Re: [tor-talk] Upcoming security releases for Tor 0.2.9 and up.

can we get a windows build, i.e., a tor-win32-0.2.9.xx.zip On Wed, Feb 21, 2018 at 10:17 AM, Nick Mathewson wrote: > Hi! > > This coming week, we'll be putting out new stable releases for 0.2.9 > and later to fix a few security bugs. The highest-severity bug to be > fixed

Re: [tor-talk] Is there a limit to how many .onion addresses I can generate/advertise/use for one hidden service?

> On 17/11/2017 05:51, Cyberpotato wrote: >> Is there any sort of limit (artificial, performance, or otherwise) to the >> number of hidden service descriptors or .onion addresses i can generate >> and/or use to access a single hidden service? The use case would be to >> generate a unique .onion

Re: [tor-talk] Does the Tor DNS transparent proxy code use clients nameservers?

> This looks OK. When I check with Wireshark I see no DNS queries leaving > my system. Must think about what this means. Or better, get some sleep. > It's been a long day... the DNS query should be tunneled over a tor connection, so if it's working right, you would see no DNS query leaving your

Re: [tor-talk] Does the Tor DNS transparent proxy code use clients nameservers?

ltiple times to bind to multiple addresses/ports. See SocksPort for an explanation of isolation flags. (Default: 0) On Wed, Oct 25, 2017 at 5:01 PM, Rob van der Hoeven <robvanderhoe...@ziggo.nl> wrote: > On Wed, 2017-10-25 at 16:50 -0400, Allen wrote: >> and what happens if you us

Re: [tor-talk] Does the Tor DNS transparent proxy code use clients nameservers?

or maybe better "dig @localhost:torport hostname +tcp" On Wed, Oct 25, 2017 at 4:50 PM, Allen <allen...@gmail.com> wrote: > and what happens if you use dig alone to talk directly to tor? > something like "dig -p torport hostname +tcp" (see man dig) > > On Wed

Re: [tor-talk] Does the Tor DNS transparent proxy code use clients nameservers?

and what happens if you use dig alone to talk directly to tor? something like "dig -p torport hostname +tcp" (see man dig) On Wed, Oct 25, 2017 at 4:42 PM, Rob van der Hoeven wrote: > Hi Folks, > > I'm testing a small single-program transproxy program that I wrote (not

Re: [tor-talk] Need a stable .onion address hosted by the Tor project.

-25 at 08:50 -0400, Allen wrote: >> As long as you keep the tor processing running on your web server, >> the >> response should be relatively quick. If you shutdown the tor process >> on your web server and then restart it, it might take a few minutes >> for machines

Re: [tor-talk] Need a stable .onion address hosted by the Tor project.

As long as you keep the tor processing running on your web server, the response should be relatively quick. If you shutdown the tor process on your web server and then restart it, it might take a few minutes for machines on the tor network to find your server again. You can restart the http

Re: [tor-talk] help - some site DE-anonymize me

> Might just be the language setting in your browser. You'll find out by > setting it to some other language and try again. That makes sense, too. I see my browser says Accept-language: en-US,en;q=0.5 See http://request.urih.com/ -- tor-talk mailing list - tor-talk@lists.torproject.org To

Re: [tor-talk] help - some site DE-anonymize me

zalmos is webproxy. According to GeoIP, its servers are located in France. So when you visit another website such as google.com thru zalmos, the other website (google.com) is probably giving you content and ads that are appropriate for the country in which the zalmos proxy server is located

Re: [tor-talk] privacy of hidden services

From the discussion and studying the specs, my understanding is that: The HS directory servers receive the HS public key aka onion address. The information leakages are: (1) through various HSdir enumeration techniques, the world at large can discover the HS public key and onion address; (2) the

Re: [tor-talk] Self-deleting scripts in http connections

http://www.digitaltrends.com/computing/firefox-tor-vulnerability/ On Wed, Dec 21, 2016 at 3:09 PM, Joe Btfsplk wrote: > > > On 12/8/2016 7:10 AM, Jonathan Marquardt wrote: >> >> >> Such an attacker could insert some JS or cookies etc. to track a user >> around >> the web or

Re: [tor-talk] privacy of hidden services

distributed to authorized users. On Wed, Dec 21, 2016 at 3:06 PM, Flipchan <flipc...@riseup.net> wrote: > Limit access for unwanted registerd like he says have A page and use > /jdjenwlsishdjshdysoalwjdbebs instead of /login > > Allen <allen...@gmail.com> skrev: (21 december 2016

Re: [tor-talk] privacy of hidden services

> So yes, ideally encrypt your Introduction Points (basic) and obfuscate > identity keys (stealth) [this also encrypts sets of IPs]. Non-ideally, > use random slugs in URLs as OnionShare does (if you're doing web). ok, I'm not sure I completely understand. If my HS uses stealth auth, what data

[tor-talk] privacy of hidden services

I have a question about the privacy of hidden services. Let's say I create a tor hidden service and privately send the onion address to only two other people. Would anyone outside of myself and those two people be able to determine the onion address or monitor activity related to the hidden

Re: [tor-talk] Not comfortable with the new single-hop system merged into Tor

Alex, that is inappropriate language and behavior for a public discussion list. You have demeaned yourself greatly with that outburst, and only succeeding in damaging the Tor project. Please stop. Second, as someone who firmly believes in Murphy's Law, I share the concerns that have been

Re: [tor-talk] Massive Bandwidth Onion Services

16 at 10:40 AM, Alec Muffett <alec.muff...@gmail.com> wrote: > On 19 December 2016 at 14:04, Allen <allen...@gmail.com> wrote: > >> AFAIK, HiddenServiceNumIntroductionPoints >= 3 is also for the benefit >> of the client, so if intro point #1 doesn't work for t

Re: [tor-talk] Massive Bandwidth Onion Services

AFAIK, HiddenServiceNumIntroductionPoints >= 3 is also for the benefit of the client, so if intro point #1 doesn't work for the client, it can try to connect at intro point #2, and then finally at intro point #3 before giving up. So let's say my Tor client looks up your Tor hidden service

Re: [tor-talk] Firefox OS - B2G support ?

ng system ? > I've tried to find Tor Browser in the Marketplace, but sadly it's not here. > > It can be so nice to use this browser with this OS everyday ;) > Is it planned ? > Thx! > > > -- Allen Gunn Executive Director, Aspiration +1.415.216.7252 www.aspirationte

Re: [tor-talk] Connect Tor to socks4a proxy

P.S., socks4a is described at http://www.openssh.com/txt/socks4a.protocol . See also https://en.wikipedia.org/wiki/SOCKS#SOCKS4a On Sat, Sep 17, 2016 at 7:26 AM, Allen <allen...@gmail.com> wrote: > You can open a TCP connection to the tor proxy port (by default 9050 > or 9150 on t

Re: [tor-talk] Connect Tor to socks4a proxy

You can open a TCP connection to the tor proxy port (by default 9050 or 9150 on the localhost), send a command string, then read the reply. If the reply indicates a successful connection, you then send and receive bytes from the proxy port just like it was connected to the final end point. The

Re: [tor-talk] Tor 0.2.9.2-alpha is released

or-for-win32/ > > That said, and official way to compile it on Windows (or cross-compile > from Linux) using a manual guide or scripts would be nice. > > On 2016-08-24 at 21:14, Allen wrote: > > On Wed, Aug 24, 2016 at 2:55 PM, Nick Mathewson <ni...@torproject.org> > > wrote

Re: [tor-talk] Tor 0.2.9.2-alpha is released

On Wed, Aug 24, 2016 at 2:55 PM, Nick Mathewson wrote: > Hi, all! There is a new alpha release of the Tor source code, with > fixes for several important bugs, and numerous other updates. > It would be really helpful for both users and the Tor project if there were

Re: [tor-talk] Tor Project Corporate Document FOI Request

> # TOR SOLUTIONS CORPORATION, For Profit, 25 shares > http://corp.sec.state.ma.us/CorpWeb/CorpSearch/CorpSummary.aspx?FEIN= > 001055985 > > I don't think you've actually looked at any of the information the Tor Project provides to the public on its website. Because if you had looked at it,

Re: [tor-talk] Tor protocol classification

> > 1. Can anyone give me a description of what Tor is doing during the > following stages of bootstrapping: > https://gitweb.torproject.org/torspec.git/tree/ > The reason I picked these stages of bootstrapping is because they’re the > places where Tor is recognized and blocked by DPI equipment

Re: [tor-talk] Why so may exit node IP addresses in the TBB?

>>> It used to be that, if you opened five sites in TBB, all five would use >>> the same exit node. Now it appears that each of the five sites has >>> the IP address of a different exit node. It started on the alpha development of 4.5[1]: > > "This release features [...] isolation for circuit

Re: [tor-talk] Tor Project Corporate Document FOI Request

> > One can request anything. > For starters, you can't legally request that someone assassinate the President, send you child pornography, provide you with weapons of mass destruction, etc. So definitely not anything. And while you can make some requests, you can only make an FOI request of a

Re: [tor-talk] Tor Project Corporate Document FOI Request

On Thu, Jul 21, 2016 at 6:40 AM, grarpamp wrote: > Please post links to the following documents as they existed > covering the most recent portion of FY 2015 up to October 1 2015. > In addition, post both the oldest and current version of such > documents. > > - Articles Of

Re: [tor-talk] How to include Tor in my application

> > >> Is there a way to provide Tor in a ready to use format along with > >> my application? > > I'm starting with Windows. > Step 1 Option A Download and install torbrowser, and copy from the installation the two folders named "Tor". Those should contain everything you need. Step 1 Option B

Re: [tor-talk] How to include Tor in my application

> > Is there a way to provide Tor in a ready to use format along > with my application? > windoze app? -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Recent news stories regarding Tor

> > > If it were up to me, I would vote at this point to ban grarpamp from this > > list for at least a month for keeping this topic alive. While being a > > frequent contributor may have its privileges, the line has been crossed. > > So make your own ban list. It's trivially easy to send

Re: [tor-talk] Recent news stories regarding Tor

On Wed, Jun 29, 2016 at 1:19 PM, grarpamp wrote: > The post does *not* say anything on the topics, nor have, > rather it specifically refers interested people to offsite journalism > and participation models *away* from email here. > It would also be embarassingly foolish and

Re: [tor-talk] Recent news stories regarding Tor

Can we please stop with this topic? Done. Fini. Banned. Banished. Barred. Excluded. No more. Thank you. On Tue, Jun 28, 2016 at 11:12 PM, grarpamp wrote: > FYI, for those interested in alternative formats other than > noisy email here or online print rags, there's a

Re: [tor-talk] US Federal Court: The Fourth Amendment Does Not Protect Your Home Computer

On Fri, Jun 24, 2016 at 2:19 AM, grarpamp wrote: > https://www.eff.org/files/2016/06/23/matish_suppression_edva.pdf > > The judge's logic is pretty

Re: [tor-talk] Reminder to stay on-topic

Let's move on from this finally. It's starting to get annoying. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor-Friendly Two-Factor Authentication?

On Fri, Jun 10, 2016 at 9:58 PM, Scott Arciszewski wrote: > * FIDO U2F requires users to purchase separate hardware devices which, > while cheap, aren't already in the arsenal of most netizens > How about developing a simple 2FA app for a smartphone? Maybe a smartphone

Re: [tor-talk] Firefox add-on tells when website on clearnet has .onion

On Fri, Jun 10, 2016 at 3:56 PM, Lucas Teixeira wrote: > The table pointing associating clearnet domains with .onion addresses is > maintained on a .csv on a git repo. Why not ask the websites to add an "X-onionurl" header to their https responses? Then you wouldn't

Re: [tor-talk] Browserprint fingerprinting website

> > This is very interesting. It's worth looking into whether Tor Browser > should disable these types of behaviors (since it could identify the user's > OS). It'll take time but I think updates to stop the fingerprinting > techniques in the mentioned website are possible. > Several already have

Re: [tor-talk] A possible solution to traffic correlation attacks,

> > So randomizing the times that traffic enters the network and exits the > network wouldn't work? Like it enters a note and 30 ms after received or > another random delay couldn't it exit. It would be harder to correlate the > traffic right? IMO, the packets would probably need to be randomly

Re: [tor-talk] Tor (and other nets) probably screwed by Traffic Analysis by now

> > Fixed packet sizes seem to help. > another alternative would be random packet sizes, ie, the packet size transmitted to the next hop would not be the same as the size received -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to

Re: [tor-talk] MITM attack: How to see Tor Messenger's exit node?

> Are there any other explanations than MITM? A software bug. But given that your desired opsec is to be resistant to MitM attacks, you should always perform the required authentication steps regardless. Note that in any reasonable software, you shouldn't have to compare fingerprints every

Re: [tor-talk] Supreme Court Gives FBI More Hacking Power

I read the order you cited, and I see no rule that says what you claim. What I do see is a rather modest addition to the Federal Rules of Criminal Procedure, Rule 41, which gives any magistrate jurisdiction to issue a warrant in cases where law enforcement is unable to determine where a crime is

Re: [tor-talk] Tor for everyone; introducing Eccentric Authentication

> > Secondly, with the requirement that nickn...@sitename.tld to be unique, > I could write that nickname on a business card and hand it out. People > could verify at a verification service that there is only one > certificate (and public key) for that name and be sure to have gotten > *my* public

Re: [tor-talk] Tor for everyone; introducing Eccentric Authentication

I don't understand. If a message is associated with an identity, then it is not anonymous, it is at best pseudo-anonymous. Which are you proposing, truly anonymous messages that have no identity associated with them, or pseudo-anonymous messages that have a pseudo-anonymous identity associated

Re: [tor-talk] Tor ain't working or pulling up....

> Can some one help me Tor says "Copy Tor Log To Clipboard" why and how come why won't it boot up I have no > proxy...what is wrong with it ...even trid re-downloading it what in sam's hill is wrong with Tor it's been this way > 4-5 days now Try rebooting your machine, delete the contents

[tor-talk] torpoxy support for forced https

> > To get all the ways in which web browsers threat https differently > from http: mixed content warnings, cookie policies etc. pp. > Browsers won't special-case .onion as 'like https', and should not > because whether they actually are depends on things outside the > browser. > I suggest

[tor-talk] regression in torproxy 2.7.4?

I have a webservice that runs as a tor hidden service. The client connects to torproxy using a random socks4 username (which results in fresh circuit) and sends a short string to the server. The server sends a response from a few bytes to a few kilobytes in size, then gracefully closes the

Re: [tor-talk] ru news

> To correlate Tor traffic you need to control a majority of nodes. If > both Russia and NSA try to control them, both fail. > In all fairness, AFAIK if someone controls one entry guard and one exit node, they can correlate all traffic that uses those two nodes for entry and exit. If there are

Re: [tor-talk] ru news

> Do you honestly let a snakeoil company read all your emails and let them > fingerprint every email you send? Somehow they sneeked that in the last upgrade. I'm not amused either. Hopefully it is now disabled. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change

Re: [tor-talk] ru news

> NSA can't listen to traffic inside Russia and vice versa. You don't know that it all. Either country could have taps inside the backbone infrastructure of the other, or control parts of the Tor network used by people in the other country. You shouldn't mislead people with claims that neither

Re: [tor-talk] MITM attack on TLS

> > > SSH is probably more dangerous than OBFS4 because it coulee be detected > with a DPI fingerprint. They might question that. I think Tor with > transports is good. > > On that paranioa level OBFS4 is as dangerous as SSH - it doesn't matter > if they see traffic they can fingerprint as ssh

Re: [tor-talk] MITM attack on TLS

If your IT department allows outgoing SSH, then spin up a micro Linux EC2 instance on Amazon Web Services (which costs only 1.3 cents per hour), then SSH into the EC2 instance and setup an SSH tunnel. Assuming your local machine is running Windows, you can use Putty as the SSH client. If you

Re: [tor-talk] MITM attack on TLS

> You should remove these CAs Or they might fire you. IMO, you want to stay under the radar of your IT department. Much better if you can to let them have their MiTM certs and go around them using SSH or some other protocol. -- tor-talk mailing list - tor-talk@lists.torproject.org To

Re: [tor-talk] Islamic State

> > How can I help out in the war against ISIS? > Refuse to be terrorized. If we all do that, then we have won the war. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Bear Bonds - a new cryptocurrency that uses Tor

And details on "directory servers", "witnesses", "trusted party transaction servers". A lot of that is explained in the technical documentation. Briefly, the directory servers function like torrent trackers. The network nodes contact one or more directory servers, register their own onion

[tor-talk] Bear Bonds - a new cryptocurrency that uses Tor

and try out the wallet simulation script. We welcome any comments and questions. Thank you, Allen -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Server / Browser html PGP Encryption

n be > easily configured to use them. > > > > On 24 Sep 2015, at 2:58 PM, Darren Allen <darreneal...@gmail.com> wrote: > > > > Once a user has joined an Onion web server, they download the servers PGP > > Public Key, and upload their own PGP Public K

[tor-talk] Server / Browser html PGP Encryption

, are likewise encrypted using the Onion sites Public Key, and decrypted by the server. This would require altering the Tor Broswer, and web-hosting software, but would essentially allow SSL encryption for the Tor network. Regards, Darren Allen -- tor-talk mailing list - tor-talk@lists.torproject.org

Re: [tor-talk] Hidden Service and exit circuit questions?

can an exit node initiate contact with my HS without ever going through a rendezvous No, there is a handshake process needed to establish a Tor connection between the two machines, and that handshake only works through the rendezvous point. See

Re: [tor-talk] Hidden Service and exit circuit questions?

Since there is already an established circuit between the machine running the Tor service and an exit node, I'm thinking that the exit node may be able to use the existing circuit to access the HS port over the 3-hop circuit without ever going through the normal 6-hop rendezvous? You could check

Re: [tor-talk] OnionBalance 0.1.1 Alpha released - Hidden Service Load Balancing

Looks promising (although I have not yet tested it). With regard to the planned Complex mode, the most important feature IMO is to provide maximum protection for the onion service permanent key which currently resides on the Management Server, because it that is compromised, no amount of load

Re: [tor-talk] Hidden Service and exit circuit questions?

Since the hidden service (HS) does not need an exit node, I thought to try eliminating all exit circuits. You could also try -SOCKSPort 0 if you don't plan to make outgoing connections. See https://www.torproject.org/docs/tor-manual.html.en -- tor-talk mailing list -

Re: [tor-talk] Recommended private key management and recovery

there's talk about migrating to blockchain-based cryptoledgers, but a sticking point for management is how to reliably recover from theft of private keys. IMO, this discussion would be more suitable for a cryptocurrency mailing list. I think you will find though that the only way to recover

Re: [tor-talk] Hidden Service Scaling Summer of Privacy Project

FYI, we just discovered that this morning: https://trac.torproject.org/projects/tor/ticket/16381 Thanks. The ticket mentions a client-side expiration test that is not working correctly. That corresponds to the messages I'm seeing in the log file (and that tipped off to the problem): We

Re: [tor-talk] Hidden Service Scaling Summer of Privacy Project

on the hidden server remembers its introduction points so it can pick them back up when it restarts. Thanks, Allen -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Blocking of Tor relay IP address

It seems that if you run a Tor relay for long enough your IP address ends up in blocklists maintained by various services. You could try running Tor with ExitRelay = 0. Then your server will only relay traffic inside the Tor network and not from the Tor network to external sites (like Akamai).

[tor-talk] isolating multiple server requests

I have a client application that Tor to communicate with several servers. For privacy reasons, it is important that after each request, the client starts with a fresh slate so the server is not able to tell that the next request is coming from the same client. (Note that after the client restarts

Re: [tor-talk] isolating multiple server requests

Thanks. I take it IsolateClientAddr refers only to the source IP address, not the port binding? IsolateDestAddr looks useful, but I'm not sure in what circumstances IsolateClientAddr would be useful. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other

Re: [tor-talk] What is being detected to alert upon?

I didn't see an answer to this question, but I did compare the TLS Hello's from Firefox and the Tor binary distributed by torproject.org and there are lots of differences (see the two files attached), so I'm not sure this is worth worrying about... -Original Message- From: Allen

Re: [tor-talk] What is being detected to alert upon?

a connection to a Tor bridge looks kind of like regular TLS traffic. Question: I recompiled OpenSSL to remove a bunch of features that look unnecessary and might present a security risk, such as SSL2, SSL3 and DTLS. (In case it matters, it is OpenSSL v1.0.2a and the specific configure options

Re: [tor-talk] Full integration with bitcoin (suggestion / feature request)

If you want anonymous transactions then you want a blind-signing based currency like Taler Surely you jest... From http://www.taler.net/governments Taler is an electronic payment system that was built with the goal of supporting taxation. With Taler, the receiver of any form of payment is

Re: [tor-talk] Clarification of Tor's involvement with DARPA's Memex

More wanking = fewer wars, so that is a need, IMO, along with food, water, shelter and medical care. Beyond that, define need. Privacy and freedom from government and corporate surveillance are fundamental rights, IMO. Keeping your internet activity private from your ISP and the world-at-large

[tor-talk] hidden service with only one authorized client

As far as I can tell from testing and from deconstructing the spec at https://gitweb.torproject.org/torspec.git/tree/rend-spec.txt , if I have a hidden service with only one authorized client, there is no functional difference between using basic auth (rend-spec section 2.1) and stealth auth

Re: [tor-talk] McAfee warns of vulnerability in Mozilla encryption

the updates. - -- Allen Gunn Executive Director, Aspiration +1.415.216.7252 www.aspirationtech.org Aspiration: Better Tools for a Better World Read our Manifesto: http://aspirationtech.org/publications/manifesto Follow us: Facebook: www.facebook.com/aspirationtech Twitter: www.twitter.com

Re: [tor-talk] William was raided for running a Tor exit node. Please help if you can.

On 11/30/12 5:15 PM, Naslund, Steve wrote: Well, in that case I am really worried that the cops might charge me with a crime. They took my computers and are looking at them. I did not do anything wrong but just in case they decide to charge me with a crime, please send me some money. As