Re: [tor-talk] How can an external observer detect if a malicious relay does excessive logging?

2021-06-24 Thread Georg Koppen
Anders Andersson:
> Having had little luck with my question posted on
> tor.stackexchange.com[1] I will try here, perhaps there are more
> "eyes" on the mailing list.
> 
> Under "Criteria for rejecting bad relays" on the Network Health Team's
> wiki[2] there is a list of things that makes a relay be "malicious".
> Everything there seems possible to find out (with some effort) except
> this:
> 
> "- Excessive logging (over notice) during normal operation"
> 
> I've tried to figure out how this can be probed from the outside, but
> can't come up with anything realistic. How can it be probed?

I am not sure, it probably can't. However, there are other ways one can
get to know about this practice (e.g. due to mistakes the operator
makes), so it's still important to list it as a criterion even though it
is not straightforward how to verify that no excessive logging is taking
place.

Georg

> 
> [1] 
> https://tor.stackexchange.com/questions/22430/how-can-an-external-observer-detect-if-a-malicious-relay-does-excessive-logging
> [2] 
> https://gitlab.torproject.org/tpo/network-health/team/-/wikis/Criteria-for-rejecting-bad-relays
> 




OpenPGP_signature
Description: OpenPGP digital signature
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] >600 Tor relays without ContactInfo and similar properties

2020-10-23 Thread Georg Koppen
nusenu:
>> Since the Tor directory authorities are no longer removing such undeclared 
>> relay groups
>> and I feel bad about sitting on this list without doing anything with it 
>> I'm posting it here for your information.
>>
>> This is a set of over 600 Tor relays that got added since 2020-01-29 on a 
>> limited set of hosters.
>> They have some similarities in their sign-up pattern and properties.
>>
>>
>> Most of them are middle relays (non exit relays).
>>
>> total guard probability: 3.6%
>> total middle probability: 10.1%
>>
>> https://github.com/nusenu/tor-network-observations/blob/master/20200129-20200819_unknown_middle_relaygroup.txt
>>
>> +-----------------------+----------+
>> | as_name               |   relays |
>> +-----------------------+----------+
>> | Microsoft Corporation |      254 |
> 
> all of those that used to run at Microsoft 
> left (or got kicked?) on 2020-09-19 20:00

They did not get kicked out.

Georg





Re: [tor-talk] Blur screen in TBB with fractional scaling

2020-03-27 Thread Georg Koppen
Daniel Gorbe:
> Hi!
> 
> 
> I recently installed Kali with Wayland support.
> 
> I enabled fractional scaling because of a HiDPI monitor, using 150% scale.
> 
> I'm trying to set up TBB, but the screen is blurry.
> 
> The only Firefox version I can set up properly is Nightly.

Tor Browser is not based on Firefox Nightly but on Firefox 68 ESR. So,
if this feature is not even available in a Firefox release yet, it's no
surprise that Tor Browser does not have it. If it's not too invasive it
might be possible to backport. Thus, figuring out which Mozilla bug this
got fixed in could be a good next step towards Tor Browser support.

Georg

> 
> Did I miss something, or does TBB not support fractional scaling?
> 
> 
> I tried the Alpha version and the repo's version. None of them work.
> 
> 
> Thanks,
> 
>     g0rbe
> 
> 
> 
> 






Re: [tor-talk] TBB update mechanism

2020-03-01 Thread Georg Koppen
Hans Vader:
> Dear TOR people,
> 
> I have a question regarding the updating mechanism of tor browser from
> within the browser.
> These updates are signed, I strongly suppose. I would like to know, does
> checking these signatures depend on external programs like gpg? Is the
> signature verification application for updates part of the browser
> bundle itself?

For updates we essentially use the Firefox updater and, yes, we are
signing the update files.

Firefox and thus Tor Browser comes with its own means to check the
signature[1], there is no external tool required. For more information
about the Firefox update process and the .mar files, which are the
update files the Tor Browser build process produces, see the Mozilla
wiki[2] as a starting point.

Georg

[1] https://wiki.mozilla.org/Software_Update:MAR_Signing_and_Verification
[2] https://wiki.mozilla.org/Software_Update





Re: [tor-talk] Grey Borders / Viewbox in tor

2019-11-06 Thread Georg Koppen
Andreas Krey:
> On Tue, 05 Nov 2019 12:34:39 +, Jan wrote:
>> Hello folks,
>>
>> I'm using tor browser 9.0. Recently (since the last update?) a grey
>> border appears when maximising the window.
> 
> Or when resizing to anything that is not a multiple of 100px in either
> dimension, 200px when over 1600px.
> 
> Try with this: https://apk.li/ws (static page, displays windows.outer
> and .inner sizes, obviously requires javascript).
> 
>> That's a bit annoying, since a fair share of my screen is not used for
>> displaying the web page.
> 
> It indeed is on my laptop where I lose more than 10% of screen estate,
> and it's not big to begin with.
> 
> It's also annoying on the big screen when you work with night mode
> pages in fullscreen, and get a big glaring border around that.
> (Or youtube, for that matter.)

That's actually #32220 and will be fixed in the upcoming alpha and soon
in the stable series.

> And in my case, a size of 1800x1800 stands out exactly as much as
> 1920 x 1857 (maximized firefox) - the anonymity seems to be
> basically the same.
> 
>> Is there a way to disable this border?
> 
> I didn't find anything in about:config.
> 
> Would help a lot, even if only in about:config - there are many pages
> where I care for location anonymity, but they know me anyway (login).

`privacy.resistFingerprinting.letterboxing` is probably what you want.

Georg





Re: [tor-talk] Tor Browser Android 8.5.1 obfs4 Bridges Problem

2019-06-10 Thread Georg Koppen
Lotta Kallio:
> Yes, I tried. It is not working. If someone could take an interest in this 
> issue, we would appreciate it.

It is weird that those bridges are working for you on desktop and not on
mobile. Are you on the same network when it is working on desktop and
not on mobile? If so, could you file a ticket in our bug tracker at
https://trac.torproject.org/projects/tor ?

Georg

>> ----
>> From: Georg Koppen 
>> Sent: Fri Jun 07 09:29:00 CEST 2019
>> To: 
>> Subject: Re: [tor-talk] Tor Browser Android 8.5.1 obfs4 Bridges Problem
>>
>>
>> Lotta Kallio:
>>> Dear Tor Volunteers and Engineers,
>>>
>>> Hope you are fine.
>>>
>>> As you know, I wrote an email about TB Android's built-in bridges and a few 
>>> days later you released a new build with new changes. I installed TB 8.5.1 
>>> and tried again. I waited for minutes but had no luck. Respectfully, nothing 
>>> has changed. I captured two (2) screenshots of TB Android. I attached those 
>>> and also uploaded them.
>>>
>>> https://share.riseup.net/#XPnjRD_0eeveNMVq_XO9eQ
>>> https://share.riseup.net/#87nFB3buzwydBx9MF3kmDQ
>>
>> Do you have a desktop machine and can confirm that none of the bridges
>> that are failing on Android is working on desktop either?
>>
>> Georg
>>
> 
> 
> -- 
> Sent with https://mailfence.com
> Secure and private email
> 






Re: [tor-talk] Tor Browser Android 8.5.1 obfs4 Bridges Problem

2019-06-07 Thread Georg Koppen
Lotta Kallio:
> Dear Tor Volunteers and Engineers,
> 
> Hope you are fine.
> 
> As you know, I wrote an email about TB Android's built-in bridges and a few 
> days later you released a new build with new changes. I installed TB 8.5.1 and 
> tried again. I waited for minutes but had no luck. Respectfully, nothing has 
> changed. I captured two (2) screenshots of TB Android. I attached those and 
> also uploaded them.
> 
> https://share.riseup.net/#XPnjRD_0eeveNMVq_XO9eQ
> https://share.riseup.net/#87nFB3buzwydBx9MF3kmDQ

Do you have a desktop machine and can confirm that none of the bridges
that are failing on Android is working on desktop either?

Georg





Re: [tor-talk] Data collection by Tor Browser

2019-05-15 Thread Georg Koppen
npdflr:
> Thanks Georg and Roger.
> 
> 
> 
> I have taken some time to read the links given by Roger and try to understand 
> various terms related to tracking/privacy on the internet.
> 
> 
> Basically, I understand that there would be a need to gather some technical 
> data to keep the Tor network running and also improve the Tor network and if 
> there is any sensitive data gathered at all then it would be for as short a 
> time as possible depending on the requirements and also not made public.
> 
> Further, I would like to ask:
> 1. Whether any extensions (such as HTTPS, NoScript) or other 
> technologies/tools in-built (preinstalled) in Tor browser would be gathering 
> data?
> (or in other words: Should I go through their terms or contact them 
> separately?)

As far as I can tell, no, they should not gather data. If that's the
case then this is a bug we should fix.

> 2. Can Tor browser or Tor client be used in a commercial environment? (by an 
> organization or individuals who are self-employed)

Yes. There is nothing that speaks against that from the Tor side at least.

Georg

> Thank you.
> 
> 
>  On Wed, 06 Mar 2019 00:32:00 -0800 Georg Koppen 
> <mailto:g...@torproject.org> wrote 
> 
> 
> npdflr: 
>> Hi, 
>>
>>
>> Does Tor browser itself collect any data (Technical data, Web activity data, 
>> Personal data etc)? 
>>
>>
>>
>> As Tor is a modified Firefox ESR, does Tor browser follow the Firefox Data 
>> Collection Practice? (https://wiki.mozilla.org/Firefox/Data_Collection) 
>  
> No, there is no such data collection by the browser itself. We try 
> pretty hard to disable things like telemetry and other potential data 
> collection mechanisms. If we have overlooked something here then this is 
> a bug we should fix. 
>  
> Georg
> 
> 
> 
> 
> 
> 
> 
> 
>  On Fri, 01 Mar 2019 21:13:32 -0800 Roger Dingledine 
> <mailto:a...@torproject.org> wrote 
> 
> 
> 
> On Fri, Mar 01, 2019 at 08:00:17PM -0800, npdflr wrote:
>> Does Tor browser itself collect any data (Technical data, Web activity data, 
>> Personal data etc)?
>>
>> As Tor is a modified Firefox ESR, does Tor browser follow the Firefox Data 
>> Collection Practice? (https://wiki.mozilla.org/Firefox/Data_Collection)
> 
> I believe the answer is no, Tor Browser shouldn't tell anybody else
> any of these things about you.
> 
> You can read the Tor Browser design goals here:
> https://www.torproject.org/projects/torbrowser/design/
> and anything where it reveals your browsing activity would count as a
> bug -- and depending on the type of information leak, could qualify for
> a bug bounty: https://hackerone.com/torproject .
> 
> Three caveats to my answer though:
> 
> (1) This word 'collect' is confusing, because that word sure makes it
> sound like it includes internal program data structures. The browser
> needs to know something about your web activity while it's loading web
> pages for you, and that by itself isn't harmful. The key question is
> whether it shares that information with anybody else. For this sort of
> user info, we aim to stick to the principle of "no secret databases",
> that is, anything that we gather should be so sanitized, and so safe to
> collect, that we share it with everybody else too. That way we're never
> in the position where attackers might want to break into our systems to
> learn more about our users.
> https://www.freehaven.net/anonbib/#wecsr10measuring-tor
> For browser activity, the obvious simple approach to only publishing
> safe things is to publish nothing at all, which is what we try to do.
> 
> (2) I might not be up on the latest Tor Browser moves, so it's possible
> there are some open tickets for disabling telemetry or the like which
> aren't yet fixed. Keeping up with the constant changes to Firefox is tough
> to do perfectly. I'll let the browser team jump in here if they want.
> 
> (3) Other places on the Internet could still keep statistics, based
> on your connections to them. I'm thinking in particular of:
> 
> (3a) the addons.mozilla.org server, which ought to see just anonymized
> connections over Tor, but that still lets them gather general statistics
> like how many Tor users there are, what extensions they have installed,
> etc. Similarly, the periodic update pings, and update fetches, happen
> over Tor but can still be counted in the aggregate:
>

Re: [tor-talk] tor browser for android (alpha) from fdroid

2019-05-08 Thread Georg Koppen
Georg Koppen:
> Linklinklink:
>> Hi, I'm missing Orfox and it's not available in F-Droid anymore?! Now I tried 
>> Tor Browser for Android (alpha) from F-Droid; in the version before it 
>> crashed completely with a blank screen, now with the new version 60.6.1 
>> (2015615265) armeabi-v7a only, I can start the app without a crash, but when I 
>> touch the connect button and then swipe to the left to see the Tor logs, I 
>> always get this error:
>>
>> Unable to start tor: Java.io.IOExeption: Control port file not created 
>> /data/data/org.torproject.torbrowser_alpha/app_torservice/lib/tor/control.txt,
>>  len = 0
>>
>> Can this be fixed please?? I have no other browser on my phone. :(
>> I have kitkat android 4.4.4
> 
> We are working on it, see:
> https://trac.torproject.org/projects/tor/ticket/30401

Ahem, I actually meant:
https://trac.torproject.org/projects/tor/ticket/30284

Georg





Re: [tor-talk] tor browser for android (alpha) from fdroid

2019-05-08 Thread Georg Koppen
Linklinklink:
> Hi, I'm missing Orfox and it's not available in F-Droid anymore?! Now I tried 
> Tor Browser for Android (alpha) from F-Droid; in the version before it crashed 
> completely with a blank screen, now with the new version 60.6.1 (2015615265) 
> armeabi-v7a only, I can start the app without a crash, but when I touch the 
> connect button and then swipe to the left to see the Tor logs, I always get 
> this error:
> 
> Unable to start tor: Java.io.IOExeption: Control port file not created 
> /data/data/org.torproject.torbrowser_alpha/app_torservice/lib/tor/control.txt,
>  len = 0
> 
> Can this be fixed please?? I have no other browser on my phone. :(
> I have kitkat android 4.4.4

We are working on it, see:
https://trac.torproject.org/projects/tor/ticket/30401

Georg





Re: [tor-talk] Tor Browser disabled NoScript, but can't update

2019-05-07 Thread Georg Koppen
Roman Mamedov:
> On Sat, 4 May 2019 02:21:15 -0500
> Joe  wrote:
> 
>> I've used the latest stable TBB 8.0.8 (Linux) since released with the
>> latest NoScript (at that time).
>> Today is the 1st day I saw that NoScript was disabled by TBB.
>>
>> I see now that it's not a TBB only issue, but also Firefox.
>> A comment on Reddit said, "They [Mozilla] let their add-on signing
>> certificate expire and it invalidated a shitload of add-ons."
> 
> It is very surprising to see that TBB relies on Mozilla like this. Turns out

I think we should differentiate a bit here. Of course, Tor Browser
relies on that as we support installing extensions as long as they are
signed by Mozilla. It's a fair point, though, saying the extensions we
ship as essential Tor Browser extensions should be resistant to Mozilla
PKI failures or we should fall back to safer defaults or... We have some
options here which we will discuss in the near future and then we'll
implement those we deem worthwhile.

> an unrelated 3rd party can suddenly remotely disable Tor anonymity protections
> at their whim, and possibly endanger TBB users (or deliberately help in
> deanonymizing them).

I think that's not adequately describing the situation we were in.
Mozilla did not suddenly remotely disable Tor anonymity protections at
their whim. What happened was that Tor Browser users on higher security
levels got suddenly essentially the same experience as any Tor Browser
user that is using Tor Browser as we ship it. This is definitely a
serious bug, I agree. However that did not happen by pressing some
button remotely as the certificate you had *locally* in your browser
expired.

You could argue that Mozilla could just sign any extension and ship that
one as an "update" to NoScript and Tor Browser would happily install it.
Yes, this possibility exists and we will revisit that scenario (see
above). However, there are no known ways that Mozilla can induce a Tor
bypass be it remotely or by installing an extension into Tor Browser (or
by failing to monitor expiration dates of certificates) (if I am wrong
here, please let us know). I think that should be kept in mind as well
when talking about the scope of the problem at hand.

Finally, if you look at the amount of code we inherit from Firefox (way
more than 99%) then there is plenty of room where things can go wrong
(for a bunch of "wrong"s), so even if we avoid the NoScript problem in
the future (which we should), we are pretty dependent on Mozilla.

Georg





Re: [tor-talk] Tor Browser disabled NoScript, but can't update

2019-05-04 Thread Georg Koppen
Mirimir:
> On 05/04/2019 12:21 AM, Joe wrote:
>> I've used the latest stable TBB 8.0.8 (Linux) since released with the
>> latest NoScript (at that time).
>> Today is the 1st day I saw that NoScript was disabled by TBB.
>>
>> I see now that it's not a TBB only issue, but also Firefox.
>> A comment on Reddit said, "They [Mozilla] let their add-on signing
>> certificate expire and it invalidated a shitload of add-ons."
>>
>> I assume it expired today?  When TBB & Fx checked for addon versions, it
>> saw the expired signing certificate.
>> There is a script listed on Reddit that supposedly will re-enable the
>> addons, but until Mozilla fixes the signing certificate bug, they said
>> the script would need running every 24 hrs.
> 
> See https://trac.torproject.org/projects/tor/ticket/30388 for temporary fix.

In addition to that: We plan to ship an updated Tor Browser as soon as
Mozilla has fixed the bug on their side. I expect Mozilla to be ready
later today so that we might be able to get a new Tor Browser out
tomorrow, or latest, Monday morning EU time. Sorry for the inconvenience.

Georg





Re: [tor-talk] tor project website change

2019-04-30 Thread Georg Koppen
Lee:
> On 4/5/19, Lee wrote:
>> On 4/5/19, Kevin Simper  wrote:
>>> You should submit a patch, that would be a great way to move the
>>> conversation forward 
>>
>> If I thought they'd add some warnings, sure, but I suspect that adding
>> anything that would make the tor browser look less than perfectly safe
>> isn't going to happen.
>>
>> For the download page:
>> line 132 - remove this bit
>>   
>>   
>> Download Tor Browser
>>   
>>   
>> You're already on https://www.torproject.org/download/
>> Having a link to the page you're already on is confusing at best.
> 
> Both of the "Download Tor Browser" links still point to
>   https://www.torproject.org/download/
> 
> Would someone please either get rid of those links or change them to
>   https://www.torproject.org/download/languages/

Those belong to the header and footer of any of the new pages on our
website. Thus, I think this is working as expected. It seems to me it
would be way more confusing if the header and the footer suddenly on the
download page behaved differently than on any other page of our website.

Georg





Re: [tor-talk] tor project website change / contributing

2019-04-12 Thread Georg Koppen
entensai...@use.startmail.com:
> Dear all,
> 
> Sorry for not replying to a specific mail.
> I believe it is possible to extract valuable information from the
> comments on this mailing list and I would like to help improve the
> website. So I have a few questions:
> 
> Is there a specific group of people working on the website?
> How do you communicate and manage your work? (would that be the
> #tor-project group on IRC?) How could I get in touch?

Thanks for asking. We have #tor-www for website work, please be welcome
and join us. Help is very much appreciated.

> I believe this list may not be the best medium for feedback, is there a
> place that would be more appropriate and suitable?
> (Where the feedback is actually going to be received by the team working
> on the website.)

I think the team is closely watching our lists and grateful for
constructive feedback. If you are not used to IRC, filing a ticket in
our bug tracker might help (see below). I am not sure about the
appropriate mailing list for discussion. Others might chime in here.

> Did anyone extract and collect the valuable feedback from this mailing
> list yet?

Yes, we did extract feedback and created tickets where appropriate in
our bug tracking system. The parent ticket is

https://trac.torproject.org/projects/tor/ticket/29901

and we have a bunch of child tickets so far. In case we missed any,
please add them. We'll triage that list regularly.

> Thank you Kevin for creating the guide on contributing to Tor! That
> saves a lot of time. :D

Indeed, thanks for that.

Georg






Re: [tor-talk] Data collection by Tor Browser

2019-03-06 Thread Georg Koppen
npdflr:
> Hi,
> 
> 
> Does Tor browser itself collect any data (Technical data, Web activity data, 
> Personal data etc)?
> 
> 
> 
> As Tor is a modified Firefox ESR, does Tor browser follow the Firefox Data 
> Collection Practice? (https://wiki.mozilla.org/Firefox/Data_Collection)

No, there is no such data collection by the browser itself. We try
pretty hard to disable things like telemetry and other potential data
collection mechanisms. If we have overlooked something here then this is
a bug we should fix.

Georg





Re: [tor-talk] TLS 1.3 in Tor Browser?

2019-02-11 Thread Georg Koppen
Nathaniel Suchy:
> Okay so if I connect to my blog in Tor Browser, it does not attempt to use 
> TLS 1.3 while Google Chrome and Mozilla Firefox use TLS 1.3 without an issue. 
> (Ref: https://i.ibb.co/x7S3w5H/Screen-Shot-2019-02-11-at-9-46-37-AM.png 
> )

Hard to say what is going on. I guess what would help to understand the
issue would be figuring out what's happening in the TLS handshake. Maybe
it's the TLS 1.3 draft version Tor Browser ships with? Maybe it's
something else...

Georg

> Cordially,
> Nathaniel Suchy
> 
> 
> 
> Feb 11, 2019, 8:00 AM by g...@torproject.org:
> 
>> Nathaniel Suchy:
>>
>>> Does Tor Browser not support TLS 1.3?
>>>
>>
>> It supports the draft version as Firefox ESR 60 does (which Tor Browser
>> is based on). There is a ticket about a possible backport of the
>> standards-track version, see #27141 for that and the context.
>>
>> Georg
>>
> 






Re: [tor-talk] TLS 1.3 in Tor Browser?

2019-02-11 Thread Georg Koppen
Nathaniel Suchy:
> Does Tor Browser not support TLS 1.3?

It supports the draft version as Firefox ESR 60 does (which Tor Browser
is based on). There is a ticket about a possible backport of the
standards-track version, see #27141 for that and the context.

Georg





Re: [tor-talk] Tor browser and remembering settings

2019-02-07 Thread Georg Koppen
Joe:
> On 2/4/19 2:04 PM, Robin Lee wrote:
>> Hi
>>
>> There was a regression some time ago in Tor browser that it would no
>> longer remember that java scripts had been allowed for specific sites.
>> Now every time you start Tor browser it has forgotten all your
>> previous settings. I thought it was just some temporary regression but
>> now it has been a while and it has started to bug me so I thought I
>> would ask if it is going to be fixed at some point?

You have the option now to remember your temporary, site-specific
changes across sessions. See:
https://trac.torproject.org/projects/tor/ticket/27185 for how to do that.

> I didn't read it closely, but I thought there was something in the
> changelog for TBB 8.0.5, that would allow users to save settings.
> If it was supposed to be fixed, it's not working for me.  I still can't
> export settings.

That's https://trac.torproject.org/projects/tor/ticket/27825 and still
not fixed.

Georg





Re: [tor-talk] noscript 10.2 default mandatory sites, trusted sites

2018-12-20 Thread Georg Koppen
Joe:
> Many of these settings aren't brand new (some are fairly new), but I'm
> not sure how some of these settings are actually used in NoScript.
> If they are used "as is," or if settings in one file (say, defaults.js)
> interacts w/ or is overridden by other NS files.  Has anyone seen
> official explanations how these sites shown as default or trusted
> actually work in TBB?
> 
> All of these are from TBB 8.4, noscript 10.2.
> To see the files / settings, you have to copy or extract the noscript
> .xpi file to a different location (has an alpha-numeric name:
> {73a6fe31-595d-460b-a920-fcc0f8843232}.xpi, from
> profile.default/browser-extension-data.
> 
> These are from the NS /legacy/defaults.js file:
> 
> "mandatory": "[System+Principal] about: about:addons about:blocked
> about:certerror about:config about:crashes about:feeds about:home
> about:memory about:neterror about:plugins about:preferences
> about:privatebrowsing about:sessionrestore about:srcdoc about:support
> about:tabcrashed blob: chrome: mediasource: moz-extension:
> moz-safe-about: resource:",
>   "default": "about:blank about:pocket-saved about:pocket-signup
> addons.mozilla.org afx.ms ajax.aspnetcdn.com ajax.googleapis.com
> bootstrapcdn.com code.jquery.com firstdata.com firstdata.lv gfx.ms
> google.com googlevideo.com gstatic.com hotmail.com live.com live.net
> maps.googleapis.com mozilla.net netflix.com nflxext.com nflximg.com
> nflxvideo.net noscript.net outlook.com passport.com passport.net
> passportimages.com paypal.com paypalobjects.com securecode.com
> securesuite.net sfx.ms tinymce.cachefly.net wlxrs.com yahoo.com
> yahooapis.com yimg.com youtube.com ytimg.com",
> 
> Note sites like google.com, googlevideo.com, hotmail.com,
> maps.googleapis.com, paypal, yahoo & yahooapis.com and many others.
> Are the legacy/default.js sites applied "as is" in TBB?  Where is that
> explained?
> 
> If they're allowed as shown, for example, I wouldn't want anything for
> yahoo & their horrible security record, always enabled by default.
> 
> The following are from the noscript /common/Policy.js file. I only
> scratched the surface:
> 
>  function defaultOptions() {
>     return {
>   sites:{
>     trusted: `addons.mozilla.org
>   afx.ms ajax.aspnetcdn.com
>   ajax.googleapis.com bootstrapcdn.com
>   code.jquery.com firstdata.com firstdata.lv gfx.ms
>   google.com googlevideo.com gstatic.com
>   hotmail.com live.com live.net
>   maps.googleapis.com mozilla.net
>   netflix.com nflxext.com nflximg.com nflxvideo.net
>   noscript.net
>   outlook.com passport.com passport.net passportimages.com
>   paypal.com paypalobjects.com
>   securecode.com securesuite.net sfx.ms tinymce.cachefly.net
>   wlxrs.com
>   yahoo.com yahooapis.com
>   yimg.com youtube.com
> ytimg.com`.split(/\s+/).map(Sites.secureDomainKey),
>     untrusted: [],
>     custom: {},
>   },
>   DEFAULT: new Permissions(["frame", "fetch", "other"]),
>   TRUSTED: new Permissions(Permissions.ALL),
>   UNTRUSTED: new Permissions(),
>   enforced: true,
>   autoAllowTop: false,
>     };
>   }
> Again, are these used "as is," or is there a reason they're shown here
> as (always) trusted?
> Many users wouldn't want some of them Trusted by default - maybe never.

No worries, Tor Browser does not trust those sites. I think your
confusion above stems from a misunderstanding: we use NoScript for a very
specific purpose, which is for helping us with our Security Slider,
while its default use in any other browser, say Firefox, is a quite
different one (giving you protections against scripts running etc.).

So, with that in mind looking at the NoScript source alone for
inferring what it does in Tor Browser is not sufficient. You need at
least to look at our code controlling NoScript as well.[1]

> Note also - Policy.js shows the Default tab permissions are only
> supposed to be: "frame, fetch & other."
> Every time I start TBB, *ALL permissions* are enabled again under Default
> tab, not just the 3 shown.  NoScript 10 in Firefox saves custom settings
> & only has the 3 permissions enabled under Default tab.

Re: the permissions, yes, that's again because NoScript serves a
distinct purpose in Tor Browser (which is different from its default
usage in other browsers).

> This was reported right after NS 10 landed in TBB & still not fixed. 
> Like users aren't supposed to touch them. NoScript saving settings
> between sessions - if users choose - should be fairly simple.  Most apps
> outside of TBB allow it.
> In TBB 8.0 - 8.4, backing up NS settings after changes still doesn't
> work, but works OK in Firefox.

That's fixed in our alpha releases, provided you flip a preference.[2]
We plan to backport that fix, probably to the next stable, but won't
make it easier to mess with NoScript's settings as the risk to shoot
oneself in the foot by tweaking/"tuning" 

Re: [tor-talk] Tor Browser macOS Seatbelt Profiles

2018-10-10 Thread Georg Koppen
Nathaniel Suchy:
> Hi,
> 
> I'm a bit curious as to if anyone released macOS Seatbelt Sandbox Profiles
> for Tor Browser?

We used such profiles in the past but that broke with Firefox's content
sandboxing. It seems that is not easy to fix.[1] (If it is, please let
us know)

Georg

[1] https://trac.torproject.org/projects/tor/ticket/22000#comment:14





Re: [tor-talk] TBB 8.0 for Windows not accessible screenreader

2018-09-17 Thread Georg Koppen
john doe:
> Hi,
> 
> Beginning with TBB 8.0 for Windows I can no longer use it with my
> screenreader (1).
> My screenreader is totally lost and makes TBB 8.0 unusable in this case.
> 
> Given that TBB 8.0 is focused on user I really hope that all users will
> be able to continue using TBB.

We too. We are tracking this problem in
https://trac.torproject.org/projects/tor/ticket/27503. The bug is not
easy to solve, but we are currently exploring ways in getting help with
that.

Georg





Re: [tor-talk] TBB 8 GUI changes

2018-09-14 Thread Georg Koppen
Oleg Chernikow:
>  Hello! Updated Tor browser Windows  to version 8.5.1в  found that the
> "bookmarks bar" had disappeared, an obvious bug. How to tell the developers?

It's already in our bug tracker
(https://trac.torproject.org/projects/tor/ticket/27264) and we are
currently working on fixing it.

Thanks,
Georg

> Wed, 12 Sep 2018 at 22:20, Mirimir :
> 
>> In Whonix 13 (Debian jessie with KDE) TBB 8 seems to ignore themes.
>>
>> On 09/12/2018 12:00 PM, Joe wrote:
>>> Can anyone in Torland confirm whether any Linux TBB version - or latest
>>> v8, ever uses any UI colors from the active Linux theme, that usually
>>> affects all Linux apps?
>>>
>>> On 09/08/2018 02:00 AM, Joe wrote:
>>>> In Tor Browser 8 - Linux, I guess Tor Browser never uses the selected
>>>> theme's colors (in Linux Preferences - Themes), modifying scrollbars and
>>>> sliders (or thumbs, in Windows)?

>>>






Re: [tor-talk] Bridges and Tor Browser on macOS

2018-07-20 Thread Georg Koppen
Nathaniel Suchy:
> Hi,
> 
> Obfuscating when I use the Tor Network and the Tor Browser Bundle is
> important to me.
> 
> An ISP can easily pull the built in obfs4 bridges from the saved torrc file
> after installing the Tor Browser Bundle. They can then determine any
> connections to those IP Addresses are likely Tor traffic and treat the
> traffic differently.
> 
> As such my first thought is to get bridges from
> https://bridges.torproject.org/ however when I open up Tor Network settings
> and add them (both OBFS4 and non-OBFS4) the Tor circuit won’t establish.
> 
> There is not a “problem” with the built in bridges other than a skilled
> adversary knowing it’s Tor traffic which is something I would like to avoid
> if possible.
> 
> I’m using the Tor Browser Bundle on macOS High Sierra if this information
> helps with finding the problem.
> 
> What can I do to try and solve this problem?

I think a good start would be to describe in more detail what you did.
Did you copy a bunch of bridge lines you got from BridgeDB into the
input box? If so, I assume you got them via
https://bridges.torproject.org? If so, did you make sure that each of
them is actually running at the moment you tried to use them? Do you
have log output showing what is happening under the hood?

Georg





Re: [tor-talk] Included OBFS4 Bridges in Tor Browser

2018-07-20 Thread Georg Koppen
Nathaniel Suchy:
> The Tor Browser Bundle has a set of OBFS4 Bridges bundled. How are these
> bridges selected and which individual or entity is running them?

The process is outlined here:

https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Hacking#AddingNewDefaultBridges

There is currently no canonical list showing who is running those
bridges. I guess you could assemble it by looking at the respective Trac
tickets. Default bridges are run by someone we more or less know.

Georg







Re: [tor-talk] TBB 7.5.5 detached .asc file isn't encrypted or tar

2018-06-12 Thread Georg Koppen
Joe:
> The detached .asc signature file for linux-64 is
> "tor-browser-linux64-7.5.5_en-US.tar.xz.asc"
> GPG complains it can't verify:
> 
> gpg: can't open `tor-browser-linux64-7.5.5_en-US.tar.xz.asc'
> gpg: verify signatures failed: file open error
> 
> Was a different key used to sign TBB 7.5.5 (linux64) than used for 7.5.3?
> 
> Note: it says "can't open the .asc file," not that it's a bad signature.
> The files are in the same directory in my ~/Downloads directory.
> TBB D/L version 7.5.3 verifies OK with the .asc file on Tor Project's
> D/L page.  I checked it again today, using the same GPG version on my
> system.
> 
> I'm not sure if it has to do with the GnuPG version that Tor Project
> used to sign the file & create the detached signature and my gpg
> version, 1.4.20, or another key that I don't have was used to sign this
> time ?
> 
> The TBB 7.5.5 .asc file (nor v7.5.3) doesn't show the GnuPG version used
> , like often seen in other .asc files, e.g., "Version: GnuPG v2.0.14."

Yes, that's a feature. If you are interested

https://riseup.net/en/security/message-security/openpgp/best-practices

has some hints on how to improve your GnuPG setup.

> I verify signed files all the time (that used GnuPG 2.0.x to sign) & GPG
> never complained it "couldn't open a signature file" with the same
> naming convention as the v7.5.5 program file and its .asc file.

What does

gpg --verify tor-browser-linux64-7.5.5_en-US.tar.xz.asc tor-browser-linux64-7.5.5_en-US.tar.xz

say in your terminal?

Georg
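
An added example (not part of the original message, and not Tor Project code): a shell helper that separates the cases this thread runs into, namely a signature or data file that cannot be opened, a signature made by a key missing from the keyring, and an actually bad signature. The function names and the sample key ID used in testing are constructed; the `[GNUPG:]` keywords are what `gpg --status-fd` emits.

```shell
#!/bin/sh
# Added example, not from the thread: tell "file cannot be opened" apart from
# "key missing" and "bad signature" when checking a detached .asc signature.
# Function names are hypothetical; [GNUPG:] keywords come from gpg --status-fd.

# precheck SIG DATA: prints ok, sig-unreadable or data-unreadable.
precheck() {
    if [ ! -r "$1" ]; then
        echo "sig-unreadable"      # the case gpg reports as "can't open"
    elif [ ! -r "$2" ]; then
        echo "data-unreadable"
    else
        echo "ok"
    fi
}

# classify_status: reads machine-readable gpg status lines on stdin and
# prints one verdict. BADSIG is checked first so it always wins.
classify_status() {
    status=$(cat)
    case "$status" in
        *"[GNUPG:] BADSIG "*)
            echo "bad-signature" ;;
        *"[GNUPG:] NO_PUBKEY "*)
            echo "missing-key" ;;          # signing key not in the keyring
        *"[GNUPG:] EXPKEYSIG "*|*"[GNUPG:] REVKEYSIG "*|*"[GNUPG:] EXPSIG "*)
            echo "expired-or-revoked" ;;
        *"[GNUPG:] GOODSIG "*)
            # Valid signature by a key in the keyring; whether that key is
            # the right one still has to be checked via its fingerprint.
            echo "good" ;;
        *)
            echo "unknown" ;;
    esac
}

# verify_detached SIG DATA: prints the verdict, returns 0 only for "good".
verify_detached() {
    pre=$(precheck "$1" "$2")
    if [ "$pre" != "ok" ]; then
        echo "$pre"
        return 2
    fi
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg-not-installed"
        return 3
    fi
    # Status lines go to stdout (fd 1); human-readable output is discarded.
    verdict=$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | classify_status)
    echo "$verdict"
    [ "$verdict" = "good" ]
}

# Run as: sh verify.sh FILE.asc FILE
if [ "$#" -eq 2 ]; then
    verify_detached "$1" "$2"
fi
```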





Re: [tor-talk] Better bridge management for clients

2018-05-18 Thread Georg Koppen
CarlSpackler@getbackinthe.kitchen:
> When using bridges on a daily basis, how may I know which
> work and which don't? (Say for example you added multiple
> bridge lines and not simply one bridge)
> 
> It would be nice to add to the GUI some color coded buttons,
> like "green" for "working bridge" and "red" for "bridge
> is no longer usable" and the user is either given the option
> to tick a box and remove the non functioning bridges with the
> red color beside them or have them pruned automatically before
> all is said and done. An option to save (overwrite) the user's saved
> list of bridges with only working bridges would be nice.
> 
> In addition to this being a healthy way of managing bridges
> for clients, it would prevent users from hammering away
> at IPs where bridges are down, IPs may be dynamic, and some
> poor fool obtaining an IP formerly used as a Tor Bridge and
> wondering why he's seeing all of this incoming traffic!
> 
> Now there may be some internal way of Tor checking this
> but it does no good to the Tor client user if he is reusing
> the same set of bridges every day, with no apparent feedback
> to which are good and which are no longer up.
> 

I think I agree with the general idea and that it would be a benefit to
have some kind of differentiation between "bridge is working right now"
and "bridge is not working right now".

However, I wonder how we (say Tor Browser) should measure that safely
and make sure that it is actually the bridge that is down (maybe there
was just an upstream issue at that time). Or do you mean the latter does
not really matter to users anyway and as long as bridges are not
reachable for whatever reason they should be treated as down? Moreover,
once bridges are marked as down I am not convinced yet we should just
discard them. Bridges are scarce and it might be just a short time the
bridge was/is actually not reachable/down.

Another option could be to incorporate external measurement data but
that comes with the price of enhanced complexity making sure that all
users have up-to-date data about bridge reachability readily available.
And even that is error-prone because even though that external
measurement might indicate a bridge is down/up that might not match
the experience an individual user has.

So, hrm,
Georg





Re: [tor-talk] GNOME Is Removing the Ability to Launch Apps from Nautilus

2018-05-18 Thread Georg Koppen
Nathaniel Suchy (Lunorian):
> According to recent commits the desktop environment GNOME is removing the
> ability to launch apps from Nautilus. This will likely affect all Tor
> Browser users on Ubuntu in the name of "security". What steps will /
> should be taken from now till the time the update is released to protect
> Tor Browser users from losing access?

It's not clear yet what we will and should do. We have
https://trac.torproject.org/projects/tor/ticket/21939 to track this bug,
though. Suggestions are welcome in the Trac ticket.

Georg

> Cheers,
> Nathaniel
> 
> 
> 






Re: [tor-talk] Tor Browser Security Settings warning

2018-04-05 Thread Georg Koppen
Joe:
> Probably around the time of recent changes in Tor Browser / TorButton, I
> started seeing a warning when I click on Security Settings in Tor Button.
> 
> Pop up title: Tor Browser Security Settings
> Security Level
> "Your custom browser preferences have resulted in unusual security
> settings.  For security and privacy reasons, we recommend you choose one
> of the default security levels."
> 
> After that, only a "Restore Defaults" button shows in the message - no
> options to choose from.  That's part of the problem.  If I try to check
> TBB's security level setting (low, medium, high) it always shows the
> message above.
> I can click Restore Defaults, but next session - w/o me changing
> anything in between, it shows the same message if I try to check
> "Security Settings."
> 
> As far as I've ever been able to tell, clicking Restore Defaults doesn't
> change anything under the browser Preferences > Privacy tab or anything
> in NoScript.
> 
> In TBB - Preferences > Privacy, the only non-default setting I know is
> "Remember my browsing & download history" is checked.
> But all data is set to be deleted when browser closes.  TBB does that
> anyway.
> All other settings in Preferences/Privacy are default.
> 
> After several times (sessions), over the last few TBB versions, of
> clicking "Restore Defaults" (security settings) the next session it
> shows the same popup if I check security settings again.
> 
> Other than that, I don't know what "unusual settings" it means, or if
> Tor Button security is slightly broken?
> The security slider is usually set on low; sometimes medium.  That
> doesn't affect seeing the popup.

The problem you are seeing is due to a preference governed by the slider
which is being changed by something else in your Tor Browser. Do you
have additional extensions installed that could be responsible for that?
Or do you have changed settings in Tor Browser yourself that could cause
this?

Restoring the default settings is not changing anything visible on the
privacy pane, you are right, but it does adjust important settings both
in the browser and NoScript.

A safe thing to do would be downloading a clean, new Tor Browser from
our website and start over again (maybe exporting the bookmarks from the
currently used Tor Browser and importing them in the newly downloaded one).

Georg







Re: [tor-talk] [!! SPAM] Re: Tor browser error message

2018-02-22 Thread Georg Koppen
MFP:
> Have done both - no change.

There is a bunch of other people suddenly having a similar issue, too. I
wonder if any of you has some third party software installed (e.g.
antivirus/firewall software) that got an update and is now interfering
with your traffic.

If you have such a tool running, could you uninstall it for testing
purposes (disabling might not be enough) and report back whether that
fixes it for you?

Georg

[snip]





Re: [tor-talk] TBB-alpha doesn't update

2018-01-25 Thread Georg Koppen
Andreas Krey:
> On Thu, 25 Jan 2018 11:40:00 +0000, Georg Koppen wrote:
> ...
>> Could you enable update logging (with `app.update.log` set to `true`)
>> and check the browser console whether there is any error visible? If
>> so, what is it complaining about?
> 
> Fresh install, no config change, except for the above (I still have
> the old install.exe).
> 
> This is probably the interesting part - the beginning of the browser log
> after the restart:

[snip]

> AUS:SVC readStatusFile - status: failed: 19, path: C:\Users\HP\Desktop\tba-test\Browser\TorBrowser\UpdateInfo\updates\0\update.status

I think this means CERT_VERIFY_ERROR both for your incremental and
stable update files. Now, the interesting question is how this can
happen because I just tested both 7.5a10 and older Tor Browser versions
both 32bit and 64bit on a Windows 7 machine and all of them can update
without issue to 8.0a1 (both with an incremental and a full update). Hrm.

Georg





Re: [tor-talk] TBB-alpha doesn't update

2018-01-25 Thread Georg Koppen
Andreas Krey:
> Hi all,
> 
> I have (since last week) two installations of the alpha browsers, both on
> win7. The update of yesterday failed for both of them, first saying that
> the incremental update could not be applied, then the full update couldn't
> be either ('The Update could not be installed (patch apply failed)').
> 
> Nonstandard thing: I changed extensions.torlauncher.control_port and
> network.proxy.socks_port to be able to run the alpha in parallel with
> the standard TBB.

Could you enable update logging (with `app.update.log` set to `true`)
and check the browser console whether there is any error visible? If
so, what is it complaining about?

> Aside: I would like a distinction between alpha and stable TBB that
> is a bit more obvious and mnemonic than the location of the noscript button
> (to the left in alpha, to the right in stable).

Ha. They should be both left side (that the one is on the right one is a
Noscript bug). But, seriously, we could think about doing that. Do you
mind filing a bug in our bug tracker?

Georg






Re: [tor-talk] Using Tor Browser with non-Tor proxies?

2017-11-23 Thread Georg Koppen
Ivan Vilata-i-Balaguer:
> Hi everyone,
> 
> At the [CENO2 project](https://censorship.no/) we're developing a
> distributed system to enable P2P cooperation between its users to
> circumvent web censorship, both by providing P2P routing and caching of
> previously accessed content.
> 
> Since the user's requests may at some point hit untrusted machines (the
> requests themselves or a simplified version of them may be cached when
> caching content), we considered it reasonable to keep an eye on requests
> and maybe anonymize them to some extent before sending them to the
> network.
> 
> Since the main entry point to the system will usually be a web proxy, we
> were wondering whether it would make sense to use the Tor Browser and
> leverage all the great efforts already put into it to take care of such
> anonymization of requests, instead of reinventing the wheel ourselves.

Could you elaborate on what you mean with "anonymization of requests"?

> Do you think it makes sense to use the Tor Browser with a different
> proxy than Tor?  Is there some technical hurdle (i.e. some source code
> modification) that would prevent it from working?

Yes, you would need to patch Tor Browser to adapt it to your needs.
There have been a lot of requests in the past for being able to use Tor
Browser and its defenses without Tor. There are folks that stepped up
and made this happen. Look at all the jondobrowser- repos at
https://github.com/jondos.

Georg





Re: [tor-talk] can not connect with Tor connection port

2017-08-01 Thread Georg Koppen
Hi!

Havemoebler Danmark:
> Hej , 
> I use for Tor for long time but recently when I open Tor browser  it inform 
> that ( could not connect with Tor control point ) I turn off for virus 
> software but it is still not working . can you help me how to resolve it ?  . 
> thanks
> Do cao Thang

Are you on Windows? We have

https://trac.torproject.org/projects/tor/ticket/20890 and
https://trac.torproject.org/projects/tor/ticket/22978 for bug reports
that might be related to your one. If you could help us with those that
would be neat (see, for example comment 1 in ticket 22978 for debug
output we'd like to see in order to make progress tracking this issue down)

Georg







Re: [tor-talk] Regarding latest TOR Browser update 652

2017-04-24 Thread Georg Koppen
Andri Effendi:
> Hi Tor community,
> 
> Thanks for the updates allowing Twitter.
> 
> It really helps, since I was using Tor for just about everything except
> twitter.
> 
> I have noticed though that at least on the Mac version of Tor that after
> the update "6.5.2" the tor browser window is very laggy and I don't mean
> the page loading, I mean the system responsiveness and the rainbow spiral.
> 
> I know it is not my Machine because it passed a clean bill of health
> after thorough diagnostics.
> 
> My machine handles everything else alright, just not Tor after the last
> update.
> 
> Please let me know if any other mac users are experiencing these issues
> since the update.

You've been the only one so far. So, not sure what is going on. You
could test with an old 6.5.1 to check whether it is really the update to
6.5.2 that caused this:
https://archive.torproject.org/tor-package-archive/torbrowser/6.5.1/

Georg






Re: [tor-talk] Website minor detail

2017-04-10 Thread Georg Koppen
Mikko Viinamäki:
> 
> Please make 64 default, 32 is historical by now. I'm talking about this
> page https://www.torproject.org/docs/verifying-signatures.html.en
> 
> Currently it says "For Linux users (change 32 to 64 if you have the
> 64-bit package):
> 
> gpg --verify tor-browser-linux32-6.5.1_en-US.tar.xz.asc tor-browser-linux32-6.5.1_en-US.tar.xz"
> 
> It's just a little wrinkle but still needs fixing. So swap 32 and 64 (in
> text and URLs.).

Thanks. This is https://trac.torproject.org/projects/tor/ticket/21906 now.

Georg






Re: [tor-talk] tor browser crash

2017-03-21 Thread Georg Koppen
Hi Andreas!

Andreas Krey:
> Hi everybody,
> 
> my up-to-date (6.5.1 (based on Mozilla Firefox 45.8.0)) install
> of (windows) TBB crashes reproducibly when going to
> 
> https://help.github.com/categories/writing-on-github/
> 
> (I've had random crashes on multiple installs, but this
> is the first one I can pinpoint.)

Thanks. I've opened
https://trac.torproject.org/projects/tor/ticket/21795 to investigate
this problem further.

Georg






Re: [tor-talk] Can no longer run tor-browser

2017-03-10 Thread Georg Koppen
Charles T. Bell:
> I am using Kubuntu 14.04 LTS on my desktop and on a laptop.
> I was using tor-browser_en-US on both when suddenly both
> have stopped working for an unknown reason.  There is no
> log to report and no indication of what the cause is.  I
> have repeatedly tried to delete the directory with the
> program in it and re-install the directory and run the program
> from there.  After multiple attempts on both computers I
> have to admit defeat and ask for some suggestions.
> Thank you!

What output do you get if you open a terminal, change into the
tor-browser_en-US directory and start Tor Browser with

./start-tor-browser.desktop --debug

Georg






Re: [tor-talk] Finally a Cloudflare captchas workaround thanks to next-gen onion services?

2017-02-20 Thread Georg Koppen
Lolint:
> Hi
> 
> One of the possible solutions that was mentioned earlier concerning 
> Cloudflare captchas was generation .onion automatically for sites on 
> Cloudflare to make things easier all round. However Cloudflare's CEO didn't 
> want such solution because "weak hash used by .onion means theoretical risk 
> you can create collision on two addresses." 
> https://twitter.com/eastdakota/status/710357574579650560
> Now that coming next-gen onion services will use stronger crypto that would 
> eradicate the problem above, does that mean that we will finally see a 
> workaround to Cloudflare's captchas?

I don't think so as I don't see how next generation .onion services
solve the underlying problem.

Georg






Re: [tor-talk] TBB 6.5 screen resize not working

2017-01-27 Thread Georg Koppen
Joe Btfsplk:
> With default settings, TBB 6.5 (Win) doesn't round screen sizes at all.
> Browserspy.dk shows 993 x 695.  I see the pref
> "extensions.torbutton.resize_windows" is still set false by default.
> Toggling it to true gives different reported screen size, but not
> increments of 100 or 200.
> 
> The pref "extensions.torbutton.resize_new_windows" = true (default), but
> I don't find toggling both these prefs in any combo correctly rounds
> screen size.
> 
> In TBB 6.08, when I tested setting "extensions.torbutton.resize_windows"
> = true, it consistently rounded screens to 1000 x 800 on this monitor.
> With that pref at default False in v6.08, reported screen height was odd
> size - like 72x (x not 0).  But the width was *still 1000.*
> 
> In v6.5, neither width or height is rounded correctly, regardless of the
> pref value.  What happened?  I thought 6.5 was supposed to fix screen
> size rounding?

We fixed a bunch of issues with screen size rounding by moving our
Torbutton hack into a direct Firefox patch. If you look at our bug
tracker
(https://trac.torproject.org/projects/tor/query?status=accepted=assigned=merge_ready=needs_information=needs_review=needs_revision=new=reopened=~tbb-fingerprinting-resolution=priority)
you'll see that there are still issues open regarding our resizing
efforts, though. E.g. #14098 where you commented recently. If you think
your issue is not covered yet, please file a new bug with steps how to
reproduce it.

Georg






Re: [tor-talk] IndexDB support in TorBrowser?

2017-01-27 Thread Georg Koppen
anth...@cajuntechie.org:
> 
> 
> Is there a technical or security reason why TorBrowser doesn't support 
> IndexDB? If there isn't, is it planned to be implemented?

IndexedDB is not working in private browsing mode which Tor Browser is
using. See: https://bugzilla.mozilla.org/show_bug.cgi?id=781982. Until
this bug is solved on Mozilla's side there won't be a Tor Browser
supporting it.

Georg







Re: [tor-talk] confusion over verification instructions for build verification on Mac OS X

2016-12-14 Thread Georg Koppen
Jonathan Marquardt:
> On Mon, Dec 12, 2016 at 10:48:46AM -0500, Tor-talk wrote:
>> Reading through this:
>> https://www.torproject.org/docs/verifying-signatures.html.en#BuildVerification
>>
>> Trying to do this on Mac OS X.
>>
>> `shasum -a 256 .dmg` clearly gives me a checksum that 
>> doesn't match the one in the "sha256sums-unsigned-build.txt" file. Tried it 
>> with 6.0.6 and 6.0.7.
>>
>> From what I understand, if the PGP signature is valid that confirms the 
>> package wasn't tampered with.
>>
>> But it is confusing and disturbing to a newbie to try this and get a 
>> mismatched checksum. Please modify these instructions so it's clear what 
>> this process is and what you have to do to get it to work because it doesn't 
>> work "out of the box" for Mac OS X.
>>
>> Thanks--
> 
> I had to ask the guys on the IRC myself. The hashes don't match because they 
> were created before Apple does their code signing. Hence the "unsigned-build" 
> in the filename. If you want to verify Windows/OS X builds, you can only use 
> the individual .asc signatures as described in the paragraphs above.

FWIW: we adapted the website to make it more clear that plain checking
of SHA-256 sums is not giving the expected results on OS X.

That said there are ways to verify Windows binaries just by checking the
signature of the sha256sums file, stripping the installer signature and
doing a SHA-256 sum calculation. They are described on the
verifying-signatures-website. We are working on that for OS X as well,
see https://trac.torproject.org/projects/tor/ticket/18925.

Georg







Re: [tor-talk] Another issue "never remember history" at Tor browser setting didn't last for actualisation

2016-11-30 Thread Georg Koppen
tort...@arcor.de:
> Hi Torusers,
> 
> there isn't a notice for Tor users that you can't set Tor browser from:
> about:preferences#privacy or Tools Options Privacy:
> 
> "Use custom settings for history" to "Never remember history" 
> 
> You can check that from default "Use custom settings for history" to "Never 
> remember history". But it is not saved. Whenever you press "reload current 
> page" right to the address bar or "New Tor Circuit for this Site" or you do 
> another session it jumps back do default "Use custom settings for history".

That's actually https://trac.torproject.org/projects/tor/ticket/19369

Georg






Re: [tor-talk] Javascript exploit

2016-11-30 Thread Georg Koppen
Roger Dingledine:
> On Tue, Nov 29, 2016 at 09:55:23PM -, firstwa...@sigaint.org wrote:
>> This is an Javascript exploit
> 
> Thanks. I pointed some folks on irc to this mail, and Daniel Veditz
> (Mozilla Security Team) said "the Firefox team was sent a copy of that
> this morning. We've found the bug being used and are working on a patch."
> 
> So it sounds like the immediate next step is that Mozilla finishes their
> patch for it; then the step after that is a quick Tor Browser update. And

FWIW: We plan to release 6.0.7 with the patch Mozilla developed in a
couple of hours. Updates to the alpha and hardened series will be
provided as well thereafter.

Georg

> somewhere in there people will look at the bug and see whether they
> think it really does apply to Tor Browser.
> 
> --Roger
> 






Re: [tor-talk] NoScript on Torbrowser annoys with cross-site scripting msg providing no search result

2016-11-24 Thread Georg Koppen
tort...@arcor.de:
> Hi Torusers,
> 
> there is a notice which appears from the 2nd search on at the Torbrowser, can 
> be seen on top below URL within a yellow box:
> 
> "NoScript filtered a potential cross-site scripting XSS attempt from 
> [[System+Principal]]. Technical details have been logged to the Console."
> 
> While search engines did provide no result for that msg to solve that 
> problem, any suggestion is appreciated, thanks.
> 
> There is no entry on the Console (pressed F12 ">_ Console, Web Console"). 
> Every search with any char(s) with any search engine produce that msg. 
> Reinstall Torbrowser (Tor Browser for Windows Version 6.0.6 - Windows 10, 8, 
> 7, Vista, and XP) doesn't help. 
> 
> The last things which were done before this are watching two YT documentary 
> videos, one after the other.

This seems to be caused by the recent NoScript update. Giorgio is aware
of the issue and is working on it:
https://forums.informaction.com/viewtopic.php?f=7=22296

We are tracking it on
https://trac.torproject.org/projects/tor/ticket/20752. The ticket should
contain some workarounds for the time being.

Georg






Re: [tor-talk] Hardened Tor Browser for Windows

2016-10-18 Thread Georg Koppen
Tamara West:
> Excuse my ignorance but what exactly must happen for us to get a 64-bit
> hardened Tor Browser for Windows? Not everyone in the world is running
> Linux and not everyone can run Linux at work. I've been wondering about
> this for awhile. Any info would be appreciated. TIA.
> 

First of all there must be a 64bit Tor Browser build for Windows. We are
planning to work on that one and if all goes well Tor Browser 7.0
(scheduled for Q2 2017) will have 64bit versions for Windows, too.

Additionally, the hardened features currently being available for Linux
like ASan and selfrando need to be available for Windows as well which
is currently not the case (at least not in a Firefox/Browser context).

Georg





Re: [tor-talk] About Hardened Tor Browser roadmap

2016-10-18 Thread Georg Koppen
juanjo:
> Just two questions: where is the roadmap for Hardened Tor Browser? where
> can we expect the first stable version or even become the default
> version of Tor Browser?

There is currently no roadmap for Tor Browser hardened. Regarding the
transition to the stable series: we don't plan to have a stable series
with all the hardened features some day. Yes, some of those features
will hopefully be available there as well (selfrando comes to mind) but
the hardened series is mainly aimed at developers wanting to stress-test
Tor Browser in order to shake out more bugs. Fixes for those bugs should
then get backported to the stable and alpha series.

That said we are still entertaining the idea to get the hardened
features merged into our alpha series. That is currently blocked (at
least) by https://trac.torproject.org/projects/tor/ticket/17400.

Georg





Re: [tor-talk] Tor Browser Bundle update mechanism for Unix

2016-08-25 Thread Georg Koppen
anonymous.cow...@posteo.de:
> Dear list,
> 
> can someone explain how the TBB update mechanism works precisely with
> Unix operating systems?
> 
> Especially I'd like to know, does it use a shell script for updating the
> TBB?
> If yes, will the shell script be downloaded first or is it already
> existing?
> 
> Is the binary Browser/updater the program that processes the update?
> 
> I'm asking, because I use Mandatory Access Control to confine the
> browser bundle and need to know how the update mechanism may require to
> access the TBB directory and files.

We are basically using the update mechanism of Firefox but point it to
our own servers. See: https://wiki.mozilla.org/Software_Update and the
links in the link list on that site to get an overview of how the system
is working.

Georg

> Thanks
> 






Re: [tor-talk] Tor 0.2.9.2-alpha is released

2016-08-24 Thread Georg Koppen
Allen:
> IMO, having folks compile Tor themselves under Windows will cause the
> project more problems, not fewer.

We regularly compile tor and bundle it separately for Windows in our Tor
Browser nightly builds, alpha builds and release builds.

For the nightlies see:

https://people.torproject.org/~linus/builds/

For recent alphas see:

https://dist.torproject.org/torbrowser

(https://dist.torproject.org/torbrowser/6.5a2/tor-win32-0.2.8.5-rc.zip
is the one you got with the last alpha)

And the release version is directly linked to from our website (the
expert bundle).

Georg

> On Wed, Aug 24, 2016 at 4:17 PM, Juan Miguel Navarro Martínez <
> juanmi.3...@gmail.com> wrote:
> 
>> There is a way to compile it yourself on Windows using NSIS but it's old
>> (last change on 2014-06-05 and it uses openssl-1.0.1h, zlib-1.2.8,
>> libevent-2.0.21 and tor-0.2.4.22) and may or may not be recommended.
>>
>> The link of the article and the download of the TXT with the compiling
>> steps are here: http://www.mictronics.de/2014/04/how-to-build-tor-for-win32/
>>
>> That said, an official way to compile it on Windows (or cross-compile
>> from Linux) using a manual guide or scripts would be nice.
>>
>> On 2016-08-24 at 21:14, Allen wrote:
>>> On Wed, Aug 24, 2016 at 2:55 PM, Nick Mathewson 
>>> wrote:
>>>
>>>> Hi, all!  There is a new alpha release of the Tor source code, with
>>>> fixes for several important bugs, and numerous other updates.
>>>>
>>>
>>> It would be really helpful for both users and the Tor project if there
>> were
>>> Windows binaries built so the alpha, beta and rc versions could be better
>>> tested.
>>>
>>
>> --
>> Juan Miguel Navarro Martínez
>>
>> GPG Keyfingerprint:
>> 5A91 90D4 CF27 9D52 D62A
>> BC58 88E2 947F 9BC6 B3CF






Re: [tor-talk] Did Australian Authorities hack (US) computers with Tor's help?

2016-08-22 Thread Georg Koppen
tort...@arcor.de:
> Hi!
> 
> I found two articles which may have something in common. 1. Some Tor users 
> (29.000) got deanonymized by authorities while up/downloading childporn. 2. 
> Someone claims that "Tor suddenly dump over 30 megabloats of steaming faeces 
> onto a file system on exit".

They don't have anything in common. Looking at our bug tracker would
have easily solved the mystery about 2. (it is not even a bug).
https://trac.torproject.org/projects/tor/ticket/19932#comment:3 has some
details.

Georg






Re: [tor-talk] "Your Firefox is out of date"

2016-08-12 Thread Georg Koppen
shirish शिरीष:
> at bottom :-
> 
> On 12/08/2016, Georg Koppen <g...@torproject.org> wrote:
> 
> 
> 
>>
>> Ugh. There should be no need to redownload 6.0.3 again. Although you'd
>> need to reinstall the language pack you'd used at least. So, all in all
>> it might be the easiest to use a fresh 6.0.3, alas. I am sorry about that.
>>
>> Georg
>>
>>
> 
> Hi Georg,
> 
> I should have been more clear. What has happened is while I  can see
> the addons in Tools > Addons , near the URL bar where there are icons,
> that space doesn't have much.  I have the URI locator, search-engine
> and then the drop-down menu thing which has things like Cut, Copy,
> Paste.
> 
> Is there a way to take backup of all the extensions (and data in
> extensions) and passwords and bookmarks ?

You could just backup your profile directory which is
tor-browser_en-US/Browser/TorBrowser/Data/Browser/profile.default and
contains all the things you mention.

That said, your issues are probably somehow caused by changes in that
directory, although I am not sure how. Thus, backing up that profile and
reimporting it in a new Tor Browser might not help much.

Georg

> This is where my tor browser lies
> 
> ─[$] alias tor
> 
> tor=/home/shirish/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/start-tor-browser
> 
> I would like to have minimum fuss happening. I'm ok with downloading
> the browser again.
> 
> I am using the English languagepack so that shouldn't be any different, right.
> 






Re: [tor-talk] "Your Firefox is out of date"

2016-08-12 Thread Georg Koppen
shirish शिरीष:
> at bottom :-
> 
> On 11/08/2016, Georg Koppen <g...@torproject.org> wrote:
> 
> 
> 
>>
>> Yes, this is bug 19890 and it should be fixed on Mozilla's side right
>> now (I tested it a while ago): having a clean Tor Browser you won't get
>> that warning anymore. To quote from the blog post update:
>>
>> """
>> Update (August 11, 10:04 UTC): Starting from a couple of hours ago Tor
>> Browser users might see a notification box in their browser claiming
>> that Firefox is too old providing a button to get a newer one. This is
>> both due to a server-side code change on Mozilla's side and an oversight
>> by us during the ESR45 transition. Clicking on the "Get Firefox" button
>> is safe and leads the user to our Tor Browser download page. Needless to
>> say, this whole behavior is highly confusing and we are apologizing for
>> it. We are working on a fix as fast as possible and hope to get Mozilla
>> to exempt Tor Browser users from this feature while we are working on a
>> new release. For technical details see our bug tracker.
>> """
>>
>> We plan to release a new Tor Browser version shortly to address the
>> issue from our side. As a workaround one can either install a new Tor
>> Browser 6.0.3 version from our website or set
>> `extensions.systemAddon.update.url` to `""` which should get rid of the
>> out-of-date-extension the next time an extension update check gets
>> performed. Again, we are sorry for the inconvenience.
>>
>> Georg
>>
> 
> Dear Georg,
> 
> I tried and did as shared above, i.e. going to about:config and
> changing the value from the URL. I even tried updating the addons in
> order to make the "Your Firefox is out of date" disappear but no
> change.

Yes, sorry, this was not a solution for immediate remedy. It should have
solved the problem during the next ping for extension updates. Depending
on when the last ping happened this can take up to 24 hours.

> I looked at the bug-report and tried the second option shared therein -
> 
> A solution --
> Go to about:config/extensions.bootstrappedAddon
> Reset the string Value to empty Value {}
> Restart Tor browser.
> The warning will not appear again.
> 
> That worked.
> 
> https://www.reddit.com/r/TOR/comments/4x8wwk/solution_for_the_false_warning_your_firefox_is/

Thanks, and glad it helped in your case.

Georg







Re: [tor-talk] tor browser graphics only updating when move mouse over window

2016-08-10 Thread Georg Koppen
lu...@tutanota.com:
> 
> 31. Jul 2016 19:29 by de...@garlic.com:
> 
> 
>> On Sun, 31 Jul 2016 03:54:47 +0100 (BST)
>> <ainge...@tutanota.de> wrote:
>>
>>> Hello,
>>>
>>> My TOR browser exhibits the following symptom. The graphics on its
>>> window  don't update unless I move the mouse pointer over it. 
>>>
>>> Is this happening to anyone else?
>>>
>>> Tor browser is 6.0.2, based on Mozilla 45.2.0, running on a Debian
>>> unstable.
>>>
>>> #uname -srvm
>>> Linux 4.6.0-1-amd64 #1 SMP Debian 4.6.3-1 (2016-07-04) x86_64
>>
>> Suspect your window manager  and/or video driver. Historically,
>> it's always been one or both of those two. Try a different window
>> manager for a while.
>>
>>
> 
> 
> 
> 
> I had that too on my Debian Jessie stable with KDE. Not had a problem on 
> Windows / Firefox 45.2.0.

Does it help if you flip `gfx.xrender.enabled` back to `true`?

Georg

> 
> 
> 
> -- lukep
> 






Re: [tor-talk] Is Tor Browser 5.5.1 vulnerable to any of the graphite font vulnerabilities?

2016-02-11 Thread Georg Koppen
Cain Ungothep:
>> I would
>> like to know if Tor Browser 5.5.1 is vulnerable. Thanks
> 
> Looks like it is:
> 
> https://gitweb.torproject.org/builders/tor-browser-bundle.git/commit/?id=7a36dbece35a307675f396a019dccf6e431efb44
> 
> That build corresponds to a branch which includes the commit that
> supposedly fixed bug 1246093, and this commit was only pushed less than
> 48 hours ago.

Indeed. We plan to get at least a new stable version (5.5.2) out today
which is based on Firefox ESR 38.6.1. Mozilla released 38.6.1 just to
address the Graphite vulnerabilities.

> NOTE: Torbutton's security slider at level "High" says "Some font rendering
> features are disabled" and "[...] The Graphite font rendering mechanism
> is disabled."  It would be good to know if this prevents the
> vulnerability.

Yes. Both on "High" and "Medium-High" Graphite font rendering is disabled.

Georg

>> [1]: https://www.mozilla.org/en-US/security/advisories/mfsa2016-14/
>> [2]:
>> http://blog.talosintel.com/2016/02/vulnerability-spotlight-libgraphite.html
>> [3]:
>> https://blog.torproject.org/blog/tor-browser-551-released#comment-155968






Re: [tor-talk] automatic Tor browser updates

2016-02-08 Thread Georg Koppen
Mirimir:
> When automatically updating, does Tor browser check GPG signatures of
> downloaded updates before installing them?

The update files are not using GPG signatures (see:
https://wiki.mozilla.org/Software_Update:MAR for detailed information
about the MAR file format). They are signed, though, and the updater
refuses to install the update if the signature is non-existing or wrong.

Georg






Re: [tor-talk] hackerone

2016-01-18 Thread Georg Koppen
Hi,

charfeddine hamdi:
> hi
> i found some security issue and vulnerability in your site

You mean on our website?

> and i read in article you have a private bug bounty program on hackerone.com
> and i want to report this issue and vuln to you

We don't have a good means currently for dealing with vulnerabilities in
our website, alas. If you think the one you found is too sensitive to
talk about in an unencrypted mail, feel free to send me an encrypted one
and I try to figure out the person that might want to look at it.

> Please , if you can invite me to your bug bounty program

Well, the program is currently only for core Tor and the Tor Browser.
The website is not included. That said, if you still want to get
invited, contact me off-list.

Georg

> my username : charfee
> email : char...@gmail.com
> and thanks
> 






Re: [tor-talk] XUL seems dying, what direction is TBB going to take?

2016-01-14 Thread Georg Koppen
Lara:
> Sorry for the old news. I found out that Mozilla announced in late
> August they are going to kill XUL in favor of a Chrome-like API[1]. What
> does that mean for the Tor Browser Bundle?

Well, we are following this move. Trying to close the gap between Tor
Browser and Firefox is already quite resource-consuming. There seems to
be no need to maintain XUL in addition to that.

Georg

> Cheers!
> 
> [1]
> https://blog.mozilla.org/addons/2015/08/21/the-future-of-developing-firefox-add-ons/
> 






Re: [tor-talk] What is "cookie protections"?

2016-01-13 Thread Georg Koppen
Yury Bulka:
> Thanks for all the info. Yeah, I browse with third party cookies
> disabled. Additionally, I use two windows of TBB - one for the few sites
> where I stay logged in, and the other, in Private Browsing mode, for
> everything else.
> 
> Regarding the "cookie protections" menu item, it only shows up in the
> Tor button's menu if the "Don't record history" checkbox is unchecked in
> Privacy and Security settings.

For what it is worth cookie protections are still broken in current Tor
Browser versions: https://trac.torproject.org/projects/tor/ticket/10353

Georg






Re: [tor-talk] Chaum Fathers Bastard Child To RubberHose ... PrivaTegrity cMix

2016-01-08 Thread Georg Koppen
Bryan Ford:
> Travis Biehn wrote:
>> It was surprising (to me) that Chaum should be the one to produce the first
>> of the modern 'solving the key escrow problem' algorithms. Academia has
>> been ignoring this particular problem for quite a while - I expect that
>> more proposed solutions will follow, solutions that will be more difficult
>> to prove insecure…
> 
> Not quite true.  Although it’s not a “hot topic” in academia, we and a few 
> others have written a few papers exploring privacy-preserving approaches to 
> controlled, limited data collection for law enforcement.  For example:
> 
> - “Restructuring the NSA metadata program”: 
> http://outsourcedbits.org/2014/03/10/restructuring-the-nsa-metadata-program/
> - “Secure protocols for accountable warrant execution”: 
> https://freedom-to-tinker.com/blog/felten/secure-protocols-for-accountable-warrant-execution/
> - “Catching Bandits and Only Bandits: Privacy-Preserving Intersection 
> Warrants for Lawful Surveillance”: 
> http://dedis.cs.yale.edu/dissent/papers/bandits-abs
> 
> None of these papers really suggest or call for “key escrow” or “backdoors”, 
> especially not against general-purpose end-to-end encryption or mobile 
> devices.  But even so, this line of research understandably tends not to get 
> much love either from many die-hard privacy purists. :)

https://anon.inf.tu-dresden.de/publications/KWF2006ETRICSRevocableAnonymity.pdf

is probably one, in the context of the AN.ON/JonDonym system. See as
well: http://freehaven.net/anonbib/cache/sassaman-pet2008.pdf

Georg





Re: [tor-talk] Making TBB undetectable!

2015-10-14 Thread Georg Koppen
aka:
> Wasn't Mozilla working on a Firefox which uses Tor for "Private Browsing"?
> https://wiki.mozilla.org/Privacy/Roadmap/Tor
> If millions of people would use the same Firefox on the same version
> with mostly the same browser/javascript behaviour, it would make TBB
> obsolete. Wouldn't it make more sense to include those anonymity patches
> into the mainline Firefox and make them opt-in if the user uses Private
> Browsing?

Yes. We (and Mozilla) are working on that. We already got quite an
amount of patches upstreamed. More are coming...

Georg






Re: [tor-talk] Design improvements

2015-09-14 Thread Georg Koppen
1941...@tutanota.com:
> Hello,
> 
> I am writing to this list in regard to propose modification of design. Is 
> this list the right place to share possible improvements of the Tor browser 
> design ?

tbb-dev (https://lists.torproject.org/cgi-bin/mailman/listinfo/tbb-dev)
would be a fine choice to send your ideas to.

Georg






Re: [tor-talk] Tor Browser does not recommend the default window size anymore?

2015-09-14 Thread Georg Koppen
Qaz:
> Hi,
> 
> I noticed that I don't get the `we recommend you leave your window size
> with the default`  prompt when I fullscreen my window. Has it been fixed
> or something?

The alpha version does not have it anymore and you should only see it
three times if you are using a stable one.

Georg






Re: [tor-talk] Privacy Badger

2015-08-31 Thread Georg Koppen
Mike Perry:

[snip]

> I'm now actually curious if these types of filter addons aren't already
> being exploited for these and related weaknesses/shortcomings.
> 
> If any academics are interested in a good publication (Gunes Acar - are
> you listening? :), it would be *very* interesting to run a crawl to see
> if any websites have begun to behave adversarially against addons like
> Adblock, Privacy Badger, Ghostery, etc. After all, it is easy for sites
> to determine if an adblocker has blocked an ad load, and then proceed to
> load an ad from an alternate URL, domain name, or even another ad
> network that may not be covered by the default filters.

https://nta.mpi-sws.org/test2/test.html has a demo to use the AliasMatch
directive to force ad blockers to block whole domains which could be
problematic (In: Akkus/Weaver: The Case for a General and
Interaction-based Third-party Cookie Policy. W2SP 2015). Might be
interesting to see how susceptible current ad blockers are to this
simple trick.

[snip]

Georg





Re: [tor-talk] Profiling Tor users via keystrokes

2015-08-20 Thread Georg Koppen
flapflap:
> Hi!
>
> (I didn't find this topic discussed here yet and I think it might be
> interesting)
>
> the article
>
> http://arstechnica.com/security/2015/07/how-the-way-you-type-can-shatter-anonymity-even-on-tor/
> says that apparently it's possible to deanonymise Tor users by analysing
> their keystrokes in input fields of websites.
>
> Is it valid to assume that such a technique is possible to be deployed
> by, for example, cloudflare? (needs JavaScript, has an input field)
> (or is it required for learning to always enter the same text by the
> same user?)
>
> Is there need for modifications in the Tor Browser Bundle/upstream Firefox?

We already patch Tor Browser to reduce the precision of keypress events.
See: https://bugs.torproject.org/1517. It would be nice to see a study
that evaluates whether this is effective or not and if not, why not.
Anyway, there is still something to do in this area:
https://bugs.torproject.org/16110.

Georg
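
What reducing timestamp precision does to keystroke-timing features, as an added example that is not part of the original mail and not Tor Browser's patch. The 100 ms grid, the function names and the three typing samples are assumptions constructed for the illustration.

```javascript
// Added illustration; not Tor Browser's patch. All timings are constructed.
const GRID_MS = 100; // assumed clock granularity, chosen for this example only

// Round a timestamp (ms) down to the grid, as a coarse event clock would report it.
function clamp(t, grid = GRID_MS) {
  return Math.floor(t / grid) * grid;
}

// events: [{ key, down, up }] with times in ms.
// Returns dwell times (how long a key is held) and flight times
// (gap between releasing one key and pressing the next).
function timingFeatures(events, clock = (t) => t) {
  const dwell = events.map((e) => clock(e.up) - clock(e.down));
  const flight = [];
  for (let i = 1; i < events.length; i++) {
    flight.push(clock(events[i].down) - clock(events[i - 1].up));
  }
  return { dwell, flight };
}

// Manhattan distance between two feature sets of equal length.
function distance(a, b) {
  const va = [...a.dwell, ...a.flight];
  const vb = [...b.dwell, ...b.flight];
  return va.reduce((sum, x, i) => sum + Math.abs(x - vb[i]), 0);
}

// Constructed samples: three people typing "tor".
const TYPISTS = {
  alice: [
    { key: "t", down: 0, up: 82 },
    { key: "o", down: 140, up: 231 },
    { key: "r", down: 305, up: 377 },
  ],
  bob: [
    { key: "t", down: 0, up: 95 },
    { key: "o", down: 160, up: 238 },
    { key: "r", down: 330, up: 392 },
  ],
  carol: [
    { key: "t", down: 0, up: 150 },
    { key: "o", down: 420, up: 590 },
    { key: "r", down: 900, up: 1060 },
  ],
};

// Distance between two typists as seen with the exact clock and with the coarse one.
function compare(nameA, nameB) {
  const a = TYPISTS[nameA];
  const b = TYPISTS[nameB];
  return {
    raw: distance(timingFeatures(a), timingFeatures(b)),
    coarse: distance(timingFeatures(a, clamp), timingFeatures(b, clamp)),
  };
}

// Similar typists collapse onto the same coarse profile; a much slower one does not.
console.log("alice vs bob:  ", compare("alice", "bob"));
console.log("alice vs carol:", compare("alice", "carol"));
```

In this sample, coarsening the clock removes the fine differences between two similar typists but leaves large rhythm differences visible.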






Re: [tor-talk] Latest update fails to carry NoScript whitelist forward.

2015-08-12 Thread Georg Koppen
pcrable:
> Today I updated my Tor installations on GNU/Linux and Windoze 8.1.  In
> both cases, the update program carried forward my bookmarks, but did not
> transfer the list of URL's in NoScript's whitelist.  It just took a
> moment to find an old white list and fix things.
>
> This is hardly the bug of the week.  I just mention this because
> beginning two updates ago, both bookmarks and whitelist URL's were
> carried forward.  Before then I had to export them to files, update Tor,
> and then import them.  I got lulled into complacency, I guess, and
> stopped doing that.

This is probably bug 16730: NoScript updated the whitelist sometimes
which is pretty dangerous in our context and we don't allow that anymore.

Georg






Re: [tor-talk] TBB does not employ fontconfig settings

2015-08-02 Thread Georg Koppen
Hi,

Janis Haldemeyer:
> linux. regular firefox looks just fine but TBB
> seemingly does not take neither fonts.conf nor
> Xresources into account, thereby rendering fonts
> worse than ff does.
>
> is there a reason for such behaviour? I could
> certainly live with it but I'd like to fix it.
> moreover it worked fine in a virtual machine, no
> font issues whatsoever.

Is this still an issue with our latest alpha release, 5.0a3 (see:
https://dist.torproject.org/torbrowser/5.0a3/)? What exactly are the
font issues? How can I reproduce the problem (do you have a link to a
page which is broken?)?

How did you try to get a fonts.conf file used?

Georg






Re: [tor-talk] mar-tools changelog?

2015-08-02 Thread Georg Koppen
Cain Ungothep:
> Hi guys.
>
> I posted this as a comment in the blog a few days ago, with no answer so
> far.
>
> I've been experimenting with manual incremental updates and noticed that
> the mar-tools-linux64.zip file in the distribution directory changes
> between Tor Browser releases (the executables inside the archive also
> change).
>
> I've seen it change at least twice between the two most recent releases.
> The signatures were good.
>
> Questions:
>
> 1. Is the source in the tools being updated or is this some artifact
> of the build/distribution system?

I guess it depends. If we use a new toolchain then I'd expect a
different SHA-256 sum. If not, there might be things Mozilla does to the
source files between point releases which we pick up.

> 2. If the source changes, are you guys doing that or are you just
> pulling from Mozilla?

We are pulling from Mozilla. There is one exception though: we needed to
patch some code (+ backport some Mozilla patches) to get the updater
working as we wanted. But this code is nothing that changes between
releases without being announced in the changelog. (see:
https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-38.1.0esr-5.0-1id=fd41a91598e22f02d3cfec838bcf0a205b2c79f8
for the current version)

> 3. Is there a changelog anywhere?

Yes, you'll find it in the respective release announcements on our blog
and in the tor-browser-bundle git repository:

https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/Bundle-Data/Docs/ChangeLog.txt

> Thanks!

You are welcome.

Georg






Re: [tor-talk] Tor help

2015-06-29 Thread Georg Koppen
Hartmut Haase:
> Hi,
> if I click in the Tor Browser in Help-About Tor Browser on any item, I
> always get a Mozilla page, but never a Tor page. Why not?

This is a bug we are about to fix: https://bugs.torproject.org/16268

Georg






Re: [tor-talk] Some Tor downloads are 0 byte in size

2015-06-16 Thread Georg Koppen
aka:
> https://dist.torproject.org/torbrowser/4.5.2/tor-win32-0.2.6.9.zip
> https://dist.torproject.org/torbrowser/4.5.2/torbrowser-install-4.5.2_it.exe
>
> accessed via TBB using HTTPS

Should be fixed now. Sorry for the inconvenience.

Georg






Re: [tor-talk] 100-Foot Overview on Tor

2015-06-05 Thread Georg Koppen
Tom Ritter:
> Hi all,
>
> I've put together a slide deck that aims to provide a 100-foot
> overview on little-t tor and Tor Browser. 100 foot, meaning I go into
> a lot of technical detail, but not 10 or 1 foot which means some
> things are definitely glossed over or handwaved a little. My
> consistency with the 'foot level' throughout the deck varies a bit,
> but I think it's decent.
>
> Before I post it on twitter or a blog, I wanted to send it around
> semi-publicly to collect any feedback people think is useful. In
> particular:
>  - Upcoming Improvements worth mentioning (I'm a little light on the
> Hidden Services 2.0, but that proposal is big)
>  - Interesting 'hidden depths' worth shedding a little light on
>  - Particularly good resources for a specific topic (I'm trying to
> avoid linking too much, but some is good)
>  - Anything factually wrong of course
>
> Slides are at: https://ritter.vg/p/tor-v1.2.pdf  Yes - it is long.
> There's a lot to tor these days :)

I looked at the latest version (thanks, Tom, for this effort!) and
stumbled over:

> Each tab is its own Tor circuit

Is this due to the 100-Foot overview nature (maybe it looks that way
from 100 feet above :) )? The thing is that not the tab is the important
isolation criterion but the base domain of the URL you have in your
location bar. Thus, requests to blog.torproject.org and
trac.torproject.org in different tabs go over the same circuit (let's
ignore some corner cases like circuit timeouts etc.). And then there is
the catch-all circuit for requests not associated with a window/tab at
all... and all the things we have not fixed yet. Oh well...

Georg





Re: [tor-talk] Crasher in tor browser alpha when playing videos

2015-05-18 Thread Georg Koppen
Christian Stadelmann:
> Hi
>
> I found a crasher when playing videos in tor browser 5.0a1. This is not
> present in current firefox releases. It happens on different websites
> with a video tag, even on simple test sites. This issue was not
> present in TBB 4.5.
>
> Is this issue known? If yes, where do I find it (to not ask this
> question next time). I searched on trac without finding anything useful
> [1].

So apart from https://bugs.torproject.org/16026 there is nothing known
that resembles your problem. Do you have an example URL which crashes
your Tor Browser? What Linux are you using?

 If not, how do I debug this to find the cause and help fix it? Just
 running the same command line as the starter script does, inside gdb:
 
 gdb --args ./firefox --class Tor\ Browser -profile
 TorBrowser/Data/Browser/profile.default
 
 seems to be a bad idea and does not work. I could not find any tips for
 that e.g. in the FAQ [2].

Have a look at the HACKING document:

https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Hacking

section Using gdb. I hope this helps.

Georg






Re: [tor-talk] expected circuit isolation behavior in torbrowser 4.5

2015-05-03 Thread Georg Koppen
nusenu:
 Hi,
 
 is it correct that in TBB 4.5 it is expected that all streams
 originating from one browser tab are done through the _same_ circuit
 and that two distinct tabs pointing to two distinct domains do *not*
 share any circuit?

Basically, yes, although the circuit isolation is strictly speaking not
tab-bound but bound to the URL bar domain: all streams that are
generated due to visiting a particular domain visible in your URL bar
should share the same circuit.

 If the above is true: Would the violation of this expectation be
 considered a bug?

I think so, yes. Note that we still have some corner cases to get
figured out/properly implemented like #13670, #1, #15599, #15499 and
#13669 to name a few.

Georg
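
Added example, not part of the original messages and not Tor Browser code: a small model of the isolation rule described in the two replies above (circuits keyed on the URL bar's base domain, plus a catch-all for requests with no window or tab), set beside a one-circuit-per-tab model. The suffix list, the `example.*` hosts and all function names are constructed for illustration.

```javascript
// Added illustration (not Tor Browser code): which requests share a circuit
// when isolation is keyed on the URL bar's base domain rather than on the tab.

// Constructed, deliberately tiny suffix list; a real browser consults the
// full Public Suffix List to find the registrable ("base") domain.
const PUBLIC_SUFFIXES = new Set(["org", "com", "co.uk"]);

// Key used for requests that are not associated with any window or tab.
const CATCH_ALL = "(catch-all)";

function baseDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  // Walk from the longest candidate suffix to the shortest; the base domain
  // is the matched public suffix plus one label to its left.
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(Math.max(i - 1, 0)).join(".");
    }
  }
  return labels.join("."); // unknown suffix: isolate on the full host name
}

// Isolation key as described in the replies: the URL bar domain, not the tab
// and not the host the individual request is sent to.
function urlBarKey(request) {
  if (request.urlBar === null) return CATCH_ALL;
  return baseDomain(new URL(request.urlBar).hostname);
}

// The model the slide implied: one circuit per tab.
function perTabKey(request) {
  return request.tab === null ? CATCH_ALL : "tab-" + request.tab;
}

// Hand out circuit numbers in order of first use of each isolation key.
function assignCircuits(requests, keyFn) {
  const circuits = new Map();
  return requests.map((request) => {
    const key = keyFn(request);
    if (!circuits.has(key)) circuits.set(key, circuits.size + 1);
    return circuits.get(key);
  });
}

// Constructed sample traffic (hypothetical third-party and background hosts).
const SAMPLE_REQUESTS = [
  { tab: 1, urlBar: "https://blog.torproject.org/", url: "https://blog.torproject.org/" },
  { tab: 2, urlBar: "https://trac.torproject.org/", url: "https://trac.torproject.org/" },
  { tab: 1, urlBar: "https://blog.torproject.org/", url: "https://cdn.example.com/lib.js" },
  { tab: 3, urlBar: "https://news.example.co.uk/", url: "https://cdn.example.com/lib.js" },
  { tab: null, urlBar: null, url: "https://updates.example.org/check" },
];

// One row per request with the circuit number under each model.
function compareModels(requests) {
  const byUrlBar = assignCircuits(requests, urlBarKey);
  const byTab = assignCircuits(requests, perTabKey);
  return requests.map((r, i) => ({
    url: r.url,
    tab: r.tab,
    byUrlBar: byUrlBar[i],
    byTab: byTab[i],
  }));
}

console.table(compareModels(SAMPLE_REQUESTS));
```

In the output, the two torproject.org tabs and the third-party fetch made from the blog tab share one circuit under the URL bar model, while the same third-party host fetched from a different first party lands on a different circuit.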





Re: [tor-talk] Upcoming change to Firefox internals that hopefully shouldn't break TBB

2015-04-23 Thread Georg Koppen
Hi,

David Rajchenbach-Teller:
 Hi everyone,
 
  We are planning to land a change in Firefox that has a small chance of
 impacting TBB. The patch is here:
 https://bugzilla.mozilla.org/show_bug.cgi?id=1157235 .
 
 Now that Firefox handles internally the non-saving of private
 tabs/windows, we believe that this should have no impact. It would be
 great if someone working on TBB could confirm that we are not breaking
 anything.

I put that on my plate and will comment in the bug. Thanks for the heads-up,

Georg






Re: [tor-talk] Tor Browser 4.5a4 on Raspbian wheezy

2015-03-10 Thread Georg Koppen
Mirimir:
 On 03/09/2015 11:58 PM, Andreas Krey wrote:
 On Mon, 09 Mar 2015 20:32:11 +, Mirimir wrote:
 I've built Tor Browser 4.5a4 on Raspbian wheezy, using instructions at
 https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Hacking.

 Is this news, or unremarkable?

Nice. I have not heard someone trying to do that before.

 At least, it's interesting. I wanted to look into that myself (because
 I only have a raspberry at one place and want the TBB), but...

 Did you build on the raspberry or cross? Care to share details?

 Andreas
 
 I built on a Pi 2, with Raspbian wheezy on a 32GB class 10 microSDHC
 card. It took 6-7 hours at 100% CPU, and I had to cool the Pi 2 with a
 small fan to prevent overheating. I followed exactly the instructions in
 the above URL at Building Just Firefox, except that I commented out
 ac_add_options --enable-tor-browser-update in
 ~/tor-browser/.mozconfig after configuring.
 
 After make -C obj-* package INNER_MAKE_PACKAGE=true, I executed
 ~/tor-browser/obj-armv7l-unknown-linux-gnueabihf/dist/firefox/firefox.
 And it works. But I've since discovered that add-ons are broken.

Not sure what you mean with "works" but starting it this way will create
a new profile (or use an existing one) without any of the extensions
needed for Tor Browser (like Torbutton and HTTPS-Everywhere etc.) and
without tor and pluggable transports.

 Browsing about:addons, I get:
 
 | XML Parsing Error: undefined entity
 | Location: about:addons
 | Line Number 390, column 15:
 |
 |<label value="&plugins.installed.find;"/>
 | ---^
 
 I'm not sure how to proceed, and would appreciate suggestions. I don't

Commit bc305e697edb6860fe035e4b67fc5f027de237a5 in Tor Browser needs
this entity and Torbutton defines it. This is, again, a sign that you
are missing the extensions we ship in Tor Browser.

 believe that Gitian is workable in Raspbian wheezy. But if Gitian is the
 way to go, I can try it in Ubuntu 14.10 / Linaro 15.01
 http://www.raspberrypi.org/forums/viewtopic.php?f=56&t=98997.

I'd be very much interested in looking at the results/dead-ends/issues
when using the deterministic builds approach. Might be good to document
your findings in #12631 which is the ticket for the ARM port of Tor Browser.

Georg





Re: [tor-talk] TorBrowserBundle

2015-03-09 Thread Georg Koppen
Travis Bean:
 Integrating the web browser into the operating system is essential for
 automatic security updates. From a computer security standpoint, this is
 what bothers me the most about the current Alpha phase that
 TorBrowserBundle is in. If a web browser is not integrated with the OS
 and is not kept up-to-date on a regular basis, this creates a HUGE
 security hole for hackers to exploit the OS by finding a weakness in the
 web browser and injecting malware into the HTTP stream.

Which is why we release every couple of weeks a new Tor Browser and use
the Tor Browser updater to keep the necessary user interaction at a
minimum. Integration of Tor Browser into the operating system (whatever
that exactly means) is orthogonal to having automatic security updates.
(This does not say anything about that integration being worthwhile or
not, though.)

Georg



Re: [tor-talk] Tor and HTTP/2?

2015-02-19 Thread Georg Koppen
Georg Koppen:
 Lara:
 intrigeri:
 Tor can transport basically anything that lives on top of TCP.
 Assuming HTTP/2 is TCP, then there's basically nothing to do on the
 Tor side, it should just work :)

 Right. But see the WebRTC issues, does Tor browser team know of problems
 with this new HTTP flavor?

 
 Yes. We talked to Marc Nottingham a while back which uncovered a bunch

I meant Mark Nottingham, sorry about that.

Georg






Re: [tor-talk] Tor and HTTP/2?

2015-02-19 Thread Georg Koppen
Lara:
 intrigeri:
 Tor can transport basically anything that lives on top of TCP.
 Assuming HTTP/2 is TCP, then there's basically nothing to do on the
 Tor side, it should just work :)
 
 Right. But see the WebRTC issues, does Tor browser team know of problems
 with this new HTTP flavor?
 

Yes. We talked to Marc Nottingham a while back which uncovered a bunch
of things we need to check when we switch to Firefox ESR 38 and led to
spec amendments, too. (see:
https://github.com/http2/http2-spec/issues/645). The ticket tracking
this effort is #14952.

Georg





Re: [tor-talk] Once again: window size [solved?]

2014-12-04 Thread Georg Koppen
Hartmut Haase:
 Hi Leeroy,
 I tested with an unused Tor  4.0.2:
  only one in 13,213 with 1000x900x24
 2. Use Tor-Button to change identities. The window should resize
 automatically. Test at this window size.
 only one in 13,176 with 1000x900x24
 3. Use the 'new window' option from the Tor-Browser menu. Test at this
 window size.
 only one in 13,140 with 1000x900x24
 
 That doesn't look bad, does it?

Yes. Keep in mind resizing the window by any means does break rounding
the window to a multiple of 200x100 currently. This is a bug we need to
fix but it is no easy one.

Georg





Re: [tor-talk] Missing PW Store in Alpha 3

2014-10-21 Thread Georg Koppen
RD:
 
 Hello Tor-Talk,
 
 I noticed that in alpha 4-2 I could retain passwords on sites.
 Once I switched to Alpha 4-3 I could not.
 
 So I switched back to version 2; did the appropriate Configs, under
 options, then and repeated the aforementioned.
 
 Whether by design or error, Alpha 4-2.0 can not retain P/W

Could you test Tor Browser 4.0? Your problem should be fixed there (by
bug 13366) if you allow storage to disk.

Georg







Re: [tor-talk] TBB 4.0 default screen size

2014-10-20 Thread Georg Koppen
Philip Georgiev:
 hi there :)
 
 if I close TBB 4.0 while it's open bookmark panel, the new session has
 not default size, but larger - 1230x600 if I see correctly.
 
 I'm not familiar with tickets, so if this is a bug and somebody confirm
 it - pls report in my place.
 
 sorry for my bad english :)

What operating system are you using? How do I reproduce your problem?

Georg





Re: [tor-talk] Unreachable address

2014-09-22 Thread Georg Koppen
Hartmut Haase wrote:
 Hi,
 when I try to open www.stayfriends.de I get the following message:
 
 This Connection is Untrusted
 
 You have asked TorBrowser to connect securely to
 www.stayfriends.de, but it cannot be verified whether
 the connection is secure.
 
 Normally, when you connect securely, the website
 presents trusted identification to guarantee
 that you are visiting the right website. The identity
 of this website, however, cannot be confirmed.
 What should I do?
 
 If you usually have no problems with this website, this
 error could mean that someone is impersonating the website. In that
 case you should not continue.
 
 www.stayfriends.de uses an invalid security certificate. The
 certificate is not trusted because no issuer chain
 was provided. (Error code: sec_error_unknown_issuer)
 
 The last paragraph tells the reason. The owner of the page tells me that
 his certificate is o. k.
 Who is right, and who is wrong?

Hard to say but the problem is that the PositiveSSL CA 2 is not in the
trust store in Firefox based browsers. That's why your issue is showing
up. The owner of the page is probably not using/not testing with Firefox
and thus not aware of it.

Georg





Re: [tor-talk] Tor Browser default window size

2014-09-12 Thread Georg Koppen
Hartmut Haase:
 Hi Georg,
 in Linux Tor Browser opens with the window size
 1296x1018
 when I make a screenshot of the window, it has that size, and it looks
 like that because the whole screen has 1920x1080

Okay, if you make a screenshot of the browser window and this gives you
different results for the height and width of the whole window this may be
the result of having different toolbar, url bar and button sizes etc.
which is influenced, in part, by your underlying operating system. So,
this is nothing to worry about as long as the values web pages may
retrieve are rounded to multiples of 200 (width) and 100 (height) which
the inner window (i.e. the window only containing the rendered website)
is set to on start-up. Tor Browser reports those values even for your
browser window (i.e. the window with the website and the toolbar, url
bar etc.)/screen size.

Georg





Re: [tor-talk] Merging all languages (locales) into one Tor Browser package?

2014-09-12 Thread Georg Koppen
David Balažic:
 On 7 September 2014 14:29, Sebastian G. bastik.tor 
 bastik@googlemail.com wrote:
 

 Downsides:
 - Higher file size for the package.
 - Higher bandwidth requirement for single package users.
 - Users have to select their language during install. (UI problem?)

 
 Users already made a language choice when installing the OS (or booting an
 OEM install for the first time).
 This choice should be good enough for the majority. The others can use a
 command line switch or similar.

I am not convinced by this argument. First, if you have 5 million users
then 3 million is a majority, too, which would still leave 2 million to
teach themselves how to switch to the desired locale. You might argue
"Well, it would be much much less than 2 million people that would be
affected." Maybe, who knows.

But even then the first thing you'll get as support is users asking
"Where do I get the [language of your choice] Tor Browser" as they
landed on the English Tor project landing page and assume they get the
English browser if they can't switch to the language they want (as
Mozilla e.g. offers (see: https://www.mozilla.org/en-US/firefox/all/) ),
which they don't want.

If you somehow avoided/managed that you need to take care of the people
that really want to use another language or you ask all on first start
which would be the second hurdle users have to take to get Tor Browser
running. And you need that for all supported OSes probably with
screenshots explaining things.

Then you need to take care of a fraction of them that activated a
language (e.g. Chinese) you ship by accident and are now completely lost
as they are not able to parse, e.g. Chinese and thus to get back the
language they want.

So, in short: I am quite concerned about the usability issues (and I
probably missed a bunch) that would follow from having all locales in
one bundle.

But there is hope for you: We plan to have a hardened/alpha series which
contains all the locales already in it. See:

https://bugs.torproject.org/12967

Georg





Re: [tor-talk] Dropping Tor Browser support for Mac OSX 10.6?

2014-09-11 Thread Georg Koppen
Matt Pagan:
 
 
 Mike Perry wrote:
 Are there any 10.6 32bit Mac users on this list? Is Tails a workable
 option for you?

[snip]

 Sorry for asking you to do more work, but I'm requesting that we keep
 supporting Mac OS 10.6 with a deadline, maybe a year in the future.
 (The number of Mac 10.5 users has definitely decreased in the past
 year). If 32-bit Mac Tor Browsers are no longer distributed, I can
 imagine an increase in the help desk volume when confused, sometimes
 desperate, Mac users discover they can't run the Mac Tor Browser on
 their 32-bit Macbook.

Keeping support for OS X 10.6 and keeping support for 32 bit is not
strictly the same. In fact, I'd assume there is only a fraction of OS X
10.6 users that would not be capable of running a 64 bit Tor Browser.
So, what about switching to 64 bit but still supporting OS X 10.6?

Georg






Re: [tor-talk] Tor Browser default window size

2014-09-11 Thread Georg Koppen
Hartmut Haase:
 Sorry Georg,
 3) (without doing anything to the window) go to browserspy.dk/screen.php?
 1000x900

I thought so :). And that is good and expected. However, how does that
fit to your claims that in Linux Tor Browser opens with the window size
1296x1018, in Windows 7 with 1533x1021? What is happening? How can I
reproduce that problem?

Georg






Re: [tor-talk] Tor Browser default window size

2014-09-09 Thread Georg Koppen
Hartmut Haase:
 Hi Georg,
 does this happen with just downloaded vanilla Tor Browser packages?
 ???

What width/height do you see if you

1) download and verify the latest release Tor Browser (3.6.5)
2) start it
3) (without doing anything to the window) go to browserspy.dk/screen.php?

Georg






Re: [tor-talk] TorBrowser-3.6.5-osx32_en-US.dmg Image broken

2014-09-09 Thread Georg Koppen
MacLemon:
 Hey!
 
 When downloading TorBrowser 3.6.5 for OS X I get an image that has no 
 mountable filesystems. From checksum and GPG signature I don't expect to have 
 a b0rken download but rather a problem during image creation.

What is happening? Do older Tor Browser images work (see:
https://archive.torproject.org/tor-package-archive/torbrowser/) ? Which
OS X are you on?

Georg







Re: [tor-talk] Tor Browser Bundle 3.6.3: bad start

2014-09-08 Thread Georg Koppen
Katya Titov:
 Joe Btfsplk:
 On 9/7/2014 5:36 AM, Geoff Down wrote:
 Same problem on Win7 with 3.6.5 - browser sometimes fails to open.

 On Sun, Sep 7, 2014, at 08:51 AM, Hartmut Haase wrote:
 Hi,
 sometimes when I try to start Tor, firefox will also be started,
 but there is no Tor Browser-window. I have to start several times
 until it works.
 I've had the same problem with TBB 3.6.3 in Vista.  Haven't tried
 3.6.5 yet.
 It doesn't happen too often - enough to be annoying.  When it's 
 happened,  I kill the Tor Browser / Firefox.exe process (that's
 running in background).

 I've never shut any other apps or services down, before starting TBB 
 again.  It almost always works on the 2nd try (actually opens the 
 browser window).
 So IF... something else is interfering w/ TBB starting correctly,
 it's not consistent.
 
 I have very similar results to Joe using the 64-bit Linux version. I
 have never been able to find relevant TBB logs, nor any system or home
 directory logs which point to the cause. Killing and then restarting
 TBB always fixes the problem. It probably happens 1-2 times per month.
 
 If anyone can suggest tracing/logging options I'm willing to try.

This is very likely #10804. Solving this is high on the priority list
but alas not as high as getting everything ready for the switch to ESR 31.

Georg







Re: [tor-talk] Tor Browser default window size

2014-09-08 Thread Georg Koppen
Hi,

Hartmut Haase:
 Hi,
 I have learned so far that the Tor Browser does not store the used
 window size like other programs do, because it always starts with the same
 size.
 But there is one thing I don't understand: in Linux Tor Browser opens
 with the window size 1296x1018, in Windows 7 with 1533x1021. Therefore
 there must be a place where the default window size is defined.

does this happen with just downloaded vanilla Tor Browser packages?
Which version? Are you resizing/maximizing the windows? What should
happen is a browser window showing up with rounded width/height which is
dependent on your real screen size.

Georg





Re: [tor-talk] Help with Default Browser

2014-08-07 Thread Georg Koppen
RD:
 Hello Tor,
 
 Despite my check-marking 'Make Tor Browser the Default browser', wherever
 I click on a link from an email regular Firefox opens up.
 
 How do I make Tor Browser always be the default?

There are (currently) issues with this idea:

https://bugs.torproject.org/12763

Georg





Re: [tor-talk] TBB with remote SOCKSPort: Something Went Wrong!

2014-08-05 Thread Georg Koppen
Nusenu:
 Hi,
 
 although torbrowser *seems* to work fine, I get the message:
 Something Went Wrong!
 when starting torbrowser (which is configured to connect to a remote
 SOCKSPort).
 
 I remember reading about that issue before, but can't seem to find it
 anymore.
 
 Is there a trac ticket for this?

https://bugs.torproject.org/10178
https://bugs.torproject.org/11751

are probably the ones that come to mind here.

Georg





Re: [tor-talk] Spoofing a browser profile to prevent fingerprinting

2014-07-30 Thread Georg Koppen
Mirimir:
 With scripts allowed globally, Panopticlick sees another 2-3 bits. I
 suspect that much of the additional information is also the same for all
 Tor browsers, given what I've read about Tor-specific tweaks. If that's
 the case, this isn't a major issue.

That's not necessarily the case. But anyway, the current Panopticlick is
not a good way to test for Tor Browser uniqueness[1] (and see below).

 What is a major issue is the risk of being exploited through a
 JavaScript vulnerability. And that's why I always block scripts.

Note that we disable a bunch of JIT related preferences to mitigate that
risk[2] and are investing efforts in getting hardened builds deployed[3].

 The risk from doing that, of course, is that each user will tend to
 customize their NoScript profile in a distinct way. And that will allow
 websites to tell them apart.
 
 Even so, Panopticlick can't report anything about that. For that, one
 would need a version of Panopticlick that's restricted to assessing and
 comparing Tor browser profiles. Right?

Yes. There are plans for one which is helpful in this regard[4][5].

Georg

[1] https://bugs.torproject.org/6119
[2] https://bugs.torproject.org/9387#comment:17
[3] https://bugs.torproject.org/10599
[4] https://www.torproject.org/getinvolved/volunteer.html.en#panopticlick
[5] https://lists.torproject.org/pipermail/tor-dev/2014-March/006486.html






Re: [tor-talk] Tor Browser window size

2014-07-25 Thread Georg Koppen
Joe Btfsplk:
 On 7/24/2014 3:58 AM, Georg Koppen wrote:
 Joe Btfsplk:

 Should TBB always start in partial window size?
 It depends on your available screen size. But in almost all cases, yes,
 TBB should always start in partial window size at least until we find a
 good way to deal with maximized browser windows (see e.g.:
 https://bugs.torproject.org/7256).
 Thanks Georg,
 Clearly I've forgotten or never knew why (partial) TBB window sizes can
 be spoofed, but standard multiples for maximized TBB windows *can't* be
 spoofed, instead.
 
 ? Don't a majority of users maximize something like browsers, for
 general use?  I've never seen it mentioned that most users leave TBB in
 partial screen.
 I wouldn't think TBB (window size) would be used differently than
 regular browsers (a result of human habit).
 
 I rarely see people using browsers in partial size, unless doing some
 between app operation / comparison.  I'm talking about what the masses do.
 Vanilla Firefox starts in maximized mode, if that was the state when
 closed (I think).
 TBB always starts in partial screen mode, even if last closed while in
 full screen.  Many apps remember the last screen size.
 Is there an anonymity reason to have TBB  start in partial screen?
 Not per se, but see https://bugs.torproject.org/7256 for the issue that
 still needs to get solved first.

 I don't understand your last statement in relation to the bug you linked:

It meant that there is no inherent anonymity reason to start TBB in
partial screen mode. The reason we do that now is that it is the only
way we currently can sort of guarantee that the window dimensions
reported back to a website are properly rounded. Bug 7256 tracks one
idea that would cover maximized windows as well.

Georg






Re: [tor-talk] Tor Browser window size

2014-07-24 Thread Georg Koppen
grarpamp:
 Can't TBB also alternativly just rig the functions that report window
 size to report whatever size you tell it, regardless of actual size?
 ie 1024x768x24 .

Sure. You can report that you have a window size of 0x0 if you want. Or
42x23 or 1234x567. But the problem is a) that you want to be in a group
of users with the same window size AND b) that there is no means to get
(further) information on what your actual window size is. Reporting
whatever size you tell it is not appropriate to achieve these two
related goals. It turns out that especially b) is quite hard if you do
not report the actual window size.

Georg
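
Added example, not part of the original messages and not Tor Browser code: a sketch of the start-up rounding to multiples of 200 (width) and 100 (height) discussed in the window-size replies above, showing how rounding collapses different screens into shared buckets and how a manual resize leaves the grid. The 1000-pixel cap, the 120-pixel toolbar allowance, the sample screens other than 1920x1080 and all function names are assumptions made for illustration.

```javascript
// Added illustration (not Tor Browser code): start-up rounding of the inner
// window to multiples of 200 (width) and 100 (height).

const STEP_W = 200;
const STEP_H = 100;
// Assumptions, not from the thread: an upper bound on the inner window and a
// fixed allowance for toolbars and window decorations.
const MAX_W = 1000;
const MAX_H = 1000;
const CHROME = { w: 0, h: 120 };

function roundDown(value, step, max) {
  return Math.min(Math.floor(value / step) * step, max);
}

// Inner (content) window size chosen at start-up for a given screen.
function startupInnerSize(screen, chrome = CHROME) {
  return {
    w: roundDown(screen.w - chrome.w, STEP_W, MAX_W),
    h: roundDown(screen.h - chrome.h, STEP_H, MAX_H),
  };
}

// True when a size a page can read is still on the 200x100 grid.
function isRounded(size) {
  return size.w > 0 && size.h > 0 &&
    size.w % STEP_W === 0 && size.h % STEP_H === 0;
}

// Group users by the value a website would see; each bucket is one
// anonymity set.
function buckets(sizes) {
  const counts = new Map();
  for (const s of sizes) {
    const key = s.w + "x" + s.h;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return counts;
}

// Constructed sample of user screens (1920x1080 is the one from the thread).
const SCREENS = [
  { w: 1920, h: 1080 }, { w: 1680, h: 1050 }, { w: 1600, h: 900 },
  { w: 1440, h: 900 }, { w: 1366, h: 768 }, { w: 1280, h: 800 },
];

// Compare how many distinct values a site sees with and without rounding.
function summarize(screens) {
  const exact = buckets(
    screens.map((s) => ({ w: s.w - CHROME.w, h: s.h - CHROME.h }))
  );
  const rounded = buckets(screens.map((s) => startupInnerSize(s)));
  return { exactBuckets: exact.size, roundedBuckets: rounded.size, rounded };
}

const summary = summarize(SCREENS);
console.log("distinct sizes without rounding:", summary.exactBuckets);
console.log("distinct sizes with rounding:   ", summary.roundedBuckets);
console.log(Object.fromEntries(summary.rounded));

// A manual resize takes the window off the grid again (constructed value).
console.log("after resize still rounded?", isRounded({ w: 1037, h: 652 }));
```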






Re: [tor-talk] Tor Browser window size

2014-07-24 Thread Georg Koppen
Joe Btfsplk:
 On 7/23/2014 2:49 AM, Georg Koppen wrote:
 Red Sonja:
 I'm running the latest TBB on linux32. How do I reset the window size? I
 moved one side by mistake and I can't set it back by hand. Each time I
 run it, it's the window size from the last session.
 That should not happen. If you resize a window and then e.g. click on
 New Identity you should get your default window size again and not the
 one from some last session. Does this happen with a clean, new Tor
 Browser? If so, please file a bug at https://bugs.torproject.org giving
 some steps to reproduce as we'd need to investigate that further.

 Should TBB always start in partial window size?

It depends on your available screen size. But in almost all cases, yes,
TBB should always start in partial window size at least until we find a
good way to deal with maximized browser windows (see e.g.:
https://bugs.torproject.org/7256).

 Vanilla Firefox starts in maximized mode, if that was the state when
 closed (I think).
 TBB always starts in partial screen mode, even if last closed while in
 full screen.  Many apps remember the last screen size.
 Is there an anonymity reason to have TBB  start in partial screen?

Not per se, but see https://bugs.torproject.org/7256 for the issue that
still needs to get solved first.

Georg





Re: [tor-talk] Tor Browser window size

2014-07-23 Thread Georg Koppen
Red Sonja:
 I'm running the latest TBB on linux32. How do I reset the window size? I
 moved one side by mistake and I can't set it back by hand. Each time I
 run it, it's the window size from the last session.

That should not happen. If you resize a window and then e.g. click on
New Identity you should get your default window size again and not the
one from some last session. Does this happen with a clean, new Tor
Browser? If so, please file a bug at https://bugs.torproject.org giving
some steps to reproduce as we'd need to investigate that further.

Georg






Re: [tor-talk] hardware acceleration OK or not?

2014-07-23 Thread Georg Koppen
Joe Btfsplk:
 
 On 6/28/2014 4:54 AM, Roger Dingledine wrote:
 On Fri, Jun 27, 2014 at 01:27:50PM -0500, Joe Btfsplk wrote:
 Hardware acceleration is unchecked by default in Torbrowser.

 Other than some machines might not support it, is there a reason not
 to enabled it?

 Some fingerprinting or other issue?
 https://trac.torproject.org/projects/tor/ticket/10531
 which points to
 https://lists.torproject.org/pipermail/tor-talk/2013-June/thread.html#28620


 Basically, some Windows systems were crashing when Tor Browser had
 hardware acceleration enabled.

 I think we made that change in TBB 3.5rc1:
 https://blog.torproject.org/blog/tor-browser-bundle-35rc1-released

 See the (alas not labelled with a ticket number) line:
 Misc Prefs: Disable layer acceleration to avoid crashes on Windows

 It looks from the various tickets like the issue is not entirely sorted
 for all users.

 Thanks.  Has it been determined whether hardware acceleration being
 enabled can be detected for fingerprinting purposes?

I think it can if you write some tests measuring and comparing the
performance of particular browser features that may benefit from
hardware acceleration being enabled.

Georg





Re: [tor-talk] Vidalia as stand-alone client???

2014-07-18 Thread Georg Koppen
Joe Btfsplk:
 On 6/28/2014 2:16 PM, Roger Dingledine wrote:
 On Thu, Jun 26, 2014 at 11:30:19AM -0700, Bobby Brewster wrote:
 However, I'm wondering if this is the best way or is Vidalia now
 deprecated?
 It is now deprecated. It has been unsupported for years. :(

 https://www.torproject.org/docs/faq#WhereDidVidaliaGo

 The exception for now is the relay-by-default and bridge-by-default
 Windows bundles. But that's mostly because nobody has replaced them with
 anything better. Please do!

 Would it really be that difficult to write code for TB / develop an
 addon or stand alone app to go with the TB bundle, that at least shows
 the names & basic data of currently built circuits?

Having something to include into Tor Launcher would be really
appreciated. Note that with fixing #3455 (which we are currently working
on/which is currently in need of review) #8641, which actually gives
what you want, will be fixed as well (work is underway here, too). So
there is hope.

Georg





Re: [tor-talk] Torbrowser consistent crash on shut down_nssckbi.dll

2014-07-16 Thread Georg Koppen
Joe Btfsplk:
> Has anyone experienced crashes when closing TBB, as described here?
> https://trac.torproject.org/projects/tor/ticket/10761#comment:5
>
> It happens almost every session, if I load pages in TBB.
> For me, it happens even if not restoring tabs / windows, as the bug OP
> mentioned (I never do).
>
> For me, the base cause listed in Event Viewer is:
> Faulting module name: nssckbi.dll.  Not quite sure what this dll does.
>
> My full event viewer details of the crash event are at:
> https://trac.torproject.org/projects/tor/ticket/10761#comment:36

Could you please open a new ticket to not mix these (maybe related,
maybe not) problems? Thanks,

Georg






Re: [tor-talk] Tor identification Research

2014-07-16 Thread Georg Koppen
alaa mub:
> Hi All,
>
> I'm doing some research on Tor identification, and it seems that Tor recently
> implemented different types of defenses by enabling HTTP pipelining, padding,
> and packet relaying and randomizing the pipeline size as well as the order of
> requests. Which of these are implemented and which are not?

You mean you are looking for implemented defenses against website
traffic fingerprinting? In this case have a look at:

https://blog.torproject.org/blog/experimental-defense-website-traffic-fingerprinting

https://blog.torproject.org/blog/critique-website-traffic-fingerprinting-attacks

And, above all, look at the actual code and the commit message:

https://gitweb.torproject.org/tor-browser.git/commit/354b3b5d05c1cb83afdf2c8b3a8a321d89fd390c

Georg

 
> Thanks
 






Re: [tor-talk] SPDYv3 [WAS:You could use ModX to create .onion sites, ]

2014-06-26 Thread Georg Koppen
shm...@riseup.net:
 
 
 Mike Cardwell:
 SPDY is currently supported by Firefox, Chromium and Opera. A few
 examples of sites that already have SPDY enabled: Google.com+mail,
 Facebook, Twitter, Wordpress.com. Apache has a module for it:
 https://code.google.com/p/mod-spdy/ and the latest versions of Nginx
 have it built in.

 Yeah, I'm a fan of SPDY and I think Tor especially will benefit
 hugely from sites enabling it.
 
 just wondering why SPDY still isn't enabled by default in tbb ?

SPDY has some nice tracking features we don't want and which we need to
cope with first:

https://www.torproject.org/projects/torbrowser/design/

However, because SPDY can store identifiers and has extremely long
keepalive duration, it is disabled through the Firefox preference
network.http.spdy.enabled.

See as well:

https://bugs.torproject.org/6101
https://bugs.torproject.org/4100

If you'd like to work on that topic you are very welcome.

Georg





