[tor-dev] obfsproxy getting scramblesuit password from file in unmanaged mode
Hey all, when running obfsproxy with scramblesuit in unmanaged mode (e.g. to obfuscate non-Tor traffic) the UniformDH password is passed in command line like this: obfsproxy scramblesuit --password=W3ECD5GOYU5AAW4G35GSH5QXIHSRBU2X The problem with this is that the password is visible in the system's process list. Do you think it would make sense to add an argument like --password-file, so as scramblesuit can fetch the password from a file? Any caveats? Although this is not related to the Tor ecosystem, i think it would be useful. Cheers, Alex signature.asc Description: OpenPGP digital signature ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
[tor-dev] Reminder: tor development meetings every Wednesday, 1900UTC
Hi, all! Here's your regular reminder for the weekly IRC meeting for people working on the program tor. (This won't cover all the other programs developed under the Tor umbrella.) The next meeting time will be: Wednesday May 21, 19:00 UTC. (That's 3pm EDT and 12:00 noon PDT.) As usual, we'll do it on the #tor-dev IRC channel, unless the meeting turns out to be too disruptive for the rest of the channel or vice versa. I've seen a drop-off in the number of people coming since I stopped sending these out weekly, so I think now's a fine time to start doing them weekly again. cheers, -- Nick ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Re: [tor-dev] obfsproxy getting scramblesuit password from file in unmanaged mode
On Tue, 20 May 2014 18:25:46 +0300 irregula...@riseup.net wrote: Hey all, when running obfsproxy with scramblesuit in unmanaged mode (e.g. to obfuscate non-Tor traffic) the UniformDH password is passed in command line like this: obfsproxy scramblesuit --password=W3ECD5GOYU5AAW4G35GSH5QXIHSRBU2X The problem with this is that the password is visible in the system's process list. Do you think it would make sense to add an argument like --password-file, so as scramblesuit can fetch the password from a file? Any caveats? Although this is not related to the Tor ecosystem, i think it would be useful. Indeed, we have a bug open for this. https://trac.torproject.org/projects/tor/ticket/8040 I think using `setproctitle` to modify what appears on the system process list may be a better general solution (and it would let us do things like showing `obfsproxy: obfs3,scramblesuit` in the managed use case as well which I think is cute, if not massively useful. As an added bonus it is a general solution that's more futureproof. Regards, -- Yawning Angel signature.asc Description: PGP signature ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
[tor-dev] A Child's Garden of Pluggable Transports
Have you ever wondered what makes the Tor protocol fingerprintable, and makes pluggable transports necessary? Have you wondered how obfs3 obscures byte patterns in Tor? What a flash proxy WebSocket connection actually looks like, and why it defeats IP blocking but not DPI? Then I have the wiki page for you: https://trac.torproject.org/projects/tor/wiki/doc/AChildsGardenOfPluggableTransports It's a visualization of different pluggable transports, meant to be an aid to understanding. At the top is an ordinary Tor handshake, with some fingerprintable data fields highlighted. The following sections, one for each transport, show how those fields are hidden--or not. I tried to demonstrate aspects of different transports that I think are hard to intuit, such as what flash proxy rendezvous looks like, and how transports look under the encrypted layer that is visible to a censor. There are sections for obfs3, ScrambleSuit, FTE, flash proxy, meek, and Bananaphone. The page is missing a few more from https://www.torproject.org/docs/pluggable-transports. If you know how to run any of those transports, and you know an effective way to visualize it, please add it to the page. David Fifield ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
[tor-dev] Question to Java developers: what are good frameworks for Tor's server-side Java applications
Hello devs, I'm seeking advice from people with experience in writing server-side Java applications. Let me give you some background about this request: for the past five years, I have been developing server-side Java applications which all process large amounts of Tor directory data and provide their output via a web interface. Examples: - The metrics data processor (metrics-db) fetches Tor descriptors from the Tor directory authorities, the bridge authority, etc., performs some sanity-checks, and provides descriptors by type as tarballs. We're talking about roughly 7 GiB new bzip2-compressed data per month. - The metrics website (metrics-web) uses the output from the metrics data processor, stuffs everything into a database, computes aggregates, and presents results in graphs and .csv files. - The Onionoo service processes the same data from the metrics data processor, but provides statistics per Tor relay, not for the Tor network as a whole. The processing is done every two hours and may take 30 minutes to 1.5 hours, depending on how overloaded the server is. - The ExoneraTor service, again, uses the same data and puts it in a database to answer whether a certain IP address has been a Tor relay at some point in the past. That's what is done. And here's how it's done under the surface: - There's one or more cronjobs, each of which starts an ant task to process data. Some of these tasks import data into the database, others store results in the file system. - Each application uses a web application deployed in Tomcat to provide results to web users. Most things are written in servlets, some use JSPs. My problem is that this approach is rather fragile and difficult to setup for new volunteers. I'm aware of that, and I'd like to improve it. My question is: what Java frameworks should I be looking at for the applications described above? Bonus points if something is in Debian stable. Note that switch to $some_other_programming_language is not a very useful answer to me, at least not for the larger applications. There's just too much existing code and not enough developer time to port it. Thanks in advance! All the best, Karsten ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Re: [tor-dev] Question to Java developers: what are good frameworks for Tor's server-side Java applications
You could try Spring. It seems to be a common framework for Server Side Java. http://projects.spring.io/spring-framework/ Noah Rahman wrote: Hi Karsten, A lot of people I respect seem to use Dropwizard for this sort of thing. https://dropwizard.github.io/dropwizard/ As for deployment on Debian (dunno if it's in the standard Debian universe) https://groups.google.com/d/msg/dropwizard-user/gv4TDQbcHBc/LGJz0egMNWQJ Hope that helps Best Noah On Tue, May 20, 2014 at 12:54 PM, Karsten Loesing kars...@torproject.org mailto:kars...@torproject.org wrote: Hello devs, I'm seeking advice from people with experience in writing server-side Java applications. Let me give you some background about this request: for the past five years, I have been developing server-side Java applications which all process large amounts of Tor directory data and provide their output via a web interface. Examples: - The metrics data processor (metrics-db) fetches Tor descriptors from the Tor directory authorities, the bridge authority, etc., performs some sanity-checks, and provides descriptors by type as tarballs. We're talking about roughly 7 GiB new bzip2-compressed data per month. - The metrics website (metrics-web) uses the output from the metrics data processor, stuffs everything into a database, computes aggregates, and presents results in graphs and .csv files. - The Onionoo service processes the same data from the metrics data processor, but provides statistics per Tor relay, not for the Tor network as a whole. The processing is done every two hours and may take 30 minutes to 1.5 hours, depending on how overloaded the server is. - The ExoneraTor service, again, uses the same data and puts it in a database to answer whether a certain IP address has been a Tor relay at some point in the past. That's what is done. And here's how it's done under the surface: - There's one or more cronjobs, each of which starts an ant task to process data. Some of these tasks import data into the database, others store results in the file system. - Each application uses a web application deployed in Tomcat to provide results to web users. Most things are written in servlets, some use JSPs. My problem is that this approach is rather fragile and difficult to setup for new volunteers. I'm aware of that, and I'd like to improve it. My question is: what Java frameworks should I be looking at for the applications described above? Bonus points if something is in Debian stable. Note that switch to $some_other_programming_language is not a very useful answer to me, at least not for the larger applications. There's just too much existing code and not enough developer time to port it. Thanks in advance! All the best, Karsten ___ tor-dev mailing list tor-dev@lists.torproject.org mailto:tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
[tor-dev] How to distribute Tor with other software
I just wrote a little program called OnionShare, that makes it simple to share a file securely using a password-protected Tor hidden service: https://github.com/micahflee/onionshare Right now it only runs in Tails. I'd like to make a versin that runs in OSX and Windows, too. How can I make software for OSX and Windows that relies on Tor like this, but without having to bundle Tor with it? I would really like to not be in the business of distributing Tor myself. When you run onionshare.py, it modifies /etc/tor/torrc and reloads the Tor config, and when it's done it restores the original torrc and reloads again. I could require people to open Tor Browser and have it just use the Tor that comes with that, except the fact that it needs to modify torrc makes that complicated. -- Micah Lee signature.asc Description: OpenPGP digital signature ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Re: [tor-dev] How to distribute Tor with other software
Micah Lee mi...@micahflee.com writes: When you run onionshare.py, it modifies /etc/tor/torrc and reloads the Tor config, and when it's done it restores the original torrc and reloads again. You could use one of the controller libraries (stem if you want synchronous, txtorcon if async/Twisted) to do this; they don't have to modify the torrc directly, just manipulate configuration via GETCONF and SETCONF. For Tails, this probably won't work unless you're root until #11291 is fixed + merged. Even better, with some work that David Stainton has been pushing forward in txtorcon [1] for use with Tahoe-LAFS, very soon making whatever stuff happen so you can cause a new hidden service to appear will be one line (serverFromString is a pluggable Twisted endpoint API): d = serverFromString(onion:80).listen(...) or, if you already have keys: d = serverFromString(onion:80:hiddenServiceDir=/foo/bar).listen(...) The stuff will depend, but will be a newly launched tor worst-case or a suitable local tor best-case. I realize this doesn't help you right away ;) but there are APIs to make this pretty straightforward with txtorcon right now; see these lines for an example: https://github.com/meejah/txtorcon/blob/master/examples/launch_tor_with_hiddenservice.py#L64-68 In the above save() will write to a file if you want, or to a currently-connecting running Tor. txtorcon concentrates on configuring running Tor instances; there may be better torrc-manipulation things in Stem but I don't know off the top of my head. (For the other way, David has a pull-request into txsocksx so that things like clientFromString('tor:blarg.onion') will work via SOCKS to 9050 or 9150). [1] -- gruesome details of his latest branch here, and there are some relevant ones in my repository as well: https://github.com/david415/txtorcon/compare/meejah:master...endpoint_parser_plugin-rewrite4 -- meejah ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev