy with the osx bundles, at a minimum.

--
Andrew Lewman
The Tor Project
Re: Yahoo Mail and Tor
Andrew Lewman wrote:
> A) The Privoxies after 3.06 have a local "web control interface"
> which we believe is a security risk. We think that remote websites can
> probably reconfigure your privoxy via that interface, maybe even without
> your noticing. If newer versions have the ability to disable this
> interface, we can consider testing and subsequently including those with
> our packages.

Can you provide a link to what you are talking about? I just searched on
the terms/phrase "web control interface" with "privoxy" and only had a
few matches, none of which seemed relevant. I also checked privoxy's
online manual ( http://www.privoxy.org/user-manual/index.html , v 1.60
2009/03/21 12:58:53) and I didn't see anything about changing
configuration that had substantively changed since I started using
privoxy 3+ years ago.

At *least* since that time there has been the ability to edit action
files via browser (web interface) if allowed in the configuration file.
The configuration file itself had to be manually edited, and, at least
in *nix, the config file could be owned by root and set to be not
writeable by privoxy (assuming privoxy was running w/o privilege).

You could also toggle "enable/disable" through privoxy's web interface
if allowed in the config file. It should be noted that "disabling"
merely turns off the application of the rules -- it does *not* affect
packet routing. So if something was sent via Tor with privoxy "enabled,"
it is still sent through Tor with privoxy "disabled." I have
specifically verified that using http://torcheck.xenobite.eu .

So could you point me to what has changed since 3.0.6 that causes
security concerns?

Thanks.

P.S. Oops, I just noticed others have requested a link. Did not mean to
repeat. I believe the rest of what I said is relevant.
Re: .exit handling (was Yahoo Mail and Tor)
downie - wrote:
>
> > Date: Fri, 10 Jul 2009 11:15:25 -0400
> > From: eril...@gmail.com
> > To: or-talk@freehaven.net
> > Subject: Re: Yahoo Mail and Tor
>
> > If I'm proxying through Tor and I type this into my browser:
> >
> > www.google.com.example.exit
> >
> > My browser asks the proxy for a connection to
> > "www.google.com.example.exit"
> >
> > Once my browser receives the connection, it then sends this down it:
> >
> > GET / HTTP/1.1\r\n
> > Host: www.google.com.example.exit\r\n
> > \r\n
> >
> > The problem is that some web servers have multiple websites on the same IP
> > and they decide which website to serve by looking at the HTTP Host header.
> > So you need privoxy/polipo to strip the "example.exit" from the HTTP Host
> > header before forwarding on the actual HTTP request, so it sends this
> > instead:
> >
> > GET / HTTP/1.1\r\n
> > Host: www.google.com\r\n
> > \r\n
> >
> > --
> > Erilenz
>
> So far so good. A possible problem then arises when the served page
> contains absolute URLs for resources, links etc which no longer use
> the .exit notation, and so could be fetched from a different exit. How
> often that would happen is open to question.
> Another Privoxy rule could be written to rewrite those page URLs I
> guess, but how would you pass the name of the required exit to the
> rule?

Should the tor exit be removing the .exit notation from the header
instead of privoxy? Or perhaps the tor client, which selects the route?
(I mistakenly thought one of those did it now. It has been a long time
since I've used .exit ...)
.exit handling (was Yahoo Mail and Tor)
> Date: Fri, 10 Jul 2009 11:15:25 -0400
> From: eril...@gmail.com
> To: or-talk@freehaven.net
> Subject: Re: Yahoo Mail and Tor

> If I'm proxying through Tor and I type this into my browser:
>
> www.google.com.example.exit
>
> My browser asks the proxy for a connection to "www.google.com.example.exit"
>
> Once my browser receives the connection, it then sends this down it:
>
> GET / HTTP/1.1\r\n
> Host: www.google.com.example.exit\r\n
> \r\n
>
> The problem is that some web servers have multiple websites on the same IP
> and they decide which website to serve by looking at the HTTP Host header.
> So you need privoxy/polipo to strip the "example.exit" from the HTTP Host
> header before forwarding on the actual HTTP request, so it sends this
> instead:
>
> GET / HTTP/1.1\r\n
> Host: www.google.com\r\n
> \r\n
>
> --
> Erilenz

So far so good. A possible problem then arises when the served page
contains absolute URLs for resources, links etc which no longer use the
.exit notation, and so could be fetched from a different exit. How often
that would happen is open to question.
Another Privoxy rule could be written to rewrite those page URLs I
guess, but how would you pass the name of the required exit to the rule?

GD
Re: Yahoo Mail and Tor
* on the Fri, Jul 10, 2009 at 01:44:22AM -0500, Scott Bennett wrote:

>> A long time ago I think there was a problem with the .exit... in the URL
>> being passed along to the website in the GET (or other) requests, which
>> sometimes caused problems. Somebody correct me if I am wrong, but I
>> believe now something in the tor chain of software (client, relays,
>> exit) filters that out.
> I should think that such a bug would have had to have been inside tor,
> not privoxy, if it indeed existed. Consider the process of privoxy making
> a connection via a tor circuit to a destination IP address and then requesting
> a page. An unproxied browser will first resolve a name to an IP address and
> then connect to that IP address. When proxied through privoxy, privoxy passes
> the entire hostname.domainname.Nickname.exit to tor instead of an IP address
> when requesting an exit connection to the destination system. The exit node
> itself then does the name-to-address resolution and establishes the connection
> to the resulting IP address. Next, privoxy sends an HTTP GET request, which
> contains no hostname, domainname, Nickname.exit, nor IP address through the
> connection to the web server at the other end. The web server reads (or has
> cached) the page contents from the filesystem path given in the GET relative
> to the base of the server's directory tree (i.e., everything *starting* with
> the third slash in the URL and continuing to the end of the URL) and then
> sends the file contents back through the connection toward the requesting system.
> Of course, some parts of that "path" may actually be other kinds of arguments
> that will be processed by the web server, that fact has no bearing on the
> process described here.

That doesn't sound completely accurate to me. Specifically the sentence
"Next, privoxy sends an HTTP GET request, which contains no hostname,
domainname, Nickname.exit, nor IP address through the connection to the
web server at the other end."

If I'm proxying through Tor and I type this into my browser:

www.google.com.example.exit

My browser asks the proxy for a connection to "www.google.com.example.exit"

Once my browser receives the connection, it then sends this down it:

GET / HTTP/1.1\r\n
Host: www.google.com.example.exit\r\n
\r\n

The problem is that some web servers have multiple websites on the same IP
and they decide which website to serve by looking at the HTTP Host header.
So you need privoxy/polipo to strip the "example.exit" from the HTTP Host
header before forwarding on the actual HTTP request, so it sends this
instead:

GET / HTTP/1.1\r\n
Host: www.google.com\r\n
\r\n

--
Erilenz
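The Host header rewrite described in the message above, as an added example that is not part of the original thread and is not code from privoxy, polipo or Tor. The function names, the nickname and fingerprint pattern, and the sample request are assumptions of this sketch; it also handles a port in the Host value, which the message does not cover.

```python
import re

# <host>.<exit>.exit[:port]; the exit is a relay nickname or a $fingerprint.
# The character rules for nicknames/fingerprints are an assumption here.
_EXIT_RE = re.compile(
    r"^(?P<host>.+)\."
    r"(?P<exit>[A-Za-z0-9]{1,19}|\$[0-9A-Fa-f]{40})"
    r"\.exit(?P<port>:\d+)?$",
    re.IGNORECASE,
)

# Constructed sample: the request shown in the message above.
SAMPLE_REQUEST = b"GET / HTTP/1.1\r\nHost: www.google.com.example.exit\r\n\r\n"


def split_exit(hostport):
    """Return (hostport without the .exit suffix, exit name or None)."""
    hostport = hostport.strip()
    m = _EXIT_RE.match(hostport)
    if not m:
        return hostport, None
    return m.group("host") + (m.group("port") or ""), m.group("exit")


def rewrite_request(raw):
    """Strip .exit notation from the Host header of one HTTP/1.x request.

    Returns (rewritten_request, tor_target, exit_name). tor_target is the
    original Host value with the .exit suffix intact: that is the name the
    proxy still hands to Tor when asking for the connection, so the exit
    selection is kept while the web server sees its real virtual host.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    tor_target, exit_name = None, None
    out = [lines[0]]  # request line is left untouched
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        # Only the first Host header is rewritten.
        if colon and name.strip().lower() == "host" and tor_target is None:
            tor_target = value.strip()
            clean, exit_name = split_exit(tor_target)
            line = f"{name}: {clean}"
        out.append(line)
    rewritten = "\r\n".join(out).encode("iso-8859-1") + sep + body
    return rewritten, tor_target, exit_name


if __name__ == "__main__":
    new_request, target, exit_name = rewrite_request(SAMPLE_REQUEST)
    print("connect via Tor to:", target)
    print("requested exit:    ", exit_name)
    print(new_request.decode("iso-8859-1"))
```

Rewriting only the request does not address the follow-up point in the thread: absolute URLs inside the returned page carry no .exit suffix, so later fetches are not pinned to the same exit.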
Re: Yahoo Mail and Tor
On Fri, 10 Jul 2009 00:15:18 -0600 Jim McClanahan wrote:
>Scott Bennett wrote:
>>
>> On Thu, 9 Jul 2009 20:37:38 -0400 downie -
>> wrote:
>> >Will Polipo be able to filter out .exit notation?
>> >
>> Why would you want it to do that? The .exit notation has to be passed
>> along to tor for it to work. If it were filtered out, then the user would
>> see a connection failure of some kind.
>
>I believe you are correct that you don't want to filter it out at the
>privoxy level. But I don't think it would result in a connection
>failure, but rather that the exit node specification would not be
>honored (other than by accident).
>
>A long time ago I think there was a problem with the .exit... in the URL
>being passed along to the website in the GET (or other) requests, which
>sometimes caused problems. Somebody correct me if I am wrong, but I
>believe now something in the tor chain of software (client, relays,
>exit) filters that out.
>
I should think that such a bug would have had to have been inside tor,
not privoxy, if it indeed existed. Consider the process of privoxy
making a connection via a tor circuit to a destination IP address and
then requesting a page. An unproxied browser will first resolve a name
to an IP address and then connect to that IP address. When proxied
through privoxy, privoxy passes the entire
hostname.domainname.Nickname.exit to tor instead of an IP address when
requesting an exit connection to the destination system. The exit node
itself then does the name-to-address resolution and establishes the
connection to the resulting IP address. Next, privoxy sends an HTTP GET
request, which contains no hostname, domainname, Nickname.exit, nor IP
address through the connection to the web server at the other end. The
web server reads (or has cached) the page contents from the filesystem
path given in the GET relative to the base of the server's directory
tree (i.e., everything *starting* with the third slash in the URL and
continuing to the end of the URL) and then sends the file contents back
through the connection toward the requesting system. Of course, some
parts of that "path" may actually be other kinds of arguments that will
be processed by the web server, that fact has no bearing on the process
described here.

Scott Bennett, Comm. ASMELG, CFIAG
Internet: bennett at cs.niu.edu
Re: Yahoo Mail and Tor
Scott Bennett wrote:
>
> On Thu, 9 Jul 2009 20:37:38 -0400 downie -
> wrote:
> >Will Polipo be able to filter out .exit notation?
> >
> Why would you want it to do that? The .exit notation has to be passed
> along to tor for it to work. If it were filtered out, then the user would
> see a connection failure of some kind.

I believe you are correct that you don't want to filter it out at the
privoxy level. But I don't think it would result in a connection
failure, but rather that the exit node specification would not be
honored (other than by accident).

A long time ago I think there was a problem with the .exit... in the URL
being passed along to the website in the GET (or other) requests, which
sometimes caused problems. Somebody correct me if I am wrong, but I
believe now something in the tor chain of software (client, relays,
exit) filters that out.
RE: Yahoo Mail and Tor
On Thu, 9 Jul 2009 20:37:38 -0400 downie - wrote:
>> Date: Thu, 9 Jul 2009 12:11:06 -0400
>> From: and...@torproject.org
>> To: or-talk@freehaven.net
>> Subject: Re: Yahoo Mail and Tor
>>
>> On 07/09/2009 11:25 AM, Scott Bennett wrote:
>> > Does polipo do all the other good things that privoxy does, including
>> > ad blocking and clickjack blocking?
>>
>> No, and this is the point. Polipo is a simple caching http proxy.
>> Polipo does include the ability to filter traffic by regex, but this is
>> disabled in our bundles.
>
>Will Polipo be able to filter out .exit notation?
>
Why would you want it to do that? The .exit notation has to be passed
along to tor for it to work. If it were filtered out, then the user
would see a connection failure of some kind.

Scott Bennett, Comm. ASMELG, CFIAG
Internet: bennett at cs.niu.edu
RE: Yahoo Mail and Tor
> Date: Thu, 9 Jul 2009 12:11:06 -0400
> From: and...@torproject.org
> To: or-talk@freehaven.net
> Subject: Re: Yahoo Mail and Tor
>
> On 07/09/2009 11:25 AM, Scott Bennett wrote:
> > Does polipo do all the other good things that privoxy does, including
> > ad blocking and clickjack blocking?
>
> No, and this is the point. Polipo is a simple caching http proxy.
> Polipo does include the ability to filter traffic by regex, but this is
> disabled in our bundles.

Will Polipo be able to filter out .exit notation?

GD
Re: Yahoo Mail and Tor
On 7/9/09, Andrew Lewman wrote:
> On 07/09/2009 11:25 AM, Scott Bennett wrote:
>
>> enable-remote-toggle 0
>> enable-remote-http-toggle 0
>> enable-edit-actions 0
>> allow-cgi-request-crunching 0
>
> I'm trying to find the email thread, but until then, even with these
> set, it was demonstrated someone can manipulate your privoxy config by
> making your tor client pass strings from localhost.

Please post the link when you do find that thread. The only things I
could find were related to an insecure configuration of Privoxy - eg.

http://archives.seul.org/or/talk/Oct-2007/msg00295.html
http://osvdb.org/show/osvdb/48694
http://osvdb.org/show/osvdb/25875

Thanks,
Lee
Re: Yahoo Mail and Tor
On 07/09/2009 11:25 AM, Scott Bennett wrote:
> enable-remote-toggle 0
> enable-remote-http-toggle 0
> enable-edit-actions 0
> allow-cgi-request-crunching 0

I'm trying to find the email thread, but until then, even with these
set, it was demonstrated someone can manipulate your privoxy config by
making your tor client pass strings from localhost.

Again, perhaps this issue is resolved in current privoxy versions, but I
haven't looked.

> Does polipo do all the other good things that privoxy does, including
> ad blocking and clickjack blocking?

No, and this is the point. Polipo is a simple caching http proxy.
Polipo does include the ability to filter traffic by regex, but this is
disabled in our bundles. If Mozilla would fix at least one bug in the
SOCKS layer, we wouldn't need to ship an http proxy with our bundles at
all. The bug being, https://bugzilla.mozilla.org/show_bug.cgi?id=280661

Our goal is not to filter the Internet, but provide anonymity. Tor users
are free to setup their own solutions if they want ad blocking,
clickjacking protection, etc. Most people do this in the browser now
with plugins.

If you want to use privoxy, by all means, keep doing so.

--
Andrew Lewman
The Tor Project
Re: Yahoo Mail and Tor
On Thu, 09 Jul 2009 10:46:05 -0400 Andrew Lewman wrote:
>On 07/09/2009 02:20 AM, bao song wrote:
>> The standard Tor bundle download for non-Windows still
>> includes Privoxy 3.0.6, which mangles Yahoo mail. Any chance of
>> either an update to a later version of Privoxy or an alternative
>> privacy package in the standard Tor download for non-Windows OSs?
>
>There are two reasons why we still ship old Privoxy versions:
>
>A) The Privoxies after 3.06 have a local "web control interface"
>which we believe is a security risk. We think that remote websites can
>probably reconfigure your privoxy via that interface, maybe even without
>your noticing. If newer versions have the ability to disable this
>interface, we can consider testing and subsequently including those with
>our packages.

enable-remote-toggle 0
enable-remote-http-toggle 0
enable-edit-actions 0
allow-cgi-request-crunching 0

>
>B) We're in the process of switching over to Polipo rather than Privoxy,
>since it's smaller, simpler, and it does pipelining better. You'll
>notice that the Tor Browser Bundle we ship already includes Polipo.

Does polipo do all the other good things that privoxy does, including
ad blocking and clickjack blocking?

>
>Those two reasons combined mean we're leaving the Privoxy that we ship
>on the old version.

Scott Bennett, Comm. ASMELG, CFIAG
Internet: bennett at cs.niu.edu
Re: Yahoo Mail and Tor
On 07/09/2009 02:20 AM, bao song wrote:
> The standard Tor bundle download for non-Windows still
> includes Privoxy 3.0.6, which mangles Yahoo mail. Any chance of
> either an update to a later version of Privoxy or an alternative
> privacy package in the standard Tor download for non-Windows OSs?

There are two reasons why we still ship old Privoxy versions:

A) The Privoxies after 3.06 have a local "web control interface"
which we believe is a security risk. We think that remote websites can
probably reconfigure your privoxy via that interface, maybe even without
your noticing. If newer versions have the ability to disable this
interface, we can consider testing and subsequently including those with
our packages.

B) We're in the process of switching over to Polipo rather than Privoxy,
since it's smaller, simpler, and it does pipelining better. You'll
notice that the Tor Browser Bundle we ship already includes Polipo.

Those two reasons combined mean we're leaving the Privoxy that we ship
on the old version.

--
Andrew Lewman
The Tor Project
Re: Yahoo Mail and Tor
On Thu, 9 Jul 2009 16:14:06 +0200 Hannah Schroeter wrote:
>On Thu, Jul 09, 2009 at 01:47:39AM -0500, Scott Bennett wrote:
>>[...]
>
>> If you're running NetBSD or OpenBSD, you may be able to do something
>>similar, but I'm not familiar with their methods. (Perhaps Hannah could
>>give an OpenBSD example here, please?)
>
>For OpenBSD, the recommended way is using the pre-built packages. If you
>are on a release, use the release packages from CD or the release
>directories on the ftp mirrors. If you are on -current (snapshots or own
>build, usually after starting from a snapshot), you use packages from
>the associated package snapshot directory.
>
>The packages can be built from the ports collection. You get the ports
>collection from CD (for release) or from ftp (for release) or via any of
>the cvs-related access methods (for release/stable, or for -current).
>Match the ports "branch" to what you run as base system, of course.
>release/stable ports for a release/stable base system, -current ports
>for a snapshot/-current base system.
>
>For ports, you build the package by entering the appropriate directory
>(e.g. /usr/ports/net/tor) and saying make package. The package is built
>in /usr/ports/packages//all/tor-.tgz.
>You can also say "make install", which is make package + pkg_add for the
>package so generated. Ditto for polipo or privoxy (both of which are
>provided as package and port). The ports infrastructure might need
>ftp/http access to retrieve the source distributions of the original
>software, but you may retrieve the appropriate files manually and put
>them into /usr/ports/distfiles/ if automatic fetching fails. (Try make
>fetch-list in /usr/ports/... to get the list of files the port would try
>to fetch).
>
Thanks, Hannah. It appears to be basically identical to the way it works
in FreeBSD, although I don't think the FreeBSD ports team normally makes
specific recommendations favoring a particular package over its port or
vice-versa with the possible exception of OpenOffice.org. :-)

If there's a NetBSD person on the list, perhaps he/she could chime in
here with directions for installing privoxy. Likewise for a Solaris
person or HP-UX person. (The last time I used HP-UX, there was no
standard procedure other than to download source, compile, and so on.)

Scott Bennett, Comm. ASMELG, CFIAG
Internet: bennett at cs.niu.edu
Re: Yahoo Mail and Tor
Hi!

On Thu, Jul 09, 2009 at 01:47:39AM -0500, Scott Bennett wrote:
>[...]

> If you're running NetBSD or OpenBSD, you may be able to do something
>similar, but I'm not familiar with their methods. (Perhaps Hannah could
>give an OpenBSD example here, please?)

For OpenBSD, the recommended way is using the pre-built packages. If you
are on a release, use the release packages from CD or the release
directories on the ftp mirrors. If you are on -current (snapshots or own
build, usually after starting from a snapshot), you use packages from
the associated package snapshot directory.

The packages can be built from the ports collection. You get the ports
collection from CD (for release) or from ftp (for release) or via any of
the cvs-related access methods (for release/stable, or for -current).
Match the ports "branch" to what you run as base system, of course.
release/stable ports for a release/stable base system, -current ports
for a snapshot/-current base system.

For ports, you build the package by entering the appropriate directory
(e.g. /usr/ports/net/tor) and saying make package. The package is built
in /usr/ports/packages//all/tor-.tgz.
You can also say "make install", which is make package + pkg_add for the
package so generated. Ditto for polipo or privoxy (both of which are
provided as package and port). The ports infrastructure might need
ftp/http access to retrieve the source distributions of the original
software, but you may retrieve the appropriate files manually and put
them into /usr/ports/distfiles/ if automatic fetching fails. (Try make
fetch-list in /usr/ports/... to get the list of files the port would try
to fetch).

Kind regards,

Hannah.
Re: Yahoo Mail and Tor
bao song wrote:
> The standard Tor bundle download for non-Windows still includes
> Privoxy 3.0.6, which mangles Yahoo mail.

I am running privoxy 3.0.6. If you want to email me off-list I will be
happy to send you my user.action file which seems to more or less work
adequately for Yahoo mail. (Sometimes there is some weirdness with
scroll bars, but it is usable. And the page *after* logging out is
somewhat mangled, but who cares about that?) You will have to sort the
relevant yahoo rules from the rest for yourself.

You can also simply "disable" privoxy (via its menu -- it still forwards
to tor appropriately) while using Yahoo mail.

If you email me, I would appreciate text (not html) email.
Re: Yahoo Mail and Tor
On Wed, 8 Jul 2009 23:20:08 -0700 (PDT) bao song wrote:
>What about those of us who consider Windows to be the Abomination of
>Desolation (1010011010) and refuse to run that operating system?
>Privoxy provides pre-compiled Windows versions, but I was unable to
>download the source for Privoxy 3.0.12 via Tor and Privoxy, and it's
>blocked by my country's firewall, so I can't download without using Tor,
>either.
>The standard Tor bundle download for non-Windows still includes Privoxy
>3.0.6, which mangles Yahoo mail.
>Any chance of either an update to a later version of Privoxy or an
>alternative privacy package in the standard Tor download for non-Windows
>OSs?

You didn't mention which operating system you do use. If you happen to
use FreeBSD or its specially packaged form known as PC-BSD, you may be
able to install privoxy 3.0.12 from the ports tree. (PC-BSD may also
have it available as a PBI.) Very often the ports and packages are
actually downloaded from sites not directly associated with the web
sites of the projects in question. Further, PC-BSD's PBI files are
unique to PC-BSD, so I suspect that they get downloaded from
www.pcbsd.org or its mirrors. Next, do something like

    # portinstall -v privoxy

or

    # portinstall -v privoxy+ipv6

to build it from the port, or else

    # portinstall -vP privoxy

or

    # portinstall -vP privoxy+ipv6

to install it from a package if available, otherwise falling back to
install from the port.

If you're running NetBSD or OpenBSD, you may be able to do something
similar, but I'm not familiar with their methods. (Perhaps Hannah could
give an OpenBSD example here, please?)

If you're running LINUX, there is undoubtedly an implementation of
available. Just install it by whatever is the standard method for the
LINUX distribution you use.

Once you have *some* version of privoxy, or perhaps polipo, installed,
you might find it useful to install proxychains or to install 3proxy and
configure it to make it easier for you to use tor upgrade to newer
versions in the future.

Scott Bennett, Comm. ASMELG, CFIAG
Internet: bennett at cs.niu.edu
Re: Yahoo Mail and Tor
What about those of us who consider Windows to be the Abomination of
Desolation (1010011010) and refuse to run that operating system?

Privoxy provides pre-compiled Windows versions, but I was unable to
download the source for Privoxy 3.0.12 via Tor and Privoxy, and it's
blocked by my country's firewall, so I can't download without using Tor,
either.

The standard Tor bundle download for non-Windows still includes Privoxy
3.0.6, which mangles Yahoo mail.

Any chance of either an update to a later version of Privoxy or an
alternative privacy package in the standard Tor download for non-Windows
OSs?

Yours,
Michael

--- On Mon, 6/7/09, Roger Dingledine wrote:

From: Roger Dingledine
Subject: Re: Yahoo Mail and Tor
To: or-talk@freehaven.net
Received: Monday, 6 July, 2009, 11:06 AM

On Mon, Jul 06, 2009 at 10:51:03AM +0400, James Brown wrote:
> > Are you by any chance using the Vidalia bundle which unfortunately
> > contains a Privoxy version that is several years out of date?
> >
> > As far as I know, the Yahoo-related problems have been fixed
> > quite some time ago and if you still notice any problems with
> > Privoxy 3.0.12 or later, feel free to report them so we can
> > fix them.
>
> I have installed the latest stable version for Windows but nothing changed.
> Now I use Vidalia 0.1.14, Tor 0.2.0.35, Privoxy 3.0.6
> Do I need use testing or unstable version?
> P.S. Under Linux Debian I have such problem too, but some little than
> under Windows. There I use standard packages for Debian Lenny AMD64.

You should try the Tor Browser Bundle for Windows, and compare how that
goes. It uses Polipo rather than Privoxy, so should have different
application-level behavior.

--Roger
Re: Yahoo Mail and Tor
On Mon, Jul 06, 2009 at 10:51:03AM +0400, James Brown wrote:
> > Are you by any chance using the Vidalia bundle which unfortunately
> > contains a Privoxy version that is several years out of date?
> >
> > As far as I know, the Yahoo-related problems have been fixed
> > quite some time ago and if you still notice any problems with
> > Privoxy 3.0.12 or later, feel free to report them so we can
> > fix them.
>
> I have installed the latest stable version for Windows but nothing changed.
> Now I use Vidalia 0.1.14, Tor 0.2.0.35, Privoxy 3.0.6
> Do I need use testing or unstable version?
> P.S. Under Linux Debian I have such problem too, but some little than
> under Windows. There I use standard packages for Debian Lenny AMD64.

You should try the Tor Browser Bundle for Windows, and compare how that
goes. It uses Polipo rather than Privoxy, so should have different
application-level behavior.

--Roger
Re: Yahoo Mail and Tor
Fabian Keil wrote:
> bao song wrote:
>
>> Two months??? I have had trouble with Yahoo Mail via Privoxy for more
>> than four years.
>>
>
> I'm sorry to hear that.
>
> Are you by any chance using the Vidalia bundle which unfortunately
> contains a Privoxy version that is several years out of date?
>
>> At first, I was given some config file modifications
>> for Privoxy so it would allow me to use Yahoo Mail, but this disabled a
>> lot of the stuff Privoxy did, and I wanted that stuff for other sites.
>> Also, I was still unable to log out of Yahoo Mail even with the
>> modifications someone had posted. So I now disable all of Privoxy when
>> signing out of Yahoo Mail. Here, behind a Middle Eastern firewall, the
>> Yahoo Mail signout is often blocked by the firewall, as well as by
>> Privoxy for reasons that escape me. Sometimes, I can sign out if I don't
>> use Tor at all. Other times, I can only sign out if I use Tor without
>> Privoxy. Yahoo mail is accessible through Privoxy, but all style sheets
>> are disabled, so the display is rather annoying. Annoying or not, I use
>> Privoxy until I need to sign out, disable Privoxy, sign out of Yahoo
>> Mail, then turn Privoxy back on in default mode. I'm still not sure what
>> it is about Yahoo Signout that Privoxy (and the local firewall) see the
>> need to block.
>>
>
> That sounds like a lot more work than simply upgrading
> your Privoxy version or even back porting the action file
> changes manually.
>
> As far as I know, the Yahoo-related problems have been fixed
> quite some time ago and if you still notice any problems with
> Privoxy 3.0.12 or later, feel free to report them so we can
> fix them.
>
> Fabian
>

I have installed the latest stable version for Windows but nothing changed.
Now I use Vidalia 0.1.14, Tor 0.2.0.35, Privoxy 3.0.6
Do I need to use testing or unstable version?
P.S. Under Linux Debian I have such problem too, but some little than under Windows. There I use standard packages for Debian Lenny AMD64.
Re: Yahoo Mail and Tor
bao song wrote:
> Two months??? I have had trouble with Yahoo Mail via Privoxy for more
> than four years.

I'm sorry to hear that.

Are you by any chance using the Vidalia bundle which unfortunately contains a Privoxy version that is several years out of date?

> At first, I was given some config file modifications
> for Privoxy so it would allow me to use Yahoo Mail, but this disabled a
> lot of the stuff Privoxy did, and I wanted that stuff for other sites.
> Also, I was still unable to log out of Yahoo Mail even with the
> modifications someone had posted. So I now disable all of Privoxy when
> signing out of Yahoo Mail. Here, behind a Middle Eastern firewall, the
> Yahoo Mail signout is often blocked by the firewall, as well as by
> Privoxy for reasons that escape me. Sometimes, I can sign out if I don't
> use Tor at all. Other times, I can only sign out if I use Tor without
> Privoxy. Yahoo mail is accessible through Privoxy, but all style sheets
> are disabled, so the display is rather annoying. Annoying or not, I use
> Privoxy until I need to sign out, disable Privoxy, sign out of Yahoo
> Mail, then turn Privoxy back on in default mode. I'm still not sure what
> it is about Yahoo Signout that Privoxy (and the local firewall) see the
> need to block.

That sounds like a lot more work than simply upgrading your Privoxy version or even back porting the action file changes manually.

As far as I know, the Yahoo-related problems have been fixed quite some time ago and if you still notice any problems with Privoxy 3.0.12 or later, feel free to report them so we can fix them.

Fabian
Re: Yahoo Mail and Tor
Two months??? I have had trouble with Yahoo Mail via Privoxy for more than four years. At first, I was given some config file modifications for Privoxy so it would allow me to use Yahoo Mail, but this disabled a lot of the stuff Privoxy did, and I wanted that stuff for other sites. Also, I was still unable to log out of Yahoo Mail even with the modifications someone had posted. So I now disable all of Privoxy when signing out of Yahoo Mail. Here, behind a Middle Eastern firewall, the Yahoo Mail signout is often blocked by the firewall, as well as by Privoxy for reasons that escape me. Sometimes, I can sign out if I don't use Tor at all. Other times, I can only sign out if I use Tor without Privoxy. Yahoo mail is accessible through Privoxy, but all style sheets are disabled, so the display is rather annoying. Annoying or not, I use Privoxy until I need to sign out, disable Privoxy, sign out of Yahoo Mail, then turn Privoxy back on in default mode. I'm still not sure what it is about Yahoo Signout that Privoxy (and the local firewall) see the need to block.

Michael

--- On Sat, 4/7/09, James Brown wrote:

I use the gmail within Tor very easy but I have some problems sometimes with other services of Google. But about last two months there is problems with using the Yahoo mail through Tor.