Re: When can I get TOR for mobile?

2010-05-26 Thread Orionjur Tor-admin
and...@torproject.org wrote:
 On Tue, May 25, 2010 at 12:59:48PM +, tor-ad...@orionjurinform.com wrote 
 0.8K bytes in 18 lines about:
 : Does a Tor-version for WM exist? I thought that such tor-version didn't
 : exist.
 
 It doesn't exist in binary form.  However, thanks to a volunteer, we
 just committed some code to support it this week.
 
 See,
 https://gitweb.torproject.org/tor.git/commit/312f4ee410de718aaf20030d22a93f1c258faa37
 for an example.
 

I have got the 312f4ee410de718aaf20030d22a93f1c258faa37.tar.gz file, and
how could I install it on my WM-PPC? It seems to me that I can't do it
through make && make install on my Linux machine (for WM).
Sorry for the lamer's question, but I have never compiled Windows programs
from sources.
And where can I get OpenSSL and libz for WM, do they exist? (I
have read in the readme.txt file that OpenSSL and libz both compile on
MinGW out of the box).
***
To unsubscribe, send an e-mail to majord...@torproject.org with
unsubscribe or-talkin the body. http://archives.seul.org/or/talk/


Re: Re: problem with bridges and a suggestion

2010-05-26 Thread for.tor.bridge
dear andrew,

thanks a lot for your prompt reply.

as to your question:
Can you send debug logs to tor-assista...@torproject.org with what
happens when your client tries to connect to the bridges?

my answer:
sorry, I'm not familiar with TOR development, could you kindly tell me which 
file or files the debug logs are in?

as to your comment:
This is unlikely.  In our experience, they are merely blocking IP:Port 
combinations.

my answer:
I know some developers of China's blocking projects, so I know that they have 
more methods than that.
First, the so-called static blocking method includes both a pure IP mode and 
an IP:port combination mode;
second, the so-called dynamic blocking method can break TCP connections based on 
traffic fingerprints.

hope I can help.
 
frank
2010-05-26

-
From: andrew
Sent: 2010-05-25 19:52:05
To: or-talk
Cc:
Subject: Re: problem with bridges and a suggestion

On Tue, May 25, 2010 at 05:18:44PM +0800, for.tor.bri...@gmail.com wrote 1.3K 
bytes in 36 lines about:
: China is blocking TOR more and more strictly,
: I can't establish a TOR circuit even though I updated bridges in the config file
: torrc with info retrieved from https://bridges.torproject.org and
: email replies from brid...@torproject.org.

Correct.  We are aware of this.

: this morning, I got some new bridges through a hidden https proxy and
: established a TOR circuit, but after some time, I lost the connection
: and couldn't  establish a TOR circuit any more.

Can you send debug logs to tor-assista...@torproject.org with what
happens when your client tries to connect to the bridges?

: from my knowledge to china's blocking methods, I believe they found my
: newly got bridges through network traffic protocol analysis, and
: blocked them.

This is unlikely.  In our experience, they are merely blocking IP:Port
combinations.

: use a general protocol for TOR clients to interact with bridges, so
: that they can't distinguish the traffic between TOR clients and
: bridges,
: so that they can't find new bridges got through private ways.

Tor traffic through bridges vs. public relays is the same.  There is not
a special bridge connection.  See
https://www.torproject.org/faq#RelayOrBridge, also that text needs to be
updated to reflect China's uniqueness in filtering Tor public relays.

: the general protocol could be https which is encryption protected;

It is already.  What may be unique is we start the connection with a TLS
renegotiation.  This is probably starting to stand out as unique now
that OpenSSL decided to everyone used renegotiation incorrectly and
almost all operating systems have erroneously disabled this
functionality by default.  See
https://www.torproject.org/faq#KeyManagement

: the general protocol could be plain http, if you can encode its
: content dynamically and privately, and don't make it display any
: fingerprints.

Then someone can read your traffic.  Hiding in plain sight sounds good
on paper, but doesn't stand up to academic research, so far.  See
https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TorFAQ#YoushouldusesteganographytohideTortraffic.

-- 
Andrew Lewman
The Tor Project
pgp 0x31B0974B

Website: https://www.torproject.org/
Blog: https://blog.torproject.org/
Identi.ca: torproject


Re: Re: Tor Exit Node hosting: torservers.net

2010-05-26 Thread frank
屠申完美,

the bridges are blocked, try to find some more bridges.

sincerely,
 
frank
2010-05-26

-
sender: 屠申完美
sending date: 2010-05-26 12:27:14
receiver: or-talk
cc: 
subject: Re: Tor Exit Node hosting: torservers.net

Dear all,
My Tor has an error; this is the message log:
 [Warning] Problem bootstrapping. Stuck at 10%: Finishing handshake with
directory server. (Socket is not connected [WSAENOTCONN ]; NOROUTE; count 4;
recommendation warn)

I have already set the bridges. Please help me, thanks.


Re: Re: problem with bridges and a suggestion

2010-05-26 Thread frank
dear andrew,

I tried to reach directory server with the following config:

#use a https proxy to reach directory server
HttpProxy IP:port

but it doesn't work. Does the directory server not support an https proxy?

my suggestion:
1.
let the directory server support https proxy, so that tor clients could reach 
it through a hidden https proxy;
2.
the directory server tests the reachability from some relays to the requesting 
tor clients, 
then sends back to the tor clients just a sufficient number of relays reachable by 
the requesting tor clients;
3.
in order to accomplish step 2, you have to set up some mechanics for relays to 
actively test reachability from them to tor clients.

hope I can help.

sincerely,
 
frank
2010-05-26

-
From: andrew
Sent: 2010-05-25 19:52:05
To: or-talk
Cc:
Subject: Re: problem with bridges and a suggestion

On Tue, May 25, 2010 at 05:18:44PM +0800, for.tor.bri...@gmail.com wrote 1.3K 
bytes in 36 lines about:
: China is blocking TOR more and more strictly,
: I can't establish a TOR circuit even though I updated bridges in the config file
: torrc with info retrieved from https://bridges.torproject.org and
: email replies from brid...@torproject.org.

Correct.  We are aware of this.

: this morning, I got some new bridges through a hidden https proxy and
: established a TOR circuit, but after some time, I lost the connection
: and couldn't  establish a TOR circuit any more.

Can you send debug logs to tor-assista...@torproject.org with what
happens when your client tries to connect to the bridges?

: from my knowledge to china's blocking methods, I believe they found my
: newly got bridges through network traffic protocol analysis, and
: blocked them.

This is unlikely.  In our experience, they are merely blocking IP:Port
combinations.

: use a general protocol for TOR clients to interact with bridges, so
: that they can't distinguish the traffic between TOR clients and
: bridges,
: so that they can't find new bridges got through private ways.

Tor traffic through bridges vs. public relays is the same.  There is not
a special bridge connection.  See
https://www.torproject.org/faq#RelayOrBridge, also that text needs to be
updated to reflect China's uniqueness in filtering Tor public relays.

: the general protocol could be https which is encryption protected;

It is already.  What may be unique is we start the connection with a TLS
renegotiation.  This is probably starting to stand out as unique now
that OpenSSL decided to everyone used renegotiation incorrectly and
almost all operating systems have erroneously disabled this
functionality by default.  See
https://www.torproject.org/faq#KeyManagement

: the general protocol could be plain http, if you can encode its
: content dynamically and privately, and don't make it display any
: fingerprints.

Then someone can read your traffic.  Hiding in plain sight sounds good
on paper, but doesn't stand up to academic research, so far.  See
https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TorFAQ#YoushouldusesteganographytohideTortraffic.

-- 
Andrew Lewman
The Tor Project
pgp 0x31B0974B

Website: https://www.torproject.org/
Blog: https://blog.torproject.org/
Identi.ca: torproject


Re: Re: Tor Exit Node hosting: torservers.net

2010-05-26 Thread Dare
Frank,
Thanks for your help. I got a lot of bridges today, but all are blocked.
So I tried to install your-freedom and set the proxy in Tor; now it works
great.
But I think your-freedom can't always work well, so how can I get a
strong bridge for Tor?

2010/5/26 frank for.tor.bri...@gmail.com

 屠申完美,

 the bridges are blocked, try to find some more bridges.

 sincerely,

 frank
 2010-05-26

 -
 sender: 屠申完美
 sending date: 2010-05-26 12:27:14
 receiver: or-talk
 cc:
 subject: Re: Tor Exit Node hosting: torservers.net

 Dear all,
 My tor have a error,this is the message log:
  [Warning] Problem bootstrapping. Stuck at 10%: Finishing handshake with
 directory server. (Socket is not connected [WSAENOTCONN ]; NOROUTE; count
 4;
 recommendation warn)

 I have already set the bridges. pls help me,thanks.




-- 
Dare


gwget and tor?

2010-05-26 Thread emigrant
is there a way to use gwget with tor?
most of the times I download a direct link in tor-enabled firefox it
stops in the middle even though the internet connection is good.

thanks.



Re: Tor Exit Node hosting: torservers.net

2010-05-26 Thread andrew
On Tue, May 25, 2010 at 11:24:43AM +0200, t...@wiredwings.com wrote 0.9K bytes 
in 23 lines about:
 I set up a preliminary homepage at http://www.torservers.net/

Looks good.  You have already received plenty of feedback about creating
confusion as to who is sponsoring these relays, so I'm not going to
address it further.  

My advice is that if you are trying to attract non-technical people to
donate money in order to create more relays, your index page needs to be
far less technical.  As examples, look at the difference in
http://www.charitywater.org/ versus http://www.watercharity.org/.   They
roughly do the same thing in the eyes of a normal person.  The former
website is much more successful at public fundraising according to their
990 filings.  

Also, explain how creating more tor/i2p nodes helps the normal person.
Or, who it actually helps.  And I suggest having two simple
thermometers; total funds raised and number of nodes possible per year.

Overall, I'm happy we have people starting to try to create more relays,
whether through this model or the Coldboot UK model.  

Good luck.

-- 
Andrew Lewman
The Tor Project
pgp 0x31B0974B

Website: https://www.torproject.org/
Blog: https://blog.torproject.org/
Identi.ca: torproject


Re: gwget and tor?

2010-05-26 Thread Aplin, Justin M

On 5/26/2010 7:39 AM, emigrant wrote:

is there a way to use gwget with tor?
most of the times i download a direct link in tor enabled firefox it
stops in the middle despite the internet connection is good.
   
I don't know about gwget, but plain wget supports http proxies, which 
you can point at Polipo. If you're only going to need to do this every 
once in a while, I'd pop open a terminal and do the following:
HTTP_PROXY=127.0.0.1:8118 && HTTPS_PROXY=127.0.0.1:8118 && FTP_PROXY=127.0.0.1:8118

export HTTP_PROXY && export HTTPS_PROXY && export FTP_PROXY
wget your://url.to/download.here

If that doesn't work for you, open your Polipo configuration file and 
see what port it's set up to run on, and change the bit after the colon 
in the environmental variables. Wget will pick up on the environmental 
variables and should route your download through Tor. These settings 
will only last until you either close the shell, or until you log out (I 
forget which and can't make it to my linux box to check), so if you'll 
be doing this a lot you can add the following lines to your .wgetrc file 
to have them executed automatically:


proxy = on
HTTP_PROXY = 127.0.0.1:8118
HTTPS_PROXY = 127.0.0.1:8118
FTP_PROXY = 127.0.0.1:8118

To resume an interrupted download, just add the -c option, like so:

wget -c your://url.to/download.here


thanks.

   


Anytime =)

~japlin
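An added example, not Justin's or the list's own code, that turns the two approaches above into one small POSIX sh script: it exports the proxy variables in the full-URL form (http://host:port/) rather than bare host:port, emits a matching ~/.wgetrc fragment, and wraps the resumable download. It assumes Polipo listens on 127.0.0.1:8118 as in the post; the wgetrc keys use_proxy, http_proxy, https_proxy and ftp_proxy are the names the wget manual documents, and the lower-case environment variables are the ones wget itself reads (the upper-case twins are set for other tools).

```shell
#!/bin/sh
# Added example (not from the original post): route wget through Tor's Polipo
# HTTP proxy.  Assumes Polipo on 127.0.0.1:8118, the default used in the thread;
# override with POLIPO_HOST / POLIPO_PORT if polipo.conf says otherwise.

POLIPO_HOST=${POLIPO_HOST:-127.0.0.1}
POLIPO_PORT=${POLIPO_PORT:-8118}

# proxy_url HOST PORT: print the full URL form "http://HOST:PORT/".
# A bare host:port leaves the scheme ambiguous; the URL form is unambiguous
# for wget and for BSD fetch(3).
proxy_url() {
    printf 'http://%s:%s/\n' "$1" "$2"
}

# export_tor_proxy: export the lower-case variables wget documents and the
# upper-case twins for tools that read those instead.
export_tor_proxy() {
    url=$(proxy_url "$POLIPO_HOST" "$POLIPO_PORT")
    http_proxy=$url;  https_proxy=$url;  ftp_proxy=$url
    HTTP_PROXY=$url;  HTTPS_PROXY=$url;  FTP_PROXY=$url
    export http_proxy https_proxy ftp_proxy HTTP_PROXY HTTPS_PROXY FTP_PROXY
}

# wgetrc_fragment: print lines to append to ~/.wgetrc so the setting survives
# closing the shell (the part the post was unsure about).
wgetrc_fragment() {
    url=$(proxy_url "$POLIPO_HOST" "$POLIPO_PORT")
    printf 'use_proxy = on\n'
    printf 'http_proxy = %s\nhttps_proxy = %s\nftp_proxy = %s\n' "$url" "$url" "$url"
}

# tor_wget URL: download through the proxy; -c resumes a partial file, which is
# the "stops in the middle" problem in the original question.
tor_wget() {
    export_tor_proxy
    wget -c "$1"
}

# Usage:  tor_wget 'https://example.invalid/file.iso'
#         wgetrc_fragment >> ~/.wgetrc
```

If a download still stalls, check that Polipo is actually listening on the configured port before blaming the network; with the wgetrc fragment in place the environment variables are no longer needed.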


Bridges and China (new thread)

2010-05-26 Thread andrew
Rather than continue to hijack the old thread, here's a new one about
bridges and china.

I'm fully aware the GFW seems to have successfully crawled
https://bridges.torproject.org and added all of those bridges into their
blocking regime.  The email distribution method, brid...@torproject.org,
may also have been crawled and added to the blocking regime.  There are
still 3 other pools of bridge addresses, one of which is held in
reserve.  It seems the other two methods are continuing to work, as a
paltry 5000 connections from China still can access Tor daily.  This is
vastly smaller than the 100,000 or so we used to get.  

The other methods of obtaining bridges are slower and more viral.  They
use social networking technologies like twitter and qq to distribute
bridge addresses.  I've been told if you search on baidu, you can find
such bridge addresses.  And until now, they still work.  We've given
some addresses to trusted networks inside China. What they do with the
bridges is up to them.  I've heard some are bridge addresses are being
released by blog posts, BBS posts, qq, and ads on taobao. I'm assuming
the admins of the GFW read or-talk in some fashion.  They are doing
their job and we're doing ours.

Conversely, Tor supports 3rd party http/https proxies.  Many people use
Tor because they want the privacy aspects of it, not just the ability to
circumvent a firewall.  You can use the 3rd party http/https proxy as
the access layer around the blocking system, and then to tor.

This is an arms race, we're working on next steps in it.

-- 
Andrew Lewman
The Tor Project
pgp 0x31B0974B

Website: https://www.torproject.org/
Blog: https://blog.torproject.org/
Identi.ca: torproject
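An added example, not from Andrew's post or the Tor Project, of the layering described above in torrc terms: a POSIX sh helper that validates the addresses and prints the lines that make a client reach its bridges through a third-party HTTPS (CONNECT) proxy. UseBridges, Bridge, HttpsProxy, HttpsProxyAuthenticator and SafeLogging are real torrc options; the helper names and every address in the usage line are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post or the Tor Project.
# Generates torrc lines so a client reaches its bridges through a third-party
# HTTPS (CONNECT) proxy.  Option names are real torrc options; every address
# used here is a constructed placeholder from documentation ranges.

# valid_hostport STRING: succeed if STRING is host:port with a port in 1..65535.
# Tor refuses malformed values at startup, so reject them before writing torrc.
valid_hostport() {
    case $1 in
        *:*) ;;
        *)   return 1 ;;
    esac
    host=${1%:*}
    port=${1##*:}
    [ -n "$host" ] || return 1
    case $port in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# torrc_fragment PROXY AUTH BRIDGE...: print the torrc lines to stdout.
# PROXY is host:port of the CONNECT proxy, AUTH is "user:pass" or "" when the
# proxy needs no credentials, BRIDGE... are one or more bridge host:port values.
torrc_fragment() {
    proxy=$1; auth=$2; shift 2
    valid_hostport "$proxy" || { echo "bad proxy address: $proxy" >&2; return 1; }
    [ $# -ge 1 ] || { echo "at least one bridge is required" >&2; return 1; }
    printf '# Talk to the network only through the bridges listed below.\n'
    printf 'UseBridges 1\n'
    for b in "$@"; do
        valid_hostport "$b" || { echo "bad bridge address: $b" >&2; return 1; }
        printf 'Bridge %s\n' "$b"
    done
    printf '# Tunnel OR connections through a CONNECT proxy outside the filter.\n'
    printf 'HttpsProxy %s\n' "$proxy"
    if [ -n "$auth" ]; then
        printf 'HttpsProxyAuthenticator %s\n' "$auth"
    fi
    printf '# Already the default; stated so bridge addresses stay out of shared logs.\n'
    printf 'SafeLogging 1\n'
}

# Usage (placeholder addresses):
#   torrc_fragment 198.51.100.7:3128 "" 192.0.2.10:443 192.0.2.11:8443 >> torrc
```

The proxy only carries the client's TLS connections to the bridges; it does not see Tor traffic in the clear, but it does learn the bridge addresses, so it should be one the user trusts not to report them.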


Re: gwget and tor?

2010-05-26 Thread Scott Bennett
 On Wed, 26 May 2010 09:40:29 -0400 Aplin, Justin M jmap...@ufl.edu
wrote:
On 5/26/2010 7:39 AM, emigrant wrote:
 is there a way to use gwget with tor?
 most of the times i download a direct link in tor enabled firefox it
 stops in the middle despite the internet connection is good.

I don't know about gwget, but plain wget supports http proxies, which 
you can point at Polipo. If you're only going to need to do this every 
once in a while, I'd pop open a terminal and do the following:
HTTP_PROXY=127.0.0.1:8118 && HTTPS_PROXY=127.0.0.1:8118 && FTP_PROXY=127.0.0.1:8118
export HTTP_PROXY && export HTTPS_PROXY && export FTP_PROXY
wget your://url.to/download.here

 Once again, I strongly recommend that you set the *_proxy environment
variables to full URLs rather than to the abbreviated forms you've shown
above.  See fetch(3) in the man pages for details.

If that doesn't work for you, open your Polipo configuration file and 
see what port it's set up to run on, and change the bit after the colon 
in the environmental variables. Wget will pick up on the environmental 
variables and should route your download through Tor. These settings 
will only last until you either close the shell, or until you log out (I 
forget which and can't make it to my linux box to check), so if you'll 
be doing this a lot you can add the following lines to your .wgetrc file 
to have them executed automatically:

proxy = on
HTTP_PROXY = 127.0.0.1:8118
HTTPS_PROXY = 127.0.0.1:8118
FTP_PROXY = 127.0.0.1:8118

 See note above.

To resume an interrupted download, just add the -c option, like so:

wget -c your://url.to/download.here


  Scott Bennett, Comm. ASMELG, CFIAG
**
* Internet:   bennett at cs.niu.edu  *
**
* A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army.   *
*-- Gov. John Hancock, New York Journal, 28 January 1790 *
**


Re: problem with bridges and a suggestion

2010-05-26 Thread Stephen Carpenter
On Tue, May 25, 2010 at 7:51 AM,  and...@torproject.org wrote:
 On Tue, May 25, 2010 at 05:18:44PM +0800, for.tor.bri...@gmail.com wrote 1.3K 
 bytes in 36 lines about:

 : this morning, I got some new bridges through a hidden https proxy and
 : established a TOR circuit, but after some time, I lost the connection
 : and couldn't  establish a TOR circuit any more.

 Can you send debug logs to tor-assista...@torproject.org with what
 happens when your client tries to connect to the bridges?

 : from my knowledge to china's blocking methods, I believe they found my
 : newly got bridges through network traffic protocol analysis, and
 : blocked them.

 This is unlikely.  In our experience, they are merely blocking IP:Port
 combinations.

The question though is... how do they find them? Sure, you can get the
directory list, scrape the common bridge lists. However... this pretty
quickly is just Whack a Mole. You have to imagine that they are
smart enough to figure that a person who was using tor yesterday, is
probably looking for a new bridge today.

Once you know who, even if it's a small subset, is using tor, and smart
enough to find bridges as you shut them down, well... it wouldn't be
hard to watch them, and identify which connections of theirs are
bridges, and then push out new block lists. Even if I can't prove that
your connection from port x to port y is a tor connection, I can still
connect to the same remote port and negotiate an ssl connection myself
and verify if it's a bridge. Hell, it could be automated.

It may not be 100%, but it doesn't really need to be. It's not like
you need all the users all the time, just enough to raise the bar and
cut down the numbers.

 : use a general protocol for TOR clients to interact with bridges, so
 : that they can't distinguish the traffic between TOR clients and
 : bridges,
 : so that they can't find new bridges got through private ways.

 Tor traffic through bridges vs. public relays is the same.  There is not
 a special bridge connection.  See
 https://www.torproject.org/faq#RelayOrBridge, also that text needs to be
 updated to reflect China's uniqueness in filtering Tor public relays.

 : the general protocol could be https which is encryption protected;

 It is already.  What may be unique is we start the connection with a TLS
 renegotiation.  This is probably starting to stand out as unique now
 that OpenSSL decided to everyone used renegotiation incorrectly and
 almost all operating systems have erroneously disabled this
 functionality by default.  See
 https://www.torproject.org/faq#KeyManagement

Perhaps other ways of hiding it are needed. As it is, it would be
trivial to connect via ssl and verify if a machine talks onion router.
It might be harder if there were multiple protocol paths into it. What
if I connect on port 25 and get a normal mail server, then start tls
from within the protocol and use a command to switch to onion routing. I
connect on port 636 and it's ldap first. 993 and it's IMAP over ssl.

Perhaps the secret command to initiate the protocol could be part of
the bridge description?

-Steve


Re: Bridges and China (new thread)

2010-05-26 Thread Al MailingList
On Wed, May 26, 2010 at 4:06 PM,  and...@torproject.org wrote:
 Rather than continue to hijack the old thread, here's a new one about
 bridges and china.

 I'm fully aware the GFW seems to have successfully crawled
 https://bridges.torproject.org and added all of those bridges into their
 blocking regime.  The email distribution method, brid...@torproject.org,
 may also have been crawled and added to the blocking regime.  There are
 still 3 other pools of bridge addresses, one of which is held in
 reserve.  It seems the other two methods are continuing to work, as a
 paltry 5000 connections from China still can access Tor daily.  This is
 vastly smaller than the 100,000 or so we used to get.

Is it worth adding a captcha to bridges.torproject.org? Incidentally,
what happens when adversaries just block access to that site?

How about responding to bridge request emails with a captcha style
email attachment with the IPs of bridges?

That would kill any automated attempt to scrape the bridges?

Al


Re: Bridges and China (new thread)

2010-05-26 Thread Ryan Day
On Wed, May 26, 2010 at 3:42 PM, Al MailingList alpal.mailingl...@gmail.com
 wrote:


 Is it worth adding a captcha to bridges.torproject.org? Incidentally,
 what happens when adversaries just block access to that site?

 How about responding to bridge request emails with a captcha style
 email attachment with the IPs of bridges?

 That would kill any automated attempt to scrape the bridges?

 Al


I have a project called ObfuscaTOR which reads bridge information and
displays it using captcha-style encoding.  It's a WordPress plugin, and
development is kinda stalled.  There have been some downloads and a Reddit
post, but other than that interest seemed kind of low.  I even had one guy
email me to remove the project as I was helping to destroy the Tor Project.

This gets around adversaries blocking access because any one of the
millions of bloggers can include the plugin, so you can't block the whole
internet (unless you have a country-wide firewall of course ;)   As far as
automated scanning, I have heard China doesn't automate the process so much
as they have thousands of workers manually scanning for things such as this.

I like your email idea though; it's a lot easier to track and block email
requests from the same domain.  It seems like it would be a lot harder to
set up lots of fake mail servers.  How about incoming email being filtered
based on the sender, however?


Ryan


Re: Bridges and China (new thread)

2010-05-26 Thread andrew
On Wed, May 26, 2010 at 08:42:12PM +0100, alpal.mailingl...@gmail.com wrote 
1.2K bytes in 26 lines about:
: Is it worth adding a captcha to bridges.torproject.org? Incidentally,
: what happens when adversaries just block access to that site?

Is it worth adding? Maybe.  Most captcha systems assume a program is
trying to break them; increasingly, blog spam and such is done by humans
paid pennies per hour.  

: That would kill any automated attempt to scrape the bridges?

Assume a human is doing the scraping.

-- 
Andrew Lewman
The Tor Project
pgp 0x31B0974B

Website: https://www.torproject.org/
Blog: https://blog.torproject.org/
Identi.ca: torproject


No fingerprint in Notice level log on Windows

2010-05-26 Thread Aplin, Justin M
This may be borderline nitpicking, but a nice feature I've noticed when 
configuring my PPC machines is that Vidalia catches a line from the log 
starting "Your Tor server's identity key fingerprint is". I've found 
it's useful to have at a glance in a number of testing and configuring 
situations. None of my Windows machines seem to show this; both are left 
at log level Notice.


I haven't had time to play with different log levels yet, maybe I'll get 
to it this weekend. Plus my Windows server has been getting a lot of 
traffic today, I feel bad restarting it lol.


Is anyone else as anal as me about noticing things like this?

~japlin


Re: Re: problem with bridges and a suggestion

2010-05-26 Thread frank
Steve,

thanks a lot, steve, you got my points totally!
I can't express my points very clearly, I'm not a native english speaker. :-(

sincerely,
 
frank
2010-05-27

-
sender: Stephen Carpenter
sending date: 2010-05-27 00:01:47
receiver: or-talk
cc: 
subject: Re: problem with bridges and a suggestion

On Tue, May 25, 2010 at 7:51 AM,  and...@torproject.org wrote:
 On Tue, May 25, 2010 at 05:18:44PM +0800, for.tor.bri...@gmail.com wrote 1.3K 
 bytes in 36 lines about:

 : this morning, I got some new bridges through a hidden https proxy and
 : established a TOR circuit, but after some time, I lost the connection
 : and couldn't  establish a TOR circuit any more.

 Can you send debug logs to tor-assista...@torproject.org with what
 happens when your client tries to connect to the bridges?

 : from my knowledge to china's blocking methods, I believe they found my
 : newly got bridges through network traffic protocol analysis, and
 : blocked them.

 This is unlikely.  In our experience, they are merely blocking IP:Port
 combinations.

The question though is... how do they find them? Sure, you can get the
directory list, scrape the common bridge lists. However... this pretty
quickly is just Whack a Mole. You have to imagine that they are
smart enough to figure that a person who was using tor yesterday, is
probably looking for a new bridge today.

Once you know who, even if it's a small subset, is using tor, and smart
enough to find bridges as you shut them down, well... it wouldn't be
hard to watch them, and identify which connections of theirs are
bridges, and then push out new block lists. Even if I can't prove that
your connection from port x to port y is a tor connection, I can still
connect to the same remote port and negotiate an ssl connection myself
and verify if it's a bridge. Hell, it could be automated.

It may not be 100%, but it doesn't really need to be. It's not like
you need all the users all the time, just enough to raise the bar and
cut down the numbers.

 : use a general protocol for TOR clients to interact with bridges, so
 : that they can't distinguish the traffic between TOR clients and
 : bridges,
 : so that they can't find new bridges got through private ways.

 Tor traffic through bridges vs. public relays is the same.  There is not
 a special bridge connection.  See
 https://www.torproject.org/faq#RelayOrBridge, also that text needs to be
 updated to reflect China's uniqueness in filtering Tor public relays.

 : the general protocol could be https which is encryption protected;

 It is already.  What may be unique is we start the connection with a TLS
 renegotiation.  This is probably starting to stand out as unique now
 that OpenSSL decided to everyone used renegotiation incorrectly and
 almost all operating systems have erroneously disabled this
 functionality by default.  See
 https://www.torproject.org/faq#KeyManagement

Perhaps other ways of hiding it are needed. As it is, it would be
trivial to connect via ssl and verify if a machine talks onion router.
It might be harder if there were multiple protocol paths into it. What
if I connect on port 25 and get a normal mail server, then start tls
from within the protocol and use a command to switch to onion routing. I
connect on port 636 and it's ldap first. 993 and it's IMAP over ssl.

Perhaps the secret command to initiate the protocol could be part of
the bridge description?

-Steve

Re: Bridges and China (new thread)

2010-05-26 Thread frank
hi, andrew,

I've been told if you search on baidu, you can find such bridge addresses.
bridge addresses are being released by blog posts, BBS posts, qq, and ads on 
taobao.
Then the bad guys can get and block them too through baidu searching,
and what's more, qq is totally under the control of the bad guys; we can't trust qq, believe 
me, I know the truth.

Tor supports 3rd party http/https proxies
Could you kindly tell me how to use tor over 3rd party https/http proxies? 
What's the config?
 

sincerely,
 
frank
2010-05-27

-
sender: andrew
sending date: 2010-05-26 23:07:04
receiver: or-talk
cc: 
subject: Bridges and China (new thread)

Rather than continue to hijack the old thread, here's a new one about
bridges and china.

I'm fully aware the GFW seems to have successfully crawled
https://bridges.torproject.org and added all of those bridges into their
blocking regime.  The email distribution method, brid...@torproject.org,
may also have been crawled and added to the blocking regime.  There are
still 3 other pools of bridge addresses, one of which is held in
reserve.  It seems the other two methods are continuing to work, as a
paltry 5000 connections from China still can access Tor daily.  This is
vastly smaller than the 100,000 or so we used to get.  

The other methods of obtaining bridges are slower and more viral.  They
use social networking technologies like twitter and qq to distribute
bridge addresses.  I've been told if you search on baidu, you can find
such bridge addresses.  And until now, they still work.  We've given
some addresses to trusted networks inside China. What they do with the
bridges is up to them.  I've heard some are bridge addresses are being
released by blog posts, BBS posts, qq, and ads on taobao. I'm assuming
the admins of the GFW read or-talk in some fashion.  They are doing
their job and we're doing ours.

Conversely, Tor supports 3rd party http/https proxies.  Many people use
Tor because they want the privacy aspects of it, not just the ability to
circumvent a firewall.  You can use the 3rd party http/https proxy as
the access layer around the blocking system, and then to tor.

This is an arms race, we're working on next steps in it.

-- 
Andrew Lewman
The Tor Project
pgp 0x31B0974B

Website: https://www.torproject.org/
Blog: https://blog.torproject.org/
Identi.ca: torproject


Re: Re: problem with bridges and a suggestion

2010-05-26 Thread frank
hi steve,

Perhaps other ways of hiding it are needed. As it is, it would be
trivial to connect via ssl and verify if a machine talks onion router.
It might be harder if there were multiple protocol paths into it. What
if I connect on port 25 and get a normal mail server, then start tls
from within the protocol and use a command to switch to onion routing. I
connect on port 636 and it's ldap first. 993 and it's IMAP over ssl.

that's it!  to use a general protocol even like udp 53 to act as a tunnel for 
tor negotiation traffic.

sincerely,
 
frank
2010-05-27

-
sender: Stephen Carpenter
sending date: 2010-05-27 00:01:47
receiver: or-talk
cc: 
subject: Re: problem with bridges and a suggestion

On Tue, May 25, 2010 at 7:51 AM,  and...@torproject.org wrote:
 On Tue, May 25, 2010 at 05:18:44PM +0800, for.tor.bri...@gmail.com wrote 1.3K 
 bytes in 36 lines about:

 : this morning, I got some new bridges through a hidden https proxy and
 : established a TOR circuit, but after some time, I lost the connection
 : and couldn't  establish a TOR circuit any more.

 Can you send debug logs to tor-assista...@torproject.org with what
 happens when your client tries to connect to the bridges?

 : from my knowledge to china's blocking methods, I believe they found my
 : newly got bridges through network traffic protocol analysis, and
 : blocked them.

 This is unlikely.  In our experience, they are merely blocking IP:Port
 combinations.

The question though is... how do they find them? Sure, you can get the
directory list, scrape the common bridge lists. However... this pretty
quickly is just Whack-a-Mole. You have to imagine that they are
smart enough to figure that a person who was using Tor yesterday is
probably looking for a new bridge today.

Once you know who, even if it's a small subset, is using Tor, and smart
enough to find bridges as you shut them down, well... it wouldn't be
hard to watch them, and identify which connections of theirs are
bridges, and then push out new block lists. Even if I can't prove that
your connection from port x to port y is a Tor connection, I can still
connect to the same remote port and negotiate an SSL connection myself
and verify if it's a bridge. Hell, it could be automated.

It may not be 100%, but it doesn't really need to be. It's not like
you need all the users all the time, just enough to raise the bar and
cut down the numbers.

 : use a general protocol for TOR clients to interact with bridges, so
 : that they can't distinguish the traffic between TOR clients and
 : bridges,
 : so that they can't find new bridges got through private ways.

 Tor traffic through bridges vs. public relays is the same.  There is not
 a special bridge connection.  See
 https://www.torproject.org/faq#RelayOrBridge, also that text needs to be
 updated to reflect China's uniqueness in filtering Tor public relays.

 : the general protocol could be https which is encryption protected;

 It is already.  What may be unique is we start the connection with a TLS
 renegotiation.  This is probably starting to stand out as unique now
 that OpenSSL decided that everyone used renegotiation incorrectly and
 almost all operating systems have erroneously disabled this
 functionality by default.  See
 https://www.torproject.org/faq#KeyManagement

Perhaps other ways of hiding it are needed. As it is, it would be
trivial to connect via SSL and verify if a machine talks onion router.
It might be harder if there were multiple protocol paths into it. What
if I connect on port 25 and get a normal mail server, then start TLS
from within the protocol and use a command to switch to onion routing. I
connect on port 636 and it's LDAP first. 993 and it's IMAP over SSL.

Perhaps the secret command to initiate the protocol could be part of
the bridge description?

-Steve
***
To unsubscribe, send an e-mail to majord...@torproject.org with
unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
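The "secret command" design Steve sketches above and frank picks up on, as an added example that is not code from the original posts or from the Tor project: a toy bridge that answers like an SMTP server to anyone, and switches to an HMAC-framed onion mode only for a client that proves it holds a per-bridge secret carried in its bridge line. The bridge-line form "Bridge HOST:PORT secret=<hex>", the XSWITCH verb, the cell framing and every address are assumptions of the example; both sides run over a local socketpair, so nothing touches the network.

```python
# Added example (not from the original posts or the Tor project): a toy bridge
# that looks like an SMTP server until the client proves it holds the secret
# from its bridge line. The bridge-line form, the XSWITCH verb and the cell
# framing are assumptions of this example; it runs over a local socketpair.
import hashlib
import hmac
import os
import socket
import threading

BRIDGE_LINE = "Bridge 192.0.2.10:25 secret=1f5d3e0a9b7c4d2e8a6f0b1c3d5e7f90"  # constructed
SECRET = bytes.fromhex(BRIDGE_LINE.split("secret=", 1)[1])
UNKNOWN = b"500 Syntax error, command unrecognized\r\n"

def auth_token(secret, nonce):
    """Proof of the secret bound to this connection's nonce, so a token seen
    in one session cannot be replayed by a prober against a fresh one."""
    return hmac.new(secret, b"switch|" + nonce, hashlib.sha256).hexdigest().encode()

def session_key(secret, nonce):
    return hashlib.sha256(b"session|" + secret + nonce).digest()

def send_cell(sock, key, payload):
    """Length-prefixed, HMAC-SHA256-tagged frame used after the switch."""
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    sock.sendall(len(payload).to_bytes(2, "big") + payload + tag)

def recv_cell(f, key):
    n = int.from_bytes(f.read(2), "big")
    payload, tag = f.read(n), f.read(32)
    if not hmac.compare_digest(tag, hmac.new(key, payload, hashlib.sha256).digest()):
        raise ValueError("bad cell tag")
    return payload

def bridge_server(sock, secret):
    """Plain SMTP for everyone; onion mode only after XSWITCH with a valid token."""
    nonce = os.urandom(16)
    f = sock.makefile("rb")
    sock.sendall(b"220 mail.example.invalid ESMTP " + nonce.hex().encode() + b"\r\n")
    while True:
        line = f.readline()
        if not line:
            return "closed"
        cmd, _, arg = line.rstrip(b"\r\n").partition(b" ")
        cmd = cmd.upper()
        if cmd in (b"EHLO", b"HELO"):
            sock.sendall(b"250 mail.example.invalid\r\n")
        elif cmd == b"QUIT":
            sock.sendall(b"221 Bye\r\n")
            return "quit"
        elif cmd == b"XSWITCH" and hmac.compare_digest(arg, auth_token(secret, nonce)):
            sock.sendall(b"250 Switching to onion mode\r\n")
            key = session_key(secret, nonce)
            send_cell(sock, key, b"CREATED " + recv_cell(f, key))
            return "onion"
        else:
            # Wrong token and unknown verb get the identical reply, so a prober
            # without the secret cannot tell this host from a mail server.
            sock.sendall(UNKNOWN)

def smtp_only_probe(sock):
    """What an active prober without the secret sees: ordinary SMTP reply codes."""
    f = sock.makefile("rb")
    codes = [f.readline()[:3]]
    for verb in (b"EHLO prober\r\n", b"XSWITCH 0123456789abcdef\r\n", b"QUIT\r\n"):
        sock.sendall(verb)
        codes.append(f.readline()[:3])
    return codes

def bridge_client(sock, secret):
    """Client holding the bridge-line secret; returns the first onion-mode reply."""
    f = sock.makefile("rb")
    nonce = bytes.fromhex(f.readline().split()[-1].decode())
    sock.sendall(b"EHLO client\r\n")
    f.readline()
    sock.sendall(b"XSWITCH " + auth_token(secret, nonce) + b"\r\n")
    if not f.readline().startswith(b"250"):
        return None  # wrong secret or not a bridge: it just behaved like a mail server
    key = session_key(secret, nonce)
    send_cell(sock, key, b"CREATE")
    return recv_cell(f, key)

def run_session(client_fn):
    """Run bridge_server and client_fn over a socketpair; return both results."""
    a, b = socket.socketpair()
    out = {}
    t = threading.Thread(target=lambda: out.__setitem__("server", bridge_server(b, SECRET)))
    t.start()
    try:
        out["client"] = client_fn(a)
    finally:
        a.close()
        t.join(timeout=5)
        b.close()
    return out

if __name__ == "__main__":
    print(run_session(smtp_only_probe))
    print(run_session(lambda s: bridge_client(s, SECRET)))
```

Run it directly and it prints what a prober sees (220, 250, 500, 221, exactly the codes a mail server would give) and what the keyed client gets back in onion mode. Two caveats a practitioner would want: the toy runs in cleartext, so on a real port 25 the switch would have to happen only after STARTTLS, as Steve says, or the XSWITCH line itself becomes the fingerprint; and the greeting, reply codes and timing on every path that does not present the secret must stay indistinguishable from a real mail server, because any difference is exactly what an automated prober is built to find.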


Re: Bridges and China (new thread)

2010-05-26 Thread andrew
On Thu, May 27, 2010 at 11:21:50AM +0800, for.tor.bri...@gmail.com wrote 2.7K bytes in 67 lines about:
: I've been told if you search on baidu, you can find such bridge addresses.
: bridge addresses are being released by blog posts, BBS posts, qq, and ads on taobao.
: then bad guys can get and block them too through baidu searching,
: and more, qq is totally under control of bad guys, we can't trust qq, believe me, I know the truth.

The point of releasing the bridge addresses this way is to see how long
it takes to go from public publishing to blocking in the GFW.

: Tor supports 3rd party http/https proxies
: could you kindly tell me how to use tor above 3rd party https/http proxies? 
what's the config?

There are two ways to do this, through Vidalia or editing your torrc.
In Vidalia, go to Settings, Network, and click "I use a proxy to access
the Internet", then enter your proxy details.

In torrc, see
https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TorFAQ#MyInternetconnectionrequiresanHTTPproxy.

-- 
Andrew Lewman
The Tor Project
pgp 0x31B0974B

Website: https://www.torproject.org/
Blog: https://blog.torproject.org/
Identi.ca: torproject
***
To unsubscribe, send an e-mail to majord...@torproject.org with
unsubscribe or-talkin the body. http://archives.seul.org/or/talk/


Re: Re: Bridges and China (new thread)

2010-05-26 Thread frank
hi andrew,

thanks a lot for your prompt reply.

In torrc, see
https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TorFAQ#MyInternetconnectionrequiresanHTTPproxy.
OK, got it, I prefer this way, thanks a lot.

sincerely,
 
frank
2010-05-27

-
sender: andrew
sending date: 2010-05-27 11:42:55
receiver: or-talk
cc: 
subject: Re: Bridges and China (new thread)


***
To unsubscribe, send an e-mail to majord...@torproject.org with
unsubscribe or-talkin the body. http://archives.seul.org/or/talk/


Re: Re: Bridges and China (new thread)

2010-05-26 Thread frank
hi, andrew

##You will need an http proxy for doing GET requests to fetch the Tor directory,
##and you will need an https proxy for doing CONNECT requests to get to Tor relays.
##(It's fine if they're the same proxy.)
#HttpProxy IP:port
#HttpsProxy IP:port

my question:
why not put the tor directory server in https mode too?

sincerely,
 
frank
2010-05-27

-
sender: andrew
sending date: 2010-05-27 11:42:55
receiver: or-talk
cc: 
subject: Re: Bridges and China (new thread)


***
To unsubscribe, send an e-mail to majord...@torproject.org with
unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
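The proxy-plus-bridges configuration Andrew points to and frank quotes above, as an added example that is not Tor project code: a short Python helper that writes the torrc fragment and checks it for the mistakes that most often leave a client unable to bootstrap. HttpProxy, HttpsProxy, UseBridges and Bridge are real torrc options; the proxy and bridge addresses are constructed, and the checker only tests the fragment's internal consistency, not whether the proxy or the bridges are actually reachable.

```python
# Added example, not Tor project code: render the torrc for a third-party
# HTTP/HTTPS proxy as the access layer plus privately obtained bridges, and
# check the fragment for common mistakes before starting Tor. HttpProxy,
# HttpsProxy, UseBridges and Bridge are real options; addresses are constructed.
import re

_HOSTPORT = re.compile(r"^([A-Za-z0-9.\-]+):(\d{1,5})$")  # hostname/IPv4 only, no IPv6


def valid_hostport(value):
    m = _HOSTPORT.match(value)
    return bool(m) and 1 <= int(m.group(2)) <= 65535


def render_torrc(http_proxy, https_proxy, bridges):
    """Torrc fragment: directory GETs via the HTTP proxy, CONNECTs to relays
    and bridges via the HTTPS proxy, and only the listed bridges as entry points."""
    lines = [
        "# GET requests for directory information go through this proxy",
        f"HttpProxy {http_proxy}",
        "# CONNECT requests to relays and bridges go through this proxy",
        f"HttpsProxy {https_proxy}",
        "# Use only the bridges listed below, not the public relay list",
        "UseBridges 1",
    ] + [f"Bridge {b}" for b in bridges]
    return "\n".join(lines) + "\n"


def check_torrc(text):
    """Return a list of problems; an empty list means the fragment is consistent
    (it says nothing about whether the proxy or the bridges are reachable)."""
    opts, bridges = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # torrc comments start with '#'
        if not line:
            continue
        key, _, val = line.partition(" ")
        if key == "Bridge":
            bridges.append(val.strip())
        else:
            opts[key] = val.strip()
    problems = []
    for key in ("HttpProxy", "HttpsProxy"):
        if key not in opts:
            problems.append(f"{key} missing")
        elif not valid_hostport(opts[key]):
            problems.append(f"{key} must be host:port, got {opts[key]!r}")
    if opts.get("UseBridges") == "1" and not bridges:
        problems.append("UseBridges 1 but no Bridge lines")
    if bridges and opts.get("UseBridges") != "1":
        problems.append("Bridge lines present but UseBridges is not 1")
    for b in bridges:
        addr = b.split()[0]  # an optional fingerprint may follow the address
        if not valid_hostport(addr):
            problems.append(f"bad bridge address {addr!r}")
    return problems


if __name__ == "__main__":
    torrc = render_torrc("127.0.0.1:8118", "127.0.0.1:8118", ["192.0.2.10:443"])
    print(torrc)
    print("problems:", check_torrc(torrc))
```

Write the rendered text into the torrc that your Tor reads, keep the proxy for both GET and CONNECT if you only have one, and expect bootstrapping to fail with an empty Bridge list even when UseBridges is set; that case is the one the checker is most useful for catching before Tor is started.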