[tor-talk] Tor Browser bookmarks

[Dave Warren]

Hey...

I'm running Tor Browser 10.5.2 on Windows, and I can't edit bookmarks. 
Is this just me or do I have something misconfigured?


If I edit the properties of an existing bookmark the Save button is 
greyed out even after changing the name or location, the Star button in 
the URL bar doesn't respond at all, and dragging the current URL to the 
bookmark bar is ignored.


Worked fine at some point in the past, not sure when it last worked or 
when it broke, I was just trying to update some bookmarks to version 3 
onion services rather than relying on redirects.


--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] trackers in OONI Probe Mobile App / was: NEW RiseupVPN test in OONI Probe Mobile App

[Dave Warren]

I’m not sure I see the point.

If we assume we are building a probe with a client and server component, can 
the client not just connect to the server using a pinned certificate (or 
otherwise validate this connection via any of the well established public key 
mechanisms) and then each side connect to the target, retrieve the certificate, 
calculate the fingerprint and compare?

Of course this also assumes that you get the same fingerprint from everywhere, 
something that is absolutely not guaranteed in the general case, although many 
specific targets will use one certificate universally. 

Admittedly the quoted protocol proposal might have some advantages if you 
(operating the client) don’t trust the server, or want a cryptographic 
guarantee, but at least for the use-cases of OONI Probe Mobile that I see 
(detecting whether my current connection is being censored, relying on a 
centralized platform to provide censorship test data) it seems to be overkill. 



> On Feb 16, 2021, at 04:33, Aymeric Vitte  wrote:
> 
> Resending ccing directly the participants since apparently it's not going to 
> make it to the list

> 
> 
>  Message transféré  
> Sujet :
> Re: [tor-talk] trackers in OONI Probe Mobile App / was: NEW RiseupVPN test in 
> OONI Probe Mobile App
> Date :
> Wed, 10 Feb 2021 17:21:20 +0100
> De :
> Aymeric Vitte 
> Pour :
> tor-talk@lists.torproject.org
> 
> 
> You might consider adding to OONI features the "Interception Detector",
see http://ianonym.peersm.com/intercept.html

This is from 2012 but still actual, the basic principles are that you
are intercepting yourself with the help of a remote server (ie an OONI
node here), by "browser" below we could mean the OONI app

Indeed, one browser page is acting as a server page connected to a
remote server via websockets, once the user enters the domain to check
(for example abcd.google.com) it generates a self-signed TLS certificate
and a link (https://abcd.google.com), clicking on the link opens a
client page in the browser which produces a https request with the
target server name (google.com) that is proxied to the server, then a
TLS handshake is initiated between the browser client page and the
browser server page since the messages are intercepted by the server
that relays messages between both

Then the user can check that the signature/fingerprint of the
certificate in the handshake match the ones indicated on the server
page, if not it means that someone in the path between the browser and
the server did intercept the TLS connection

In fact, we can summarize this today (because browsers do not really
give the possibility any longer to accept self signed certificates) as:
if the browser does not raise a security exception then you are for sure
intercepted

Of course a positive result does not say that you are not intercepted
(because the interceptor might have missed the server name honeypot or
just not be interested by it), that's where OONI network becomes
interesting since you can multiply the tests via various destinations/nodes

This is not a "week-end" project as some "experts" think since it
requires to implement TLS in js inside the browser, some other experts
here might question/destroy the concepts, please do

It would have defeated the logjam attack if deployed at that time

It's not open source for now but can be with some little funding

For the other concerns in this thread you should develop things by
yourself instead of adding dubious third party sw, 1.3 MUSD (at least)
of funding since years should allow this, no?


Le 10/02/2021 à 10:28, Maria Xynou a écrit :
> On 09/02/21 19:39, Dave Warren wrote:
>>> It should give results for middle boxes , DNS/TLS hijacking ...etc
>>> something useful/worth to run OONI for. 
>> These would be great things to consider adding too. 
> Thanks for the feedback (and support!).
>
> Current OONI Probe tests are available here:
> https://github.com/ooni/probe-engine/tree/master/experiment
>
> We are working towards shipping new tests (such as that for measuring
> SNI based filtering) as part of the OONI Probe apps.
>
> Code review and feedback is greatly appreciated, and we also encourage
> community members to contribute their own tests.
>
> For example, the recent RiseupVPN test (shipped in the latest OONI Probe
> mobile release) was contributed by community members.
>
> Cheers,
>
> Maria.
>

-- 
Sophia-Antipolis, France
LinkedIn: https://fr.linkedin.com/in/aymeric-vitte-05855b26
Move your coins by yourself (browser version): https://peersm.com/wallet
Bitcoin transactions made simple: https://github.com/Ayms/bitcoin-transactions
Zcash wallets made simple: https://github.com/Ayms/zcash-wallets
Bitcoin wallets made simple: https://github.com/Ayms/bitcoin-wallets
Get the torrent dynamic blocklist: h

Re: [tor-talk] trackers in OONI Probe Mobile App / was: NEW RiseupVPN test in OONI Probe Mobile App

[Dave Warren]

On 2021-02-06 01:11, bo0od wrote:
Actually OONI tests is absolute useless to find anything bad, All the 
tests being done can be known trivially by using the internet e.g:


- check for websites blockage
- check for Tor blockage
- check for Internet speed
..etc

Which one of that need magic/effort to be known? child using the 
internet in that area can give you all the results without the need to 
run this OONI app


The app gives me a one-click "Is this network censored, and what sort of 
censorship might apply" without manually maintaining such a list myself, 
and inspecting each site manually.


For my own part, I'm a lot more comfortable explaining why I am using a 
censorship diagnostics tool than I am opening offensive sites in a 
public location.


And while we're on the topic, you might well want to spend your time 
checking 25-1463 of the sites on the global list manually, and if this 
is how you spend your free time, all power to you! I would rather a tool 
do the work and give me a summary report which I can inspect.


And if you do go through this process manually, regularly, on different 
networks, I trust you collect the results and tabulate the results in a 
meaningful and collaborative way to provide public information on 
censorship across a wide range of networks and countries?


I have no affiliation with the app developers, except as a satisfied 
user who does find value in the current app.


Could there be more functionality added? Sure!

It should give results for middle boxes , DNS/TLS hijacking ...etc something useful/worth to run OONI for. 


These would be great things to consider adding too.
--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Private Exits

[Dave Warren]

On Sun, Jun 28, 2020, at 23:49, mpan wrote:
> > The Tor network with Private Exits:
> > Alice uses Tor Browser to connect to myexit.onion.
> > Tor Browser connects to a guard note, then a middle node, then to
> > myexit.onion. myexit.onion provides a portal to the internet via a web
> > interface similar to a VNC session. myexit.onion is not recognized as a
> > Tor exit node and Alice can then go to mywebsite.com without any extra
> > harassment. […]
>  (If I understand that correctly)
> 
> 
>  If the “private exit node” belongs to Alice, then it is no longer
> anonymizing her. 

Correct. This is not the only reason to use tor.


> It’s no different than Alice running a VPN service for
> herself, except it’s very convolutd and wastes resources on hopping
> through Tor for no gain. Similar story with multi-user tor relay from
> some company: the user are not anonymous to the provider, so any
> anonymization layer between them and the final relay is useless.

There actually are some benefits. And of course, some costs/risks.

If I subscribe to a commercial VPN what are the odds that any other customer of 
that same VPN are using the same last-mile connectivity/wifi as myself? The 
situation gets worse if I connect to my corporate VPN service, or run my own 
VPN endpoint.

Unless there are any other users of the same VPN service, I can be tracked as I 
move between networks, even if I randomize my MAC address or use burner 
hardware.

Even if there are other users of that same VPN server, are they configured 
identically? Does the VPN protocol exchange credentials or certificates 
securely? Is there any other uniqueness in the initial VPN handshake? Has the 
VPN service modified their defaults over time, meaning that the date I 
downloaded my configuration file from the provider dictates my settings 
providing a further fingerprint? Is my VPN client version unique?

By routing the first hop through tor, I am not consistently connecting to one 
single endpoint, and I blend into the background with other tor users.


>  This idea is also usable right now without any changes to Tor. Alice
> may setup her own proxy and connect to it through Tor. But it offers no
> protection. 

If it were me, I think I would set up a tor hidden service and run a proxy on 
the .onion to complete the final connection to the internet, either as a proxy 
or a VPN endpoint.

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] "Tor Circuit" list in TBB displaying incorrect exit node and IP address

[Dave Warren]

On Sun, Dec 23, 2018, at 14:05, Roger Dingledine wrote:
> Assuming the difference is "cloudflare vs not cloudflare", check out
> https://trac.torproject.org/27590


One of the comments on this bug is severely wrong: 

"Why the hell doesn't it inform about using plain text .onion connections on 
https sites?!!! (No questions for https .onion alternate routes.) Example of cf 
alt-svc: cflarexljc3rw355ysrkrzwapozws6nre6xsy3n4yrj7taye3uiby3ad.onion:443 
(plain text (http)!!!)"

This is not correct, alt-svc over port 443 not only uses https, but it uses the 
certificate of the original site (not the cflarex...onion) address displayed, 
ensuring that the alt-svc is valid and able to serve traffic for the original 
site's URL using a valid certificate.

I can't be arsed to register just to post one comment and correcting people who 
are severely confused about Cloudflare (and/or alt-svc) would easily be more 
than a single full time job, but it might be worth noting in this case to 
reduce confusion.

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Why do you use Tor?

[Dave Warren]

On 2018-12-10 10:05, Nathaniel Suchy wrote:

Hi,

I'm curious to learn the reasons that various people on the lists, for those 
who are comfortable sharing, why they use Tor. I'm also curious as to whether 
users on this list only use Tor or if there are times they use a normal browser 
(if so what tasks).


For my own part, I use tor when I want to access a .onion site, as a 
"even more private" browser, but also just to access my own 
sites/services from outside my network.


Sometimes I use it for no particular reason at all, under the theory 
that more legitimate traffic helps those who are using tor for 
legitimate (non-malicious) reasons where their safety and security is a 
factor.

--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] alt-svc supported by TBB

[Dave Warren]

On 2018-09-18 21:17, TNT BOM BOM wrote:

thats nice, but doesnt look akward that the company who blocked Tor and
had that arguements (back then) , went all of a sudden to help Tor? do i
expect the holy ghost democraciz their brains and get the demon of
blocking free internet out from them? i dunno but its for sure
suspecious. but on the same time if they really want to help Tor users
then thats a good sign. (ofcourse that doesnt mean cloudflare dns safe ,
nor im supporting to register any website in their services. just saying
its a good step if they are as they are saying).


I don't really think Cloudflare was ever intentionally actively hostile 
to Tor users, but rather it was an unintended consequence of how they 
attempted to separate legitimate vs malicious traffic. The reality is 
that Tor exits emit both legitimate and malicious traffic, and TBB users 
are (by design) indistinguishable from each other by typical browser 
fingerprinting techniques, so Cloudflare had no obvious way to separate 
malicious vs legitimate requests.


For some time Cloudflare has made it easy for site operators to 
whitelist Tor exits (noting that this means site operators absorb the 
abuse rather than Cloudflare blocking it, and also noting that only a 
tiny fraction of site operations actually do this), they also put effort 
into Privacy Pass (a way to reduce the negative impact without giving up 
privacy).


Could they have done more, better, or sooner? Maybe. But alt-svc wasn't 
supported by TBB until 8.0, and Cloudflare was quick to take advantage 
of it for the benefit of Tor users, that's worth noting.


More importantly though, even if your belief is that Cloudflare was 
previously actively hostile toward Tor, isn't a corporation changing 
their stance a good thing? Isn't a pivot toward being accepting of users 
who want more privacy than usual a good thing for both regular users and 
Tor users?

--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] alt-svc supported by TBB

[Dave Warren]

On 2018-09-18 14:33, Dave Warren wrote:

On 2018-09-18 13:33, nusenu wrote:



Dave Warren:

Can anyone confirm if the current release of TBB supports alt-svc?

I'm testing the Cloudflare alt-svc .onion beta project and I do see
the alt-svc header, but I'm trying to determine whether TBB is
actually using it or not. It seems like not, given that the website
can see a tor exit IP in the Cloudflare headers (I wouldn't expect
this since subsequent requests should be delivered over a .onion
address).




TorBrowser is supposed to support alt-svc since version 8 but
we have had mixed results when testing it
https://twitter.com/arthuredelstein/status/1037559553380966400


Using the test page at https://perfectoid.space/test.php I get either 
red or yellow exclusively, no amount of refreshing and/or changing 
circuits seems to get green which confirms my own testing on a site I 
operate that is participating in the beta.


I've been monkeying around a bit, and I can sometimes get this to work, 
but very infrequently. It feels like if I open a tunnel to each of their 
.onion addresses first then it increases the odds although I'm not sure 
if this makes sense since a new hostname (the test site vs their .onion 
addresses) should result in a new tunnel anyway.


And maybe this is just a limitation of the test site (although I don't 
think so), but it seems that Cloudflare fails to notice many IPv6 exits, 
whereas IPv4 exits usually get the country "T1" (meaning Cloudflare 
knows this is a Tor exit and adds the Alt-Svc header).


Unfortunately the reliability doesn't seem to be here enough to try and 
achieve Cloudflare's stated goals, but hopefully this is just an early 
attempt and not the end of the road. On the flip side, maybe it is 
working a little more than it appears since I'm not seeing CAPTCHAs when 
using TBB 8, but I am from a second machine running TBB 7.


One final note: Are there any other Cloudflare users on the Free or Pro 
plans? If so, could you go check if Onion Routing was enabled for you? 
Their blog says it is enabled by default, but it is disabled on two of 
my three sites -- Maybe this is due to being part of the beta though, I 
did manually enable it on that third site and maybe that precluded it 
from being enabled on my other two?

--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] alt-svc supported by TBB

[Dave Warren]

On 2018-09-18 13:33, nusenu wrote:



Dave Warren:

Can anyone confirm if the current release of TBB supports alt-svc?

I'm testing the Cloudflare alt-svc .onion beta project and I do see
the alt-svc header, but I'm trying to determine whether TBB is
actually using it or not. It seems like not, given that the website
can see a tor exit IP in the Cloudflare headers (I wouldn't expect
this since subsequent requests should be delivered over a .onion
address).




TorBrowser is supposed to support alt-svc since version 8 but
we have had mixed results when testing it
https://twitter.com/arthuredelstein/status/1037559553380966400


Using the test page at https://perfectoid.space/test.php I get either 
red or yellow exclusively, no amount of refreshing and/or changing 
circuits seems to get green which confirms my own testing on a site I 
operate that is participating in the beta.



--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] alt-svc supported by TBB

[Dave Warren]

On 2018-09-18 13:59, TNT BOM BOM wrote:

whythe hell would anyone use anything from Cloudflare with Tor???


Primarily to reduce the load on exits, but Cloudflare putting resources 
into being more usable (and less annoying) for Tor users can only be a 
good thing for those who use Tor to access the internet.


--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

[tor-talk] alt-svc supported by TBB

[Dave Warren]

Can anyone confirm if the current release of TBB supports alt-svc?

I'm testing the Cloudflare alt-svc .onion beta project and I do see the 
alt-svc header, but I'm trying to determine whether TBB is actually 
using it or not. It seems like not, given that the website can see a tor 
exit IP in the Cloudflare headers (I wouldn't expect this since 
subsequent requests should be delivered over a .onion address).


--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] How do tor users get past the recapacha and it's super short 2min exemption

[Dave Warren]

On 2018-07-17 17:30, grarpamp wrote:

On Mon, Jul 16, 2018 at 3:08 PM, Dave Warren  wrote:

The whole point of tor is that you are anonymous just like everybody else.

Privacy Pass attempts to allow you to bypass CAPTCHAs by providing you with 
tokens that anonymously prove you have solved CAPTCHAs recently.
https://support.cloudflare.com/hc/en-us/articles/115001992652-Privacy-Pass


Presumably those tokens get passed to all participating sites,
so all your sessions across them all are easily linkable
by cloudflare, the sites, their backend databrokers, etc.
"Privacy Pass"... lol.


Interestingly no, you cannot be tracked across sites. They put a lot of 
effort into this aspect of the design specifically to ensure that the 
signing happens only against the blinded version of passes so when the 
passes are redeemed they can be verified as valid, but not linked to the 
original generator of the passes.


If you're interested in how this works, they have an overview and links 
to the actual papers and protocol: https://privacypass.github.io/ -- You 
don't need to take my or their word for it, the cryptography is public 
and you can write your own implementation if you desire or review the 
source for their extensions should you have the appropriate skill sets 
(I do not).




they do make it easy for site operators to approve tor
traffic in a more general way (by treating tor as a separate country in
their whitelisting system).


So what are the default settings provided to new cloudflare /
recaptcha subscribers?


There are no default settings at the individual customer or site level 
to handle tor exit IP addresses differently than any other IP address.


If you can think of a way to differentiate good traffic vs abusive 
traffic without JavaScript (to verify that the connection is from a 
human driven browser) and/or cookies (to identify one user from another) 
and/or a extension such as privacy pass I would encourage you to write a 
paper and publish it.

--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] How do tor users get past the recapacha and it's super short 2min exemption

[Dave Warren]

> On Jul. 14, 2018, at 09:39, David Niklas  wrote:
> 
> On Wed, 11 Jul 2018 18:50:48 -0700
> Dave Warren  wrote:
>> However there is a larger than average amount of abuse from tor exits,
>> and this abuse returns intermittently the longer an exit has been
>> around so their automation does learn to treat tor IPs with suspicion.
>> It also means using non-standard browsers (Such as an iOS project) are
>> more likely to fail the "Is this a browser" test resulting in a full
>> CAPTCHA.
> 
> Perhaps you could tell them (or tell me how to tell them), that I am
> legit. I get the full Captcha every time.

The whole point of tor is that you are anonymous just like everybody else.

Privacy Pass attempts to allow you to bypass CAPTCHAs by providing you with 
tokens that anonymously prove you have solved CAPTCHAs recently. 
https://support.cloudflare.com/hc/en-us/articles/115001992652-Privacy-Pass


> They *really* need to increase the timeout.

I have to say, I don’t see this myself on a regular basis. Perhaps you are not 
keeping cookies such that they can identify the you that passed a CAPTCHA is 
the same you that is browsing now? Without cookies or other local storage being 
available, every request is new/unique from Cloudflare’s perspective and 
therefore they don’t know that you passed a challenge.

It could also be that site owners have set the timeout very low, I can go as 
low as 5 minutes on the free tier. I believe the default is a week although I’m 
not certain. I set mine to much longer (but I also whitelist Tor across the 
board). This is something website operators can control:

https://support.cloudflare.com/hc/en-us/articles/200170136-What-will-changing-the-Challenge-Passage-TTL-do-


> 
>> To their credit, they do make it easy for site operators to approve tor
>> traffic in a more general way (by treating tor as a separate country in
>> their whitelisting system). 
> 
> That is useful, is there an instruction that I can point authors to?
> 

https://support.cloudflare.com/hc/en-us/articles/203306930-Does-CloudFlare-block-Tor-


-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] How do tor users get past the recapacha and it's super short 2min exemption

[Dave Warren]

On Wed, Jul 11, 2018, at 09:32, Lara wrote:
> On Wed, 11 Jul 2018, at 16:01, Nathaniel Suchy wrote:
> > I hate Cloudflare and what they’re doing to Tor users.
> 
> Luckily Cloudflare, Google, Facebook do not hate you or the other Tor 
> Users. Talking about being unfair.

Several Cloudflare staff members have commented that they do support tor and 
have taken steps to enable tor users to have better experiences than would 
naturally happen as a result of their automated abuse prevention systems were 
left to score tor users based entirely on behaviour alone. One such example is 
that their "Is this a browser or a bot?" JavaScript takes the tor browser 
bundle's behaviour into account and doesn't penalize the browser for lacking 
any features which are normally disabled.

However there is a larger than average amount of abuse from tor exits, and this 
abuse returns intermittently the longer an exit has been around so their 
automation does learn to treat tor IPs with suspicion. It also means using 
non-standard browsers (Such as an iOS project) are more likely to fail the "Is 
this a browser" test resulting in a full CAPTCHA.

To their credit, they do make it easy for site operators to approve tor traffic 
in a more general way (by treating tor as a separate country in their 
whitelisting system). 

I'm not suggesting that Cloudflare couldn't do more/better, but they could also 
outright blacklist tor trivially or intentionally make the experience much more 
negative, but based on their statements they have made minor changes to try and 
improve the user experience without causing their customers grief. And based on 
their results (the Onion browser on iOS suddenly went from a "always blocked" 
to "Only occasionally blocked" shortly after I bought up the topic and provided 
them with a link to it). 

It is an imperfect world. This is part of why I use TBB for random legitimate 
things, specifically to increase the amount of "This is just a regular 'ol 
user, doing regular 'ol normal web things on Tor".



-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] CloudFlare captchas disappeared?

[Dave Warren]

That might be part of it, but I just fired up a fresh Tor browser, 
opened half a dozen sites that used to always require a CAPTCHA and none 
did. I haven't used Tor in a couple weeks, so I'm not really sure when 
this started.


But they did discuss trying to reduce the impact some months ago, and a 
few weeks ago there was a regression which they were working on 
addressing. It seems that they actually have improved the situation.



On 2018-03-08 10:38, Watson Ladd wrote:

Blinded tokens finally shipped. As a result they can remember that you
solved the captcha.

On Thu, Mar 8, 2018 at 5:15 AM,   wrote:

Recently I've realized that I'm not seeing the CloudFlare capchas anymore in
TBB, or seeing them far less often.

Is it just me, or they have really changed something about their captchas?
--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk






--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] does that cat clip play for you in TorBrowser?

[Dave Warren]

On 2018-02-09 10:24, nusenu wrote:


https://twitter.com/torproject/status/961964200477233152

According to Steph it plays in TorBrowser, does it play for you as well?


It does play here.


--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] some websites are blocking me now

[Dave Warren]

On 2018-01-08 16:29, Roger Dingledine wrote:

On Mon, Jan 08, 2018 at 03:25:09PM -0800, jbclem wrote:

Since I started using Tor browser I can't reach certain websites.  www.craigslist.org is 
a good example.  I get an error message that "this ip has been automatically 
blocked".

I wonder if using Tor is causing this, or if I've been assigned an ip address 
that is unacceptable to these websites?  And how can I get Tor to change the ip 
address so I can test with a different one...any thoughts on this problem?


Check out this blog post for a good start to the issue:

https://blog.torproject.org/call-arms-helping-internet-services-accept-anonymous-users

Craigslist's business model is basically to have a proprietary data set
that its users can interact with but that its competitors can't get. So
they're stuck being scared of the Internet and blocking connections from
anyplace that yelp, tripadvisor, etc might use to fetch their secrets.


I don't think that that is why Craigslist blocks Tor, rather, I think 
it's more about geo-locating IPs to help negate a wide range of scams 
which don't require a local presence, and also, to make it easier to 
detect and track abuse when it does happen.


Craigslist relies heavily on a shadow-ban system, such that when you 
violate rules and get flagged, your future posts may appear to succeed 
without ever being published publicly (they show up to you, and possibly 
other shadow-banned users). This system relies upon being able to 
identify users and for better or for worse, blocking Tor, proxies, and 
similar increases the difficulty of signing up multiple accounts in an 
attempt to keep them unique.


While Craigslist does take steps to avoid being scraped, I believe 
blocking Tor is more about scam and spam prevention. I could be wrong.




As for getting Tor to switch circuits, Tor Browser has a "New Tor
Circuit for this Site" option (click the little green onion). But
for sites like Craiglist, moving to a new circuit will rarely help.


Indeed, switching circuits won't make any difference at all when 
accessing a service designed to restrict/block Tor.


--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Motivations for certificate issues for onion services

[Dave Warren]

On 2017-08-09 16:53, Seth David Schoen wrote:


Notably, it doesn't apply to certificate authorities that only issue DV 
certificates, because nobody at the time found a consensus about how to 
validate control over these domain names.


I don't completely understand this, since outside the Tor world it's 
possible to acquire DV certificates using verification performed on 
unencrypted (HTTP) channels.


Wouldn't the same be possible for a .onion, simply requiring that the 
verification service act as a Tor client? This would be at least as 
good, given that Tor adds a bit of encryption.


--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor E-mail gateway - how to transfer messages from the Tor Network ?

[Dave Warren]

On Thu, Jul 27, 2017, at 22:36, Random User wrote:
> > On 07/24/2017 11:07 PM, Random User wrote:
> 
> > > My impression was that all of the major free email providers required a
> > > valid phone number in order to sign-up. I would find it quite
> > > interesting if Yandex does not.
> 
> On Tue, Jul 25, 2017, at 07:35 PM, Mirimir wrote:
>  
> > Neither VFEmail.net nor Cock.li require phone numbers.
> 
> Thanks, I appreciate that info. and I'm sure that it can be useful to
> others as well.
> 
> I think you would agree, though, that as much as those two email
> providers may have to offer in their own right, neither could be
> considered "major".  One consideration, I believe, with lesser-known
> email providers is that mail sent from them and/or mail from addresses
> with their domain are more likely than mail sent from one of the "Big
> Guys" to get  caught in spam filters.

Would you consider Outlook.com to be a major provider? It was possible,
at least as of a year ago, to set up an Outlook.com account without a
phone number. You could not forward or enable certain other features
until you validated a phone number, but each of the phone number
requests could be skipped or ignored.

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] A Pluggable Transport based on i2p?

[Dave Warren]

On Thu, Mar 16, 2017, at 17:19, Kevin wrote:
> I disagree.  In today's climate, speed matters.

Maybe for some use cases. If you're having a real time text
conversation, you need as many B/s as you can type (most likely 1-2
digits) and a multiple second latency is fine. 

I first connected out to the world from my computer on a 2400bps modem
and got along just fine and had an absolutely amazing time. 33.6K was a
godsend and was more than functional for small documents. It doesn't fit
all modern use cases of the internet, but there are many things that are
more than sufficient on a very minimal connection.


-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Question about less frequently used function of Tor Browser

[Dave Warren]

> ？ I think no one will use "Sign in to Sync" in Tor Browser, and it
> doesn't work because most of use have adjusted security settings and
> don't want to enable JavaScript.

Personally, I would use Sync if it worked. I also use bookmarks. 

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor and Google error / CAPTCHAs.

[Dave Warren]

On 2017-02-09 23:40, grarpamp wrote:

On Wed, Oct 5, 2016 at 8:11 AM, Alec Muffett  wrote:

a) I like the idea of Google giving you "one free search" and from that
trying to determine whether you are an "asshole" after which it lightens up
with the oppression

That's fine, if implemented well, because the 'one free' is the
same as 'account creation', everyone gets a chance, then
there's other metrics applied after you're in to continually
evaluate further addition / subtraction of oppression.


I like the idea in theory, but in practice in the case of Tor where all 
users are intentionally identical and any user can become a new user any 
time, the difference between "one free" and "all free" is clicking the 
"new identity" button (or more likely, just dumping cookies).


From an abuse handling standpoint, it becomes nearly impossible to 
identify whether user is on their first "free" shot or not. Worse, this 
is a feature, not a bug.


The only real fix is to apply a cost to making the first-free, be it an 
account creation/login, captcha, or similar, which I think takes us full 
circle and defeats the point?




--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] TAILS people

[Dave Warren]

On Tue, Jan 24, 2017, at 16:00, I wrote:
> 
> > Probably because you don't want the release candidate.
> 
> > --Roger
> 
> Isn't the idea to seed the prospective version for testing, hence the
> button to get it?
> The button leads to the dud link.

Right now there isn't a prospective version, said version has been
released.

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Cameras

[Dave Warren]

On Wed, Nov 23, 2016, at 22:41, Jon Tullett wrote:
> On 22 November 2016 at 10:55, Ben Tasker  wrote:
> > The problem with blocking the camera in software is that it can then be
> > unblocked in software (and still potentially without your permission).
> 
> And not just
> cameras...https://www.wired.com/2016/11/great-now-even-headphones-can-spy/
> 
> Software control is always risky. I dislike laptops without hardware
> switches for wireless adapters for much the same reason.

I'm amazed that this is considered news, this has seemed perfectly
obvious since ports started being able to handle connections from
multiple types of devices. But hey, I guess good for the rest of the
world for figuring basics out?

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Quote Line Prefixes in Linux Text Editors

[Dave Warren]

It might be a bit more complicated than that, as that approach won't
wrap properly and may generate the Outlook Express-like situation where
quoted lines wrap before 80 characters, resulting in alternating lines
being quoted and having a single unquoted word. 

Unfortunately wrapping while maintaining quoting is really more of a
science itself, and you probably won't get format=flowed right when
doing it outside your client anyway, so it's always going to look a
little janky.

On the other hand, maybe that's better than risking unencrypted text
leaking, it depends on your situation :)

On Sat, Oct 15, 2016, at 20:30, ban...@openmailbox.org wrote:
> Found answer for my own question:
> 
> sed 's/^/> /' original > reply
> -- 
> tor-talk mailing list - tor-talk@lists.torproject.org
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] getting Tor to be default browser

[Dave Warren]

On Sun, Sep 4, 2016, at 23:51, No Spam wrote:
> On 16-09-04 14:50:23, Dave Warren wrote:
> > <...>
> If this is the Setting, I THINK Whonix has their VM build with TBB as
> Standard Browser

Probably, but in my (limited) experience, it's either painfully slow or
a memory hog, or both. The overhead for a Windows 10 VM is surprisingly
small, and it's snappy and responsive.

Attacks to identify me and/or correlate my physical location or "real"
identity vs my tor identity aren't a threat model that worry me in my
circumstances, so this configuration is Good Enough for my purposes.

> > I also feel that adding legitimate traffic to Tor is a net positive to
> > the network (since capacity is not currently an issue), if only to
> > prevent the perception that all of Tor is evil bad people doing evil bad
> > things.
> Yes but the biggest Problem are Malicious Gateways that may try to
> steal Credentials or put Malware in you Downloads

This is why god invented HTTPS and HTTPS Everywhere. I wish TBB didn't
block 1Password (although I understand why it does), as this would
reduce my exposure to various types of attacks. Also, I trust random Tor
nodes more than random wifi hotspots in tourist/traveler locations
(airports in particular, where you have gov't actors, the airport itself
and other users).

> IMHO the best way to legitimate the Tor network would be to provide and
> use HS ( which are much less prone to the previous mentioned Problem
> AFAIK ).

Having trivial access to hidden services is great too. Facebook is a
prime example, I have no practical need as I'm using my real identity,
not hiding anything, Facebook forces HTTPS (and I believe, pins their
certificates in HSTS lists?), and I discuss my approximate physical
location with people on Facebook. But it's likely harder to attack the
hidden service than the public HTTPS site, plus staying within the tor
network has benefits.

But, I want the output from Tor exit nodes to show more legitimate
traffic, so even for non-HS traffic, I feel that adding legitimate
traffic is a net good idea until/unless the tor network becomes
over-saturated or my traffic otherwise impedes a user with actual safety
or security needs. I would always yield to those users, as I am lucky
and privileged enough to not be one.I understand why the Cloudflares of
the world see a lot of abuse coming from tor, but I want to them to see
a lot of legitimate user traffic as well.


-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] getting Tor to be default browser

[Dave Warren]

On Sun, Sep 4, 2016, at 13:38, No Spam wrote:
> Hi,
> 
> As far as i know this would be a bad idea, but i can't exactly cite the
> reasons from my head;

While there may be cases where it's a bad idea, I'd prefer that Tor warn
me and let me shoot myself in the foot -- I run TBB in a VM, so the
attack surface is minimal, and I have no particular need for anonymity,
rather, I just want privacy when I'm on someone else's last-mile, so for
me, many of the risks that Tor helps to prevent aren't relevant.

I also feel that adding legitimate traffic to Tor is a net positive to
the network (since capacity is not currently an issue), if only to
prevent the perception that all of Tor is evil bad people doing evil bad
things.


-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] My absence from the mailing lists...

[Dave Warren]

On Fri, Aug 26, 2016, at 04:25, carlo von lynX wrote:
> On Thu, Aug 25, 2016 at 03:16:12PM -0400, Nathaniel Suchy wrote:
> > address with a matching GPG key instead. I am still active on Tor's
> > IRC Channels under the username "deatives" and will continue to do
> 
> I still don't understand why you guys hang out on a public surveilled
> IRC network where each line you type goes straight into XKEYSCORE.

Is it any different than participating in a public surveilled mailing
list?

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] sadly have to shut down my tor relay after less then 24 hours

[Dave Warren]

That is not a DMCA complaint, a complaint under the DMCA is required to
be specific, and reports are made under oath and penalty of perjury that
the complainer owns the copyright for the item in question.

However, your host may not be passing on all the details to you, that's
a matter of discussion between yourself and your host.

On Tue, Aug 23, 2016, at 11:12 AM, Sarah Alawami wrote:
> No, the DMCA was not specific. That's all they told me was that copyright
> material were going through the vps and  I was breaking the TOS.
> > On Aug 22, 2016, at 5:19 PM, Mike Perry  wrote:
> > 
> > Sarah Alawami:
> >> Hello to all. Sadly I have to shut down my tor relay after less then 24 
> >> hours, as I received a copyright violation and I don't want any network 
> >> restrictions  placed on me as I want the 150mbps speed.
> >> 
> >> Sorry to all who were using it, but yeah there it is.
> > 
> > Was this a DMCA takedown related to bittorrent traffic? When I ran an
> > exit, I had a lot of luck with this policy:
> > https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy
> > 
> > Basically restricting yourself to core internet services reduces the
> > chances that bittorrent clients choose a port from the policy. With a
> > 1Gbit exit and that policy, I went from 60 DMCA notices a day down to 0
> > over the life of the exit (about 3 years).
> > 
> > Unless something new is happening? Did the complaint(s) give specifics
> > about the location and type of infringing content that was accessed?
> > 
> > More services are always better. I've been thinking about making that
> > policy into a torrc option, so it would be useful to know if the
> > situation has changed.
> > 
> > -- 
> > Mike Perry
> > -- 
> > tor-talk mailing list - tor-talk@lists.torproject.org
> > To unsubscribe or change other settings go to
> > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
> 
> -- 
> tor-talk mailing list - tor-talk@lists.torproject.org
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] List messages marked as spam by gmail

[Dave Warren]

On Mon, Aug 22, 2016, at 11:09 AM, David Balažic wrote:
> Hi!
> 
> Lately (like last 10 days) I see many messages (more than usual) on
> the list marked as spam by gmail (using the gmail.com web interface).
> 
> The reason given is most often:
>  - (this message) It has a from address in foo.com but has failed
> foo.com's required tests for authentication.
>  - It's similar to messages that have been detected by our spam filters.
> 
> Is it just "a nothing" or is something going on?

I'd guess just a "blip", but Google relies heavily on user behaviour to
train their filters, so marking as "Not Spam" is usually productive. You
can also write filters to avoid having listmail ever delivered as spam
(and automatically labeled or whatever else).

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Making TBB undetectable!

[Dave Warren]

No, you can't just patch in a hardcoded window and screen size unless it 
reflects the actual viewport size.


JavaScript is often used to position elements using relatively absolute 
positioning based on the viewport that it understands is correct, this 
will fail if the viewport vs reported size isn't accurate. More 
importantly, it won't even work, JavaScript can detect where wrapping 
happens, and some creative 1 pixel tall transparent images could detect 
the actual horizontal width by using varying widths.



On 2015-09-26 08:45, aka wrote:

Can't TBB devs just patch in a hardcoded 1366x768 window and screen size
in the javascript handler?

Also, if you want true undetectability you need to install a Tor
instance and your OS for TBB in seperate VMs and setup the Tor VM to be
a transparent router for your OS, so even if java/flash/exploit is
executed, it doesn't leak your real IP, since even your OS in the VM is
forced through Tor.
The FBI used an old firefox exploit to execute native code and did plain
IP requests to uncover users. In that configuration they would need an
additional VM escape exploit, which raises the cost exponentially.

behnaz Shirazi wrote:

In many different cases TBB users have to be undetectable (bypassing
flags, escaping from deep investigations, confusing malicious iframes
etc etc) when traffic flows through custom Tor exite nodes or even
when traffic flows directly just for the privacy TBB offers at client
side compared to plain Firefox.


TBB have a distinguishable User-Agent and screen size that can be
easily changed to something more common but it also have other
fingerprints that are hard to change, such as timezone=0 or
navigator.plugins=none or some dialogs [1] [2]. And TBB have even more
fingerprints that we are not aware of yet


Can someone please teach Tor users how to modify the source code and
compile a custom build or create browser Add-ons that subvert these
detection methods? There must be an option for those who urgently
(...) need undetectability and it doesn't require much effort to make
that happen.


[1]: https://www.browserleaks.com/canvas
[2]: https://www.browserleaks.com/firefox




--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor Browser does not recommend the default window size anymore?

[Dave Warren]

On 2015-09-17 13:47, Joe Btfsplk wrote:

On 9/17/2015 12:12 AM, Dave Warren wrote:
You're not wrong, but at the same time, annoying experienced users 
who understand (and don't care about) the consequences isn't 
necessarily useful either. 

I don't have the answer.
Just thinking out loud.  e.g.,  when less experienced users don't 
understand a warning.


Guessing if users haven't read how making certain changes to TBB can 
make them stand out, they may think that message doesn't apply to them. 


This is true, but conversely, popup/warning fatigue is a very real 
thing, and every popup you throw in front of a user decreases the 
attention that they'll give to the subsequent one.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] IBM says Block Tor

[Dave Warren]

On 2015-08-30 11:24, Martijn Grooten wrote:

On Sun, Aug 30, 2015 at 05:01:53PM +0200, Andreas Krey wrote:

On Sun, 30 Aug 2015 11:01:42 +, Martijn Grooten wrote:
...

 But a company that blocks Tor because, as IBM puts it, a lot of
 malicious actors use Tor is making a sensible security decision.


But that is not a reason to block torproject.org or even to
forbid using the tor browser. It would be a reason to block
exits on the corporate web servers. And these get pretty
conflated in that article.

Ouch. I stand corrected. I had missed that bit - I had only skimmed
through the paper last week - and it does explicitly say that the Tor
Project website should be blocked. It even suggests disciplinary
action should be taken if people try to access the site. Wow.


Sure, but this is probably just a case of using too blunt an instrument; 
they likely just classified Tor (all of it, including websites) as an 
unacceptable product.


Expecting mid-level management to understand the finer points of what 
Tor is, how it works, or the difference between the website and the 
service and the protocol isn't realistic in a world where usually the 
concept of a site, service and protocol are all one and the same.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] 1PassWord Firefox extension

[Dave Warren]

On 2015-08-28 13:55, Graham  Heather Harrison passed on what 1Password 
support wrote:



As with most proxy/firewall software that customers add to their computers to 
increase security, we can tell them to add an exception to the whitelist for 
localhost (127.0.0.1), but in the case of Tor, I just don't know enough about the 
internals of how it goes about blocking things it deems potentially harmful to know 
whether adding an exception for 127.0.0.1 would be considered voiding the protection 
offered by Tor. The Tor proxy itself is contained on 127.0.0.1, port 9051, so 
bypassing for localhost might inadvertently induce a whole host of other, 
non-1Password applications/utilities/helper programs to pass information outside of 
the Tor channels, potentially exposing your real IP address. I just don't know. In my 
own testing just now, i can confirm that adding 127.0.0.1 to Tor's Preferences = 
Advanced = Network Settings does indeed allow the 1Password extension to 
work...but at what cost to the anonymity afforded by Tor, I have no idea.


This here is why I love 1Password, they're actively understanding their 
customer's desire for the security of Tor over their own needs. It would 
be trivial for them to simply add 127.0.0.1 (either in the extension, or 
by documentation) without caring about the implications or impact on the 
user.


As an alternative, while it's clunky and annoying to use, you could 
consider using 1Password's Autotype, which allows the 1Password client 
to type username and password data into the browser (or other 
application) without using the clipboard or any extension.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren



--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Privacy Badger

[Dave Warren]

On 2015-08-28 20:05, Mike Perry wrote:

Yikes! I didn't know this. This is especially bad, especially if Privacy
Badger has custom storage mechanisms for this that aren't cleared
regularly (which you touch on below).


And if you do clear this list regularly, Privacy Badger is useless; it 
functions by learning which sites are legitimate and which are 
potentially tracking you based on the fact that by their nature, 
trackers are resources loading from a consistent location into various 
unrelated sites using cookies that are potentially uniquely identifying.


Resetting it's history leaves you vulnerable to tracking until it has 
re-learned your behaviour, by which time you're vulnerable to 
fingerprinting.


It might be possible to take the same concept and democratize it in some 
fashion that would share the heuristically learned data between users, 
such that users aren't individually fingerprintable (while uses of 
Privacy Badger itself would become more obvious), but then you have the 
problem of building a whitelist for resources that are actually useful, 
and potential malfeasance on the part of whitelist submissions, as well 
as the efforts to manage the whitelist. Without a whitelist, it will 
eventually break sites, and if you whitelist yourself, you again 
generate a fingerprint.


As much as I love Privacy Badger in general, I don't see how it can fit 
into the Tor model.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Request: Firefox extension/addon checking tutorial

[Dave Warren]

On 2015-08-20 21:27, Cain Ungothep wrote:

Anybody care to make a peer-reviewed guide of how to check the
extensions for leaks, cheats and other dirty tricks?

I would say use the source, Lara.

It's problematic, of course, since it requires an expert not only on
programming, networking, privacy and security but also on Mozilla's
extension architecture.  But really, I don't think there's any other
way.


I doubt there are many people who are truly competent to check the 
source. You don't just need a programmer who checks to make sure the 
code does what they expect, but also that there aren't any corner cases 
where something does leak, just a little.


To be secure, one must also check the entirety of the Firefox source, 
since Firefox could easily have some behaviour which intentionally leaks 
when Tor is active (and possibly only when other conditions are met, to 
reduce the odds of anyone who isn't a target from observing any 
unexpected behaviour)


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Best devices to boot Tails off of?

[Dave Warren]

On 2015-08-14 22:20, Qaz wrote:

Are there flash drives that really work well with Tails? Or does it not
really matter?


In theory, it shouldn't matter. In practice, well, things are possibly 
more complicated if an attack were targeted at Tails in particular.



I installed Tails on a Sandisk Cruzer and it seems it
wouldn't boot or at least show the login screen, just gets stuck with
the blue and white progress bar. I think I have seen a list of which
devices will probably work well with Tails but I'm not sure.


At least in theory, most any flash drive should work. But it's dependent 
on the drive, BIOS/UEFI and it's configuration, whether it passes off 
control of the USB drive properly, etc. But most modern hardware should 
handle this just fine; I haven't personally run into a non-bootable USB 
disk or motherboard in quite some time.


But that's not to say you won't, or that your hardware is configured 
appropriately for your media.



Are DVD-R's
the safest way to boot Tails off of?


Safest, probably. At least in theory, once you finalize optical media, 
it should be truly read-only, and the worst that could happen is that 
bits could be written (which would corrupt the disk-level checksums, 
destroying the disk)


I wouldn't totally trust flash media to be read-only, even if it has a 
physical switch as these could easily be poorly implemented and allow a 
compromised OS to persist between reboots.



How do can I further protect my
Tails installation on a flash drive? Would doing a checksum from another
OS on my Tails device help ensure it's safeness/integrity?


Yes, you shouldn't trust any checksum or other verification from the 
compromised device itself.


(All in my opinion,  as a lay-person, I have no specific knowledge of 
Tails specific issues)


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] [tor-dev] Porting Tor Browser to the BSDs

[Dave Warren]

On 2015-04-14 06:05, Apple Apple wrote:

I'm not too familiar with Whonix. May I ask what it does exactly to protect
the system from a malicious actor with root level access to the gateway
machine?



As I understand it, this isn't a threat that they are addressing. 
Instead, they're trying to ensure that such access doesn't happen in the 
first place. The attack surface is inherently small since you don't run 
browsers or applications on the gateway itself, so you need to find a 
specific vulnerability in the gateway itself AND you need to find a way 
to exploit it.


By splitting the gateway and workstation, you can run less-safe code on 
the workstation, a browser level exploit wouldn't automatically be able 
to violate your privacy without a second vulnerability on the gateway 
itself since the code on the workstation doesn't have the information 
needed in the first place. On Tails, you have to assume that the 
software you're running isn't actively trying to thwart you, which may 
not be the case since browsers often have vulnerabilities.


It's not perfect, but it would seem to dramatically raise the bar since 
a browser based exploit alone is no longer sufficient to unmask a user 
like with TBB, and potentially with Tails.


At least to me, Whonix seems to be a natural next step beyond Tails if 
you want to ensure that an entire workstation is protected even if the 
workstation itself has compromises. It's overkill for many Tails users, 
and has tradeoffs since the gateway and workstation are split 
(introducing potential attack surfaces between the two) just as Tails 
itself is probably overkill for many TBB users.


But I might be way off.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Are webmail providers biased against Tor?

[Dave Warren]

On 2015-03-16 21:20, grarpamp wrote:

block Tor completely since I don't have any legitimate traffic from Tor.

This is funny since some of use just spent the entire day
reading wikipedia, communicating via email, logged in to work,
talking to friends, donating via bitcoin and generally surfing the web.


If you'd quote properly instead of cutting the context, you'd note that 
I absolutely did not say I block Tor completely, nor was I suggesting 
doing so.


What I did say is that good users GET LUMPED IN WITH THE BAD simply 
because there's no way to tell them apart. That's the whole point of 
Tor, and TBB in particular.



it's the fact that a higher percentage of abuse comes from Tor

Ahem, objective citation as to all tor users please, thank you.


That's the whole point -- Not all Tor users are abusive, but abusers 
tend toward Tor because of the fact that it provides anonymity and human 
shields in one package. That's just the nature of the game. The result 
is that connections from Tor will be treated with suspicion. For 
example, Google will put you through additional validation steps on a 
more regular basis since it can't tell if you are you, or you are some 
other Tor user who borrowed your password.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Are webmail providers biased against Tor?

[Dave Warren]

On 2015-03-16 16:01, Richard Leckinger wrote:
I think 'track record' is the relevant point. Everywhere is suspicious 
until you have a track record of accessing google from there. Tor by 
design is meant to prevent any track record from developing. 


The fact that you're constantly accessing Google from an otherwise 
totally clean and featureless browser itself is a fingerprint that 
Google could act upon, and Tor exit node could be treated as a 
country like any other. Even if they can't separate you from other Tor 
users, it's potentially just as significant as a fingerprint like 
Accesses NY, NJ frequently from each of the four largest providers' 
dynamic IP ranges, and does not retain cookies


However, the reality is that the rate of abuse from anonymous sources 
will naturally be much higher, and as a result, it does make sense to 
treat such connections with a higher level of suspicion.


A few weeks ago I ran a query against some servers logs which were fed 
from SMTP, POP3, IMAP and webmail authentication attempts against a 
DNSBL (torexit.dan.me.uk, I think?) that lists Tor exit nodes, there 
were tons of unsuccessful authentication attempts coming from Tor exit 
nodes, while there were zero successful authentication requests in the 
time period studied. Many of the IPs were doing obvious dictionary 
attacks, trying many thousands of attempts (with the IP itself being 
locked out completely after just a few minutes). Based on this limited 
analysis, it would make a lot of sense to block Tor completely since I 
don't have any legitimate traffic from Tor. Various other countries 
would meet this same criteria. However, I don't like to block this 
indiscriminately.


I'm sure Google's scale means that there are a lot more legitimate users 
Tor users than I have, but just the same, it's quite reasonable to treat 
Tor traffic with a higher level of suspicion -- It's not about bias 
against Tor, or against Tor users, or even a dislike of Tor, but rather, 
it's the fact that a higher percentage of abuse comes from Tor than from 
most other sources, even when you take the percentage of legitimate 
traffic into account. The fact that Tor, by it's privacy centric nature, 
makes it more difficult to use other fingerprinting techniques to sort 
out legitimate users means that good users get lumped in with the bad 
automatically.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor over SSH (torsocks) (?)

[Dave Warren]

On 2015-02-16 03:30, blo...@openmailbox.org wrote:

On 2015-02-16 02:31, Dave Warren wrote:

On 2015-02-15 16:35, Mirimir wrote:

On 02/15/2015 02:22 PM, blo...@openmailbox.org wrote:

I want to login to my VPS over SSH.

Is torsocks still a safe way to do this? A lot of the documentation
(such as it is) is several years old.

I prefer to run an SSH hidden service on the VPS.


I'd tend to agree; if you control the endpoint, set it up as a hidden
service rather than having Tor exit node involved at all.

While running hidden services alongside non-hidden services introduces
some risks, most of these are less significant when connecting to SSH
on a server that you control.


I don't think I phrased my question very well. I'm not running a 
hidden server. I'm just logging in to a shared VPS to ftp. etc, rather 
than logging in to a control panel over HTTPS.


I just want a simple way to do ssh IP port but with Tor.


Understood. But the suggestion is that you SHOULD run a hidden server to 
listen for SSH connections over Tor as this will be far more reliable 
and secure than having to rely on an exit node.


The rest of the server doesn't need to be a hidden server, and SSH can 
still listen as both a Tor hidden server and a regular public server, 
but by making it a hidden server within Tor, you remove one of the major 
risk factors of using Tor: The exit node.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor over SSH (torsocks) (?)

[Dave Warren]

On 2015-02-15 16:35, Mirimir wrote:

On 02/15/2015 02:22 PM, blo...@openmailbox.org wrote:

I want to login to my VPS over SSH.

Is torsocks still a safe way to do this? A lot of the documentation
(such as it is) is several years old.

I prefer to run an SSH hidden service on the VPS.


I'd tend to agree; if you control the endpoint, set it up as a hidden 
service rather than having Tor exit node involved at all.


While running hidden services alongside non-hidden services introduces 
some risks, most of these are less significant when connecting to SSH on 
a server that you control.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Funded search engine for onionspace?

[Dave Warren]

On 2015-02-13 15:30, l.m wrote:

If you instead use a google search appliance couldn't you use google
engine for indexing without having to use google itself? Wouldn't that
also avoid the problem of google queries being associated with the
client making the request?


It might, but it's licensed based on the number of documents (pages?), 
starting around $20,000, so it's probably not really an ideal solution 
for this type of use.


(Pricing from 
http://www.techrepublic.com/blog/google-in-the-enterprise/what-is-a-google-search-appliance/ 
-- You have to contact them to get a quote, which usually means the 
price is not reasonable to begin with)


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Using Tor Hidden Services as Time Source

[Dave Warren]

On 2015-02-06 14:41, Patrick Schleizer wrote:

Hello, I a developer of an anonymity-centric distribution. Called
Whonix, it's similar to TAILS but optimized for virtual machines.

We need to use a source to calibrate our system clock. For obvious and
non-obvious reasons, that source can't be NTP. The way we do it at the
moment is to fetch HTTP headers over SSL from trusted servers and use
the timestamp data.

We want to get rid of SSL and make use of the strong security properties
of Tor's end-to-end encryption for Hidden Services in order to safeguard
against clearnet SSL MITM attacks, which are within reach of powerful
adversaries.

Our plan is to contact hidden service operators, adding multiple
trustworthy hidden services to the list for both redundancy and load
distribution. Our estimated user base is 5000. The requests will only
involve fetching an HTTP header from the server, similar to `curl --head
atlas777hhh7mcs7.onion`.

Before simply implementing this feature and hoping Tor handles the load
without issue, we'd like expert (deep knowledge of Tor internals,
network size, paths, etc) and (hopefully) official responses to our idea.



I assume you're okay with very low accuracy here, clock drift of over a 
second will be quite common when using HTTP over Tor. This probably 
isn't a big deal for desktop users, but but part of why NTP is generally 
used is because it can allow for accurate time delivery even over 
networks with higher latency, and somewhat inconsistent latency.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Confidant Mail

[Dave Warren]

On 2015-02-03 21:28, Andrew Roffey wrote:

Except for the few big names, most domain providers do not provide
inexpensive certificates so the point is not invalid (yet). I don't
think changing domain providers to bundle the cost is a reasonable
solution to the high costs of certificates.


HTTPS certificates can easily be found under $20/year. Less, if you pay 
multiple years in advance. While this isn't a trivial cost, I have 
trouble calling this a high cost. In fact, many (possibly most) TLDs 
cost more for the domain than the certificate, even when purchasing from 
independent vendors.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] VPN/TOR Router

[Dave Warren]

On 2015-02-02 11:06, Seth David Schoen wrote:

spencer...@openmailbox.org writes:


Hey :)

I have been looking at a physical product by Cryptographi called the
'SnoopSafe Encrypted VPN/TOR Router'[0].

Does this work?  Is this safe?

[0] http://cryptographi.com/products/snoopsafe

There have been a number of discussions on this mailing list before
about standalone Tor routers.  The usual consensus is that using a
separate router together with regular Internet applications is risky,
because the applications don't know that they shouldn't behave in
certain ways.  For example, the applications might mention your real IP
address in the course of some protocol, or they might send or allow to
be sent a persistent cookie, which might eventually be sent over both a
Torified and a non-Torified connection.


It occurs to me that such a computer wouldn't *know* your real IP to 
share, it would only see it's local IP, and the only IP it would learn 
as an external IP is that of the Tor exit node.


However, the other anonymity related concerns would definitely apply. 
Things like browser identification, cookies and other data that are used 
within Tor and outside of Tor and similar would be huge problems. If 
your goal is to be anonymous, this is obviously a major problem, but not 
everyone needs anonymity, sometimes it's desirable and sufficient to 
encrypt and protect your traffic from the first hop. In this type of 
environment, implementing Tor at the network level would have a number 
of advantages, including reducing the odds of certain types of leakage 
while still allowing many/most applications to function without further 
configuration.


While I wouldn't necessarily suggest using Tor at the router level for 
all users, for at least some use cases, it probably makes a lot of sense 
to consider this as an option.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Torbirdy

[Dave Warren]

On 2015-01-26 03:10, Cypher wrote:

Also, since the only
data leaked seems to be the local datetime, I'd think it's not a massive
concern since my local datetime is shared with a few million other people.


While true, the time*zone* is also mentioned, and timezones can be a 
more interesting kettle of proverbial fish. Timezone rules vary from 
region to region, and so upon observing the dates your DST rules apply, 
I might determine your country or geopolitical location more 
specifically then just a 1/24th slice of the planet (plus all those 
funky :30 zones)


More complicated is when you travel, if you update the timezone on your 
machine, this information is leaked too, so over time, your timezone 
information may actually reveal your travel to a very broad degree. 
Chances are that it would only take a very small number of 
cross-timezone trips for a gov't actor to correlate your timezone shifts 
with your travel itinerary, assuming such information is made available 
now or in the future.


For most people, it's probably not a major risk, but for those who's 
livelihood or freedom relies upon anonymity, this is just the sort of 
leak that Big Data can use.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Yelp blocking Tor users from viewing entire site

[Dave Warren]

On 2015-01-21 05:04, Aymeric Vitte wrote:
It would be interesting to know if sites like Yelp/Craiglists are more 
afraid of anonymity and possible spam/trolls than crawlers.


If they cannot detect a crawler using Tor, then they cannot detect any 
other crawler, like a crawler switching IPs as mentionned in another 
post, using vpns or proxies, etc


So in that case it's useless to block Tor, because Tor network's size 
is not really significant compared to other means that crawlers have, 
probably they just choosed the easy way as well as crawlers might have 
chosen the easy way too (use Tor), blocking Tor so they have solved 
one problem.


But in fact they have solved nothing if they are not protected against 
crawlers, and if they are protected the protection would be something 
like blocking the IP or sending a captcha.


Maybe the exit nodes could implement an anti-crawler feature, even if 
the crawler is switching among 1000 exit nodes I think it's feasible 
to fingerprint it in the Tor network finite space, I don't know if 
there are studies about this, an efficient crawler can never behave 
like a human being or a normal browser.


This might sound like a kind of censorship but that's probably not the 
goal of the Tor network to crawl and spam the web, the exit nodes that 
would have removed the feature would just get blocked.


I think that Craigslist is a bit different, the ultimate goal is for 
local people to meet in real life, but they have a very high rate of 
spammers and abuse, most of which is non-local. Dealing with spam has 
been a massive problem for Craigslist, and one of the things that has 
helped is to geolocate users when posting and use that to help prevent 
abuse.


More importantly though, when Craigslist identifies you're doing 
something abusive, they don't always tell you. Your posts will appear to 
post, will be visible to you and by number, but not to users who search. 
Given that real posts don't show up instantly either, this works well 
because spammers don't get feedback and therefore can't work around the 
system as easily, but it creates an extremely negative user experience 
for legitimate users who share an IP with a spammer as you will think 
everything is working, but your ad never makes it and you feel like 
you're being ignored.


I'm not sure that blocking Tor is the best approach, but it probably 
makes sense from a user experience perspective since Tor nodes would 
quickly get flagged for abuse if they weren't blocked outright.


I am a bit mixed about whether reducing anonymity is a good thing or not 
for a site that is ultimately centered around people interacting in 
real-life.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Craigslist now blocking all Tor IPs? Template for anyone:

[Dave Warren]

On 2015-01-20 15:21, Seth wrote:
On Tue, 20 Jan 2015 13:15:43 -0800, Greg Norcie gnor...@umail.iu.edu 
wrote:


I (and a few other friends) have noticed Padmapper's results seem 
less complete than usual lately.


Coincidence?


I would think than an organization like Padmapper would have the 
technical and financial wherewithal to build out their own network of 
scraper nodes apart from the tor network.


This would be almost impossible to block especially if they stood up 
the infrastructure on a large cloud providers where instances could be 
re-provisioned with new IP address in numerous cities all over the 
globe in a matter of minutes with a click of the button.




I'm not so sure that that would work particularly well, humans rarely 
live in datacenters, and it's tough to make cloud IPs look and act the 
same as residential IPs, especially when other IPs in the same /24 (or 
larger) are owned by different customers. User behaviour would also be 
quite different, and it would probably be difficult to mimic typical 
human patterns of usage while scraping enough information to be 
worthwhile before Craigslist pulls the plug.


Tor exit nodes, on the other hand, have a lot of human shields using 
them too, so it makes it a lot harder to narrow down a specific bad 
actor without also hitting actual users.


So while Tor isn't necessary an ideal choice here, it has some 
advantages over dynamically allocating and dropping cloud IPs.



I'm curious why Craigslist doesn't just sell their listing data via 
API access to companies like Padmapper, that would be a win-win.


Because they're actively hostile to creating a better user experience. 
Don't get me wrong, the fact that their website doesn't look like 
someone from marketing took a dump all over it is part of what is 
awesome about it, but still...


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] What relay does really help the TOR project?

[Dave Warren]

On 2015-01-16 12:40, Josef 'veloc1ty' Stautner wrote:

The past days I made some short tcpdump traces to find out what people
use TOR for. Well, it's kind of sad. A short analyse of the hostnames
gave me the result: 80% Porn, 10% site crawling, 5% Wordpress comment
spam and 5% human traffic.
I don't get why people use TOR for watching porn.



For all the same reason as any other type of traffic?

Porn is illegal (or quite restrictive) in many parts of the world, and 
if you know your ISP is observing traffic, why give them information 
that could be potentially used against you, even if only to embarrass you?


I have trouble seeing why it matters what type of traffic people are 
generating, unless it's abusive toward any of the networks involved 
(including the internet at large).


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor on the iPhone?

[Dave Warren]

On 2015-01-15 07:08, Nathan Freitas wrote:
iOS doesn't allow external background proxies in the way that Android 
does. 


They do if you develop it as a VPN solution. OpenVPN is one such example 
of a VPN technology which is not supported by iOS natively, but can be 
added via third party application.


I'd be surprised if a proxy can be handled the same way, but if the 
underlying application were to act as a VPN as well, it should be possible.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Libevent vulnerability CVE-2014-6272 - Tor affected?

[Dave Warren]

On 2015-01-06 12:50, Nikolas Raiser wrote:

Hi folks,

can anyone tell me if Tor, since it uses libevent, is affected by this 
vulnerability Advisory: integer overflow in evbuffers for Libevent = 
1.4.14b,2.0.21,2.1.4-alpha [CVE-2014-6272] 
http://archives.seul.org/libevent/users/Jan-2015/msg00010.html .


Check the list archives for CVE-2014-6272. The answer is: this does not 
affect Tor.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk