Re: net/tor - add Flavor

[Pascal Stumpf]

On Sat, 14 Nov 2015 21:37:08 +0100, Uwe Werler wrote:
> On Sat, Nov 14, 2015 at 08:40:40PM +0100, Pascal Stumpf wrote:
> > On Fri, 13 Nov 2015 17:37:12 -0500, Michael McConville wrote:
> > > Uwe Werler wrote:
> > > > Hello list,
> > > > 
> > > > I'd like to add a Flavor to tor which allows Tor2webMode:
> > > 
> > > This seems like a rare enough use-case that it probably isn't worth a
> > > flavor. 
> > 
> > I tend to agree.  A tor2web proxy is an extremely rare configuration
> > compared to the total number of tor nodes.
> 
> I don't think so 'cause it's one possible way e.g. leaking sites may run.

This is exactly one of those scenarios that are extremely dangerous.  An
attacker can trivially expose whistleblowers by inspecting the traffic
at the reverse proxy's end.

I'm glad if we can stop people from making such mistakes by not
providing a tor2web package.

> > I am also opposed to the whole model of making .onion sites available
> > through clearnet.  Where a hidden service is needed, it is mostly for
> > content that both the content provider and the recipient may get into
> > legal trouble (or worse) in their respective jurisdictions. 
> 
> Yeah, maybe. I live in a country where some years ago You could be
> hung for listening BBC or radio London. There are countries in the
> world where it's illegal to read foreign newspapers or to be gay...
> 
> I think it's not our businness to decide which sites people want to
> look for or not.
> 
> > While
> > tor2web preserves the content provider's anonymity, it exposes the
> > (often naive) end user to uncertain risks.
> 
> I tend to forbit knives 'cause naive people my cut their fingers off.

I tend to not give machetes to kids, yes.

But still, I'm not stopping anyone from compiling their own tor2web and
deploying it.  Hell, it's not even that hard to keep a local patch for
the port.

Just don't expect any support from me.

> Or we should remove the -d switch from pfctl too.
> 
> > 
> > It is protected by no more than simple SSL/TLS, which makes correlation
> > attacks even easier, especially considering the very limited number of
> > .onion sites out there.  An attacker can plausibly deduce the site
> > you're looking at just by inspecting the encrypted traffic.
> 
> It's not to keep the user itself anonymously or a proxy e.g.

Exactly.  And thereby it goes against the fundamental idea of hidden
services, namely to keep both the client and the server anonymous.

> > Frankly, I don't think it's ethical to provide people with this
> > particular gun to shoot themselves in the foot (i.e. ruin their life).
> 
> It's not ethical to pay taxes for governments to shoot innocent people
> in other countries. Isn't it? Or should government protect us for
> ourself?

Irrelevant.  This is about OpenBSD ports.

> I think it's not the right place here to decide what other people
> should or shouldn't do.

See above.  Not stopping anyone from rolling their own.

> > It is a convenience mechanism to access .onion content on the clearnet
> > that is on .onion in the first place *for a darn good reason*.
> 
> This is only *one* possible scenario. I told two others which imho
> makes more sense than simply making hidden content public available.

2. is just as dangerous; I don't understand why you need tor2web for 3.

> > > It also runs the risk that people will think "Tor2web" is what
> > > they need (plausible, based on the name) and thereby deanonymize
> > > themselves.
> > > 
> 
> 

Re: net/tor - add Flavor

[Jiri B]

IMO the potential risk is high and if I read correctly
we haven't seen any numbers how many users need this flavor,
just Uwe? :)

j.

Re: net/tor - add Flavor

[Uwe Werler]

On Sun, Nov 15, 2015 at 07:29:23AM -0500, Jiri B wrote:
> IMO the potential risk is high and if I read correctly
> we haven't seen any numbers how many users need this flavor,
> just Uwe? :)
> 
> j.
> 


Maybe most people don't see a real scenario for this mode. Ok.

The potential risk to die is very high if You drive a car too fast or drunken.
I think cars shouldn't be selled anymore to people.

-- 

Re: net/tor - add Flavor

[Uwe Werler]

On Sun, Nov 15, 2015 at 01:15:03PM +0100, Pascal Stumpf wrote:
> On Sat, 14 Nov 2015 21:37:08 +0100, Uwe Werler wrote:
> > On Sat, Nov 14, 2015 at 08:40:40PM +0100, Pascal Stumpf wrote:
> > > On Fri, 13 Nov 2015 17:37:12 -0500, Michael McConville wrote:
> > > > Uwe Werler wrote:
> > > > > Hello list,
> > > > > 
> > > > > I'd like to add a Flavor to tor which allows Tor2webMode:
> > > > 
> > > > This seems like a rare enough use-case that it probably isn't worth a
> > > > flavor. 
> > > 
> > > I tend to agree.  A tor2web proxy is an extremely rare configuration
> > > compared to the total number of tor nodes.
> > 
> > I don't think so 'cause it's one possible way e.g. leaking sites may run.
> 
> This is exactly one of those scenarios that are extremely dangerous.  An
> attacker can trivially expose whistleblowers by inspecting the traffic
> at the reverse proxy's end.

If it's so *trivial* then the whole tor concept is trivial.

The hidden service remains hidden and anonymously. If You are right the same
is true for any tor entry or exit node.

> 
> I'm glad if we can stop people from making such mistakes by not
> providing a tor2web package.

I think You are wrong. But's Your opinion.

> > > I am also opposed to the whole model of making .onion sites available
> > > through clearnet.  Where a hidden service is needed, it is mostly for
> > > content that both the content provider and the recipient may get into
> > > legal trouble (or worse) in their respective jurisdictions. 
> > 
> > Yeah, maybe. I live in a country where some years ago You could be
> > hung for listening BBC or radio London. There are countries in the
> > world where it's illegal to read foreign newspapers or to be gay...
> > 
> > I think it's not our businness to decide which sites people want to
> > look for or not.
> > 
> > > While
> > > tor2web preserves the content provider's anonymity, it exposes the
> > > (often naive) end user to uncertain risks.
> > 
> > I tend to forbit knives 'cause naive people my cut their fingers off.
> 
> I tend to not give machetes to kids, yes.

I agree. But I think we have a dissence about which people kids are.

> But still, I'm not stopping anyone from compiling their own tor2web and
> deploying it.  Hell, it's not even that hard to keep a local patch for
> the port.

That's true.

> 
> Just don't expect any support from me.
> 

Ok. You are the maintainer, it's Your decision.

> > Or we should remove the -d switch from pfctl too.
> > 
> > > 
> > > It is protected by no more than simple SSL/TLS, which makes correlation
> > > attacks even easier, especially considering the very limited number of
> > > .onion sites out there.  An attacker can plausibly deduce the site
> > > you're looking at just by inspecting the encrypted traffic.
> > 
> > It's not to keep the user itself anonymously or a proxy e.g.
> 
> Exactly.  And thereby it goes against the fundamental idea of hidden
> services, namely to keep both the client and the server anonymous.

No. The idea of hidden services is to keep the service hidden. The idea of tor
as a client is to hide the client. Even it's the same bin it's not
automatically the same.

The people of tor project developed this mode not without reason. And yes,
it's dangerous for *naive* people and that's why it's not compiled in by
default and there's no possibility to use it outside tor.

> 
> > > Frankly, I don't think it's ethical to provide people with this
> > > particular gun to shoot themselves in the foot (i.e. ruin their life).
> > 
> > It's not ethical to pay taxes for governments to shoot innocent people
> > in other countries. Isn't it? Or should government protect us for
> > ourself?
> 
> Irrelevant.  This is about OpenBSD ports.

Exactly this I meant. You argued "ethical".

> > I think it's not the right place here to decide what other people
> > should or shouldn't do.
> 
> See above.  Not stopping anyone from rolling their own.

As You already mentioned above.

> > > It is a convenience mechanism to access .onion content on the clearnet
> > > that is on .onion in the first place *for a darn good reason*.
> > 
> > This is only *one* possible scenario. I told two others which imho
> > makes more sense than simply making hidden content public available.
> 
> 2. is just as dangerous; I don't understand why you need tor2web for 3.

It's my secred ;).

It's possible to build a totally anonymous network on top of tor. This is the
basic idea behind that. And access to ressources within this network is only
possible through proxies within this private network.

> > > > It also runs the risk that people will think "Tor2web" is what
> > > > they need (plausible, based on the name) and thereby deanonymize
> > > > themselves.
> > > > 
> > 
> > 
> 

-- 

Re: net/tor - add Flavor

[Uwe Werler]

On Sun, Nov 15, 2015 at 07:29:23AM -0500, Jiri B wrote:
> IMO the potential risk is high and if I read correctly
> we haven't seen any numbers how many users need this flavor,
> just Uwe? :)
> 
> j.
> 

And now my last five ct.

OpenBSD ships with *sane defaults*.

Possible dangerous features You have to enable Yourself. You should know what
You're doing.

Tor ships with *sane defaults*:

1. You explicitely have to enable this feature and 2. You can't leave the the 
tor
net.

Find the difference.



Pascal decided not to support this - it's ok.

-- 

Re: net/tor - add Flavor

[George Rosamond]

Stefan Sperling:
> On Sun, Nov 15, 2015 at 01:32:25PM -0500, Raul Miller wrote:
>> But treating this as "extremely dangerous" without offering a path
>> forward means that people need to "roll their own" approaches when
>> faced with related needs.
> 
> The way forward is use tor properly to access hidden services.

Yes, that is the default method of accessing Tor hidden services.

> 
> tor2web was conceived in 2008 to make it easier for whistleblowers
> to use tor instead of nothing. Unfortunately in 2015 whistleblowers
> have very good reasons to use something better than tor2web.
> 

Not from my understanding exactly.  It's not whistleblowers using
Tor2Web, but rather those accessing their hidden web site.

Tor2Web is mostly a method for non-Tor users to access hidden web sites.

There are contexts in which the destination needs to be hidden, but
user/source access isn't.  Imagine a case in which disclosures are made,
and a wide audience is encouraged, such as the media, yet the
destination's location needs to be hidden.

This discussion has started off with the wrong premise.  Yes, Tor2Web
doesn't hide the source IP/user.  It's not meant to.  It's a bridge
*into* the Tor network, in most cases a hidden web site, without any
illusion of giving the source IP/user anonymity.  It's a clear and
conscious design decision, not a mistake or something overlooked.

Regardless of Pascal's decision on this, Tor2Web is a legitimate tool
from the Tor Project with specific goals, somewhat distinct from the
usual premises of Tor.

Let's get beyond talking about the problems with it versus using Tor
Browser and recognize what it's meant for.  It's a *server* service that
can be employed by a Tor relay.  It should be an option for those who
want to use a Tor relay for that explicit purpose.

g

Re: net/tor - add Flavor

[Uwe Werler]

On Sun, Nov 15, 2015 at 08:15:57PM +0100, Stefan Sperling wrote:
> On Sun, Nov 15, 2015 at 01:32:25PM -0500, Raul Miller wrote:
> > But treating this as "extremely dangerous" without offering a path
> > forward means that people need to "roll their own" approaches when
> > faced with related needs.
> 
> The way forward is use tor properly to access hidden services.
> 
> tor2web was conceived in 2008 to make it easier for whistleblowers
> to use tor instead of nothing. Unfortunately in 2015 whistleblowers
> have very good reasons to use something better than tor2web.
> 

Hello Stefan,

what do You mean with "use something better"? I'm really interested in Your
suggestion.

Regards Uwe

-- 

Re: net/tor - add Flavor

[Michael McConville]

Uwe Werler wrote:
> On Sun, Nov 15, 2015 at 08:15:57PM +0100, Stefan Sperling wrote:
> > On Sun, Nov 15, 2015 at 01:32:25PM -0500, Raul Miller wrote:
> > > But treating this as "extremely dangerous" without offering a path
> > > forward means that people need to "roll their own" approaches when
> > > faced with related needs.
> > 
> > The way forward is use tor properly to access hidden services.
> > 
> > tor2web was conceived in 2008 to make it easier for whistleblowers
> > to use tor instead of nothing. Unfortunately in 2015 whistleblowers
> > have very good reasons to use something better than tor2web.
> 
> what do You mean with "use something better"? I'm really interested in
> Your suggestion.

I think this discussion is getting outside the scope of this mailing
list. tor-t...@lists.torproject.org is probably a better place for it.

Re: net/tor - add Flavor

[Stefan Sperling]

On Sun, Nov 15, 2015 at 09:42:23PM +0100, Uwe Werler wrote:
> On Sun, Nov 15, 2015 at 08:15:57PM +0100, Stefan Sperling wrote:
> > On Sun, Nov 15, 2015 at 01:32:25PM -0500, Raul Miller wrote:
> > > But treating this as "extremely dangerous" without offering a path
> > > forward means that people need to "roll their own" approaches when
> > > faced with related needs.
> > 
> > The way forward is use tor properly to access hidden services.
> > 
> > tor2web was conceived in 2008 to make it easier for whistleblowers
> > to use tor instead of nothing. Unfortunately in 2015 whistleblowers
> > have very good reasons to use something better than tor2web.
> > 
> 
> Hello Stefan,
> 
> what do You mean with "use something better"? I'm really interested in Your
> suggestion.

It depends.

As discussed, if tor2web is used to set up a site which receives leaks,
IPs making submissions can be de-anonymized so tor2web should not be
used in this case. So "something better" might be tor or something else.

In the reverse scenario, where a site sends leaks obtained from who
knows where out to the open internet from a hidden service location,
tor2web may make sense. Or it may not. I'm not quite sure. Tor has
so many edge cases as is even if both sides run Tor. I won't believe
random stranger's from the internet opinions about any of this.

If Pascal is not willing to put effort into maintaining a port
flavour for this feature, I won't mind that in the slightest.

Re: net/tor - add Flavor

[Raul Miller]

On Sun, Nov 15, 2015 at 7:15 AM, Pascal Stumpf  wrote:
> This is exactly one of those scenarios that are extremely dangerous.  An
> attacker can trivially expose whistleblowers by inspecting the traffic
> at the reverse proxy's end.

The danger here is that browsers send information related to messages
sent in other contexts if the user has used that browser in other
contexts. Browsers are deliberately security compromised to support
various popular revenue models. There are some analogous issues having
to do with setting up a web server and the leaky nature of development
platforms.

But treating this as "extremely dangerous" without offering a path
forward means that people need to "roll their own" approaches when
faced with related needs. (For example: write one's own web server
from scratch, use a tor browser on a discardable and short lived
machine which isn't used for anything else and which has no non-tor
internetworking capability.)

Is that what you are suggesting here?

Thanks,

-- 
Raul

Re: net/tor - add Flavor

[Stefan Sperling]

On Sun, Nov 15, 2015 at 01:32:25PM -0500, Raul Miller wrote:
> But treating this as "extremely dangerous" without offering a path
> forward means that people need to "roll their own" approaches when
> faced with related needs.

The way forward is use tor properly to access hidden services.

tor2web was conceived in 2008 to make it easier for whistleblowers
to use tor instead of nothing. Unfortunately in 2015 whistleblowers
have very good reasons to use something better than tor2web.

Re: net/tor - add Flavor

[Stuart Henderson]

On 2015/11/14 00:50, Uwe Werler wrote:
> On Sat, Nov 14, 2015 at 12:35:32AM +0100, Stefan Sperling wrote:
> > On Sat, Nov 14, 2015 at 01:05:12AM +0100, Rafael Sadowski wrote:
> > > I prefer to enable by default:
> > 
> > " Using Tor2web trades off security for convenience and usability."
> > https://tor2web.org/
> > 
> > Please don't.
> > 
> From man:
> 
>Tor2webMode 0|1
>When this option is set, Tor connects to hidden services
>non-anonymously. This option also disables client connections to
>non-hidden-service hostnames through Tor. It must only be used when
>running a tor2web Hidden Service web proxy. To enable this option
>the compile time flag --enable-tor2webmode must be specified.
>(Default: 0)
> 
> I think it shouldn't be turned on per default - even if it's not enabled per 
> default in config.
> 
> There are three scenarios therefore this mode is usefull:
> 
> 1. You want to provide a http proxy which is able to connect to tor HS for 
> clients (resolving onion domains).
> 2. You want to connect a reverse proxy to a HS.
> 3. You want to inter connect two (or more) machines within the tor network in 
> client-server-mode.
> 
> Regards Uwe
> 
> -- 
> 

So we have to balance the possibility of users shooting themselves in
the foot by enabling the config option by mistake, with the possibility
that someone will build their own "--enable-tor2webmode" package and
either not update to a newer version when a security fix comes out
because packages aren't available, or that will accidentally update
to a version without this config option.

So from what I've seen, I think that probably having this in a non-
default FLAVOR with a good but concise explanation in DESCR of what
it actually does is probably going to be the best idea. But the final
decision should rest with the maintainer.

Re: net/tor - add Flavor

[Uwe Werler]

On Sat, Nov 14, 2015 at 12:53:23PM +, Stuart Henderson wrote:
> On 2015/11/14 00:50, Uwe Werler wrote:
> > On Sat, Nov 14, 2015 at 12:35:32AM +0100, Stefan Sperling wrote:
> > > On Sat, Nov 14, 2015 at 01:05:12AM +0100, Rafael Sadowski wrote:
> > > > I prefer to enable by default:
> > > 
> > > " Using Tor2web trades off security for convenience and usability."
> > > https://tor2web.org/
> > > 
> > > Please don't.
> > > 
> > From man:
> > 
> >Tor2webMode 0|1
> >When this option is set, Tor connects to hidden services
> >non-anonymously. This option also disables client connections to
> >non-hidden-service hostnames through Tor. It must only be used 
> > when
> >running a tor2web Hidden Service web proxy. To enable this option
> >the compile time flag --enable-tor2webmode must be specified.
> >(Default: 0)
> > 
> > I think it shouldn't be turned on per default - even if it's not enabled 
> > per default in config.
> > 
> > There are three scenarios therefore this mode is usefull:
> > 
> > 1. You want to provide a http proxy which is able to connect to tor HS for 
> > clients (resolving onion domains).
> > 2. You want to connect a reverse proxy to a HS.
> > 3. You want to inter connect two (or more) machines within the tor network 
> > in client-server-mode.
> > 
> > Regards Uwe
> > 
> > -- 
> > 
> 

Stuart, I fully agree - and thanks for the explanation.

The last days I intensively tested tinc on top of tor in different
scenarios (yeah - layer 2 via tor). With this mode enabled on the
"client" machine one get's more throughput - increased by probably
40-50%. I measured rates up to 9,6 Mbps instead of max. 5 Mbps.

> So we have to balance the possibility of users shooting themselves in
> the foot by enabling the config option by mistake, with the possibility
> that someone will build their own "--enable-tor2webmode" package and
> either not update to a newer version when a security fix comes out
> because packages aren't available, or that will accidentally update
> to a version without this config option.
> 
> So from what I've seen, I think that probably having this in a non-
> default FLAVOR with a good but concise explanation in DESCR of what
> it actually does is probably going to be the best idea. But the final
> decision should rest with the maintainer.
> 

-- 

Re: net/tor - add Flavor

[Uwe Werler]

On Sat, Nov 14, 2015 at 08:40:40PM +0100, Pascal Stumpf wrote:
> On Fri, 13 Nov 2015 17:37:12 -0500, Michael McConville wrote:
> > Uwe Werler wrote:
> > > Hello list,
> > > 
> > > I'd like to add a Flavor to tor which allows Tor2webMode:
> > 
> > This seems like a rare enough use-case that it probably isn't worth a
> > flavor. 
> 
> I tend to agree.  A tor2web proxy is an extremely rare configuration
> compared to the total number of tor nodes.

I don't think so 'cause it's one possible way e.g. leaking sites may run.

> I am also opposed to the whole model of making .onion sites available
> through clearnet.  Where a hidden service is needed, it is mostly for
> content that both the content provider and the recipient may get into
> legal trouble (or worse) in their respective jurisdictions. 

Yeah, maybe. I live in a country where some years ago You could be
hung for listening BBC or radio London. There are countries in the
world where it's illegal to read foreign newspapers or to be gay...

I think it's not our businness to decide which sites people want to
look for or not.

> While
> tor2web preserves the content provider's anonymity, it exposes the
> (often naive) end user to uncertain risks.

I tend to forbit knives 'cause naive people my cut their fingers off.
Or we should remove the -d switch from pfctl too.

> 
> It is protected by no more than simple SSL/TLS, which makes correlation
> attacks even easier, especially considering the very limited number of
> .onion sites out there.  An attacker can plausibly deduce the site
> you're looking at just by inspecting the encrypted traffic.

It's not to keep the user itself anonymously or a proxy e.g.

> Frankly, I don't think it's ethical to provide people with this
> particular gun to shoot themselves in the foot (i.e. ruin their life).

It's not ethical to pay taxes for governments to shoot innocent people
in other countries. Isn't it? Or should government protect us for
ourself?

I think it's not the right place here to decide what other people
should or shouldn't do.

> It is a convenience mechanism to access .onion content on the clearnet
> that is on .onion in the first place *for a darn good reason*.

This is only *one* possible scenario. I told two others which imho
makes more sense than simply making hidden content public available.

> 
> > It also runs the risk that people will think "Tor2web" is what
> > they need (plausible, based on the name) and thereby deanonymize
> > themselves.
> > 

Re: net/tor - add Flavor

[Pascal Stumpf]

On Fri, 13 Nov 2015 17:37:12 -0500, Michael McConville wrote:
> Uwe Werler wrote:
> > Hello list,
> > 
> > I'd like to add a Flavor to tor which allows Tor2webMode:
> 
> This seems like a rare enough use-case that it probably isn't worth a
> flavor. 

I tend to agree.  A tor2web proxy is an extremely rare configuration
compared to the total number of tor nodes.

I am also opposed to the whole model of making .onion sites available
through clearnet.  Where a hidden service is needed, it is mostly for
content that both the content provider and the recipient may get into
legal trouble (or worse) in their respective jurisdictions.  While
tor2web preserves the content provider's anonymity, it exposes the
(often naive) end user to uncertain risks.

It is protected by no more than simple SSL/TLS, which makes correlation
attacks even easier, especially considering the very limited number of
.onion sites out there.  An attacker can plausibly deduce the site
you're looking at just by inspecting the encrypted traffic.

Frankly, I don't think it's ethical to provide people with this
particular gun to shoot themselves in the foot (i.e. ruin their life).
It is a convenience mechanism to access .onion content on the clearnet
that is on .onion in the first place *for a darn good reason*.


> It also runs the risk that people will think "Tor2web" is what
> they need (plausible, based on the name) and thereby deanonymize
> themselves.
> 
> > --- net/tor/Makefile.orig   Fri Nov 13 05:25:33 2015
> > +++ net/tor/MakefileFri Nov 13 04:26:09 2015
> > @@ -12,6 +12,9 @@
> >  # BSD
> >  PERMIT_PACKAGE_CDROM=  Yes
> >  
> > +PSEUDO_FLAVORS = tor2web
> > +FLAVOR ?=
> > +
> >  WANTLIB += c crypto event m pthread ssl z
> >  
> >  MASTER_SITES=  https://www.torproject.org/dist/
> > @@ -22,6 +25,11 @@
> >  # anyway on FRAME_GROWS_DOWN archs.
> >  CONFIGURE_ARGS=--with-ssl-dir=/usr \
> > --disable-gcc-hardening
> > +
> > +.if ${FLAVOR:L:Mtor2web}
> > +CONFIGURE_ARGS += --enable-tor2web-mode
> > +.endif
> > +
> >  CONFIGURE_ENV+=ac_cv_member_struct_ssl_method_st_get_cipher_by_char=no
> >  
> >  DB_DIR=/var/tor
> > 
> > ##
> > 
> > --- net/tor/pkg/DESCR.orig  Fri Nov 13 05:16:53 2015
> > +++ net/tor/pkg/DESCR   Fri Nov 13 05:22:06 2015
> > @@ -1,2 +1,6 @@
> >  Tor is a connection-based low-latency anonymous communication system that
> >  protects TCP streams: web browsing, instant messaging, irc, ssh, etc.
> > +
> > +In Tor2webMode Tor connects to hidden services non-anonymously but faster.
> > +It's useful only when running a tor2web Hidden Service web proxy or to 
> > connect
> > +directly to a Hidden Service without the need of client anonymity.
> > 
> > ##
> > 
> > Regards Uwe
> > 
> > -- 
> > 
> 
> 

Re: net/tor - add Flavor

[Michael McConville]

Uwe Werler wrote:
> On Fri, Nov 13, 2015 at 05:37:12PM -0500, Michael McConville wrote:
> > Uwe Werler wrote:
> > > Hello list,
> > > 
> > > I'd like to add a Flavor to tor which allows Tor2webMode:
> > 
> > This seems like a rare enough use-case that it probably isn't worth a
> > flavor. It also runs the risk that people will think "Tor2web" is what
> > they need (plausible, based on the name) and thereby deanonymize
> > themselves.
> 
> Mmh, 1. it's not enabled per default and 2. only connections to hidden
> services are allowed so You can't exit from within the tor network.

Will people be prompted with the choice when they install tor with
pkg_add? That's what I'm concerned about.

Also, bsd.port.mk(5) says of PSEUDO_FLAVORS:

> Its only use should be for disabling part of a multi-packages build

Am I misunderstanding, or should it be replaced with FLAVORS here?

Re: net/tor - add Flavor

[Rafael Sadowski]

On Fri Nov 13, 2015 at 05:59:23PM -0500, Michael McConville wrote:
> Uwe Werler wrote:
> > On Fri, Nov 13, 2015 at 05:37:12PM -0500, Michael McConville wrote:
> > > Uwe Werler wrote:
> > > > Hello list,
> > > > 
> > > > I'd like to add a Flavor to tor which allows Tor2webMode:
> > > 
> > > This seems like a rare enough use-case that it probably isn't worth a
> > > flavor. It also runs the risk that people will think "Tor2web" is what
> > > they need (plausible, based on the name) and thereby deanonymize
> > > themselves.
> > 
> > Mmh, 1. it's not enabled per default and 2. only connections to hidden
> > services are allowed so You can't exit from within the tor network.
> 
> Will people be prompted with the choice when they install tor with
> pkg_add? That's what I'm concerned about.
> 
> Also, bsd.port.mk(5) says of PSEUDO_FLAVORS:
> 
> > Its only use should be for disabling part of a multi-packages build
> 
> Am I misunderstanding, or should it be replaced with FLAVORS here?

I prefer to enable by default:


Index: Makefile
===
RCS file: /cvs/ports/net/tor/Makefile,v
retrieving revision 1.86
diff -u -p -u -p -r1.86 Makefile
--- Makefile20 Jul 2015 19:55:58 -  1.86
+++ Makefile13 Nov 2015 23:04:46 -
@@ -5,23 +5,25 @@ COMMENT=  anonymity service using onion r
 DISTNAME=  tor-0.2.6.10
 CATEGORIES=net
 HOMEPAGE=  https://www.torproject.org/
-REVISION=  1
+REVISION=  2
 
 MAINTAINER=Pascal Stumpf 
 
 # BSD
 PERMIT_PACKAGE_CDROM=  Yes
 
-WANTLIB += c crypto event m pthread ssl z
+WANTLIB+= c crypto event m pthread ssl z
 
 MASTER_SITES=  https://www.torproject.org/dist/
 
 CONFIGURE_STYLE=gnu
-AUTOCONF_VERSION = 2.69
+AUTOCONF_VERSION= 2.69
 # PIE is already taken care of on a per-arch basis, and we have stack 
protection
 # anyway on FRAME_GROWS_DOWN archs.
 CONFIGURE_ARGS=--with-ssl-dir=/usr \
+   --enable-tor2web-mode \
--disable-gcc-hardening
+
 CONFIGURE_ENV+=ac_cv_member_struct_ssl_method_st_get_cipher_by_char=no
 
 DB_DIR=/var/tor
Index: pkg/DESCR
===
RCS file: /cvs/ports/net/tor/pkg/DESCR,v
retrieving revision 1.1.1.1
diff -u -p -u -p -r1.1.1.1 DESCR
--- pkg/DESCR   26 Sep 2004 10:06:29 -  1.1.1.1
+++ pkg/DESCR   13 Nov 2015 23:04:46 -
@@ -1,2 +1,6 @@
 Tor is a connection-based low-latency anonymous communication system that
 protects TCP streams: web browsing, instant messaging, irc, ssh, etc.
+
+In Tor2webMode Tor connects to hidden services non-anonymously but faster.
+It's useful only when running a tor2web Hidden Service web proxy or to connect
+directly to a Hidden Service without the need of client anonymity.

Re: net/tor - add Flavor

[Uwe Werler]

On Fri, Nov 13, 2015 at 05:37:12PM -0500, Michael McConville wrote:
> Uwe Werler wrote:
> > Hello list,
> > 
> > I'd like to add a Flavor to tor which allows Tor2webMode:
> 
> This seems like a rare enough use-case that it probably isn't worth a
> flavor. It also runs the risk that people will think "Tor2web" is what
> they need (plausible, based on the name) and thereby deanonymize
> themselves.

Mmh, 1. it's not enabled per default and 2. only connections to hidden
services are allowed so You can't exit from within the tor network.

> 
> > --- net/tor/Makefile.orig   Fri Nov 13 05:25:33 2015
> > +++ net/tor/MakefileFri Nov 13 04:26:09 2015
> > @@ -12,6 +12,9 @@
> >  # BSD
> >  PERMIT_PACKAGE_CDROM=  Yes
> >  
> > +PSEUDO_FLAVORS = tor2web
> > +FLAVOR ?=
> > +
> >  WANTLIB += c crypto event m pthread ssl z
> >  
> >  MASTER_SITES=  https://www.torproject.org/dist/
> > @@ -22,6 +25,11 @@
> >  # anyway on FRAME_GROWS_DOWN archs.
> >  CONFIGURE_ARGS=--with-ssl-dir=/usr \
> > --disable-gcc-hardening
> > +
> > +.if ${FLAVOR:L:Mtor2web}
> > +CONFIGURE_ARGS += --enable-tor2web-mode
> > +.endif
> > +
> >  CONFIGURE_ENV+=ac_cv_member_struct_ssl_method_st_get_cipher_by_char=no
> >  
> >  DB_DIR=/var/tor
> > 
> > ##
> > 
> > --- net/tor/pkg/DESCR.orig  Fri Nov 13 05:16:53 2015
> > +++ net/tor/pkg/DESCR   Fri Nov 13 05:22:06 2015
> > @@ -1,2 +1,6 @@
> >  Tor is a connection-based low-latency anonymous communication system that
> >  protects TCP streams: web browsing, instant messaging, irc, ssh, etc.
> > +
> > +In Tor2webMode Tor connects to hidden services non-anonymously but faster.
> > +It's useful only when running a tor2web Hidden Service web proxy or to 
> > connect
> > +directly to a Hidden Service without the need of client anonymity.
> > 
> > ##
> > 
> > Regards Uwe
> > 
> > -- 
> > 

-- 

Re: net/tor - add Flavor

[Michael McConville]

Uwe Werler wrote:
> Hello list,
> 
> I'd like to add a Flavor to tor which allows Tor2webMode:

This seems like a rare enough use-case that it probably isn't worth a
flavor. It also runs the risk that people will think "Tor2web" is what
they need (plausible, based on the name) and thereby deanonymize
themselves.

> --- net/tor/Makefile.orig   Fri Nov 13 05:25:33 2015
> +++ net/tor/MakefileFri Nov 13 04:26:09 2015
> @@ -12,6 +12,9 @@
>  # BSD
>  PERMIT_PACKAGE_CDROM=  Yes
>  
> +PSEUDO_FLAVORS = tor2web
> +FLAVOR ?=
> +
>  WANTLIB += c crypto event m pthread ssl z
>  
>  MASTER_SITES=  https://www.torproject.org/dist/
> @@ -22,6 +25,11 @@
>  # anyway on FRAME_GROWS_DOWN archs.
>  CONFIGURE_ARGS=--with-ssl-dir=/usr \
> --disable-gcc-hardening
> +
> +.if ${FLAVOR:L:Mtor2web}
> +CONFIGURE_ARGS += --enable-tor2web-mode
> +.endif
> +
>  CONFIGURE_ENV+=ac_cv_member_struct_ssl_method_st_get_cipher_by_char=no
>  
>  DB_DIR=/var/tor
> 
> ##
> 
> --- net/tor/pkg/DESCR.orig  Fri Nov 13 05:16:53 2015
> +++ net/tor/pkg/DESCR   Fri Nov 13 05:22:06 2015
> @@ -1,2 +1,6 @@
>  Tor is a connection-based low-latency anonymous communication system that
>  protects TCP streams: web browsing, instant messaging, irc, ssh, etc.
> +
> +In Tor2webMode Tor connects to hidden services non-anonymously but faster.
> +It's useful only when running a tor2web Hidden Service web proxy or to 
> connect
> +directly to a Hidden Service without the need of client anonymity.
> 
> ##
> 
> Regards Uwe
> 
> -- 
> 

net/tor - add Flavor

[Uwe Werler]

Hello list,

I'd like to add a Flavor to tor which allows Tor2webMode:

##

--- net/tor/Makefile.orig   Fri Nov 13 05:25:33 2015
+++ net/tor/MakefileFri Nov 13 04:26:09 2015
@@ -12,6 +12,9 @@
 # BSD
 PERMIT_PACKAGE_CDROM=  Yes
 
+PSEUDO_FLAVORS = tor2web
+FLAVOR ?=
+
 WANTLIB += c crypto event m pthread ssl z
 
 MASTER_SITES=  https://www.torproject.org/dist/
@@ -22,6 +25,11 @@
 # anyway on FRAME_GROWS_DOWN archs.
 CONFIGURE_ARGS=--with-ssl-dir=/usr \
--disable-gcc-hardening
+
+.if ${FLAVOR:L:Mtor2web}
+CONFIGURE_ARGS += --enable-tor2web-mode
+.endif
+
 CONFIGURE_ENV+=ac_cv_member_struct_ssl_method_st_get_cipher_by_char=no
 
 DB_DIR=/var/tor

##

--- net/tor/pkg/DESCR.orig  Fri Nov 13 05:16:53 2015
+++ net/tor/pkg/DESCR   Fri Nov 13 05:22:06 2015
@@ -1,2 +1,6 @@
 Tor is a connection-based low-latency anonymous communication system that
 protects TCP streams: web browsing, instant messaging, irc, ssh, etc.
+
+In Tor2webMode Tor connects to hidden services non-anonymously but faster.
+It's useful only when running a tor2web Hidden Service web proxy or to connect
+directly to a Hidden Service without the need of client anonymity.

##

Regards Uwe

-- 

Re: net/tor - add Flavor

[George Rosamond]

Stefan Sperling:
> On Sat, Nov 14, 2015 at 01:05:12AM +0100, Rafael Sadowski wrote:
>> I prefer to enable by default:
> 
> " Using Tor2web trades off security for convenience and usability."
> https://tor2web.org/
> 
> Please don't.
> 

I think there's some confusion on this.

Tor2Web is a tool to run *as a server for others* that allows people not
using Tor (ie, Tor Browser) to access services with the .onion TLD
(which looks like it now is in motion with the IETF).

It's about providing a service, and is a configure option (off) on the
FreeBSD port, so that your Tor server can provide Tor2Web services to
other users.

Yes, the source IP does not gain anonymity, but that's the point of it.
 The destination site, residing on the Tor network, does ostensibly
retain anonymity.  It's for those *without* Tor to access .onion TLDs
through a Tor2Web enabled service.

It is not a broken by default service in its function.  The above-quoted
web site description is deceptive and misses the point completely.

g

Re: net/tor - add Flavor

[Uwe Werler]

On Sat, Nov 14, 2015 at 12:35:32AM +0100, Stefan Sperling wrote:
> On Sat, Nov 14, 2015 at 01:05:12AM +0100, Rafael Sadowski wrote:
> > I prefer to enable by default:
> 
> " Using Tor2web trades off security for convenience and usability."
> https://tor2web.org/
> 
> Please don't.
> 
>From man:

   Tor2webMode 0|1
   When this option is set, Tor connects to hidden services
   non-anonymously. This option also disables client connections to
   non-hidden-service hostnames through Tor. It must only be used when
   running a tor2web Hidden Service web proxy. To enable this option
   the compile time flag --enable-tor2webmode must be specified.
   (Default: 0)

I think it shouldn't be turned on per default - even if it's not enabled per 
default in config.

There are three scenarios therefore this mode is usefull:

1. You want to provide a http proxy which is able to connect to tor HS for 
clients (resolving onion domains).
2. You want to connect a reverse proxy to a HS.
3. You want to inter connect two (or more) machines within the tor network in 
client-server-mode.

Regards Uwe

-- 

Re: net/tor - add Flavor

[Rafael Sadowski]

On Sat Nov 14, 2015 at 12:35:32AM +0100, Stefan Sperling wrote:
> On Sat, Nov 14, 2015 at 01:05:12AM +0100, Rafael Sadowski wrote:
> > I prefer to enable by default:
> 
> " Using Tor2web trades off security for convenience and usability."
> https://tor2web.org/
> 
> Please don't.

We are talking here about the support in our tor port:

 --enable-tor2web-mode   support tor2web non-anonymous mode

But I understand your borne in mind. Maybe a FALVOR is not the worst idea.

Re: net/tor - add Flavor

[Stefan Sperling]

On Sat, Nov 14, 2015 at 01:05:12AM +0100, Rafael Sadowski wrote:
> I prefer to enable by default:

" Using Tor2web trades off security for convenience and usability."
https://tor2web.org/

Please don't.

Re: net/tor - add Flavor

[Stuart Henderson]

On 2015/11/13 17:59, Michael McConville wrote:
> Uwe Werler wrote:
> > On Fri, Nov 13, 2015 at 05:37:12PM -0500, Michael McConville wrote:
> > > Uwe Werler wrote:
> > > > Hello list,
> > > > 
> > > > I'd like to add a Flavor to tor which allows Tor2webMode:
> > > 
> > > This seems like a rare enough use-case that it probably isn't worth a
> > > flavor. It also runs the risk that people will think "Tor2web" is what
> > > they need (plausible, based on the name) and thereby deanonymize
> > > themselves.
> > 
> > Mmh, 1. it's not enabled per default and 2. only connections to hidden
> > services are allowed so You can't exit from within the tor network.
> 
> Will people be prompted with the choice when they install tor with
> pkg_add? That's what I'm concerned about.

If it's done as a FLAVOR, assuming it is actually hooked into the build
(which it should be), then they will be offered a choice.

1. Is this "configure option allows the user to enable the feature", or
is it "configure option turns the feature on"?

2. What do packagers on other OS do?

> Also, bsd.port.mk(5) says of PSEUDO_FLAVORS:
> 
> > Its only use should be for disabling part of a multi-packages build
> 
> Am I misunderstanding, or should it be replaced with FLAVORS here?

It should be a FLAVOR not a PSEUDO_FLAVOR.