[tor-talk] Tor Browser bookmarks
Hey... I'm running Tor Browser 10.5.2 on Windows, and I can't edit bookmarks. Is this just me or do I have something misconfigured?

If I edit the properties of an existing bookmark the Save button is greyed out even after changing the name or location, the Star button in the URL bar doesn't respond at all, and dragging the current URL to the bookmark bar is ignored.

Worked fine at some point in the past, not sure when it last worked or when it broke, I was just trying to update some bookmarks to version 3 onion services rather than relying on redirects.

--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] trackers in OONI Probe Mobile App / was: NEW RiseupVPN test in OONI Probe Mobile App
I’m not sure I see the point. If we assume we are building a probe with a client and server component, can the client not just connect to the server using a pinned certificate (or otherwise validate this connection via any of the well established public key mechanisms) and then each side connect to the target, retrieve the certificate, calculate the fingerprint and compare?

Of course this also assumes that you get the same fingerprint from everywhere, something that is absolutely not guaranteed in the general case, although many specific targets will use one certificate universally.

Admittedly the quoted protocol proposal might have some advantages if you (operating the client) don’t trust the server, or want a cryptographic guarantee, but at least for the use-cases of OONI Probe Mobile that I see (detecting whether my current connection is being censored, relying on a centralized platform to provide censorship test data) it seems to be overkill.

> On Feb 16, 2021, at 04:33, Aymeric Vitte wrote:
>
> Resending ccing directly the participants since apparently it's not going to make it to the list
>
> Forwarded message
> Subject: Re: [tor-talk] trackers in OONI Probe Mobile App / was: NEW RiseupVPN test in OONI Probe Mobile App
> Date: Wed, 10 Feb 2021 17:21:20 +0100
> From: Aymeric Vitte
> To: tor-talk@lists.torproject.org
>
> You might consider adding to OONI features the "Interception Detector", see http://ianonym.peersm.com/intercept.html
>
> This is from 2012 but still actual, the basic principles are that you are intercepting yourself with the help of a remote server (ie an OONI node here), by "browser" below we could mean the OONI app
>
> Indeed, one browser page is acting as a server page connected to a remote server via websockets, once the user enters the domain to check (for example abcd.google.com) it generates a self-signed TLS certificate and a link (https://abcd.google.com), clicking on the link opens a client page in the browser which produces a https request with the target server name (google.com) that is proxied to the server, then a TLS handshake is initiated between the browser client page and the browser server page since the messages are intercepted by the server that relays messages between both
>
> Then the user can check that the signature/fingerprint of the certificate in the handshake match the ones indicated on the server page, if not it means that someone in the path between the browser and the server did intercept the TLS connection
>
> In fact, we can summarize this today (because browsers do not really give the possibility any longer to accept self signed certificates) as: if the browser does not raise a security exception then you are for sure intercepted
>
> Of course a positive result does not say that you are not intercepted (because the interceptor might have missed the server name honeypot or just not be interested by it), that's where OONI network becomes interesting since you can multiply the tests via various destinations/nodes
>
> This is not a "week-end" project as some "experts" think since it requires to implement TLS in js inside the browser, some other experts here might question/destroy the concepts, please do
>
> It would have defeated the logjam attack if deployed at that time
>
> It's not open source for now but can be with some little funding
>
> For the other concerns in this thread you should develop things by yourself instead of adding dubious third party sw, 1.3 MUSD (at least) of funding since years should allow this, no?
>
> On 10/02/2021 at 10:28, Maria Xynou wrote:
> > On 09/02/21 19:39, Dave Warren wrote:
> >>> It should give results for middle boxes , DNS/TLS hijacking ...etc
> >>> something useful/worth to run OONI for.
> >> These would be great things to consider adding too.
> > Thanks for the feedback (and support!).
> >
> > Current OONI Probe tests are available here:
> > https://github.com/ooni/probe-engine/tree/master/experiment
> >
> > We are working towards shipping new tests (such as that for measuring SNI based filtering) as part of the OONI Probe apps.
> >
> > Code review and feedback is greatly appreciated, and we also encourage community members to contribute their own tests.
> >
> > For example, the recent RiseupVPN test (shipped in the latest OONI Probe mobile release) was contributed by community members.
> >
> > Cheers,
> >
> > Maria.
> >
> --
> Sophia-Antipolis, France
> LinkedIn: https://fr.linkedin.com/in/aymeric-vitte-05855b26
> Move your coins by yourself (browser version): https://peersm.com/wallet
> Bitcoin transactions made simple: https://github.com/Ayms/bitcoin-transactions
> Zcash wallets made simple: https://github.com/Ayms/zcash-wallets
> Bitcoin wallets made simple: https://github.com/Ayms/bitcoin-wallets
> Get the torrent dynamic blocklist: h
Re: [tor-talk] trackers in OONI Probe Mobile App / was: NEW RiseupVPN test in OONI Probe Mobile App
On 2021-02-06 01:11, bo0od wrote:
> Actually OONI tests is absolute useless to find anything bad, All the tests being done can be known trivially by using the internet e.g:
>
> - check for websites blockage
> - check for Tor blockage
> - check for Internet speed
> ..etc
>
> Which one of that need magic/effort to be known? child using the internet in that area can give you all the results without the need to run this OONI app

The app gives me a one-click "Is this network censored, and what sort of censorship might apply" without manually maintaining such a list myself, and inspecting each site manually.

For my own part, I'm a lot more comfortable explaining why I am using a censorship diagnostics tool than I am opening offensive sites in a public location.

And while we're on the topic, you might well want to spend your time checking 25-1463 of the sites on the global list manually, and if this is how you spend your free time, all power to you! I would rather a tool do the work and give me a summary report which I can inspect.

And if you do go through this process manually, regularly, on different networks, I trust you collect the results and tabulate the results in a meaningful and collaborative way to provide public information on censorship across a wide range of networks and countries?

I have no affiliation with the app developers, except as a satisfied user who does find value in the current app.

Could there be more functionality added? Sure!

> It should give results for middle boxes , DNS/TLS hijacking ...etc something useful/worth to run OONI for.

These would be great things to consider adding too.
Re: [tor-talk] Private Exits
On Sun, Jun 28, 2020, at 23:49, mpan wrote:
> > The Tor network with Private Exits:
> > Alice uses Tor Browser to connect to myexit.onion.
> > Tor Browser connects to a guard node, then a middle node, then to
> > myexit.onion. myexit.onion provides a portal to the internet via a web
> > interface similar to a VNC session. myexit.onion is not recognized as a
> > Tor exit node and Alice can then go to mywebsite.com without any extra
> > harassment. […]
> (If I understand that correctly)
>
> If the “private exit node” belongs to Alice, then it is no longer
> anonymizing her.

Correct. This is not the only reason to use tor.

> It’s no different than Alice running a VPN service for
> herself, except it’s very convoluted and wastes resources on hopping
> through Tor for no gain. Similar story with multi-user tor relay from
> some company: the users are not anonymous to the provider, so any
> anonymization layer between them and the final relay is useless.

There actually are some benefits. And of course, some costs/risks.

If I subscribe to a commercial VPN what are the odds that any other customer of that same VPN are using the same last-mile connectivity/wifi as myself? The situation gets worse if I connect to my corporate VPN service, or run my own VPN endpoint. Unless there are any other users of the same VPN service, I can be tracked as I move between networks, even if I randomize my MAC address or use burner hardware.

Even if there are other users of that same VPN server, are they configured identically? Does the VPN protocol exchange credentials or certificates securely? Is there any other uniqueness in the initial VPN handshake? Has the VPN service modified their defaults over time, meaning that the date I downloaded my configuration file from the provider dictates my settings providing a further fingerprint? Is my VPN client version unique?

By routing the first hop through tor, I am not consistently connecting to one single endpoint, and I blend into the background with other tor users.

> This idea is also usable right now without any changes to Tor. Alice
> may setup her own proxy and connect to it through Tor. But it offers no
> protection.

If it were me, I think I would set up a tor hidden service and run a proxy on the .onion to complete the final connection to the internet, either as a proxy or a VPN endpoint.
Re: [tor-talk] "Tor Circuit" list in TBB displaying incorrect exit node and IP address
On Sun, Dec 23, 2018, at 14:05, Roger Dingledine wrote:
> Assuming the difference is "cloudflare vs not cloudflare", check out
> https://trac.torproject.org/27590

One of the comments on this bug is severely wrong:

"Why the hell doesn't it inform about using plain text .onion connections on https sites?!!! (No questions for https .onion alternate routes.) Example of cf alt-svc: cflarexljc3rw355ysrkrzwapozws6nre6xsy3n4yrj7taye3uiby3ad.onion:443 (plain text (http)!!!)"

This is not correct, alt-svc over port 443 not only uses https, but it uses the certificate of the original site (not the cflarex...onion) address displayed, ensuring that the alt-svc is valid and able to serve traffic for the original site's URL using a valid certificate.

I can't be arsed to register just to post one comment and correcting people who are severely confused about Cloudflare (and/or alt-svc) would easily be more than a single full time job, but it might be worth noting in this case to reduce confusion.
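
For anyone checking what an Alt-Svc header like the one discussed in the message above actually advertises, here is an added example (not code from the thread, Tor Browser or Cloudflare): a parser for the RFC 7838 field syntax that also records which name the certificate has to match. The origin name `example.com`, the `ma`/`persist` values and the second entry in the sample header are constructed; the onion address is the one quoted in the message.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

# Constructed sample: the onion authority is the one quoted in the thread,
# the parameters and the second alternative are made up for the example.
SAMPLE_HEADER = (
    'h2="cflarexljc3rw355ysrkrzwapozws6nre6xsy3n4yrj7taye3uiby3ad.onion:443"; '
    'ma=86400; persist=1, h2=":8443"; ma=60'
)


@dataclass
class AltService:
    alpn: str                      # ALPN protocol id, e.g. "h2"
    host: str                      # "" means "same host as the origin"
    port: int
    params: dict = field(default_factory=dict)


def _split_outside_quotes(text, sep):
    """Split on sep, ignoring separators inside double-quoted strings."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in text:
        if escaped:
            escaped = False
        elif quoted and ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == sep and not quoted:
            parts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    if quoted:
        raise ValueError("unterminated quoted-string in Alt-Svc value")
    parts.append("".join(buf).strip())
    return parts


def _unquote(value):
    """Strip the surrounding quotes of a quoted-string and undo escapes."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def parse_alt_svc(header):
    """Parse an Alt-Svc field value; the special value "clear" yields []."""
    header = header.strip()
    if header == "clear":
        return []
    services = []
    for entry in _split_outside_quotes(header, ","):
        if not entry:
            continue
        alternative, *raw_params = _split_outside_quotes(entry, ";")
        proto, eq, authority = alternative.partition("=")
        host, colon, port = _unquote(authority).rpartition(":")
        if not eq or not colon or not port.isdigit():
            raise ValueError(f"malformed alternative: {alternative!r}")
        params = {}
        for raw in raw_params:
            key, _, val = raw.partition("=")
            params[key.strip().lower()] = _unquote(val)
        services.append(AltService(unquote(proto.strip()), host, int(port), params))
    return services


def connection_plan(origin_host, header):
    """Summarise where a client would connect and which name it must verify."""
    plan = []
    for svc in parse_alt_svc(header):
        plan.append({
            "connect_to": f"{svc.host or origin_host}:{svc.port}",
            "alpn": svc.alpn,
            "via_onion": svc.host.lower().endswith(".onion"),
            # RFC 7838 section 2.1: the alternative must present a certificate
            # valid for the origin's host name, not for the alternative's name.
            "certificate_must_match": origin_host,
            # RFC 7838: without "ma" the entry is fresh for 24 hours.
            "max_age_s": int(svc.params.get("ma", 86400)),
        })
    return plan


if __name__ == "__main__":
    for step in connection_plan("example.com", SAMPLE_HEADER):
        print(step)
```
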
Re: [tor-talk] Why do you use Tor?
On 2018-12-10 10:05, Nathaniel Suchy wrote:
> Hi,
>
> I'm curious to learn the reasons that various people on the lists, for those who are comfortable sharing, why they use Tor. I'm also curious as to whether users on this list only use Tor or if there are times they use a normal browser (if so what tasks).

For my own part, I use tor when I want to access a .onion site, as a "even more private" browser, but also just to access my own sites/services from outside my network.

Sometimes I use it for no particular reason at all, under the theory that more legitimate traffic helps those who are using tor for legitimate (non-malicious) reasons where their safety and security is a factor.
Re: [tor-talk] alt-svc supported by TBB
On 2018-09-18 21:17, TNT BOM BOM wrote:
> that's nice, but doesn't look awkward that the company who blocked Tor and had that arguments (back then) , went all of a sudden to help Tor? do i expect the holy ghost democratize their brains and get the demon of blocking free internet out from them? i dunno but it's for sure suspicious. but on the same time if they really want to help Tor users then that's a good sign.
>
> (of course that doesn't mean cloudflare dns safe , nor I'm supporting to register any website in their services. just saying it's a good step if they are as they are saying).

I don't really think Cloudflare was ever intentionally actively hostile to Tor users, but rather it was an unintended consequence of how they attempted to separate legitimate vs malicious traffic.

The reality is that Tor exits emit both legitimate and malicious traffic, and TBB users are (by design) indistinguishable from each other by typical browser fingerprinting techniques, so Cloudflare had no obvious way to separate malicious vs legitimate requests.

For some time Cloudflare has made it easy for site operators to whitelist Tor exits (noting that this means site operators absorb the abuse rather than Cloudflare blocking it, and also noting that only a tiny fraction of site operations actually do this), they also put effort into Privacy Pass (a way to reduce the negative impact without giving up privacy).

Could they have done more, better, or sooner? Maybe. But alt-svc wasn't supported by TBB until 8.0, and Cloudflare was quick to take advantage of it for the benefit of Tor users, that's worth noting.

More importantly though, even if your belief is that Cloudflare was previously actively hostile toward Tor, isn't a corporation changing their stance a good thing? Isn't a pivot toward being accepting of users who want more privacy than usual a good thing for both regular users and Tor users?
Re: [tor-talk] alt-svc supported by TBB
On 2018-09-18 14:33, Dave Warren wrote:
> On 2018-09-18 13:33, nusenu wrote:
>> Dave Warren:
>>> Can anyone confirm if the current release of TBB supports alt-svc? I'm testing the Cloudflare alt-svc .onion beta project and I do see the alt-svc header, but I'm trying to determine whether TBB is actually using it or not. It seems like not, given that the website can see a tor exit IP in the Cloudflare headers (I wouldn't expect this since subsequent requests should be delivered over a .onion address).
>>
>> TorBrowser is supposed to support alt-svc since version 8 but we have had mixed results when testing it
>> https://twitter.com/arthuredelstein/status/1037559553380966400
>
> Using the test page at https://perfectoid.space/test.php I get either red or yellow exclusively, no amount of refreshing and/or changing circuits seems to get green which confirms my own testing on a site I operate that is participating in the beta.

I've been monkeying around a bit, and I can sometimes get this to work, but very infrequently. It feels like if I open a tunnel to each of their .onion addresses first then it increases the odds although I'm not sure if this makes sense since a new hostname (the test site vs their .onion addresses) should result in a new tunnel anyway.

And maybe this is just a limitation of the test site (although I don't think so), but it seems that Cloudflare fails to notice many IPv6 exits, whereas IPv4 exits usually get the country "T1" (meaning Cloudflare knows this is a Tor exit and adds the Alt-Svc header).

Unfortunately the reliability doesn't seem to be here enough to try and achieve Cloudflare's stated goals, but hopefully this is just an early attempt and not the end of the road.

On the flip side, maybe it is working a little more than it appears since I'm not seeing CAPTCHAs when using TBB 8, but I am from a second machine running TBB 7.

One final note: Are there any other Cloudflare users on the Free or Pro plans? If so, could you go check if Onion Routing was enabled for you? Their blog says it is enabled by default, but it is disabled on two of my three sites -- Maybe this is due to being part of the beta though, I did manually enable it on that third site and maybe that precluded it from being enabled on my other two?
Re: [tor-talk] alt-svc supported by TBB
On 2018-09-18 13:33, nusenu wrote:
> Dave Warren:
>> Can anyone confirm if the current release of TBB supports alt-svc? I'm testing the Cloudflare alt-svc .onion beta project and I do see the alt-svc header, but I'm trying to determine whether TBB is actually using it or not. It seems like not, given that the website can see a tor exit IP in the Cloudflare headers (I wouldn't expect this since subsequent requests should be delivered over a .onion address).
>
> TorBrowser is supposed to support alt-svc since version 8 but we have had mixed results when testing it
> https://twitter.com/arthuredelstein/status/1037559553380966400

Using the test page at https://perfectoid.space/test.php I get either red or yellow exclusively, no amount of refreshing and/or changing circuits seems to get green which confirms my own testing on a site I operate that is participating in the beta.
Re: [tor-talk] alt-svc supported by TBB
On 2018-09-18 13:59, TNT BOM BOM wrote:
> why the hell would anyone use anything from Cloudflare with Tor???

Primarily to reduce the load on exits, but Cloudflare putting resources into being more usable (and less annoying) for Tor users can only be a good thing for those who use Tor to access the internet.
[tor-talk] alt-svc supported by TBB
Can anyone confirm if the current release of TBB supports alt-svc? I'm testing the Cloudflare alt-svc .onion beta project and I do see the alt-svc header, but I'm trying to determine whether TBB is actually using it or not. It seems like not, given that the website can see a tor exit IP in the Cloudflare headers (I wouldn't expect this since subsequent requests should be delivered over a .onion address).
Re: [tor-talk] How do tor users get past the recapacha and it's super short 2min exemption
On 2018-07-17 17:30, grarpamp wrote:
> On Mon, Jul 16, 2018 at 3:08 PM, Dave Warren wrote:
>> The whole point of tor is that you are anonymous just like everybody else. Privacy Pass attempts to allow you to bypass CAPTCHAs by providing you with tokens that anonymously prove you have solved CAPTCHAs recently.
>>
>> https://support.cloudflare.com/hc/en-us/articles/115001992652-Privacy-Pass
>
> Presumably those tokens get passed to all participating sites, so all your sessions across them all are easily linkable by cloudflare, the sites, their backend databrokers, etc. "Privacy Pass"... lol.

Interestingly no, you cannot be tracked across sites. They put a lot of effort into this aspect of the design specifically to ensure that the signing happens only against the blinded version of passes so when the passes are redeemed they can be verified as valid, but not linked to the original generator of the passes.

If you're interested in how this works, they have an overview and links to the actual papers and protocol: https://privacypass.github.io/ -- You don't need to take my or their word for it, the cryptography is public and you can write your own implementation if you desire or review the source for their extensions should you have the appropriate skill sets (I do not).

>> they do make it easy for site operators to approve tor traffic in a more general way (by treating tor as a separate country in their whitelisting system).
>
> So what are the default settings provided to new cloudflare / recaptcha subscribers?

There are no default settings at the individual customer or site level to handle tor exit IP addresses differently than any other IP address.

If you can think of a way to differentiate good traffic vs abusive traffic without JavaScript (to verify that the connection is from a human driven browser) and/or cookies (to identify one user from another) and/or an extension such as privacy pass I would encourage you to write a paper and publish it.
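
The blinding idea described in the message above, as an added toy sketch that is not Privacy Pass code and not part of the original thread: the issuer signs only a blinded value, the client unblinds it, and the redeemed token still verifies although the issuer never saw it at issuance. The class names and the small 65-bit group generated at start-up are assumptions made for the example and are far too small for real use; the protocol documented at the link in the message works over an elliptic curve and adds a proof that the issuer used its committed key, both omitted here.

```python
import hashlib
import secrets

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41)


def is_prime(n):
    """Miller-Rabin; with these bases the answer is exact for n < 3.3e24."""
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(bits=64):
    """Return (p, q) with q prime and p = 2q + 1 prime (toy size)."""
    q = (1 << bits) + 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


P, Q = find_safe_prime()   # the squares mod P form a subgroup of prime order Q


def hash_to_group(token):
    """Map a token to a subgroup element other than the identity."""
    counter = 0
    while True:
        digest = hashlib.sha256(token + counter.to_bytes(4, "big")).digest()
        point = pow(int.from_bytes(digest, "big") % P, 2, P)
        if point > 1:
            return point
        counter += 1


class Issuer:
    """Hands out signatures after a solved challenge and later redeems them."""

    def __init__(self):
        self._k = secrets.randbelow(Q - 1) + 1   # secret signing exponent
        self.seen_at_issuance = []               # everything the issuer could log
        self.spent = set()

    def sign_blinded(self, blinded):
        self.seen_at_issuance.append(blinded)
        return pow(blinded, self._k, P)

    def redeem(self, token, signature):
        # Simplification: the signature is sent as-is rather than used as a key.
        if token in self.spent:
            return False                         # double-spend
        if pow(hash_to_group(token), self._k, P) != signature:
            return False                         # not signed with the issuer's key
        self.spent.add(token)
        return True


class Client:
    def request(self):
        self.token = secrets.token_bytes(32)
        self._r = secrets.randbelow(Q - 1) + 1   # blinding factor, invertible mod Q
        # T^r is uniformly distributed in the subgroup, whatever T is.
        return pow(hash_to_group(self.token), self._r, P)

    def unblind(self, signed_blinded):
        # (T^r)^k raised to r^-1 mod Q leaves T^k.
        return pow(signed_blinded, pow(self._r, -1, Q), P)


def demo():
    issuer, client = Issuer(), Client()
    signature = client.unblind(issuer.sign_blinded(client.request()))
    return {
        "issuer_saw_token_point": hash_to_group(client.token) in issuer.seen_at_issuance,
        "first_redeem": issuer.redeem(client.token, signature),
        "replay": issuer.redeem(client.token, signature),
        "forged": issuer.redeem(secrets.token_bytes(32), signature),
    }


if __name__ == "__main__":
    print(demo())
```
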
Re: [tor-talk] How do tor users get past the recapacha and it's super short 2min exemption
> On Jul. 14, 2018, at 09:39, David Niklas wrote:
>
> On Wed, 11 Jul 2018 18:50:48 -0700
> Dave Warren wrote:
>> However there is a larger than average amount of abuse from tor exits,
>> and this abuse returns intermittently the longer an exit has been
>> around so their automation does learn to treat tor IPs with suspicion.
>> It also means using non-standard browsers (Such as an iOS project) are
>> more likely to fail the "Is this a browser" test resulting in a full
>> CAPTCHA.
>
> Perhaps you could tell them (or tell me how to tell them), that I am
> legit. I get the full Captcha every time.

The whole point of tor is that you are anonymous just like everybody else. Privacy Pass attempts to allow you to bypass CAPTCHAs by providing you with tokens that anonymously prove you have solved CAPTCHAs recently.

https://support.cloudflare.com/hc/en-us/articles/115001992652-Privacy-Pass

> They *really* need to increase the timeout.

I have to say, I don’t see this myself on a regular basis. Perhaps you are not keeping cookies such that they can identify the you that passed a CAPTCHA is the same you that is browsing now? Without cookies or other local storage being available, every request is new/unique from Cloudflare’s perspective and therefore they don’t know that you passed a challenge.

It could also be that site owners have set the timeout very low, I can go as low as 5 minutes on the free tier. I believe the default is a week although I’m not certain. I set mine to much longer (but I also whitelist Tor across the board).

This is something website operators can control: https://support.cloudflare.com/hc/en-us/articles/200170136-What-will-changing-the-Challenge-Passage-TTL-do-

>
>> To their credit, they do make it easy for site operators to approve tor
>> traffic in a more general way (by treating tor as a separate country in
>> their whitelisting system).
>
> That is useful, is there an instruction that I can point authors to?
>

https://support.cloudflare.com/hc/en-us/articles/203306930-Does-CloudFlare-block-Tor-
Re: [tor-talk] How do tor users get past the recapacha and it's super short 2min exemption
On Wed, Jul 11, 2018, at 09:32, Lara wrote:
> On Wed, 11 Jul 2018, at 16:01, Nathaniel Suchy wrote:
> > I hate Cloudflare and what they’re doing to Tor users.
>
> Luckily Cloudflare, Google, Facebook do not hate you or the other Tor
> Users. Talking about being unfair.

Several Cloudflare staff members have commented that they do support tor and have taken steps to enable tor users to have better experiences than would naturally happen as a result of their automated abuse prevention systems were left to score tor users based entirely on behaviour alone.

One such example is that their "Is this a browser or a bot?" JavaScript takes the tor browser bundle's behaviour into account and doesn't penalize the browser for lacking any features which are normally disabled.

However there is a larger than average amount of abuse from tor exits, and this abuse returns intermittently the longer an exit has been around so their automation does learn to treat tor IPs with suspicion. It also means using non-standard browsers (Such as an iOS project) are more likely to fail the "Is this a browser" test resulting in a full CAPTCHA.

To their credit, they do make it easy for site operators to approve tor traffic in a more general way (by treating tor as a separate country in their whitelisting system).

I'm not suggesting that Cloudflare couldn't do more/better, but they could also outright blacklist tor trivially or intentionally make the experience much more negative, but based on their statements they have made minor changes to try and improve the user experience without causing their customers grief. And based on their results (the Onion browser on iOS suddenly went from a "always blocked" to "Only occasionally blocked" shortly after I brought up the topic and provided them with a link to it).

It is an imperfect world. This is part of why I use TBB for random legitimate things, specifically to increase the amount of "This is just a regular 'ol user, doing regular 'ol normal web things on Tor".
Re: [tor-talk] CloudFlare captchas disappeared?
That might be part of it, but I just fired up a fresh Tor browser, opened half a dozen sites that used to always require a CAPTCHA and none did.

I haven't used Tor in a couple weeks, so I'm not really sure when this started. But they did discuss trying to reduce the impact some months ago, and a few weeks ago there was a regression which they were working on addressing. It seems that they actually have improved the situation.

On 2018-03-08 10:38, Watson Ladd wrote:
> Blinded tokens finally shipped. As a result they can remember that you solved the captcha.
>
> On Thu, Mar 8, 2018 at 5:15 AM, wrote:
>> Recently I've realized that I'm not seeing the CloudFlare captchas anymore in TBB, or seeing them far less often. Is it just me, or they have really changed something about their captchas?
Re: [tor-talk] does that cat clip play for you in TorBrowser?
On 2018-02-09 10:24, nusenu wrote:
> https://twitter.com/torproject/status/961964200477233152
>
> According to Steph it plays in TorBrowser, does it play for you as well?

It does play here.
Re: [tor-talk] some websites are blocking me now
On 2018-01-08 16:29, Roger Dingledine wrote:
> On Mon, Jan 08, 2018 at 03:25:09PM -0800, jbclem wrote:
>> Since I started using Tor browser I can't reach certain websites. www.craigslist.org is a good example. I get an error message that "this ip has been automatically blocked". I wonder if using Tor is causing this, or if I've been assigned an ip address that is unacceptable to these websites? And how can I get Tor to change the ip address so I can test with a different one...any thoughts on this problem?
>
> Check out this blog post for a good start to the issue:
> https://blog.torproject.org/call-arms-helping-internet-services-accept-anonymous-users
>
> Craigslist's business model is basically to have a proprietary data set that its users can interact with but that its competitors can't get. So they're stuck being scared of the Internet and blocking connections from anyplace that yelp, tripadvisor, etc might use to fetch their secrets.

I don't think that that is why Craigslist blocks Tor, rather, I think it's more about geo-locating IPs to help negate a wide range of scams which don't require a local presence, and also, to make it easier to detect and track abuse when it does happen.

Craigslist relies heavily on a shadow-ban system, such that when you violate rules and get flagged, your future posts may appear to succeed without ever being published publicly (they show up to you, and possibly other shadow-banned users). This system relies upon being able to identify users and for better or for worse, blocking Tor, proxies, and similar increases the difficulty of signing up multiple accounts in an attempt to keep them unique.

While Craigslist does take steps to avoid being scraped, I believe blocking Tor is more about scam and spam prevention.

I could be wrong.

> As for getting Tor to switch circuits, Tor Browser has a "New Tor Circuit for this Site" option (click the little green onion). But for sites like Craigslist, moving to a new circuit will rarely help.

Indeed, switching circuits won't make any difference at all when accessing a service designed to restrict/block Tor.
Re: [tor-talk] Motivations for certificate issues for onion services
On 2017-08-09 16:53, Seth David Schoen wrote:
> Notably, it doesn't apply to certificate authorities that only issue DV certificates, because nobody at the time found a consensus about how to validate control over these domain names.

I don't completely understand this, since outside the Tor world it's possible to acquire DV certificates using verification performed on unencrypted (HTTP) channels.

Wouldn't the same be possible for a .onion, simply requiring that the verification service act as a Tor client? This would be at least as good, given that Tor adds a bit of encryption.
Re: [tor-talk] Tor E-mail gateway - how to transfer messages from the Tor Network ?
On Thu, Jul 27, 2017, at 22:36, Random User wrote:
> > On 07/24/2017 11:07 PM, Random User wrote:
>
> > > My impression was that all of the major free email providers required a
> > > valid phone number in order to sign-up. I would find it quite
> > > interesting if Yandex does not.
>
> On Tue, Jul 25, 2017, at 07:35 PM, Mirimir wrote:
>
> > Neither VFEmail.net nor Cock.li require phone numbers.
>
> Thanks, I appreciate that info. and I'm sure that it can be useful to
> others as well.
>
> I think you would agree, though, that as much as those two email
> providers may have to offer in their own right, neither could be
> considered "major". One consideration, I believe, with lesser-known
> email providers is that mail sent from them and/or mail from addresses
> with their domain are more likely than mail sent from one of the "Big
> Guys" to get caught in spam filters.

Would you consider Outlook.com to be a major provider? It was possible, at least as of a year ago, to set up an Outlook.com account without a phone number. You could not forward or enable certain other features until you validated a phone number, but each of the phone number requests could be skipped or ignored.
Re: [tor-talk] A Pluggable Transport based on i2p?
On Thu, Mar 16, 2017, at 17:19, Kevin wrote:
> I disagree. In today's climate, speed matters.

Maybe for some use cases. If you're having a real time text conversation, you need as many B/s as you can type (most likely 1-2 digits) and a multiple second latency is fine.

I first connected out to the world from my computer on a 2400bps modem and got along just fine and had an absolutely amazing time. 33.6K was a godsend and was more than functional for small documents.

It doesn't fit all modern use cases of the internet, but there are many things that are more than sufficient on a very minimal connection.
Re: [tor-talk] Question about less frequently used function of Tor Browser
> ? I think no one will use "Sign in to Sync" in Tor Browser, and it doesn't work because most of us have adjusted security settings and don't want to enable JavaScript.

Personally, I would use Sync if it worked. I also use bookmarks.

Re: [tor-talk] Tor and Google error / CAPTCHAs.
On 2017-02-09 23:40, grarpamp wrote:
> On Wed, Oct 5, 2016 at 8:11 AM, Alec Muffett wrote:
> > a) I like the idea of Google giving you "one free search" and from that trying to determine whether you are an "asshole" after which it lightens up with the oppression
>
> That's fine, if implemented well, because the 'one free' is the same as 'account creation', everyone gets a chance, then there's other metrics applied after you're in to continually evaluate further addition / subtraction of oppression.

I like the idea in theory, but in practice in the case of Tor where all users are intentionally identical and any user can become a new user any time, the difference between "one free" and "all free" is clicking the "new identity" button (or more likely, just dumping cookies).

From an abuse handling standpoint, it becomes nearly impossible to identify whether user is on their first "free" shot or not. Worse, this is a feature, not a bug.

The only real fix is to apply a cost to making the first-free, be it an account creation/login, captcha, or similar, which I think takes us full circle and defeats the point?

Re: [tor-talk] TAILS people
On Tue, Jan 24, 2017, at 16:00, I wrote:
> > > Probably because you don't want the release candidate.
> > > --Roger
>
> Isn't the idea to seed the prospective version for testing, hence the button to get it?
> The button leads to the dud link.

Right now there isn't a prospective version, said version has been released.

Re: [tor-talk] Cameras
On Wed, Nov 23, 2016, at 22:41, Jon Tullett wrote:
> On 22 November 2016 at 10:55, Ben Tasker wrote:
> > The problem with blocking the camera in software is that it can then be unblocked in software (and still potentially without your permission).
>
> And not just cameras... https://www.wired.com/2016/11/great-now-even-headphones-can-spy/
>
> Software control is always risky. I dislike laptops without hardware switches for wireless adapters for much the same reason.

I'm amazed that this is considered news, this has seemed perfectly obvious since ports started being able to handle connections from multiple types of devices.

But hey, I guess good for the rest of the world for figuring basics out?

Re: [tor-talk] Quote Line Prefixes in Linux Text Editors
It might be a bit more complicated than that, as that approach won't wrap properly and may generate the Outlook Express-like situation where quoted lines wrap before 80 characters, resulting in alternating lines being quoted and having a single unquoted word.

Unfortunately wrapping while maintaining quoting is really more of a science itself, and you probably won't get format=flowed right when doing it outside your client anyway, so it's always going to look a little janky.

On the other hand, maybe that's better than risking unencrypted text leaking, it depends on your situation :)

On Sat, Oct 15, 2016, at 20:30, ban...@openmailbox.org wrote:
> Found answer for my own question:
>
> sed 's/^/> /' original > reply

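Added example (not part of the original posts): one way to prefix quote markers outside the mail client without producing the orphaned unquoted words described above, by re-wrapping each paragraph to fit the width with its prefix included. The function name `quote_reply` and the 72-column default are assumptions; it keeps existing quote depth but does not implement format=flowed.

```python
import re
import textwrap

# Leading quote markers ("> > ") followed by the rest of the line.
QUOTE_RE = re.compile(r"^((?:>\s?)*)(.*)$")


def quote_reply(text, width=72):
    """Add one quote level to `text`, re-wrapping so no line exceeds `width`.

    Consecutive lines at the same quote depth are treated as one paragraph.
    Long unbreakable tokens (URLs) are left intact and may exceed `width`.
    """
    out = []
    para = []      # words of the paragraph being collected
    depth = None   # quote depth of that paragraph

    def flush():
        if para:
            prefix = "> " * (depth + 1)
            out.extend(textwrap.wrap(
                " ".join(para), width=width,
                initial_indent=prefix, subsequent_indent=prefix,
                break_long_words=False, break_on_hyphens=False))
            para.clear()

    for line in text.splitlines():
        m = QUOTE_RE.match(line)
        d = m.group(1).count(">")
        body = m.group(2).strip()
        if not body:                      # blank line ends the paragraph
            flush()
            out.append(("> " * (d + 1)).rstrip())
            depth = None
            continue
        if d != depth:                    # quote depth changed
            flush()
            depth = d
        para.append(body)
    flush()
    return "\n".join(out)


if __name__ == "__main__":
    original = ("This line is far too long to survive a naive prefix "
                "because the extra two characters push it past the limit.\n"
                "\n"
                "> an earlier quoted line")
    print(quote_reply(original, width=60))
```

Every output line starts with a quote marker, so a client that hard-wraps at the same width has nothing left to break.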
Re: [tor-talk] getting Tor to be default browser
On Sun, Sep 4, 2016, at 23:51, No Spam wrote:
> On 16-09-04 14:50:23, Dave Warren wrote:
> > <...>
> If this is the Setting, I THINK Whonix has their VM build with TBB as Standard Browser

Probably, but in my (limited) experience, it's either painfully slow or a memory hog, or both. The overhead for a Windows 10 VM is surprisingly small, and it's snappy and responsive.

Attacks to identify me and/or correlate my physical location or "real" identity vs my tor identity aren't a threat model that worry me in my circumstances, so this configuration is Good Enough for my purposes.

> > I also feel that adding legitimate traffic to Tor is a net positive to the network (since capacity is not currently an issue), if only to prevent the perception that all of Tor is evil bad people doing evil bad things.
> Yes but the biggest Problem are Malicious Gateways that may try to steal Credentials or put Malware in your Downloads

This is why god invented HTTPS and HTTPS Everywhere. I wish TBB didn't block 1Password (although I understand why it does), as this would reduce my exposure to various types of attacks.

Also, I trust random Tor nodes more than random wifi hotspots in tourist/traveler locations (airports in particular, where you have gov't actors, the airport itself and other users).

> IMHO the best way to legitimate the Tor network would be to provide and use HS ( which are much less prone to the previous mentioned Problem AFAIK ).

Having trivial access to hidden services is great too. Facebook is a prime example, I have no practical need as I'm using my real identity, not hiding anything, Facebook forces HTTPS (and I believe, pins their certificates in HSTS lists?), and I discuss my approximate physical location with people on Facebook. But it's likely harder to attack the hidden service than the public HTTPS site, plus staying within the tor network has benefits.

But, I want the output from Tor exit nodes to show more legitimate traffic, so even for non-HS traffic, I feel that adding legitimate traffic is a net good idea until/unless the tor network becomes over-saturated or my traffic otherwise impedes a user with actual safety or security needs. I would always yield to those users, as I am lucky and privileged enough to not be one. I understand why the Cloudflares of the world see a lot of abuse coming from tor, but I want them to see a lot of legitimate user traffic as well.

Re: [tor-talk] getting Tor to be default browser
On Sun, Sep 4, 2016, at 13:38, No Spam wrote:
> Hi,
>
> As far as i know this would be a bad idea, but i can't exactly cite the reasons from my head;

While there may be cases where it's a bad idea, I'd prefer that Tor warn me and let me shoot myself in the foot -- I run TBB in a VM, so the attack surface is minimal, and I have no particular need for anonymity, rather, I just want privacy when I'm on someone else's last-mile, so for me, many of the risks that Tor helps to prevent aren't relevant.

I also feel that adding legitimate traffic to Tor is a net positive to the network (since capacity is not currently an issue), if only to prevent the perception that all of Tor is evil bad people doing evil bad things.

Re: [tor-talk] My absence from the mailing lists...
On Fri, Aug 26, 2016, at 04:25, carlo von lynX wrote:
> On Thu, Aug 25, 2016 at 03:16:12PM -0400, Nathaniel Suchy wrote:
> > address with a matching GPG key instead. I am still active on Tor's IRC Channels under the username "deatives" and will continue to do
>
> I still don't understand why you guys hang out on a public surveilled IRC network where each line you type goes straight into XKEYSCORE.

Is it any different than participating in a public surveilled mailing list?

Re: [tor-talk] sadly have to shut down my tor relay after less then 24 hours
That is not a DMCA complaint, a complaint under the DMCA is required to be specific, and reports are made under oath and penalty of perjury that the complainer owns the copyright for the item in question.

However, your host may not be passing on all the details to you, that's a matter of discussion between yourself and your host.

On Tue, Aug 23, 2016, at 11:12 AM, Sarah Alawami wrote:
> No, the DMCA was not specific. That's all they told me was that copyright material were going through the vps and I was breaking the TOS.
>
> On Aug 22, 2016, at 5:19 PM, Mike Perry wrote:
> >
> > Sarah Alawami:
> >> Hello to all. Sadly I have to shut down my tor relay after less than 24 hours, as I received a copyright violation and I don't want any network restrictions placed on me as I want the 150mbps speed.
> >>
> >> Sorry to all who were using it, but yeah there it is.
> >
> > Was this a DMCA takedown related to bittorrent traffic? When I ran an exit, I had a lot of luck with this policy:
> > https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy
> >
> > Basically restricting yourself to core internet services reduces the chances that bittorrent clients choose a port from the policy. With a 1Gbit exit and that policy, I went from 60 DMCA notices a day down to 0 over the life of the exit (about 3 years).
> >
> > Unless something new is happening? Did the complaint(s) give specifics about the location and type of infringing content that was accessed?
> >
> > More services are always better. I've been thinking about making that policy into a torrc option, so it would be useful to know if the situation has changed.
> >
> > --
> > Mike Perry

Re: [tor-talk] List messages marked as spam by gmail
On Mon, Aug 22, 2016, at 11:09 AM, David Balažic wrote:
> Hi!
>
> Lately (like last 10 days) I see many messages (more than usual) on the list marked as spam by gmail (using the gmail.com web interface).
>
> The reason given is most often:
> - (this message) It has a from address in foo.com but has failed foo.com's required tests for authentication.
> - It's similar to messages that have been detected by our spam filters.
>
> Is it just "a nothing" or is something going on?

I'd guess just a "blip", but Google relies heavily on user behaviour to train their filters, so marking as "Not Spam" is usually productive.

You can also write filters to avoid having listmail ever delivered as spam (and automatically labeled or whatever else).

Re: [tor-talk] Making TBB undetectable!
No, you can't just patch in a hardcoded window and screen size unless it reflects the actual viewport size. JavaScript is often used to position elements using relatively absolute positioning based on the viewport that it understands is correct, this will fail if the viewport vs reported size isn't accurate.

More importantly, it won't even work, JavaScript can detect where wrapping happens, and some creative 1 pixel tall transparent images could detect the actual horizontal width by using varying widths.

On 2015-09-26 08:45, aka wrote:
> Can't TBB devs just patch in a hardcoded 1366x768 window and screen size in the javascript handler?
>
> Also, if you want true undetectability you need to install a Tor instance and your OS for TBB in separate VMs and setup the Tor VM to be a transparent router for your OS, so even if java/flash/exploit is executed, it doesn't leak your real IP, since even your OS in the VM is forced through Tor. The FBI used an old firefox exploit to execute native code and did plain IP requests to uncover users. In that configuration they would need an additional VM escape exploit, which raises the cost exponentially.
>
> behnaz Shirazi wrote:
> > In many different cases TBB users have to be undetectable (bypassing flags, escaping from deep investigations, confusing malicious iframes etc etc) when traffic flows through custom Tor exit nodes or even when traffic flows directly just for the privacy TBB offers at client side compared to plain Firefox.
> >
> > TBB have a distinguishable User-Agent and screen size that can be easily changed to something more common but it also have other fingerprints that are hard to change, such as timezone=0 or navigator.plugins=none or some dialogs [1] [2]. And TBB have even more fingerprints that we are not aware of yet
> >
> > Can someone please teach Tor users how to modify the source code and compile a custom build or create browser Add-ons that subvert these detection methods? There must be an option for those who urgently (...) need undetectability and it doesn't require much effort to make that happen.
> >
> > [1]: https://www.browserleaks.com/canvas
> > [2]: https://www.browserleaks.com/firefox

-- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren

Re: [tor-talk] Tor Browser does not recommend the default window size anymore?
On 2015-09-17 13:47, Joe Btfsplk wrote:
> On 9/17/2015 12:12 AM, Dave Warren wrote:
> > You're not wrong, but at the same time, annoying experienced users who understand (and don't care about) the consequences isn't necessarily useful either.
>
> I don't have the answer. Just thinking out loud. e.g., when less experienced users don't understand a warning. Guessing if users haven't read how making certain changes to TBB can make them stand out, they may think that message doesn't apply to them.

This is true, but conversely, popup/warning fatigue is a very real thing, and every popup you throw in front of a user decreases the attention that they'll give to the subsequent one.

-- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren

Re: [tor-talk] IBM says Block Tor
On 2015-08-30 11:24, Martijn Grooten wrote:
> On Sun, Aug 30, 2015 at 05:01:53PM +0200, Andreas Krey wrote:
> > On Sun, 30 Aug 2015 11:01:42 +, Martijn Grooten wrote:
> > > ... But a company that blocks Tor because, as IBM puts it, a lot of malicious actors use Tor is making a sensible security decision.
> >
> > But that is not a reason to block torproject.org or even to forbid using the tor browser. It would be a reason to block exits on the corporate web servers. And these get pretty conflated in that article.
>
> Ouch. I stand corrected. I had missed that bit - I had only skimmed through the paper last week - and it does explicitly say that the Tor Project website should be blocked. It even suggests disciplinary action should be taken if people try to access the site. Wow.

Sure, but this is probably just a case of using too blunt an instrument; they likely just classified Tor (all of it, including websites) as an unacceptable product.

Expecting mid-level management to understand the finer points of what Tor is, how it works, or the difference between the website and the service and the protocol isn't realistic in a world where usually the concept of a site, service and protocol are all one and the same.

-- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren

Re: [tor-talk] 1PassWord Firefox extension
On 2015-08-28 13:55, Graham Heather Harrison passed on what 1Password support wrote:
> As with most proxy/firewall software that customers add to their computers to increase security, we can tell them to add an exception to the whitelist for localhost (127.0.0.1), but in the case of Tor, I just don't know enough about the internals of how it goes about blocking things it deems potentially harmful to know whether adding an exception for 127.0.0.1 would be considered voiding the protection offered by Tor. The Tor proxy itself is contained on 127.0.0.1, port 9051, so bypassing for localhost might inadvertently induce a whole host of other, non-1Password applications/utilities/helper programs to pass information outside of the Tor channels, potentially exposing your real IP address. I just don't know. In my own testing just now, i can confirm that adding 127.0.0.1 to Tor's Preferences = Advanced = Network Settings does indeed allow the 1Password extension to work...but at what cost to the anonymity afforded by Tor, I have no idea.

This here is why I love 1Password, they're actively understanding their customer's desire for the security of Tor over their own needs. It would be trivial for them to simply add 127.0.0.1 (either in the extension, or by documentation) without caring about the implications or impact on the user.

As an alternative, while it's clunky and annoying to use, you could consider using 1Password's Autotype, which allows the 1Password client to type username and password data into the browser (or other application) without using the clipboard or any extension.

-- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren

Re: [tor-talk] Privacy Badger
On 2015-08-28 20:05, Mike Perry wrote:
> Yikes! I didn't know this. This is especially bad, especially if Privacy Badger has custom storage mechanisms for this that aren't cleared regularly (which you touch on below).

And if you do clear this list regularly, Privacy Badger is useless; it functions by learning which sites are legitimate and which are potentially tracking you based on the fact that by their nature, trackers are resources loading from a consistent location into various unrelated sites using cookies that are potentially uniquely identifying.

Resetting its history leaves you vulnerable to tracking until it has re-learned your behaviour, by which time you're vulnerable to fingerprinting.

It might be possible to take the same concept and democratize it in some fashion that would share the heuristically learned data between users, such that users aren't individually fingerprintable (while uses of Privacy Badger itself would become more obvious), but then you have the problem of building a whitelist for resources that are actually useful, and potential malfeasance on the part of whitelist submissions, as well as the efforts to manage the whitelist. Without a whitelist, it will eventually break sites, and if you whitelist yourself, you again generate a fingerprint.

As much as I love Privacy Badger in general, I don't see how it can fit into the Tor model.

-- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren

Re: [tor-talk] Request: Firefox extension/addon checking tutorial
On 2015-08-20 21:27, Cain Ungothep wrote:
> > Anybody care to make a peer-reviewed guide of how to check the extensions for leaks, cheats and other dirty tricks?
>
> I would say use the source, Lara. It's problematic, of course, since it requires an expert not only on programming, networking, privacy and security but also on Mozilla's extension architecture. But really, I don't think there's any other way.

I doubt there are many people who are truly competent to check the source. You don't just need a programmer who checks to make sure the code does what they expect, but also that there aren't any corner cases where something does leak, just a little.

To be secure, one must also check the entirety of the Firefox source, since Firefox could easily have some behaviour which intentionally leaks when Tor is active (and possibly only when other conditions are met, to reduce the odds of anyone who isn't a target from observing any unexpected behaviour)

-- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren

Re: [tor-talk] Best devices to boot Tails off of?
On 2015-08-14 22:20, Qaz wrote:
> Are there flash drives that really work well with Tails? Or does it not really matter?

In theory, it shouldn't matter. In practice, well, things are possibly more complicated if an attack were targeted at Tails in particular.

> I installed Tails on a Sandisk Cruzer and it seems it wouldn't boot or at least show the login screen, just gets stuck with the blue and white progress bar. I think I have seen a list of which devices will probably work well with Tails but I'm not sure.

At least in theory, most any flash drive should work. But it's dependent on the drive, BIOS/UEFI and its configuration, whether it passes off control of the USB drive properly, etc. But most modern hardware should handle this just fine; I haven't personally run into a non-bootable USB disk or motherboard in quite some time. But that's not to say you won't, or that your hardware is configured appropriately for your media.

> Are DVD-R's the safest way to boot Tails off of?

Safest, probably. At least in theory, once you finalize optical media, it should be truly read-only, and the worst that could happen is that bits could be written (which would corrupt the disk-level checksums, destroying the disk).

I wouldn't totally trust flash media to be read-only, even if it has a physical switch as these could easily be poorly implemented and allow a compromised OS to persist between reboots.

> How can I further protect my Tails installation on a flash drive? Would doing a checksum from another OS on my Tails device help ensure its safeness/integrity?

Yes, you shouldn't trust any checksum or other verification from the compromised device itself.

(All in my opinion, as a lay-person, I have no specific knowledge of Tails specific issues)

-- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren

Re: [tor-talk] [tor-dev] Porting Tor Browser to the BSDs
On 2015-04-14 06:05, Apple Apple wrote:
> I'm not too familiar with Whonix. May I ask what it does exactly to protect the system from a malicious actor with root level access to the gateway machine?

As I understand it, this isn't a threat that they are addressing. Instead, they're trying to ensure that such access doesn't happen in the first place. The attack surface is inherently small since you don't run browsers or applications on the gateway itself, so you need to find a specific vulnerability in the gateway itself AND you need to find a way to exploit it.

By splitting the gateway and workstation, you can run less-safe code on the workstation, a browser level exploit wouldn't automatically be able to violate your privacy without a second vulnerability on the gateway itself since the code on the workstation doesn't have the information needed in the first place.

On Tails, you have to assume that the software you're running isn't actively trying to thwart you, which may not be the case since browsers often have vulnerabilities.

It's not perfect, but it would seem to dramatically raise the bar since a browser based exploit alone is no longer sufficient to unmask a user like with TBB, and potentially with Tails.

At least to me, Whonix seems to be a natural next step beyond Tails if you want to ensure that an entire workstation is protected even if the workstation itself has compromises. It's overkill for many Tails users, and has tradeoffs since the gateway and workstation are split (introducing potential attack surfaces between the two) just as Tails itself is probably overkill for many TBB users.

But I might be way off.

-- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren

Re: [tor-talk] Are webmail providers biased against Tor?
On 2015-03-16 21:20, grarpamp wrote:
> > block Tor completely since I don't have any legitimate traffic from Tor.
>
> This is funny since some of us just spent the entire day reading wikipedia, communicating via email, logged in to work, talking to friends, donating via bitcoin and generally surfing the web.

If you'd quote properly instead of cutting the context, you'd note that I absolutely did not say I block Tor completely, nor was I suggesting doing so. What I did say is that good users GET LUMPED IN WITH THE BAD simply because there's no way to tell them apart. That's the whole point of Tor, and TBB in particular.

> > it's the fact that a higher percentage of abuse comes from Tor
>
> Ahem, objective citation as to all tor users please, thank you.

That's the whole point -- Not all Tor users are abusive, but abusers tend toward Tor because of the fact that it provides anonymity and human shields in one package. That's just the nature of the game.

The result is that connections from Tor will be treated with suspicion. For example, Google will put you through additional validation steps on a more regular basis since it can't tell if you are you, or you are some other Tor user who borrowed your password.

-- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren

Re: [tor-talk] Are webmail providers biased against Tor?
On 2015-03-16 16:01, Richard Leckinger wrote:
> I think 'track record' is the relevant point. Everywhere is suspicious until you have a track record of accessing google from there. Tor by design is meant to prevent any track record from developing.

The fact that you're constantly accessing Google from an otherwise totally clean and featureless browser itself is a fingerprint that Google could act upon, and Tor exit node could be treated as a country like any other. Even if they can't separate you from other Tor users, it's potentially just as significant as a fingerprint like "Accesses NY, NJ frequently from each of the four largest providers' dynamic IP ranges, and does not retain cookies".

However, the reality is that the rate of abuse from anonymous sources will naturally be much higher, and as a result, it does make sense to treat such connections with a higher level of suspicion.

A few weeks ago I ran a query against some server logs which were fed from SMTP, POP3, IMAP and webmail authentication attempts against a DNSBL (torexit.dan.me.uk, I think?) that lists Tor exit nodes, there were tons of unsuccessful authentication attempts coming from Tor exit nodes, while there were zero successful authentication requests in the time period studied. Many of the IPs were doing obvious dictionary attacks, trying many thousands of attempts (with the IP itself being locked out completely after just a few minutes).

Based on this limited analysis, it would make a lot of sense to block Tor completely since I don't have any legitimate traffic from Tor. Various other countries would meet this same criteria. However, I don't like to block this indiscriminately.

I'm sure Google's scale means that there are a lot more legitimate Tor users than I have, but just the same, it's quite reasonable to treat Tor traffic with a higher level of suspicion -- It's not about bias against Tor, or against Tor users, or even a dislike of Tor, but rather, it's the fact that a higher percentage of abuse comes from Tor than from most other sources, even when you take the percentage of legitimate traffic into account.

The fact that Tor, by its privacy centric nature, makes it more difficult to use other fingerprinting techniques to sort out legitimate users means that good users get lumped in with the bad automatically.

-- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren

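Added example (not the poster's own query or code): the kind of log check described in the message above, splitting authentication results by whether the source address is a listed Tor exit and flagging addresses with repeated failures. The log format, the sample addresses (RFC 5737 documentation ranges), the exit set and all function names are constructed assumptions; the DNSBL zone is the one the post names from memory.

```python
import ipaddress
import re
import socket
from collections import Counter

DNSBL_ZONE = "torexit.dan.me.uk"  # zone named in the post ("I think?")

# Constructed log format (assumption): timestamp service auth=ok|fail user=.. ip=..
LINE_RE = re.compile(
    r"^\S+ (?P<service>smtp|pop3|imap|webmail) "
    r"auth=(?P<result>ok|fail) user=\S+ ip=(?P<ip>\S+)$"
)

# Constructed sample data, not real log lines.
SAMPLE_LOG = """\
2015-03-01T10:00:01Z imap auth=fail user=alice ip=192.0.2.10
2015-03-01T10:00:02Z imap auth=fail user=admin ip=192.0.2.10
2015-03-01T10:00:03Z imap auth=fail user=root ip=192.0.2.10
2015-03-01T10:00:04Z smtp auth=fail user=bob ip=192.0.2.11
2015-03-01T10:01:00Z webmail auth=ok user=carol ip=198.51.100.7
2015-03-01T10:02:00Z pop3 auth=fail user=carol ip=198.51.100.7
2015-03-01T10:03:00Z imap auth=ok user=dave ip=203.0.113.5
2015-03-01T10:04:00Z imap auth=fail user=eve ip=999.0.2.1
garbage line that does not parse
"""
SAMPLE_EXITS = {"192.0.2.10", "192.0.2.11"}  # constructed stand-in for the DNSBL


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """DNSBL lookup name: IPv4 octets reversed, followed by the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def dnsbl_listed(ip, zone=DNSBL_ZONE):
    """Live lookup: an A record means listed, NXDOMAIN means not listed."""
    try:
        socket.gethostbyname(dnsbl_query_name(ip, zone))
        return True
    except socket.gaierror:
        # Also raised when the resolver is unreachable, so a production
        # check should distinguish "not listed" from "lookup failed".
        return False


def summarize(log_text, is_tor_exit, brute_threshold=3):
    """Count ok/fail auth events for Tor-exit and other sources."""
    stats = {"tor": Counter(), "other": Counter()}
    fails_by_ip = Counter()
    cache = {}          # one classification per address, not per log line
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        ip = m["ip"]
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            skipped += 1
            continue
        if ip not in cache:
            cache[ip] = bool(is_tor_exit(ip))
        bucket = "tor" if cache[ip] else "other"
        stats[bucket][m["result"]] += 1
        if m["result"] == "fail":
            fails_by_ip[ip] += 1
    return {
        "tor": {"ok": stats["tor"]["ok"], "fail": stats["tor"]["fail"]},
        "other": {"ok": stats["other"]["ok"], "fail": stats["other"]["fail"]},
        "brute_force_ips": sorted(
            ip for ip, n in fails_by_ip.items() if n >= brute_threshold),
        "skipped": skipped,
    }


if __name__ == "__main__":
    # Offline run against the constructed exit set; pass dnsbl_listed instead
    # of SAMPLE_EXITS.__contains__ to query the DNSBL for real addresses.
    print(summarize(SAMPLE_LOG, SAMPLE_EXITS.__contains__))
```

On the constructed sample the Tor bucket shows four failures and no successes, the pattern the message reports, while the per-address failure count supports lockout of individual sources rather than a blanket block.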
Re: [tor-talk] Tor over SSH (torsocks) (?)
On 2015-02-16 03:30, blo...@openmailbox.org wrote:
> On 2015-02-16 02:31, Dave Warren wrote:
> > On 2015-02-15 16:35, Mirimir wrote:
> > > On 02/15/2015 02:22 PM, blo...@openmailbox.org wrote:
> > > > I want to login to my VPS over SSH. Is torsocks still a safe way to do this? A lot of the documentation (such as it is) is several years old.
> > >
> > > I prefer to run an SSH hidden service on the VPS.
> >
> > I'd tend to agree; if you control the endpoint, set it up as a hidden service rather than having Tor exit node involved at all. While running hidden services alongside non-hidden services introduces some risks, most of these are less significant when connecting to SSH on a server that you control.
>
> I don't think I phrased my question very well. I'm not running a hidden server. I'm just logging in to a shared VPS to ftp. etc, rather than logging in to a control panel over HTTPS. I just want a simple way to do ssh IP port but with Tor.

Understood. But the suggestion is that you SHOULD run a hidden server to listen for SSH connections over Tor as this will be far more reliable and secure than having to rely on an exit node.

The rest of the server doesn't need to be a hidden server, and SSH can still listen as both a Tor hidden server and a regular public server, but by making it a hidden server within Tor, you remove one of the major risk factors of using Tor: The exit node.

-- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren

Re: [tor-talk] Tor over SSH (torsocks) (?)
On 2015-02-15 16:35, Mirimir wrote:
> On 02/15/2015 02:22 PM, blo...@openmailbox.org wrote:
> > I want to login to my VPS over SSH. Is torsocks still a safe way to do this? A lot of the documentation (such as it is) is several years old.
>
> I prefer to run an SSH hidden service on the VPS.

I'd tend to agree; if you control the endpoint, set it up as a hidden service rather than having Tor exit node involved at all.

While running hidden services alongside non-hidden services introduces some risks, most of these are less significant when connecting to SSH on a server that you control.

-- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren

Re: [tor-talk] Funded search engine for onionspace?
On 2015-02-13 15:30, l.m wrote:
> If you instead use a google search appliance couldn't you use google engine for indexing without having to use google itself? Wouldn't that also avoid the problem of google queries being associated with the client making the request?

It might, but it's licensed based on the number of documents (pages?), starting around $20,000, so it's probably not really an ideal solution for this type of use.

(Pricing from http://www.techrepublic.com/blog/google-in-the-enterprise/what-is-a-google-search-appliance/ -- You have to contact them to get a quote, which usually means the price is not reasonable to begin with)

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: [tor-talk] Using Tor Hidden Services as Time Source
On 2015-02-06 14:41, Patrick Schleizer wrote:
> Hello, I am a developer of an anonymity-centric distribution. Called Whonix, it's similar to TAILS but optimized for virtual machines.
>
> We need to use a source to calibrate our system clock. For obvious and non-obvious reasons, that source can't be NTP. The way we do it at the moment is to fetch HTTP headers over SSL from trusted servers and use the timestamp data. We want to get rid of SSL and make use of the strong security properties of Tor's end-to-end encryption for Hidden Services in order to safeguard against clearnet SSL MITM attacks, which are within reach of powerful adversaries.
>
> Our plan is to contact hidden service operators, adding multiple trustworthy hidden services to the list for both redundancy and load distribution. Our estimated user base is 5000. The requests will only involve fetching an HTTP header from the server, similar to `curl --head atlas777hhh7mcs7.onion`.
>
> Before simply implementing this feature and hoping Tor handles the load without issue, we'd like expert (deep knowledge of Tor internals, network size, paths, etc) and (hopefully) official responses to our idea.

I assume you're okay with very low accuracy here, clock drift of over a second will be quite common when using HTTP over Tor.

This probably isn't a big deal for desktop users, but part of why NTP is generally used is because it can allow for accurate time delivery even over networks with higher latency, and somewhat inconsistent latency.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
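Added example, not part of the original thread and not Whonix code: a sketch of how far an HTTP `Date` header fetched over a slow circuit can pin down the local clock error, and how several sources can be combined so that one wrong server is rejected. The function names, the sample timings and the median-plus-intersection rule are assumptions made for this illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from statistics import median


def offset_bounds(t_send, t_recv, date_header):
    """Bound (server time - local clock) in seconds from one HTTP response.

    t_send / t_recv are local-clock epoch seconds around the request. The Date
    header is truncated to whole seconds and was stamped at an unknown moment
    between t_send and t_recv, so the interval is (round trip + 1 s) wide.
    """
    stamped = parsedate_to_datetime(date_header).timestamp()
    return stamped - t_recv, stamped + 1.0 - t_send


def estimate_offset(samples):
    """Combine several sources; return (estimate, low, high, rejected)."""
    bounds = [offset_bounds(*s) for s in samples]
    est = median((lo + hi) / 2 for lo, hi in bounds)
    # Keep only sources whose interval is consistent with the median estimate.
    agreeing = [(lo, hi) for lo, hi in bounds if lo <= est <= hi]
    if not agreeing:
        raise ValueError("no source is consistent with the median estimate")
    low = max(lo for lo, _ in agreeing)
    high = min(hi for _, hi in agreeing)
    return est, low, high, len(bounds) - len(agreeing)


# Constructed samples: the local clock runs about 40 s slow, round trips of
# 1 to 3 s stand in for hidden-service latency, and the third source is wrong.
T0 = datetime(2015, 2, 6, 14, 41, 0, tzinfo=timezone.utc).timestamp()
SAMPLES = [
    (T0 + 0.0, T0 + 2.4, "Fri, 06 Feb 2015 14:41:41 GMT"),
    (T0 + 10.0, T0 + 13.0, "Fri, 06 Feb 2015 14:41:51 GMT"),
    (T0 + 20.0, T0 + 21.0, "Fri, 06 Feb 2015 14:46:00 GMT"),  # outlier source
]

if __name__ == "__main__":
    est, low, high, rejected = estimate_offset(SAMPLES)
    print(f"offset ~ {est:+.1f} s, bounded to [{low:+.1f}, {high:+.1f}] s, "
          f"{rejected} source(s) rejected")
```

Even with two agreeing sources the remaining interval is 3.4 s wide, which is the "over a second" inaccuracy the reply describes.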
Re: [tor-talk] Confidant Mail
On 2015-02-03 21:28, Andrew Roffey wrote:
> Except for the few big names, most domain providers do not provide inexpensive certificates so the point is not invalid (yet). I don't think changing domain providers to bundle the cost is a reasonable solution to the high costs of certificates.

HTTPS certificates can easily be found under $20/year. Less, if you pay multiple years in advance. While this isn't a trivial cost, I have trouble calling this a high cost.

In fact, many (possibly most) TLDs cost more for the domain than the certificate, even when purchasing from independent vendors.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: [tor-talk] VPN/TOR Router
On 2015-02-02 11:06, Seth David Schoen wrote:
> spencer...@openmailbox.org writes:
>> Hey :) I have been looking at a physical product by Cryptographi called the 'SnoopSafe Encrypted VPN/TOR Router'[0]. Does this work? Is this safe?
>>
>> [0] http://cryptographi.com/products/snoopsafe
> There have been a number of discussions on this mailing list before about standalone Tor routers. The usual consensus is that using a separate router together with regular Internet applications is risky, because the applications don't know that they shouldn't behave in certain ways. For example, the applications might mention your real IP address in the course of some protocol, or they might send or allow to be sent a persistent cookie, which might eventually be sent over both a Torified and a non-Torified connection.

It occurs to me that such a computer wouldn't *know* your real IP to share, it would only see its local IP, and the only IP it would learn as an external IP is that of the Tor exit node.

However, the other anonymity related concerns would definitely apply. Things like browser identification, cookies and other data that are used within Tor and outside of Tor and similar would be huge problems.

If your goal is to be anonymous, this is obviously a major problem, but not everyone needs anonymity, sometimes it's desirable and sufficient to encrypt and protect your traffic from the first hop. In this type of environment, implementing Tor at the network level would have a number of advantages, including reducing the odds of certain types of leakage while still allowing many/most applications to function without further configuration.

While I wouldn't necessarily suggest using Tor at the router level for all users, for at least some use cases, it probably makes a lot of sense to consider this as an option.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: [tor-talk] Torbirdy
On 2015-01-26 03:10, Cypher wrote:
> Also, since the only data leaked seems to be the local datetime, I'd think it's not a massive concern since my local datetime is shared with a few million other people.

While true, the time*zone* is also mentioned, and timezones can be a more interesting kettle of proverbial fish.

Timezone rules vary from region to region, and so upon observing the dates your DST rules apply, I might determine your country or geopolitical location more specifically than just a 1/24th slice of the planet (plus all those funky :30 zones).

More complicated is when you travel, if you update the timezone on your machine, this information is leaked too, so over time, your timezone information may actually reveal your travel to a very broad degree. Chances are that it would only take a very small number of cross-timezone trips for a gov't actor to correlate your timezone shifts with your travel itinerary, assuming such information is made available now or in the future.

For most people, it's probably not a major risk, but for those whose livelihood or freedom relies upon anonymity, this is just the sort of leak that Big Data can use.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
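Added example, not part of the original thread: a self-audit of what the `Date` headers of your own sent mail expose, listing every point at which the stated UTC offset changes. The function name and the header values are constructed for this illustration, and the input is assumed to be in chronological order.

```python
from datetime import timezone
from email.utils import parsedate_to_datetime


def offset_changes(date_headers):
    """Return [(utc_day, offset_hours)] for each change of stated UTC offset.

    A header ending in "-0000" states no zone at all and is counted as 0.0,
    the same as "+0000", which is what a client normalising to UTC sends.
    """
    changes, last = [], None
    for raw in date_headers:
        dt = parsedate_to_datetime(raw)
        off = dt.utcoffset()          # None for "-0000": no zone stated
        hours = off.total_seconds() / 3600 if off is not None else 0.0
        if hours != last:
            if off is not None:
                day = dt.astimezone(timezone.utc).date()
            else:
                day = dt.date()
            changes.append((day.isoformat(), hours))
            last = hours
    return changes


# Constructed Date headers from one sender over a year: two DST switches
# and one week abroad are visible from the offsets alone.
SENT_DATES = [
    "Mon, 26 Jan 2015 03:10:00 -0800",
    "Tue, 27 Jan 2015 12:00:00 -0800",
    "Mon, 09 Mar 2015 09:00:00 -0700",
    "Tue, 16 Jun 2015 10:00:00 +0100",
    "Tue, 23 Jun 2015 08:30:00 -0700",
    "Mon, 02 Nov 2015 09:00:00 -0800",
]

if __name__ == "__main__":
    for day, hours in offset_changes(SENT_DATES):
        print(f"{day}: UTC{hours:+.1f}")
```

A mailbox whose headers are all written in UTC yields a single entry with offset 0.0, so the list length is a quick measure of how much zone history has been exposed.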
Re: [tor-talk] Yelp blocking Tor users from viewing entire site
On 2015-01-21 05:04, Aymeric Vitte wrote:
> It would be interesting to know if sites like Yelp/Craigslist are more afraid of anonymity and possible spam/trolls than crawlers. If they cannot detect a crawler using Tor, then they cannot detect any other crawler, like a crawler switching IPs as mentioned in another post, using vpns or proxies, etc.
>
> So in that case it's useless to block Tor, because Tor network's size is not really significant compared to other means that crawlers have, probably they just chose the easy way as well as crawlers might have chosen the easy way too (use Tor), blocking Tor so they have solved one problem. But in fact they have solved nothing if they are not protected against crawlers, and if they are protected the protection would be something like blocking the IP or sending a captcha.
>
> Maybe the exit nodes could implement an anti-crawler feature, even if the crawler is switching among 1000 exit nodes I think it's feasible to fingerprint it in the Tor network finite space, I don't know if there are studies about this, an efficient crawler can never behave like a human being or a normal browser. This might sound like a kind of censorship but that's probably not the goal of the Tor network to crawl and spam the web, the exit nodes that would have removed the feature would just get blocked.

I think that Craigslist is a bit different, the ultimate goal is for local people to meet in real life, but they have a very high rate of spammers and abuse, most of which is non-local. Dealing with spam has been a massive problem for Craigslist, and one of the things that has helped is to geolocate users when posting and use that to help prevent abuse.

More importantly though, when Craigslist identifies you're doing something abusive, they don't always tell you. Your posts will appear to post, will be visible to you and by number, but not to users who search. Given that real posts don't show up instantly either, this works well because spammers don't get feedback and therefore can't work around the system as easily, but it creates an extremely negative user experience for legitimate users who share an IP with a spammer as you will think everything is working, but your ad never makes it and you feel like you're being ignored.

I'm not sure that blocking Tor is the best approach, but it probably makes sense from a user experience perspective since Tor nodes would quickly get flagged for abuse if they weren't blocked outright.

I am a bit mixed about whether reducing anonymity is a good thing or not for a site that is ultimately centered around people interacting in real-life.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: [tor-talk] Craigslist now blocking all Tor IPs? Template for anyone:
On 2015-01-20 15:21, Seth wrote:
> On Tue, 20 Jan 2015 13:15:43 -0800, Greg Norcie gnor...@umail.iu.edu wrote:
>> I (and a few other friends) have noticed Padmapper's results seem less complete than usual lately. Coincidence?
> I would think that an organization like Padmapper would have the technical and financial wherewithal to build out their own network of scraper nodes apart from the tor network. This would be almost impossible to block especially if they stood up the infrastructure on a large cloud provider where instances could be re-provisioned with new IP address in numerous cities all over the globe in a matter of minutes with a click of the button.

I'm not so sure that that would work particularly well, humans rarely live in datacenters, and it's tough to make cloud IPs look and act the same as residential IPs, especially when other IPs in the same /24 (or larger) are owned by different customers.

User behaviour would also be quite different, and it would probably be difficult to mimic typical human patterns of usage while scraping enough information to be worthwhile before Craigslist pulls the plug.

Tor exit nodes, on the other hand, have a lot of human shields using them too, so it makes it a lot harder to narrow down a specific bad actor without also hitting actual users. So while Tor isn't necessarily an ideal choice here, it has some advantages over dynamically allocating and dropping cloud IPs.

> I'm curious why Craigslist doesn't just sell their listing data via API access to companies like Padmapper, that would be a win-win.

Because they're actively hostile to creating a better user experience. Don't get me wrong, the fact that their website doesn't look like someone from marketing took a dump all over it is part of what is awesome about it, but still...

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: [tor-talk] What relay does really help the TOR project?
On 2015-01-16 12:40, Josef 'veloc1ty' Stautner wrote:
> The past days I made some short tcpdump traces to find out what people use TOR for. Well, it's kind of sad. A short analysis of the hostnames gave me the result: 80% Porn, 10% site crawling, 5% Wordpress comment spam and 5% human traffic. I don't get why people use TOR for watching porn.

For all the same reasons as any other type of traffic? Porn is illegal (or quite restrictive) in many parts of the world, and if you know your ISP is observing traffic, why give them information that could be potentially used against you, even if only to embarrass you?

I have trouble seeing why it matters what type of traffic people are generating, unless it's abusive toward any of the networks involved (including the internet at large).

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: [tor-talk] Tor on the iPhone?
On 2015-01-15 07:08, Nathan Freitas wrote:
> iOS doesn't allow external background proxies in the way that Android does.

They do if you develop it as a VPN solution. OpenVPN is one such example of a VPN technology which is not supported by iOS natively, but can be added via third party application.

I'd be surprised if a proxy can be handled the same way, but if the underlying application were to act as a VPN as well, it should be possible.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: [tor-talk] Libevent vulnerability CVE-2014-6272 - Tor affected?
On 2015-01-06 12:50, Nikolas Raiser wrote:
> Hi folks, can anyone tell me if Tor, since it uses libevent, is affected by this vulnerability
>
> Advisory: integer overflow in evbuffers for Libevent <= 1.4.14b,2.0.21,2.1.4-alpha [CVE-2014-6272]
> http://archives.seul.org/libevent/users/Jan-2015/msg00010.html .

Check the list archives for CVE-2014-6272. The answer is: this does not affect Tor.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren