Re: Block directory authorities, is it possible?
http://tor.eff.org/svn/trunk/doc/design-paper/blocking.pdf

It seems to me that the most difficult things are 1) to ensure that a user in a blocked country always has access to a bridge, and 2) proving that bridges are useful.

1) It seems a user needs to know at least two working bridges in order to not have their connection permanently disrupted (and require re-bootstrapping). If only one bridge is known, if that bridge moves or goes offline, bootstrapping is required. However, if two bridges are known, the first bridge can be used for an active connection, and the status of the second bridge can be maintained (and confirmed with the bridge authority periodically), so if the active bridge moves, the backup bridge can be used to connect to Tor and use the bridge authority to check the status of the now-inactive or moved bridge. Clearly this only protects against bridge moves, since if the first bridge has gone offline, the user is now left with only one.

2) Determining whether a bridge is useful may be impossible without allowing an adversary to enumerate a bridge. Any adversary that blocks a bridge from their jurisdiction can set up a connection through that bridge to make it seem like the bridge is actively being used. There is no easy way for the bridge authority or users to learn that a bridge has been blocked. While users in a given country may know they can't connect to a bridge, they have no easy way to notify the bridge authority.

First, the user is not authoritative: we can't trust what a given user says, since that user may be working for the government (for arbitrary values of government) and may be attempting to disable bridges by bad-mouthing (saying they are already blocked).

Second, the user needs to have access to the Tor network in the first place to notify the bridge authority that a bridge is blocked. This is perhaps a lesser problem than the first one. I'm not sure this item CAN have a workable solution...

Thoughts?

Thanks,
Eugene

--
Eugene Y. Vasserman
http://www.cs.umn.edu/~eyv/
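A toy model of the two-bridge argument in point 1) of the message above, added here as an illustration; it is not part of the original post and not Tor code. The bridge ids, addresses and function names are hypothetical, and the sample data is constructed.

```python
# Added illustration; bridge ids, addresses and function names are hypothetical.
OFFLINE = None  # marker for a bridge that has gone away entirely


def usable(known, world):
    """Bridges the client can still reach: cached address == current address."""
    return [b for b, addr in known.items()
            if world.get(b, OFFLINE) is not OFFLINE and world[b] == addr]


def recover(known, world):
    """Run one recovery round for a client.

    known: bridge id -> address the client last learned
    world: bridge id -> current address or OFFLINE. This is what the bridge
           authority would report, but the client can only query it through
           a bridge that still works.
    Returns (status, updated_known), status in {"ok", "degraded", "rebootstrap"}.
    """
    if not usable(known, world):
        # No working bridge: no path into Tor, so no path to the bridge
        # authority either. The client has to re-bootstrap out of band.
        return "rebootstrap", dict(known)
    refreshed = {}
    for bridge in known:
        addr = world.get(bridge, OFFLINE)
        if addr is not OFFLINE:
            refreshed[bridge] = addr  # a moved bridge is re-learned
        # an offline bridge is dropped from the client's list
    return ("ok" if len(refreshed) >= 2 else "degraded"), refreshed


def scenarios():
    """The cases from the message, run on constructed sample data."""
    a_old, a_new = "192.0.2.10:443", "192.0.2.99:443"
    b_old, b_new = "198.51.100.20:443", "198.51.100.77:443"
    out = {}
    # One known bridge, and it moves.
    out["one_bridge_moves"] = recover({"A": a_old}, {"A": a_new})
    # Two known bridges, the active one moves.
    out["two_bridges_one_moves"] = recover(
        {"A": a_old, "B": b_old}, {"A": a_new, "B": b_old})
    # Two known bridges, the active one goes offline.
    out["two_bridges_one_offline"] = recover(
        {"A": a_old, "B": b_old}, {"A": OFFLINE, "B": b_old})
    # Follow-on case: the degraded client's last bridge then moves.
    _, left = out["two_bridges_one_offline"]
    out["last_bridge_moves"] = recover(left, {"A": OFFLINE, "B": b_new})
    return out


if __name__ == "__main__":
    for name, (status, known) in scenarios().items():
        print(f"{name:26s} {status:12s} {known}")
```

The last scenario goes one step past the message: once an offline bridge has reduced the client to a single bridge, the next move puts it back in the one-bridge case.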
Re: Block directory authorities, is it possible?
On Sat, 13 Jan 2007 19:41:57 +0800, Kevin Smith [EMAIL PROTECTED] said:
> Why hasn't Tor been blocked in China already? Torpark is redirecting

Two explanations:

1 - They need it for own use, field agents inside china to field agents in foreign countries. An easy way to not have to go by embassy that probably have other secure ways but more local and also more watched by foreign surveillance authorities.

2 - They have very unusual skilled people, find in their huge population, that have ways of cracking it or intercepted entry connections. When they have cop snapping steel wires by bare fingers and kids smashing concrete slabs with their heads and other almost supernatural features, no big deal if their headhunters find real super nerds. You know movies such the Rainman or the Mercury Rising? People like this may be in use there to crack Tor and then is an easy way to allow Tor to have it all going one way.

Just my two cent, nickel or dime...
Re: Block directory authorities, is it possible?
On 2007-1-15 11:38 CST(UTC+8), Kevin Smith wrote:
> When a page is blocked it usually looks like it has timed out. I'm not clear as to how the blocking works. It seems that sensitive keywords in a webpage trigger the firewall to send a TCP reset to both the client and the server(1), but I do not know how specific IP addresses are blocked. I guess the routers at the great firewall just stop the client's request from reaching the server at that specific IP address and that the router at the firewall doesn't send any response back to the client so that it looks like a timeout. Someone please correct me if I'm wrong about this.
>
> (1) http://www.andrewlih.com/blog/2006/06/27/great-firewall-filtering-revealed/
>
> Kevin S.

Probably nobody could clarify this issue, the Great Firewall is operated in the dark, almost all the work is based on reverse engineering, and to everyone's surprise, they even won't dare to admit the existence of the firewall. (http://news.com.com/China+We+dont+censor+the+Internet.+Really/2100-1028_3-6130970.html)

Well, also please correct me if I'm wrong. :)

Hanru

P.S., Kevin, the full paper you mentioned is at: http://www.cl.cam.ac.uk/~rnc1/ignoring.pdf
Re: Block directory authorities, is it possible?
I have never heard that the Tor website http://tor.eff.org/ has been blocked in China, nor any URLs under that website. It is currently not blocked by my ISP in Beijing, nor was it blocked by my ISP in Shandong province when I lived there. I was, however, referring to the Tor service itself, not the website, though I did not make that clear.

The psiphon website, on the other hand, http://psiphon.civisec.org/ has been blocked, at least by my ISP in Beijing, but the psiphon service has not been and most likely could not be effectively blocked without blocking all encrypted tunnels since the IP addresses of psiphon servers do not have to be publicly known. Tor on the other hand could be blocked without blocking encrypted tunnels by simply blocking the IP addresses of Tor servers, since the IP addresses of Tor servers are and essentially must be publicly known, and furthermore this is exactly how websites are currently being blocked in China, i.e., the IP address of the server they are hosted on is blocked. So from the point of view of the Chinese firewall, there really would be no difference between blocking an IP address serving up a website and blocking an IP address routing Tor requests.

I think it is very interesting in and of itself that the main Tor website http://tor.eff.org/ has not been blocked. Perhaps it's the Great Firewall's way of saying, We are knowingly allowing this backdoor.

Kevin S.

On 1/15/07, John Kimble [EMAIL PROTECTED] wrote:
> On 1/14/07, Kevin Smith [EMAIL PROTECTED] wrote:
>> Why hasn't Tor been blocked in China already?
>
> It depends on what you're referring to - the Tor website, or the Tor service itself. As far as I know, URLs under http://tor.eff.org/ are blocked, just like http://psiphon.civisec.org/ and http://www.torrify.com/ . There may be inter-province or even inter-ISP differences though.
>
> If you're referring to the services themselves, neither (Tor or Psiphon) are blocked. If you can get Tor (or Torpark for that matter) to initialise in the first place, or if you already have someone on the outside offering you a Psiphon link, they will just keep running.
>
> I guess that's because China is, for now, focusing solely on blocking websites (i.e. readable material served over HTTP). They haven't started worrying about encrypted tunnels yet.
>
> - John
Re: Block directory authorities, is it possible?
Kevin Smith wrote:
> I have never heard that the Tor website http://tor.eff.org/ has been blocked in China, nor any URLs under that website. It is currently not blocked by my ISP in Beijing, nor was it blocked by my ISP in Shandong province when I lived there. I was, however, referring to the Tor service itself, not the website, though I did not make that clear. The psiphon website, on the other hand, http://psiphon.civisec.org/ has been blocked, at least by my ISP in Beijing, but the psiphon service has not been [...]
>
> I think it is very interesting in and of itself that the main Tor website http://tor.eff.org/ has not been blocked. Perhaps it's the Great Firewall's way of saying, We are knowingly allowing this backdoor.

It's funny. Looking at the codebase for both, it would almost seem this should be the other way around.

I wonder if it's just an oversight that tor.eff.org hasn't been blocked in your case?

How does the blocking with your ISP work? Do you get a generic reject page telling you the service is blocked? Do you get TCP resets?

Regards,
Jacob Appelbaum
Re: Block directory authorities, is it possible?
> I wonder if it's just an oversight that tor.eff.org hasn't been blocked in your case?

I don't think it is an oversight that tor.eff.org has not been blocked in my case. I have never heard of the Tor site being blocked anywhere in China. My friends in Beijing, Shanghai and Shandong province are able to access it and I was able to access it continuously for three years in Shandong when I lived there.

> How does the blocking with your ISP work? Do you get a generic reject page telling you the service is blocked? Do you get TCP resets?

When a page is blocked it usually looks like it has timed out. I'm not clear as to how the blocking works. It seems that sensitive keywords in a webpage trigger the firewall to send a TCP reset to both the client and the server(1), but I do not know how specific IP addresses are blocked. I guess the routers at the great firewall just stop the client's request from reaching the server at that specific IP address and that the router at the firewall doesn't send any response back to the client so that it looks like a timeout. Someone please correct me if I'm wrong about this.

(1) http://www.andrewlih.com/blog/2006/06/27/great-firewall-filtering-revealed/

Kevin S.
Re: Block directory authorities, is it possible?
On 2007-1-13 4:44 CST(UTC+8), Mike Perry wrote:
>> I live in China and was/am having difficulties in using Tor, the problem is: it takes quite a long time to build a circuit for the first time I start Tor on my Windows machine.
>>
>> Am I understanding correctly? Are there any actions Tor can take? After all, we cannot simply assume this will not happen in the future.
>
> If the problem right now is just IP blocking you can try the tor option HttpProxy which will route your dirserver traffic through an http proxy you specify. Unfortunately, certain areas have begun blocking by the /tor/ url postfix that dirservers use, independent of IP. There is an option in 1.2.x/SVN to tunnel this traffic via other tor nodes (via SSL), but I believe it is prone to exploding at this point in time.

Actually, no IP is blocked at this time, it is due to a natural disaster. :(

It's interesting to evaluate whether the option you mentioned will defend the attack (that is, blocking all directory authorities), in that setting, there's no living network-status, how to find other tor nodes? Manually importing required files is an idea, but, it's not that elegant and finding up-to-date files is a problem.

I'm curious on more details. :)

Thanks,
Hanru
Re: Block directory authorities, is it possible?
Why hasn't Tor been blocked in China already? Torpark is redirecting to the Google homepage (1). The psiphon homepage has been blocked. The Freegate homepage is blocked. Why not Tor?

Could it be that Tor is being used to help identify suspected dissidents? Consider the following:

I'm sitting at my home in Beijing using Tor. The Chinese internet police see my computer periodically connecting to a Tor directory server or entry node. They know I am using Tor. Ok. Here's someone using Tor. Who is he? Well, his IP address is linked to Beihang University. A quick check with the Beihang University IT department reveals that he is Kevin Smith in building AB apartment XYZ, his passport number is 123456789, he teaches English and has no record of political activity aside from voting in those despicable American national elections. Not too likely that he is a dissident.

Wang Guolu is sitting at home using Tor. The Chinese internet police see his computer periodically connecting to a Tor directory server or entry node. They know he is using Tor. Ok. Here's someone using Tor. Who is he? Well, his IP address is linked to China Netcom in Dalian. A quick check with Dalian China Netcom reveals that he is Wang Guolu who lives in building CD apartment UVW on Renmin Lu. His ID number is 987654321, he has a low paying job at a local factory and is suspected of being a member of the FLG. A relatively low paid factory worker using advanced internet anonymizing software? That just screams dissident.

The above situation has been suggested before on the mailing list:
http://archives.seul.org/or/talk/Aug-2006/msg00089.html
http://archives.seul.org/or/talk/Aug-2006/msg00091.html

(1) http://archives.seul.org/or/talk/Dec-2006/msg00076.html

Kevin S.

On 1/13/07, Pei Hanru [EMAIL PROTECTED] wrote:
> On 2007-1-13 4:44 CST(UTC+8), Mike Perry wrote:
>>> I live in China and was/am having difficulties in using Tor, the problem is: it takes quite a long time to build a circuit for the first time I start Tor on my Windows machine.
>>>
>>> Am I understanding correctly? Are there any actions Tor can take? After all, we cannot simply assume this will not happen in the future.
>>
>> If the problem right now is just IP blocking you can try the tor option HttpProxy which will route your dirserver traffic through an http proxy you specify. Unfortunately, certain areas have begun blocking by the /tor/ url postfix that dirservers use, independent of IP. There is an option in 1.2.x/SVN to tunnel this traffic via other tor nodes (via SSL), but I believe it is prone to exploding at this point in time.
>
> Actually, no IP is blocked at this time, it is due to a natural disaster. :(
>
> It's interesting to evaluate whether the option you mentioned will defend the attack (that is, blocking all directory authorities), in that setting, there's no living network-status, how to find other tor nodes? Manually importing required files is an idea, but, it's not that elegant and finding up-to-date files is a problem.
>
> I'm curious on more details. :)
>
> Thanks,
> Hanru
Re: Block directory authorities, is it possible?
On Sat, Jan 13, 2007 at 07:41:57PM +0800, Kevin Smith wrote:
> Why hasn't Tor been blocked in China already? Torpark is redirecting to the Google homepage (1). The psiphon homepage has been blocked. The Freegate homepage is blocked. Why not Tor?

My guesses, in order of ease-of-explanation:

A) There are perhaps 3 people in China running Tor clients right now, according to my rough estimates. That's roughly zero people, in China.

B) The general perception of Tor is that it's a tool for experts. So they don't think they need to block it (yet).

C) We haven't publicly threatened their control. By emphasizing government/military/law enforcement use, and individuals in free countries who need their civil liberties, we don't force them to take action.

D) Other?

> Could it be that Tor is being used to help identify suspected dissidents? Consider the following:
>
> I'm sitting at my home in Beijing using Tor. The Chinese internet police see my computer periodically connecting to a Tor directory [snip] national elections. Not too likely that he is a dissident.
>
> Wang Guolu is sitting at home using Tor. The Chinese internet police [snip] of being a member of the FLG. A relatively low paid factory worker using advanced internet anonymizing software? That just screams dissident.

As I understand it, social networking attacks are much simpler and more successful. Having an informer at the factory is much more straightforward, and just the *possibility* of it is usually enough to make a lot of people self-censor.

In fact, as countries restrict more information at their national firewall, they end up with *more* Tor users -- not because they're all dissidents, but because they want to read the web comics or stock market sites they were able to read last week. The mere fact that you use Tor in these cases is not much evidence on you, as long as there's a sufficient population around you using Tor.

So yes, they could do what you describe, but there are many things they *could* do, and from talking to people in China, this probably isn't first in line in terms of worries. But let me know if you disagree. :)

--Roger
Re: Block directory authorities, is it possible?
>> Why hasn't Tor been blocked in China already?
>
> My guesses, in order of ease-of-explanation:
>
> A) There are perhaps 3 people in China running Tor clients right now, according to my rough estimates. That's roughly zero people, in China.
>
> B) The general perception of Tor is that it's a tool for experts. So they don't think they need to block it (yet).
>
> C) We haven't publicly threatened their control. By emphasizing government/military/law enforcement use, and individuals in free countries who need their civil liberties, we don't force them to take action.
>
> D) Other?
>
>> Could it be that Tor is being used to help identify suspected dissidents?
>
> So yes, they could do what you describe, but there are many things they *could* do, and from talking to people in China, this probably isn't first in line in terms of worries. But let me know if you disagree. :)
>
> --Roger

I agree with you that it is unlikely that monitoring Tor users plays much if any role in identifying dissidents in China given its relative complexity when compared to other methods, however I am still perplexed as to why Tor has not been blocked.

If reasons A) and B) are true, then why does the Torpark download reroute to Google's homepage? Torpark users are a subset of Tor users, and I would imagine that Torpark users in general are more experienced computer users as well, i.e., wouldn't Torpark also be perceived as a tool for experts? Furthermore, why has the psiphon homepage been blocked? Users of psiphon in China are likely far fewer than users of Tor, and because psiphon essentially requires Chinese users to have a trusted contact running a psiphon server abroad the likelihood of psiphon ever becoming as popular or as useful as Tor is in China is nil.

Reason C) seems pretty reasonable, and also provides a reason as to why both Torpark and psiphon have been blocked.

From the Torpark Support page:
Your donation can help bring democracy to those who have no choice, freedom of speech to those who are silenced, and break down the walls of censorship worldwide.
http://torrify.com/support.php

From the psiphon homepage:
psiphon is a human rights software project ... that allows citizens in uncensored countries to provide unfettered access to the Net through their home computers to friends and family members who live behind firewalls of states that censor.
http://psiphon.civisec.org/

On the other hand, the Tor developers have publicly made note of the ability of Tor to circumvent the Chinese firewall, calling China a global active adversary with a lot of manpower and money, and severe penalties to discourage people from trying.
http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#China

Given the fact that access to these smaller projects has been blocked, I think the "Tor is small enough to be flying below the radar" argument has some strikes against it. I think there must be some other reason(s) in addition to this one as to why Tor has not been blocked. But what is that reason?

Kevin S.
Block directory authorities, is it possible?
Hi all,

I live in China and was/am having difficulties in using Tor, the problem is: it takes quite a long time to build a circuit for the first time I start Tor on my Windows machine.

I think it is because of the earthquake that destroys the fibers at the seabed near Taiwan at the end of 2006, communications to the US were almost blocked, to the EU were jammed. So it is very difficult to download a new network-status from a directory authority.

Excerpt from dir-spec.txt:

    Clients discard all network-status documents over 24 hours old. [...] When a client has no live network-status documents, it downloads network-status documents from a randomly chosen authority.

Well, Tor will finally recover here when the fibers are repaired. But this reminds me of a possible attack against the Tor network, say, if the notorious Great Firewall of China blocks *all* the connections to *all* the directory authorities (currently 5 I believe), then Tor will become completely useless in China. Considering the number of directory authorities, this doesn't seem to be infeasible. (In fact, I think this is easy to some extent.)

Am I understanding correctly? Are there any actions Tor can take? After all, we cannot simply assume this will not happen in the future.

Regards,
Hanru
Re: Block directory authorities, is it possible?
At 04:41 AM 1/12/2007, Pei Hanru wrote:
> Well, Tor will finally recover here when the fibers are repaired. But this reminds me of a possible attack against the Tor network, say, if the notorious Great Firewall of China blocks *all* the connections to *all* the directory authorities (currently 5 I believe), then Tor will become completely useless in China. Considering the number of directory authorities, this doesn't seem to be infeasible. (In fact, I think this is easy to some extent.)
>
> Am I understanding correctly? Are there any actions Tor can take? After all, we cannot simply assume this will not happen in the future.

You are correct that this is a vulnerability now. We're developing a blocking resistance strategy that should ameliorate this risk. Perhaps one of the developers will comment on this further.

Thanks!

Shava Nerad
Executive Director
The Tor Project
http://tor.eff.org/
http://blogs.law.harvard.edu/anonymous/
[EMAIL PROTECTED]
+1 617-776-2659
+1 617-767-6735 (cell)
skype: shava23
Re: Block directory authorities, is it possible?
Thus spake Pei Hanru ([EMAIL PROTECTED]):
> Hi all,
>
> I live in China and was/am having difficulties in using Tor, the problem is: it takes quite a long time to build a circuit for the first time I start Tor on my Windows machine.
>
> Am I understanding correctly? Are there any actions Tor can take? After all, we cannot simply assume this will not happen in the future.

If the problem right now is just IP blocking you can try the tor option HttpProxy which will route your dirserver traffic through an http proxy you specify. Unfortunately, certain areas have begun blocking by the /tor/ url postfix that dirservers use, independent of IP. There is an option in 1.2.x/SVN to tunnel this traffic via other tor nodes (via SSL), but I believe it is prone to exploding at this point in time.

--
Mike Perry
Mad Computer Scientist
fscked.org evil labs