Hidden Service authorization is a pretty obscure feature of HSes, that
can be quite useful for small-to-medium HSes.
Basically, it allows client access control during the introduction
step. If the client doesn't prove itself, the Hidden Service will not
poroceed to the rendezvous step.
This
So most of my work over the next three days is writing and editing
documentation on hidden services.
I'm in Boston and the purpose of this trip is to rewrite existing documentation
to be more useful, but with authenticated hidden services, what's available is
extremely sparse. GlobaLeaks and
On Sun, Nov 09, 2014 at 12:50:00PM +, George Kadianakis wrote:
I suspect that HS authorization is very rare in the current network,
and if we believe it's a useful tool, it might be worthwhile to make
it more useable by people.
Yes, HS authoritzation is rare. It's rare enough that it was
On Sun, 9 Nov 2014 16:19:24 +
Andrea Shepard and...@torproject.org wrote:
How would Tor Browser learn about this reason for not being able to
connect/ tell Tor the authentication info? This is starting to sound
like wanting SOCKS5 extensions to indicate different causes for
connection
SecureDrop (and former Firefox) dev here. A few months ago I started
working on a patch to support prompting users for an authenticated
hidden service cookie in the manner of HTTP Basic Auth. [0] We require
journalists who use SecureDrop to download submissions from an
authenticated Tor hidden
Hi everyone,
Operation Onymous, the anecdotes about it (I don't think the DoS was a
DoS), the wording of the related legal documents, and the previous CMU
research... make me think that traffic confirmation attacks are now
widely used in practice. Other, cat-and-mouse implemetation
I'm probably missing significant Tor development history here, but section
5.2 of the tor design paper
http://www.onion-router.net/Publications/tor-design.pdf mentions using
the domain format x.y.onion where x is used for authorization and y.onion
is used for actual the actual addressing. I'm not
I think the option to rate-limit guard selection is a great idea to defend
against guard DoS. The downside is possible connection loss even if you’re not
under attack and you just happen to pick flaky guards. In case you’re
interested, I examined this defense and how often such benign service
George K:
I suspect that HS authorization is very rare in the current network,
and if we believe it's a useful tool, it might be worthwhile to make
it more useable by people.
Is anyone making their HSDir onion descriptor scraping patches
available somewhere? I'd suspect the rarity of HS
This might be a good use for the Alternate-Protocol header currently
used by Chrome to allow opportunistic upgrade from HTTP to SPDY.
See also the Alt-Svc header proposed by the HTTPbis WG earlier this year.
___
tor-dev mailing list
I have some news to report, along with more data.
The August DoS attempt appears to have been a crawler bot after all. An
old friend came forward after reading tor-dev and we laughed about his
dumb crawler bot vs my dumb must-serve-200-codes-at-everything nginx
config. His user agent string only
On Sun, Nov 09, 2014 at 07:25:39PM +, Fears No One wrote:
In other news, the same guy runs a bot that records uptimes for various
onions, and he gave me output related to up/down times for doxbin,
Cloud9, and Silk Road 2.0.
NOTE: Time zone is GMT+9:30 on all of these. He used sed to
In the future Next Generation Hidden Services specification there
are again two ways to do authorization:
https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/224-rend-spec-ng.txt#l1446
One way is with a password and the other is with a public key.
A {shared secret,key} and a user
I have several hundred thousand (or million? Haven't counted) hs descriptors
saved on my hard disk from a data collection experiment (from 70k HSes). I'm a
bit nervous about sharing these en masse as whilst not confidential they're
supposed to be difficult to obtain in this quantity. However,
On 11/9/14 8:58 PM, Jacob Appelbaum wrote:
For example, it would be interesting if TBB would allow people to
input a password/pubkey upon visiting a protected HS. Protected HSes
can be recognized by looking at the authentication-required field of
the HS descriptor. Typing your password on the
On Sun, Nov 09, 2014 at 07:25:39PM +, Fears No One wrote:
I have some news to report, along with more data.
The August DoS attempt appears to have been a crawler bot after all. An
old friend came forward after reading tor-dev and we laughed about his
dumb crawler bot vs my dumb
Hi!
I´m new to the Tor project and I´m looking for some easy project to get me
started. preferebly in Java, I can do debugging or write some code.
Conny
___
tor-dev mailing list
tor-dev@lists.torproject.org
Hi Connny, glad you want to get involved! Please take a peek at...
https://www.torproject.org/getinvolved/volunteer.html.en#Projects
If you're interested in Java then Orbot
(https://guardianproject.info/apps/orbot/) and Metrics
(https://metrics.torproject.org/) are your best bets.
Cheers!
NB I'm copying the tor-dev mailing list on this message.
At CCS I saw Rishab present these papers:
CS-BuFLO: A Congestion Sensitive Website Fingerprinting Defense
http://www3.cs.stonybrook.edu/~rnithyanand/pubs/wpes2014-csb.pdf
Glove: A Bespoke Website Fingerprinting Defense
On Sun, Nov 9, 2014 at 3:22 PM, Gareth Owen gareth.o...@port.ac.uk wrote:
I have several hundred thousand (or million? Haven't counted) hs descriptors
saved on my hard disk from a data collection experiment (from 70k HSes).
I'm a bit nervous about sharing these en masse as whilst not
On Sun, Nov 9, 2014 at 3:30 PM, Fabio Pietrosanti - lists
li...@infosecurity.ch wrote:
On 11/9/14 8:58 PM, Jacob Appelbaum wrote:
For example, it would be interesting if TBB would allow people to
input a password/pubkey upon visiting a protected HS. Protected HSes
can be recognized by looking
On 2014-11-09 15:30, Fabio Pietrosanti - lists wrote:
On 11/9/14 8:58 PM, Jacob Appelbaum wrote:
For example, it would be interesting if TBB would allow people to
input a password/pubkey upon visiting a protected HS. Protected HSes
can be recognized by looking at the authentication-required
On 22 October 2014 05:48, Roger Dingledine a...@mit.edu wrote:
What I had to do was make one of my Directory Authorities an exit -
this let the other nodes start building circuits through the
authorities and upload descriptors.
This part seems surprising to me -- directory authorities always
On Sun, Nov 09, 2014 at 09:16:40PM -0500, Griffin Boyce wrote:
On 2014-11-09 15:30, Fabio Pietrosanti - lists wrote:
On 11/9/14 8:58 PM, Jacob Appelbaum wrote:
For example, it would be interesting if TBB would allow people to
input a password/pubkey upon visiting a protected HS. Protected HSes
24 matches
Mail list logo
