Re: [tor-talk] TOR Promotional Assets?

[JoeB]

Jay,
Never seen much. You could take screens of various logos or images used 
in TBB or from the project's site, as long as you're not "profiting" 
from them & disclosed where they're from.


I'd think there might be more interest in using images to support it.
The "onion" logo is widely recognized.  They have a new image in TBB on 
the about:home page.


On 11/27/22 16:15, Jay Salway wrote:

Are there any images and such which I can put on my website which shows my
appreciation for the project?? I've done some searches and couldn't find
any.

Thanks!

--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

[tor-talk] TOR Promotional Assets?

[Jay Salway]

Are there any images and such which I can put on my website which shows my
appreciation for the project?? I've done some searches and couldn't find
any.

Thanks!
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor users from Finland jumped from 25 000 to 200 000

[David Fifield]

On Thu, Jan 13, 2022 at 11:58:22PM -0700, David Fifield wrote:
> On Fri, Jan 14, 2022 at 05:38:14AM +0200, Markus Ottela via tor-talk wrote:
> > The creation of the Onion Service uses tempfile to create a temporary
> > directory each time a new Onion Service is spin up, but as per the log
> > files, there was only 25 Onion Services created during that time.
> 
> Restarting tor multiple times with a fresh tempdir each time would make
> you appear as multiple clients. If you ran 25 copies of the script, then
> you would be counted as 25 clients, since each instance of tor would be
> making its own separate directory requests. But I don't know if that's
> enough to explain the large effect on the estimated number of users. It
> depends on how often the scripts were restarting tor. The user counts
> are built on the assumption that a tor client makes a directory request
> every 144 minutes, on average. If the script restarted tor more
> frequently than that, it would be counted as more clients than 1. But to
> count as even 10,000 clients, each of the 25 script instances would have
> to be restarting tor every 144*60*25 / 1 = 21 seconds on average.

On Thu, Jan 13, 2022 at 06:09:24PM +0200, Markus Ottela via tor-talk wrote:
> Again I'm not sure that's what this is about, but both the start time, and
> the most recent major downtime spikes match. I've killed testing, let's see
> if it returns to normal; I think there's enough data to open a ticket about
> my issue anyway.

The user counts are still elevated, with data points through 2022-01-16.
If you stopped testing on 2022-01-13, it must not have been the main
cause.

https://metrics.torproject.org/userstats-relay-country.html?start=2021-10-21=2022-01-19=fi
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor users from Finland jumped from 25 000 to 200 000

[David Fifield]

On Fri, Jan 14, 2022 at 05:38:14AM +0200, Markus Ottela via tor-talk wrote:
> The creation of the Onion Service uses tempfile to create a temporary
> directory each time a new Onion Service is spin up, but as per the log
> files, there was only 25 Onion Services created during that time.

Restarting tor multiple times with a fresh tempdir each time would make
you appear as multiple clients. If you ran 25 copies of the script, then
you would be counted as 25 clients, since each instance of tor would be
making its own separate directory requests. But I don't know if that's
enough to explain the large effect on the estimated number of users. It
depends on how often the scripts were restarting tor. The user counts
are built on the assumption that a tor client makes a directory request
every 144 minutes, on average. If the script restarted tor more
frequently than that, it would be counted as more clients than 1. But to
count as even 10,000 clients, each of the 25 script instances would have
to be restarting tor every 144*60*25 / 1 = 21 seconds on average.

At least, that's according to my understanding of how it works.

> As for the client-side, new requests session was created for each
> connection*. I assumed Tor would keep a tunnel open to one guard node, and
> that each new session/connection would pass through it.

I don't think the number of requests sessions matters for this. The user
count estimates do not depend on the number of streams, number of
circuits, or anything like that, as far as I know.

> *In hindsight this I should've only done the GET requests inside the loop.
> 
> Here's the script I was running:
> https://gist.github.com/maqp/0e5dcf542ebb97baf98d198115e931ea
> 
> Markus
> 
> 
> On 13.1.2022 20.34, David Fifield wrote:
> > On Thu, Jan 13, 2022 at 06:09:24PM +0200, Markus Ottela via tor-talk wrote:
> > > I've been experiencing weird behavior with Tor + Stem + Flask Onion 
> > > Services
> > > dying randomly once every 1..5 days. I wrote a script that's making
> > > connections to a test an Onion Service to see when exactly the servers
> > > disappear -- and creating logs based on that. The system spins up new
> > > requests client instance for each connection, so those might be what's
> > > appearing on the graph. I'm just puzzled why they'd appear as different
> > > users, given that the public IP has remained static. (Also the script
> > > automatically spins up new Onion Service once it's been down for an hour, 
> > > so
> > > that could explain the spikes.)
> > > 
> > > Again I'm not sure that's what this is about, but both the start time, and
> > > the most recent major downtime spikes match. I've killed testing, let's 
> > > see
> > > if it returns to normal; I think there's enough data to open a ticket 
> > > about
> > > my issue anyway.
> > That's an interesting hypothesis. The user count estimate does not use
> > IP addresses; rather it counts directory requests. See:
> > https://gitweb.torproject.org/metrics-web.git/tree/src/main/resources/doc/users-q-and-a.txt?id=6c2679ec1797976e171a68bbd3d7442a34f0a5d1
> > 
> > > Q: How is it even possible to count users in an anonymity network?
> > > A: We actually don't count users, but we count requests to the
> > > directories that clients make periodically to update their list of
> > > relays and estimate user numbers indirectly from there.
> > > Q: What if a user runs tor on a laptop and changes their IP address a
> > > few times per day?  Don't you overcount that user?
> > > A: No, because that user updates their list of relays as often as a
> > > user that doesn't change IP address over the day.
> > In your experiments, were you starting tor with an empty DataDirectory
> > and a cold directory cache each time (e.g., in a freshly initialized
> > container), or were you reusing the same DataDirectory? The former I
> > would expect to have an effect on estimated users; the latter not.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor users from Finland jumped from 25 000 to 200 000

[Markus Ottela via tor-talk]

Hi David,

The creation of the Onion Service uses tempfile to create a temporary 
directory each time a new Onion Service is spin up, but as per the log 
files, there was only 25 Onion Services created during that time.


As for the client-side, new requests session was created for each 
connection*. I assumed Tor would keep a tunnel open to one guard node, 
and that each new session/connection would pass through it.


*In hindsight this I should've only done the GET requests inside the loop.

Here's the script I was running: 
https://gist.github.com/maqp/0e5dcf542ebb97baf98d198115e931ea


Markus


On 13.1.2022 20.34, David Fifield wrote:

On Thu, Jan 13, 2022 at 06:09:24PM +0200, Markus Ottela via tor-talk wrote:

I've been experiencing weird behavior with Tor + Stem + Flask Onion Services
dying randomly once every 1..5 days. I wrote a script that's making
connections to a test an Onion Service to see when exactly the servers
disappear -- and creating logs based on that. The system spins up new
requests client instance for each connection, so those might be what's
appearing on the graph. I'm just puzzled why they'd appear as different
users, given that the public IP has remained static. (Also the script
automatically spins up new Onion Service once it's been down for an hour, so
that could explain the spikes.)

Again I'm not sure that's what this is about, but both the start time, and
the most recent major downtime spikes match. I've killed testing, let's see
if it returns to normal; I think there's enough data to open a ticket about
my issue anyway.

That's an interesting hypothesis. The user count estimate does not use
IP addresses; rather it counts directory requests. See:
https://gitweb.torproject.org/metrics-web.git/tree/src/main/resources/doc/users-q-and-a.txt?id=6c2679ec1797976e171a68bbd3d7442a34f0a5d1


Q: How is it even possible to count users in an anonymity network?
A: We actually don't count users, but we count requests to the
directories that clients make periodically to update their list of
relays and estimate user numbers indirectly from there.
Q: What if a user runs tor on a laptop and changes their IP address a
few times per day?  Don't you overcount that user?
A: No, because that user updates their list of relays as often as a
user that doesn't change IP address over the day.

In your experiments, were you starting tor with an empty DataDirectory
and a cold directory cache each time (e.g., in a freshly initialized
container), or were you reusing the same DataDirectory? The former I
would expect to have an effect on estimated users; the latter not.

--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor users from Finland jumped from 25 000 to 200 000

[David Fifield]

On Tue, Jan 11, 2022 at 08:06:00PM +0200, Nurmi, Juha wrote:
> In addition, there is a spike in non-direct bridge users from Finland as
> well.
> 
> https://metrics.torproject.org/userstats-bridge-country.html?start=2021-10-13=2022-01-11=fi
> 
> All this is happening only in Finland and we can easily see that from other
> countries nearby, like Denmark, Norway and Sweden, the number of connected
> users is flat stable.
>
> ...
>
> Furthermore, there was known Tor censorship in Russia in December, see
> https://blog.torproject.org/tor-censorship-in-russia/.

The increase in bridge users is not only in Finland; it closely matches
the recent dynamics in Russia, which are large enough to be visible even
in the global graph.

https://metrics.torproject.org/userstats-bridge-country.html?start=2021-10-15=2022-01-13=ru
https://metrics.torproject.org/userstats-bridge-country.html?start=2021-10-15=2022-01-13

It is possible that some IP addresses in Russia are wrongly geolocated
to Finland.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor users from Finland jumped from 25 000 to 200 000

[David Fifield]

On Thu, Jan 13, 2022 at 06:09:24PM +0200, Markus Ottela via tor-talk wrote:
> I've been experiencing weird behavior with Tor + Stem + Flask Onion Services
> dying randomly once every 1..5 days. I wrote a script that's making
> connections to a test an Onion Service to see when exactly the servers
> disappear -- and creating logs based on that. The system spins up new
> requests client instance for each connection, so those might be what's
> appearing on the graph. I'm just puzzled why they'd appear as different
> users, given that the public IP has remained static. (Also the script
> automatically spins up new Onion Service once it's been down for an hour, so
> that could explain the spikes.)
> 
> Again I'm not sure that's what this is about, but both the start time, and
> the most recent major downtime spikes match. I've killed testing, let's see
> if it returns to normal; I think there's enough data to open a ticket about
> my issue anyway.

That's an interesting hypothesis. The user count estimate does not use
IP addresses; rather it counts directory requests. See:
https://gitweb.torproject.org/metrics-web.git/tree/src/main/resources/doc/users-q-and-a.txt?id=6c2679ec1797976e171a68bbd3d7442a34f0a5d1

> Q: How is it even possible to count users in an anonymity network?
> A: We actually don't count users, but we count requests to the
> directories that clients make periodically to update their list of
> relays and estimate user numbers indirectly from there.

> Q: What if a user runs tor on a laptop and changes their IP address a
> few times per day?  Don't you overcount that user?
> A: No, because that user updates their list of relays as often as a
> user that doesn't change IP address over the day.

In your experiments, were you starting tor with an empty DataDirectory
and a cold directory cache each time (e.g., in a freshly initialized
container), or were you reusing the same DataDirectory? The former I
would expect to have an effect on estimated users; the latter not.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor users from Finland jumped from 25 000 to 200 000

[Markus Ottela via tor-talk]

Hi,

Yikes, I wonder if this is my fault.

I've been experiencing weird behavior with Tor + Stem + Flask Onion 
Services dying randomly once every 1..5 days. I wrote a script that's 
making connections to a test an Onion Service to see when exactly the 
servers disappear -- and creating logs based on that. The system spins 
up new requests client instance for each connection, so those might be 
what's appearing on the graph. I'm just puzzled why they'd appear as 
different users, given that the public IP has remained static. (Also the 
script automatically spins up new Onion Service once it's been down for 
an hour, so that could explain the spikes.)


Again I'm not sure that's what this is about, but both the start time, 
and the most recent major downtime spikes match. I've killed testing, 
let's see if it returns to normal; I think there's enough data to open a 
ticket about my issue anyway.


So again, apologies if this is my fault.

Markus


On 11.1.2022 20.06, Juha Nurmi wrote:

Hello,

There have been around 25 000 Tor users from Finland. The number of users
is very stable. Except right now I see a spike of 200 000 Tor users
connected from Finland. Number of users starts to increase on Tuesday
2021-12-21.

https://metrics.torproject.org/userstats-relay-country.html?start=2021-10-13=2022-01-11=fi=off

In addition, there is a spike in non-direct bridge users from Finland as
well.

https://metrics.torproject.org/userstats-bridge-country.html?start=2021-10-13=2022-01-11=fi

All this is happening only in Finland and we can easily see that from other
countries nearby, like Denmark, Norway and Sweden, the number of connected
users is flat stable. For instance, see numbers from Sweden:

https://metrics.torproject.org/userstats-relay-country.html?start=2021-10-13=2022-01-11=se=off

Someone could speculate that this is some kind of test carried out from
Finnish IP range or a bot network infecting only Finnish machines like
poorly configured home routers and installing malware communicating through
Tor. Furthermore, there was known Tor censorship in Russia in December, see
https://blog.torproject.org/tor-censorship-in-russia/.

The fact we know is the increasing number of Tor users from Finland. Do we
actually know something concrete behind this?

Regards,
Juha

--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

[tor-talk] Tor users from Finland jumped from 25 000 to 200 000

[Nurmi, Juha]

Hello,

There have been around 25 000 Tor users from Finland. The number of users
is very stable. Except right now I see a spike of 200 000 Tor users
connected from Finland. Number of users starts to increase on Tuesday
2021-12-21.

https://metrics.torproject.org/userstats-relay-country.html?start=2021-10-13=2022-01-11=fi=off

In addition, there is a spike in non-direct bridge users from Finland as
well.

https://metrics.torproject.org/userstats-bridge-country.html?start=2021-10-13=2022-01-11=fi

All this is happening only in Finland and we can easily see that from other
countries nearby, like Denmark, Norway and Sweden, the number of connected
users is flat stable. For instance, see numbers from Sweden:

https://metrics.torproject.org/userstats-relay-country.html?start=2021-10-13=2022-01-11=se=off

Someone could speculate that this is some kind of test carried out from
Finnish IP range or a bot network infecting only Finnish machines like
poorly configured home routers and installing malware communicating through
Tor. Furthermore, there was known Tor censorship in Russia in December, see
https://blog.torproject.org/tor-censorship-in-russia/.

The fact we know is the increasing number of Tor users from Finland. Do we
actually know something concrete behind this?

Regards,
Juha
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

[tor-talk] Tor related talks/events @ rC3

[nusenu]

in chronological order:

--

title: Towards a more Trustworthy Tor Network

when: 2021-12-28, 17:00 CET
where: https://streaming.media.ccc.de/rc3/csh

primary target audience:
- Tor user
- Tor relay operators
- onion service operators
- and everyone that cares about Tor

--

title: The Tor Project - State of the Onion

when: 2021-12-28, 18:00 CET
where: https://streaming.media.ccc.de/rc3/csh

--

title: Tor relay operators meetup @ rC3
when: 2021-12-28, 22:00 CET





--
https://nusenu.github.io
--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

[tor-talk] Tor Browser HTTPS-Only Mode

[nusenu]

Hi Matthew,

is manually enabling HTTPS-Only Mode in current Tor Browser
versions officially supported? ("Enable HTTPS-Only Mode in all windows")

kind regards,
nusenu

Matthew Finkel (2021-04-25):

When Tor Browser migrates to Firefox 91esr we will look at enabling https-only
mode for everyone, but there remains a significant concern that there are many
sites that do not support HTTPS (especially more region specific sites) and the
question of what messaging Tor Browser should use in that case.




[1] 
https://blog.mozilla.org/security/2020/11/17/firefox-83-introduces-https-only-mode/



--
https://nusenu.github.io
--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] [tor-announce] [RELEASE] 0.3.5.17, 0.4.5.11, 0.4.6.8 and 0.4.7.2-alpha

[mick]

On Tue, 26 Oct 2021 14:23:19 -0400
David Goulet  allegedly wrote:

> > David
> > 
> > I do hope that this new forum is a supplement to, and not a
> > substitution for, the current email based Tor lists.  
> 
> It will supplement. We are working on setting up a way for the forum
> announcement to be replicated onto mailing lists.
> 
> David
> 

David

Excellent. Thanks.

Mick


-
 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 https://baldric.net/about-trivia
-

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] [tor-announce] [RELEASE] 0.3.5.17, 0.4.5.11, 0.4.6.8 and 0.4.7.2-alpha

[mick]

On Tue, 26 Oct 2021 11:48:54 -0400
David Goulet  allegedly wrote:
 
> The Tor Network Team will from now on do its release announcement
> through our new fancy shiny Discourse forum:
> https://forum.torproject.net
> 
> If you are interested in getting notified for each release
> announcement, you should follow this category (once you get an
> account):
> 
> https://forum.torproject.net/c/news/tor-release-announcement/28
> 
> And for todays' announcement:
> 
> https://forum.torproject.net/t/release-0-3-5-17-0-4-5-11-0-4-6-8-and-0-4-7-2-alpha/148
> 

David

I do hope that this new forum is a supplement to, and not a
substitution for, the current email based Tor lists.

Whilst a web based forum may indeed be "new, fancy and shiny" it has
distinct drawbacks, not least the need for an account, but also its
use of cookies. I suspect that many Tor users or relay admins will find
that a retrograde step, if not a distinct turn off.

Mick


-
 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 https://baldric.net/about-trivia
-

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor Browser + ALSA

[edgar]

mpan tor-1qnuaylp at mpan.pl
Tue Sep 14 13:43:23 UTC 2021

there is also a solution many people used in the interim period
between Mozilla decided to nuke ALSA and introducing it again: 
apulse.⁽²⁾


⁽¹⁾
https://github.com/archlinux/svntogit-packages/blob/6f80cdd3145436c9d1690c353f5490ad7f0098cf/trunk/PKGBUILD
⁽²⁾ https://github.com/i-rinat/apulse


Nicolas Vigier boklm at mars-attacks.org
Thu Sep 9 07:18:43 UTC 2021

And if you want to build Tor Browser, you can see this page:
https://gitlab.torproject.org/tpo/applications/tor-browser/-/wikis/Hacking/Hacking


Thank you very much to the both of you.

Does this mean that there is hope that the decision to remove ALSA (and 
not PulseAudio) in TorBrowser is reversed? is adding `ac_add_options 
--enable-alsa' in `mozconfig-*' what I would need to build TorBrowser 
with ALSA enabled?


The rationale of lower maintenance from Mozilla seems to have veered in 
a strange direction: remove ALSA and keep PulseAudio ("Make Pulse Audio 
a hard dependency on Linux so that we reduce the problems and 
maintenance associated with maintaining multiple audio backends").


Just to share (no complaint): The alternative to run `apulse' did not 
work for me. I tried to play a local mp3 file (Ritchie Valens' La 
Bamba), and it works for other browsers, but not with TorBrowser. This 
is possibly unrelated to `apulse', because the other browsers play sound 
regardless. The last commit to `apulse' was on Tue Jun 30 13:46:54 2020 
+0200, and I doubt that "maintenance" is the key word to keep using it 
as a work-around.


I really appreciate your advice. I post these for completeness regarding 
links.


https://www.linuxquestions.org/questions/linux-software-2/no-sound-in-tor-browser-on-debian-10-with-alsa-4175670325/
https://www.linuxquestions.org/questions/linux-software-2/no-sound-in-tor-browser-only-4175663745/

-
This free account was provided by VFEmail.net - report spam to ab...@vfemail.net

ONLY AT VFEmail! - Use our Metadata Mitigator to keep your email out of the 
NSA's hands!
$24.95 ONETIME Lifetime accounts with Privacy Features!  
15GB disk! No bandwidth quotas!
Commercial and Bulk Mail Options!  
--

tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] [tor-announce] [RELEASE] 0.3.5.17, 0.4.5.11, 0.4.6.8 and 0.4.7.2-alpha

[David Goulet]

On 26 Oct (18:58:53), mick wrote:
> On Tue, 26 Oct 2021 11:48:54 -0400
> David Goulet  allegedly wrote:
>  
> > The Tor Network Team will from now on do its release announcement
> > through our new fancy shiny Discourse forum:
> > https://forum.torproject.net
> > 
> > If you are interested in getting notified for each release
> > announcement, you should follow this category (once you get an
> > account):
> > 
> > https://forum.torproject.net/c/news/tor-release-announcement/28
> > 
> > And for todays' announcement:
> > 
> > https://forum.torproject.net/t/release-0-3-5-17-0-4-5-11-0-4-6-8-and-0-4-7-2-alpha/148
> > 
> 
> David
> 
> I do hope that this new forum is a supplement to, and not a
> substitution for, the current email based Tor lists.

It will supplement. We are working on setting up a way for the forum
announcement to be replicated onto mailing lists.

David

-- 
QH6XWXtrL9blSvXbw+DdZkn1Xx2UJnR2X56tf0A+EeA=


signature.asc
Description: PGP signature
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor Browser + ALSA

[mpan]

ALSA support was removed from firefox a few years ago:
https://bugzilla.mozilla.org/show_bug.cgi?id=1247056

There was an option to re-enable it at build time, but I don't know if
it still works.
  It works just fine. One may use Arch Linux’s PKGBUILD⁽¹⁾ as a 
reference on how to build Firefox with ALSA enabled. If it would not 
work, there is also a solution many people used in the interim period 
between Mozilla decided to nuke ALSA and introducing it again: apulse.⁽²⁾


⁽¹⁾ 
https://github.com/archlinux/svntogit-packages/blob/6f80cdd3145436c9d1690c353f5490ad7f0098cf/trunk/PKGBUILD

⁽²⁾ https://github.com/i-rinat/apulse


OpenPGP_signature
Description: OpenPGP digital signature
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor Browser + ALSA

[Nicolas Vigier]

On Wed, 08 Sep 2021, ed...@openmail.cc wrote:

> Hello,
> 
> Is there a way to get Tor Browser to work with ALSA? (It's not playing any
> sounds; other browsers do.) I would be willing to try the compilation
> process if needed. Thanks.

ALSA support was removed from firefox a few years ago:
https://bugzilla.mozilla.org/show_bug.cgi?id=1247056

There was an option to re-enable it at build time, but I don't know if
it still works.

And if you want to build Tor Browser, you can see this page:
https://gitlab.torproject.org/tpo/applications/tor-browser/-/wikis/Hacking/Hacking

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

[tor-talk] Tor Browser + ALSA

[edgar]

Hello,

Is there a way to get Tor Browser to work with ALSA? (It's not playing 
any sounds; other browsers do.) I would be willing to try the 
compilation process if needed. Thanks.


-
This free account was provided by VFEmail.net - report spam to ab...@vfemail.net

ONLY AT VFEmail! - Use our Metadata Mitigator to keep your email out of the 
NSA's hands!
$24.95 ONETIME Lifetime accounts with Privacy Features!  
15GB disk! No bandwidth quotas!
Commercial and Bulk Mail Options!  
--

tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

[tor-talk] Tor Browser bookmarks

[Dave Warren]

Hey...

I'm running Tor Browser 10.5.2 on Windows, and I can't edit bookmarks. 
Is this just me or do I have something misconfigured?


If I edit the properties of an existing bookmark the Save button is 
greyed out even after changing the name or location, the Star button in 
the URL bar doesn't respond at all, and dragging the current URL to the 
bookmark bar is ignored.


Worked fine at some point in the past, not sure when it last worked or 
when it broke, I was just trying to update some bookmarks to version 3 
onion services rather than relying on redirects.


--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor browser 10.5 lost all saved passwords

[bo0od]

saved logins in TB ? TB doesnt by default offer to save passwords unless 
change stuff in about:config (so what happened to you can be expected 
because its not supported by default). But if you have to save passwords 
while browsing then either use bitwarden or local password generator 
like keepassxc.


Note: adding external addons (not coming by default) is recommended 
against due to fingerprint issue which effect your anonymity.


Jerome Lille:

I just updated to version 10.5 and all the saved logins are gone!!

Can they be recovered?

/Jerome


--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor browser 10.5 lost all saved passwords

[s7r]

Roger Dingledine wrote:

On Tue, Jul 06, 2021 at 10:18:54PM +0200, Jerome Lille wrote:

I just updated to version 10.5 and all the saved logins are gone!!

Can they be recovered?


Check out
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40506

Apparently they're not gone, they're just... inaccessible. The ticket
suggests one way to recover them. Hopefully an upcoming Tor Browser will
fix this surprise.

--Roger


We might want to put a warning out there so people don't freak out:

snowflake-client.exe is seen as a virus on Windows:

Trojan:Win32/Zpevdo.B

Hopefully it's just a false positive? Anyone else experiencing this? 
Didn't have time to check it happened on my work computer where I was 
remotely connected and Tor Browser updated itself. Given it was a 
self-auto-update I could not have possibly downloaded a "wrong" infected 
Tor so no panic.


See attached image.

-s7r


OpenPGP_signature
Description: OpenPGP digital signature
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor browser 10.5 lost all saved passwords

[Roger Dingledine]

On Tue, Jul 06, 2021 at 10:18:54PM +0200, Jerome Lille wrote:
> I just updated to version 10.5 and all the saved logins are gone!!
> 
> Can they be recovered?

Check out
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40506

Apparently they're not gone, they're just... inaccessible. The ticket
suggests one way to recover them. Hopefully an upcoming Tor Browser will
fix this surprise.

--Roger

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

[tor-talk] Tor browser 10.5 lost all saved passwords

[Jerome Lille]

I just updated to version 10.5 and all the saved logins are gone!!

Can they be recovered?

/Jerome

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor Browser certificate exception

[anan]

qorg11:
> On 21/06/29 10:34AM, anan wrote:
>> Hello!
>>
>> How can I permanently add a certificate exception in the Tor Browser?
>>
>> When visiting onion sites, it'd be nice to have some easy solution to get
>> rid of certificate warnings.
> 
> I think it's a feature. So a malicious user (with physical access to
> your computer) can't trust a malicious invalid certificate
> forever. Same thing happens when importing a new CA. Tor Browser
> simply ignores it. 
> 
Ok, thanks, but I still ask.

How can I permanently add a certificate exception in the Tor Browser?


-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor Browser certificate exception

[Christian Siefkes]

On 29/06/2021 20:17, qorg11 wrote:
> I think it's a feature. So a malicious user (with physical access to
> your computer) can't trust a malicious invalid certificate
> forever. Same thing happens when importing a new CA. Tor Browser
> simply ignores it. 

Well, honestly: if a malicious user has access to your computer and your
user account, you're lost anyway.

Best regards
Christian

-- 
|- Dr. Christian Siefkes - christ...@siefkes.net -
| Homepage: https://www.siefkes.net   |  Blog: https://keimform.de
| Berlin klimapositiv und gerecht machen: https://www.klimaliste-berlin.de
| Systemwandel statt Klimawandel! -> https://www.ende-gelaende.org
| Ryt Íngglish foneticlli: https://www.lytspel.org
|--- OpenPGP Key ID: 0x7155F0B5980FA6ED --
To a nail, everything looks like a hammer.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor Browser certificate exception

[qorg11]

On 21/06/29 10:34AM, anan wrote:
> Hello!
> 
> How can I permanently add a certificate exception in the Tor Browser?
> 
> When visiting onion sites, it'd be nice to have some easy solution to get
> rid of certificate warnings.

I think it's a feature. So a malicious user (with physical access to
your computer) can't trust a malicious invalid certificate
forever. Same thing happens when importing a new CA. Tor Browser
simply ignores it. 

-- 
Happy Hacking!

qorg11
https://qorg11.net
https://kill-9.xyz
https://qorg.kill-9.xyz
PGP: 343F C20A 4ACA 62B9, https://qorg11.net/keys.txt 
Close the world, Open the nExt...
 ,,
/()`
\ \___   / |
/- _  `-/  '
   (/\/ \ \   /\
   / /   | `\
   O O   ) /|
   `-^--'`< '
  (_.)  _  )   /
|  | |\  | ~|~ \ / `.___/`/
|  | | \ |  |   X`-' /
`__| |  \| _|_ / \  <. __ / __   \
<|O)))==) \) /
<'`--' `.__,' \
 ||
  \   /
 __( (_  / \__
   ,'  ,-'   |\
   `--{__)\/

   _
ASCII ribbon campaign ( )
 against HTML e-mail   X
  / \


signature.asc
Description: PGP signature
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

[tor-talk] Tor Browser certificate exception

[anan]

Hello!

How can I permanently add a certificate exception in the Tor Browser?

When visiting onion sites, it'd be nice to have some easy solution to 
get rid of certificate warnings.


But in the meantime, how do I permanently add a certificate exception in 
Tor Browser?


Cheers!
--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] tor as Onion Service (only) Wrote about "Requested exit point" in .log

[d...@foundingdocuments.org]

> On May 2, 2021, at 4:14am, Roger Dingledine  wrote:
> 
> On Fri, Apr 30, 2021 at 07:16:08PM -0400, d...@foundingdocuments.org wrote:
>> Why would tor running as an onion service write this to its log? 
>> 
>> Apr 29 02:06:22.000 [warn] {APP} Requested exit point 
>> ???$1FINGER-PRINT-XYZ*??? is not known. Closing.
> 
> It's just a terminology confusion. What Tor means is that it wanted to
> make a circuit whose last hop was XYZ, but it couldn't.
> 
> Onion services make circuits like this when, for example, they want to
> upload your onion descriptor to particular HSDir relays -- the 'exit'
> is the HSDir it's trying to end its circuit at.

Excellent, thank you. 

> Among other stuff, the torrc contains: 
>> SOCKSPolicy reject *
>> SocksPort 0
>> ExitRelay 0 
>> ExitPolicy reject *:*  
> 
> All of those are fine. I wonder why you have ExitRelay and ExitPolicy
> set if you don't have ORPort set though -- if there's no ORPort, you're
> not a relay, so then your exit policy doesn't matter.

It contained even more embarrassing stuff like 
ExitPolicy reject *4:* # No IPv4 exits allowed
ExitPolicy reject *6:* # No IPv6 exits allowed
underneath the ExitPolicy reject *:*  line. 

That’s cruft from when I first started exploring tor’s configuration file. I 
studied the man page and put in things I was sure I wanted, then tested. I knew 
some line items were redundant but figured it wouldn’t hurt (based on docs), as 
well as leaving some vocab in front of me to help me memorize things. I’ve also 
been accused of being overly cautious at times. 

In related news, I had another look at the man page a few months ago compared 
to a few years ago and I was very glad it got some love. I was just too new to 
start figuring out how to change it and send my opinions on how to improve it. 
Not that it was bad before, but now it’s even better! :-) And time for me to 
make another pass over it and my script that writes the torrc.


>> In case it???s related, I see about an hour earlier there was a large number 
>> of dirservers that rejected an HS descriptor as invalid. In the past I???d 
>> seen a line or two or three of similar [warn] {REND} errors, but near the 
>> time below, there were 40 such lines. All within the span on one minute; 32 
>> rejected in one second. I don???t think I???d seen that many at once before. 
>> 
>> Apr 29 00:50:25.000 [warn] {REND} Uploading hidden service descriptor: http 
>> status 400 ("Invalid HS descriptor. Rejected.") response from dirserver 
>> [IPv4**]:9001. Malformed hidden service descriptor?
> 
> Are you sure these are v3 onion services, and not v2 onion services?

I decided to skip v2 entirely since I was just starting out. 

> You shouldn't be getting descriptor upload failures from v3 onion
> services. 

Interesting. 
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] tor as Onion Service (only) Wrote about "Requested exit point" in .log

[Roger Dingledine]

On Fri, Apr 30, 2021 at 07:16:08PM -0400, d...@foundingdocuments.org wrote:
> Why would tor running as an onion service write this to its log? 
> 
> Apr 29 02:06:22.000 [warn] {APP} Requested exit point 
> ???$1FINGER-PRINT-XYZ*??? is not known. Closing.

It's just a terminology confusion. What Tor means is that it wanted to
make a circuit whose last hop was XYZ, but it couldn't.

Onion services make circuits like this when, for example, they want to
upload your onion descriptor to particular HSDir relays -- the 'exit'
is the HSDir it's trying to end its circuit at.

> Among other stuff, the torrc contains: 
> 
> SOCKSPolicy reject *
> SocksPort 0
> ExitRelay 0 
> ExitPolicy reject *:*  

All of those are fine. I wonder why you have ExitRelay and ExitPolicy
set if you don't have ORPort set though -- if there's no ORPort, you're
not a relay, so then your exit policy doesn't matter.

> In case it???s related, I see about an hour earlier there was a large number 
> of dirservers that rejected an HS descriptor as invalid. In the past I???d 
> seen a line or two or three of similar [warn] {REND} errors, but near the 
> time below, there were 40 such lines. All within the span on one minute; 32 
> rejected in one second. I don???t think I???d seen that many at once before. 
> 
> Apr 29 00:50:25.000 [warn] {REND} Uploading hidden service descriptor: http 
> status 400 ("Invalid HS descriptor. Rejected.") response from dirserver 
> [IPv4**]:9001. Malformed hidden service descriptor?

Are you sure these are v3 onion services, and not v2 onion services?

You shouldn't be getting descriptor upload failures from v3 onion
services. If you are, please make an account on gitlab.torproject.org
and file a ticket in the 'Tor' component:
https://gitlab.torproject.org/tpo/core/tor/-/issues
and provide as many details (ways to reproduce it) as you can.

Whereas if they're actually v2 onion services, failures are going
to become more and more normal as relays upgrade:
https://blog.torproject.org/v2-deprecation-timeline

--Roger

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

[tor-talk] tor as Onion Service (only) Wrote about "Requested exit point" in .log

[d...@foundingdocuments.org]

Why would tor running as an onion service write this to its log? 

Apr 29 02:06:22.000 [warn] {APP} Requested exit point ‘$1FINGER-PRINT-XYZ*’ is 
not known. Closing.

Among other stuff, the torrc contains: 

SOCKSPolicy reject *
SocksPort 0
ExitRelay 0 
ExitPolicy reject *:*  

In case it’s related, I see about an hour earlier there was a large number of 
dirservers that rejected an HS descriptor as invalid. In the past I’d seen a 
line or two or three of similar [warn] {REND} errors, but near the time below, 
there were 40 such lines. All within the span on one minute; 32 rejected in one 
second. I don’t think I’d seen that many at once before. 

Apr 29 00:50:25.000 [warn] {REND} Uploading hidden service descriptor: http 
status 400 ("Invalid HS descriptor. Rejected.") response from dirserver 
[IPv4**]:9001. Malformed hidden service descriptor?

FYI Currently I have about 15 v3.onion sites that are nearly entirely idle; 
they’re for my education as I learn more. I don’t do anything wild & crazy or 
try to break stuff; I’m just trying to wrap my head around a lot of things. 

On another tor instance, on the same machine, that hosts 4 v3.onion services, 
at that exact time there is just 1 of those [warn] {REND} lines. 

But what has me most puzzled is, why would tor that only runs onion services 
and rejects SOCKS input, be ~ “requesting an exit point.” 

(I’m guessing the reason for it being unknown is my local cache of tor network 
documents included a relay/exit node that had since been ejected from the tor 
network.)

* & ** removed.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

[tor-talk] Tor 0.4.6.2-alpha is released

[Nick Mathewson]

Hi, all!

There's a new alpha Tor release! Because it's an alpha, you should
only run it if you're ready to find more bugs than usual, and report
them on gitlab.torproject.org.

The source code is available from the download page at
https://www.torproject.org/download/tor/ ; if you build Tor from
source, why not give it a try? And if you don't build Tor from source,
packages should be ready over the coming days, with a Tor Browser
alpha release likely some time next week.

Here's what's new:

Changes in version 0.4.6.2-alpha - 2021-04-15
  Tor 0.4.6.2-alpha is the second alpha in its series. It fixes several
  small bugs in previous releases, and solves other issues that had
  enabled denial-of-service attacks and affected integration with
  other tools.

  o Minor features (client):
- Clients now check whether their streams are attempting to re-enter
  the Tor network (i.e. to send Tor traffic over Tor), and close
  them preemptively if they think exit relays will refuse them for
  this reason. See ticket 2667 for details. Closes ticket 40271.

  o Minor features (command line):
- Add long format name "--torrc-file" equivalent to the existing
  command-line option "-f". Closes ticket 40324. Patch by
  Daniel Pinto.

  o Minor features (dormant mode):
- Add a new 'DormantTimeoutEnabled' option to allow coarse-grained
  control over whether the client ever becomes dormant from
  inactivity. Most people won't need this. Closes ticket 40228.

  o Minor features (fallback directory list):
- Regenerate the list of fallback directories to contain a new set
  of 200 relays. Closes ticket 40265.

  o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
  retrieved on 2021/04/13.

  o Minor features (logging):
- Edit heartbeat log messages so that more of them begin with the
  string "Heartbeat: ". Closes ticket 40322; patch
  from 'cypherpunks'.

  o Minor bugfixes (bridge, pluggable transport):
- Fix a regression that made it impossible start Tor using a bridge
  line with a transport name and no fingerprint. Fixes bug 40360;
  bugfix on 0.4.5.4-rc.

  o Minor bugfixes (channel, DoS):
- Fix a non-fatal BUG() message due to a too-early free of a string,
  when listing a client connection from the DoS defenses subsystem.
  Fixes bug 40345; bugfix on 0.4.3.4-rc.

  o Minor bugfixes (compilation):
- Fix a compilation warning about unused functions when building
  with a libc that lacks the GLOB_ALTDIRFUNC constant. Fixes bug
  40354; bugfix on 0.4.5.1-alpha. Patch by Daniel Pinto.

  o Minor bugfixes (configuration):
- Fix pattern-matching for directories on all platforms when using
  %include options in configuration files. This patch also fixes
  compilation on musl libc based systems. Fixes bug 40141; bugfix
  on 0.4.5.1-alpha.

  o Minor bugfixes (relay):
- Move the "overload-general" line from extrainfo to the server
  descriptor. Fixes bug 40364; bugfix on 0.4.6.1-alpha.

  o Minor bugfixes (testing, BSD):
- Fix pattern-matching errors when patterns expand to invalid paths
  on BSD systems. Fixes bug 40318; bugfix on 0.4.5.1-alpha. Patch by
  Daniel Pinto.

  o Documentation (manual):
- Move the ServerTransport* options to the "SERVER OPTIONS" section.
  Closes issue 40331.
- Indicate that the HiddenServiceStatistics option also applies to
  bridges. Closes ticket 40346.
- Move the description of BridgeRecordUsageByCountry to the section
  "STATISTICS OPTIONS". Closes ticket 40323.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor 0.4.6.1-alpha is released

[Roman Mamedov]

On Fri, 19 Mar 2021 19:07:38 +0100
Markus Reichelt  wrote:

> * Nick Mathewson  wrote:
> 
> > There's a new alpha Tor release!  Because it's an alpha, you should
> > only run it if you're ready to find more bugs than usual, and
> > report them on gitlab.torproject.org.
> 
> it isnt mentioned in the changelog, but this is rather important:
> 
> Mar 19 18:57:00.911 [warn] Onion services version 2 are obsolete. Please see 
> https://blog.torproject.org/v2-deprecation-timeline for more details and for 
> instructions on how to transition to version 3.
> 
> tor 0.4.6.1-alpha refuses to start if 
> 
> HiddenServiceVersion 2
> 
> is present in torrc.

F

Let me belatedly share my joy of getting http://version6savanize.onion/, just
as this starts to go away :)

V3 names don't have a mathematical chance of getting legible, so there needs
to be some kind of decentralized DNS for them.

Not planning to run a V3 service once V2 gets shut down.

-- 
With respect,
Roman
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor 0.4.6.1-alpha is released

[Markus Reichelt]

* Nick Mathewson  wrote:

> There's a new alpha Tor release!  Because it's an alpha, you should
> only run it if you're ready to find more bugs than usual, and
> report them on gitlab.torproject.org.

it isnt mentioned in the changelog, but this is rather important:

Mar 19 18:57:00.911 [warn] Onion services version 2 are obsolete. Please see 
https://blog.torproject.org/v2-deprecation-timeline for more details and for 
instructions on how to transition to version 3.

tor 0.4.6.1-alpha refuses to start if 

HiddenServiceVersion 2

is present in torrc.

-- 
left blank, right bald
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

[tor-talk] tor 0.4.4.7 Checking for OpenSSL Version Numbers

[d...@foundingdocuments.org]

Before tor 0.4.4.7 I was able to build tor with the latest versions of this 
software: zlib, libressl, libevent. Each of which I built as a static library. 
x86_64-apple-darwin15.6.0 (I tried static tor a long time ago and failed, and 
haven’t tried since.)

Now, after much testing I find the only way I can now successfully build tor is 
like this: zlib (static), openssl 1.1.1i (shared, with deprecated APIs enabled, 
libevent 2.1.12 (static), then tor 0.4.4.7. 

My very limited tests and plain old use of tor <= 0.4.4.6 built with static: 
zlib, libressl, and libevent indicated it worked fine. 

Based on trying to build tor 0.4.4.7 with static and shared libressl, static & 
shared openssl, etc... lead to varied errors which I would be glad to share and 
try to help fix to the extent I can. 

Some homework reveals the change is most likely on this page. 
https://gitlab.torproject.org/tpo/core/tor/-/commit/c6fb26695b1b84b287cc641f7bfaaaba32b67cde

Thank you.



p.s. here is the point of failure during make. Using the software in the first 
sentence. 

  CC   src/lib/tls/libtor_tls_a-tortls_openssl.o
In file included from src/lib/tls/tortls_openssl.c:48:
In file included from /custom/usr/local/include/openssl/ssl.h:150:
In file included from /custom/usr/local/include/openssl/hmac.h:67:
In file included from /custom/usr/local/include/openssl/evp.h:67:
In file included from /custom/usr/local/include/openssl/bio.h:69:
/custom/usr/local/include/openssl/crypto.h:335:35: error: too many
  arguments provided to function-like macro invocation
unsigned long OpenSSL_version_num(void);
  ^
./src/lib/crypt_ops/compat_openssl.h:37:9: note: macro 'OpenSSL_version_num' 
defined here
#define OpenSSL_version_num() SSLeay()
^
In file included from src/lib/tls/tortls_openssl.c:48:
In file included from /custom/usr/local/include/openssl/ssl.h:150:
In file included from /custom/usr/local/include/openssl/hmac.h:67:
In file included from /custom/usr/local/include/openssl/evp.h:67:
In file included from /custom/usr/local/include/openssl/bio.h:69:
/custom/usr/local/include/openssl/crypto.h:335:15: warning: no previous
  extern declaration for non-static variable 'OpenSSL_version_num' 
[-Wmissing-variable-declarations]
unsigned long OpenSSL_version_num(void);

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

[tor-talk] Tor 0.4.5.5-rc is released

[Nick Mathewson]

Hi, all!

There's a new Tor release candidate! We think this will be the last
one before 0.4.5.x is stable.

The source code is available from the download page at
https://www.torproject.org/download/tor/ ; if you build Tor from
source, why not give it a try? And if you don't build Tor from source,
packages should be ready over the coming days, with a Tor Browser
alpha release likely in the coming week.

Here's what's new:

Changes in version 0.4.5.5-rc - 2021-02-01
  Tor 0.4.5.5-rc is the third release candidate in its series. We're
  coming closer and closer to a stable release series. This release
  fixes an annoyance with address detection code, and somewhat mitigates
  an ongoing denial-of-service attack.

  We anticipate no more code changes between this and the stable
  release, though of course that could change.

  o Major feature (exit):
- Re-entry into the network is now denied at the Exit level to all
  relays' ORPorts and authorities' ORPorts and DirPorts. This change
  should help mitgate a set of denial-of-service attacks. Closes
  ticket 2667.

  o Minor bugfixes (relay, configuration):
- Don't attempt to discover our address (IPv4 or IPv6) if no ORPort
  for it can be found in the configuration. Fixes bug 40254; bugfix
  on 0.4.5.1-alpha.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor Browser for advanced users on Android

[Nathan Freitas]

On 10/11/20 9:47 AM, Jonathan Marquardt wrote:
> For example, 
> Orbot is already quite battery-hungry as it is, but running two Orbot 
> instances all the time for browsing while torifying some other things really 
> ain't that great on a smartphone.

This is definitely something we've been talking about awhile, between
the Guardian Project and Tor Browser team.

The good news is that with recent improvements of Tor "idle" features,
there should be very little battery consumption when tor is not in use.
No longer is the daemon constantly creating new circuits if you aren't
asking for them, for instance.

Similarly, with Tor Browser, you really only need the Tor service
instance running when the browser itself is in the foreground. Work is
underway and continues so that tor can bootstrap more quickly, so that
the user doesn't perceive any delay if tor has been shutdown when you
leave the browser.

Lastly, Hans from the Guardian Project team, continues to work on a more
invisible "Tor Service" daemon, that could be installed much like
"Google Play Services", and used by any app or service in a safe, shared
way. We have more work to do here on security risks and threats for
sure, but it is a promising direction.

Best,

  Nathan




signature.asc
Description: OpenPGP digital signature
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

[tor-talk] Tor Browser for advanced users on Android

[Jonathan Marquardt]

I get that Tor Browser by default is supposed to be friendly for the average 
user and it does this on Android and on a PC with the default settings quite 
well.

However, people who know what they're doing can really tweak TBB on a desktop 
to their specific needs, like using a system-wide Core Tor instance or saving 
browsing history.

Are there any plans to bring some features like this to TBB for Android? Or 
are there even ways to do these things that I'm not aware of? For example, 
Orbot is already quite battery-hungry as it is, but running two Orbot 
instances all the time for browsing while torifying some other things really 
ain't that great on a smartphone.

Thanks!
-- 
https://www.parckwart.de/
0x47BC7DE83D462E8BED18AA861224DBD299A4F5F3


signature.asc
Description: PGP signature
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor Bridge and Logs Settings in TBB

[Troy Airheart]

> You could add a bookmark to the following URL to get to the Tor settings with 
> one click:
> 
> about:preferences#tor

Jonathan, you are a delight. I never thought of this! :D Thank you so much. One 
problem solved!

Now, all that remains is the tiny custom bridge address box.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

[tor-talk] Tor 0.4.4.3-alpha is released

[Nick Mathewson]

Hi, all!

There's a new alpha Tor release! Because it's an alpha, you should
only run it if you're ready to find more bugs than usual, and report
them on trac.torproject.org.

The source code is available from the download page at
https://www.torproject.org/download/tor/ ; if you build Tor from
source, why not give it a try? And if you don't build Tor from source,
packages should be ready over the coming days, with a Tor Browser
alpha release likely by mid-August.

Here's what's new:

Changes in version 0.4.4.3-alpha - 2020-07-27
  Tor 0.4.4.3-alpha fixes several annoyances in previous versions,
  including one affecting NSS users, and several affecting the Linux
  seccomp2 sandbox.

  o Major features (fallback directory list):
- Replace the 148 fallback directories originally included in Tor
  0.4.1.4-rc (of which around 105 are still functional) with a list
  of 144 fallbacks generated in July 2020. Closes ticket 40061.

  o Major bugfixes (NSS):
- When running with NSS enabled, make sure that NSS knows to expect
  nonblocking sockets. Previously, we set our TCP sockets as
  nonblocking, but did not tell NSS, which in turn could lead to
  unexpected blocking behavior. Fixes bug 40035; bugfix
  on 0.3.5.1-alpha.

  o Minor bugfixes (linux seccomp2 sandbox):
- Fix a regression on sandboxing rules for the openat() syscall. The
  fix for bug 25440 fixed the problem on systems with glibc >= 2.27
  but broke with versions of glibc. We now choose a rule based on
  the glibc version. Patch from Daniel Pinto. Fixes bug 27315;
  bugfix on 0.3.5.11.
- Makes the seccomp sandbox allow the correct syscall for opendir
  according to the running glibc version. This fixes crashes when
  reloading torrc with sandbox enabled when running on glibc 2.15 to
  2.21 and 2.26. Patch from Daniel Pinto. Fixes bug 40020; bugfix
  on 0.3.5.11.

  o Minor bugfixes (relay, usability):
- Adjust the rules for when to warn about having too many
  connections to other relays. Previously we'd tolerate up to 1.5
  connections per relay on average. Now we tolerate more connections
  for directory authorities, and raise the number of total
  connections we need to see before we warn. Fixes bug 33880; bugfix
  on 0.3.1.1-alpha.

  o Documentation:
- Replace most http:// URLs in our code and documentation with
  https:// URLs. (We have left unchanged the code in src/ext/, and
  the text in LICENSE.) Closes ticket 31812. Patch from Jeremy Rand.

  o Removed features:
- Our "check-local" test target no longer tries to use the
  Coccinelle semantic patching tool parse all the C files. While it
  is a good idea to try to make sure Coccinelle works on our C
  before we run a Coccinelle patch, doing so on every test run has
  proven to be disruptive. You can still run this tool manually with
  "make check-cocci". Closes ticket 40030.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

[tor-talk] Tor Bridge and Logs Settings in TBB

[Troy Airheart]

I have to click Edit-->Preferences-->Tor to get to the area where custom 
bridges may manually be added. However, I find the box for the custom bridges 
to be too small and there is no way to resize it. I would appreciate it if you 
could enable resizing of the custom bridges list window or at least make it 
larger so it's easier to use.

Getting to the Logs Settings in TBB is also annoying. I have to click about 4 
times and scroll down to get to the logs button results. I would appreciate it 
of you could make it an icon which can be added to the Menu Bar.  By doing so, 
it would only require one click to access Tor logs.

Perhaps making one icon for the Menu Bar to access the Tor settings page in 
general would be the wiser way of doing things?
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor Bridge and Logs Settings in TBB

[Jonathan Marquardt]

On Sun, Jul 26, 2020 at 01:00:38AM +0200, Troy Airheart wrote:
> Getting to the Logs Settings in TBB is also annoying. I have to click about 
> 4 times and scroll down to get to the logs button results. I would 
> appreciate it of you could make it an icon which can be added to the Menu 
> Bar.  By doing so, it would only require one click to access Tor logs.

You could add a bookmark to the following URL to get to the Tor settings with 
one click:

about:preferences#tor
-- 
OpenPGP Key: 47BC7DE83D462E8BED18AA861224DBD299A4F5F3
 https://www.parckwart.de/pgp_key


signature.asc
Description: PGP signature
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor Browser Issue

[joebtfsplk]

On 7/9/20 8:35 AM, disrupt_the_flow wrote:


Στις 9 Ιουλίου 2020 3:02:32 μ.μ. EEST, ο/η Rodrigo Fachada 
 έγραψε:

Hello,

My name is João and I'm in need of guidance with an issue with Tor
Browser.



Sometimes that window doesn't even open, other times I don't get a
chance
to click the options.

I have no anti-virus other than Windows defender and I looked online
for
answers and found none corresponding to this issue.

Thank you for your attention to this matter,

João.
--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Maybe Windows Security is blocking it for whatever reason. Probably a false positive. Try adding 
TBB as an exclusion by going Start > Settings > Update & Security > Windows 
Security. Then under Virus & threat protection settings click on Manage settings. Under 
Exclusions  select Add or remove exclusions. Now select the proper folders or process or 
anything.
Source 
https://support.microsoft.com/en-us/help/4028485/windows-10-add-an-exclusion-to-windows-security

You don't say which Windows version, which Tor Browser (TBB) version,
what country (unless mentioning your country could be dangerous - that
all might be important.
I haven't used Windows in a long time, but there may be logged data
showing the events of trying to install TBB, or it not being allowed
internet access.

"Disrupt-the-flow's" right.  Try disabling the Windows AV & possibly its
Firewall - long enough to test accessing internet.
When you installed TBB, it never got past the point of asking how you
connect to the internet?

Also, you can verify the checksum of the downloaded package (unless this
was an upgrade of already installed TBB).  I don't see checksums listed
on the Tor Project download page or on individual platform pages.

All I saw was a mention in
https://tb-manual.torproject.org/downloading/, in "GetTor is a service"
section, if you use that, it will include the checksum for your TBB version.

Now days, DON'T download "free" software from almost ANY site, unless
you thoroughly check the site's & software package's (current)
reputation.  Many download sites or the developers' add "extras" to
software that unsuspecting users REALLY don't want. That's not just my
opinion.

Or you could try D/L TBB again & check the bytes in each package or use
a free utility to calculate the checksum of each package. Windows may
have a builtin checksum utility.  If not, Here's a Microsoft download
center checksum utility:
https://www.microsoft.com/en-us/download/details.aspx?id=11533.
NOTE: USING CHECKSUMS only verifies there were no download errors.

To verify that no one tampered w/ a package on a server, you must verify
the "authenticity" of packages you download are identical to the
developers' final version.
See this for simple how to:
https://support.torproject.org/en/tbb/how-to-verify-signature/

Make sure you got the correct TBB version for your Windows OS - 32 or
64bit.
In the old days, Windows kept a "system log" of events.  I think they
called it Event Viewer or Event Log, etc. (ask / search or look for
posts on a windows / computer forum about that type of log).

In the past, it would've shown an application failing to start or not
allowed internet access & almost anything - good or bad, that went on. 
Sometimes the messages are confusing, didn't give names of applications.
--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor Browser Issue

[disrupt_the_flow]

Στις 9 Ιουλίου 2020 3:02:32 μ.μ. EEST, ο/η Rodrigo Fachada 
 έγραψε:
>Hello,
>
>My name is João and I'm in need of guidance with an issue with Tor
>Browser.
>
>I tried to install it and reinstall it about 5 times now. As soon as I
>try
>to run Tor it opens a window with 2 options "Connect" and "Configure".
>I
>can click on both but that window will crash with no error message nor
>any
>information about the issue.
>
>Sometimes that window doesn't even open, other times I don't get a
>chance
>to click the options.
>
>I have no anti-virus other than Windows defender and I looked online
>for
>answers and found none corresponding to this issue.
>
>Thank you for your attention to this matter,
>
>João.
>--
>tor-talk mailing list - tor-talk@lists.torproject.org
>To unsubscribe or change other settings go to
>https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Maybe Windows Security is blocking it for whatever reason. Probably a false 
positive. Try adding TBB as an exclusion by going Start > Settings > Update & 
Security > Windows Security. Then under Virus & threat protection settings 
click on Manage settings. Under Exclusions  select Add or remove exclusions. 
Now select the proper folders or process or anything.
Source 
https://support.microsoft.com/en-us/help/4028485/windows-10-add-an-exclusion-to-windows-security
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

[tor-talk] Tor Browser Issue

[Rodrigo Fachada]

Hello,

My name is João and I'm in need of guidance with an issue with Tor Browser.

I tried to install it and reinstall it about 5 times now. As soon as I try
to run Tor it opens a window with 2 options "Connect" and "Configure". I
can click on both but that window will crash with no error message nor any
information about the issue.

Sometimes that window doesn't even open, other times I don't get a chance
to click the options.

I have no anti-virus other than Windows defender and I looked online for
answers and found none corresponding to this issue.

Thank you for your attention to this matter,

João.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

[tor-talk] Tor 0.4.4.1-alpha is released

[Nick Mathewson]

Hi, all!

There's a new alpha Tor release! Because it's an alpha, you should
only run it if you're ready to find more bugs than usual, and report
them on the bugtracker (or here, while we're getting the new
bugtracker working).

The source code is available from the download page on
www.torproject.org; if you build Tor from source, why not give it a
try? And if you don't build Tor from source, packages should be ready
over the coming days, with a Tor Browser alpha release likely by early
July.

Here's what's new:

Changes in version 0.4.4.1-alpha - 2020-06-16
  This is the first alpha release in the 0.4.4.x series.  It improves
  our guard selection algorithms, improves the amount of code that
  can be disabled when running without relay support, and includes numerous
  small bugfixes and enhancements.  It also lays the ground for some IPv6
  features that we'll be developing more in the next (0.4.5) series.

  Here are the changes since 0.4.3.5.

  o Major features (Proposal 310, performance + security):
- Implements Proposal 310, "Bandaid on guard selection". Proposal
  310 solves load-balancing issues with older versions of the guard
  selection algorithm, and improves its security. Under this new
  algorithm, a newly selected guard never becomes Primary unless all
  previously sampled guards are unreachable. Implements
  recommendation from 32088. (Proposal 310 is linked to the CLAPS
  project researching optimal client location-aware path selections.
  This project is a collaboration between the UCLouvain Crypto Group,
  the U.S. Naval Research Laboratory, and Princeton University.)

  o Major features (IPv6, relay):
- Consider IPv6-only EXTEND2 cells valid on relays. Log a protocol
  warning if the IPv4 or IPv6 address is an internal address, and
  internal addresses are not allowed. But continue to use the other
  address, if it is valid. Closes ticket 33817.
- If a relay can extend over IPv4 and IPv6, and both addresses are
  provided, it chooses between them uniformly at random. Closes
  ticket 33817.
- Re-use existing IPv6 connections for circuit extends. Closes
  ticket 33817.
- Relays may extend circuits over IPv6, if the relay has an IPv6
  ORPort, and the client supplies the other relay's IPv6 ORPort in
  the EXTEND2 cell. IPv6 extends will be used by the relay IPv6
  ORPort self-tests in 33222. Closes ticket 33817.

  o Major features (v3 onion services):
- Allow v3 onion services to act as OnionBalance backend instances,
  by using the HiddenServiceOnionBalanceInstance torrc option.
  Closes ticket 32709.

  o Minor feature (developer tools):
- Add a script to help check the alphabetical ordering of option
  names in the manual page. Closes ticket 9.

  o Minor feature (onion service client, SOCKS5):
- Add 3 new SocksPort ExtendedErrors (F2, F3, F7) that reports back
  new type of onion service connection failures. The semantics of
  these error codes are documented in proposal 309. Closes
  ticket 32542.

  o Minor feature (onion service v3):
- If a service cannot upload its descriptor(s), log why at INFO
  level. Closes ticket 33400; bugfix on 0.3.2.1-alpha.

  o Minor feature (python scripts):
- Stop assuming that /usr/bin/python exists. Instead of using a
  hardcoded path in scripts that still use Python 2, use
  /usr/bin/env, similarly to the scripts that use Python 3. Fixes
  bug 33192; bugfix on 0.4.2.

  o Minor features (client-only compilation):
- Disable more code related to the ext_orport protocol when
  compiling without support for relay mode. Closes ticket 33368.
- Disable more of our self-testing code when support for relay mode
  is disabled. Closes ticket 33370.

  o Minor features (code safety):
- Check for failures of tor_inet_ntop() and tor_inet_ntoa()
  functions in DNS and IP address processing code, and adjust
  codepaths to make them less likely to crash entire Tor instances.
  Resolves issue 33788.

  o Minor features (compilation size):
- Most server-side DNS code is now disabled when building without
  support for relay mode. Closes ticket 33366.

  o Minor features (continuous integration):
- Run unit-test and integration test (Stem, Chutney) jobs with
  ALL_BUGS_ARE_FATAL macro being enabled on Travis and Appveyor.
  Resolves ticket 32143.

  o Minor features (control port):
- Return a descriptive error message from the 'GETINFO status/fresh-
  relay-descs' command on the control port. Previously, we returned
  a generic error of "Error generating descriptor". Closes ticket
  32873. Patch by Neel Chauhan.

  o Minor features (developer tooling):
- Refrain from listing all .a files that are generated by the Tor
  build in .gitignore. Add a single wildcard *.a entry that covers
  all of them for present and future. Closes ticket 

Re: [tor-talk] Tor Post-Quantum Cryptography

[Nick Mathewson]

On Sun, May 3, 2020 at 6:42 PM bo0od  wrote:
>
> I wonder if Tor has a roadmap for applying pqc into their design, great
> to see that some projects trying to add it for experimental state:
>

Hi!  There are several proposals for this:

https://gitweb.torproject.org/torspec.git/tree/proposals/263-ntru-for-pq-handshake.txt
https://gitweb.torproject.org/torspec.git/tree/proposals/269-hybrid-handshake.txt
https://gitweb.torproject.org/torspec.git/tree/proposals/270-newhope-hybrid-handshake.txt

We don't have a current implementation timeline for these.  Step one
in any one of them would be implementing:

https://gitweb.torproject.org/torspec.git/tree/proposals/249-large-create-cells.txt

or something similar such as:

https://github.com/nmathewson/walking-onions-wip/blob/master/other-proposals/xxx-wide-everything.md

hth,
-- 
Nick
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

[tor-talk] Tor Post-Quantum Cryptography

[bo0od]

I wonder if Tor has a roadmap for applying pqc into their design, great 
to see that some projects trying to add it for experimental state:


- OpenSSH  https://www.openssh.com/releasenotes.html

"* ssh(1), sshd(8): Add experimental quantum-computing resistant
   key exchange method, based on a combination of Streamlined NTRU
   Prime 4591^761 and X25519."

- Wireguard 
https://www.wireguard.com/protocol/#Key_Exchange_and_Data_Packets


- TLS:

Benchmarking post-quantum cryptography in TLS: 
https://www.douglas.stebila.ca/research/papers/PQCrypto-PaqSteTam20/


Hybrid key exchange in TLS 1.3: 
https://www.douglas.stebila.ca/research/papers/draft-ietf-tls-hybrid-design/


- C library: https://github.com/open-quantum-safe/liboqs

--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor browser 9.0.7 is broken

[Nicolas Vigier]

On Tue, 24 Mar 2020, Robin Lee wrote:

> Hi
> 
> I just updated to Tor browser 9.0.7 and now any site that I've given
> javascript permission to no longer works! For example I go to 
> https://protonirockerxow.onion and the website says I should enable
> javascript, but I already added this site to the ones that can send
> javascript and Tor browser tells me that it has blocked 0 items.

Tor Browser 9.0.7 is now disabling javascript completely when selecting
the Safest security level, which also prevents using noscript to allow
some javascript to run:
https://blog.torproject.org/new-release-tor-browser-907

The reason we did this change is that a bug in Firefox ESR might allow
bypassing Noscript. Although Noscript now includes some workarounds to
prevent that from happenning, but we don't know if that is enough.

If you want to allow javascript on a specific website, I think there
are two main options:

 - set javascript.enabled and use noscript configuration to allow
   javascript on some specific website, and accept the risk that some
   other website might be able to bypass noscript.

 - change the security level before visiting the website where you want
   javascript. But also remember that the security level applies to all
   open tabs, so you should not forget to change it back to Safest
   before visiting other websites.

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

[tor-talk] Tor browser 9.0.7 is broken

[Robin Lee]

Hi

I just updated to Tor browser 9.0.7 and now any site that I've given
javascript permission to no longer works! For example I go to 
https://protonirockerxow.onion and the website says I should enable
javascript, but I already added this site to the ones that can send
javascript and Tor browser tells me that it has blocked 0 items.

How can I downgrade to resolve this quickly?

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

[tor-talk] Tor Browser without Tor

[proc...@riseup.net]

Whonix now provides a hardened vanilla Debian spin (no Tor used) that
ships a version of Tor Browser that is exactly this. It is rebranded so
people are not confused about what it does.

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

[tor-talk] Tor Speculated Broken by FBI Etc - Freedom Hosting, MITTechReview - Magneto

[proc...@riseup.net]

FYI, we now deploy Tor Vanguards in Whonix GW as of the latest release.

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] [tor-relays] Would you place your secrets or in worst case make your life

[grarpamp]

>> On 13 Feb 2020, at 22:05, zwiebeln  wrote:
>> Would you place your secrets or in worst case make your life
>> depended on a network that is 21 percent controlled by a single person
>> that you don't know?
>>
>> https://nusenu.github.io/OrNetStats/allexitfamilies
>>
>> I think we should start an open debate on that fact, best ending up with
>> giving some recommendations. I am sure that question is relevant to
>> torproject.org as well.

Given an overlay network offering certain degrees of
say security / bandwidth / latency can be comparatively
inverse degree to clearnet...

> "Let's encourage people to run more relays."

Depending what is sought, that can be of limited help. See
traffic analysis of gravity wells, the voids and densities between.
Nor are people validating "people", so Sybil abounds.

> Or ask for help improving your consensus weight?

Manual central / "decentral" manipulation, over unknowns,
by unknowns, can be of of limited trust... compare to
distributed random chance.

> It's also important to keep network risks in perspective:
> * 99% of relays run Linux, and a significant number of those are Debian
>   https://metrics.torproject.org/platforms.html

If an overlay wants to steer diversity there, its community
should be working ports to other non-Linux OS kernels,
and informing selection for that via notes in highly user
visible places about it.

There was a BSD group that grew and reported success
some years ago. It is a great platform that could easily
be ramped up.

> * there is 1 bridge authority (100%), 6 bandwidth authorities (17%),
>   and 9 directory authorities (11%)

Users don't see them, so they have no oppurtunity to consider
trust them over say distributed design that transforms
most central management into selectable subscriptions model
users can choose from and contribute to. A lot of potential
models there aren't really explored by projects due to central
being default think, easier, cheaper, faster, and distributed
often being roughly equivalent in similar areas.

>   * the consensus algorithm tries to limit the risks of one directory
> authority influencing large parts of the tor network, and manual
> bridge distribution limits the impact of the bridge authority

> * the largest ASes have:

Physical control of machines and traffic data.
Overlay communities must effort to shop for hosts if they want
to diversify that, and run nodes at home where comfortable.

And beware of Tier-1 default path rollup. Interesting approach
would be overlays deploying peering path aware modular router
into nodes, integration of radio and physical mesh networks, etc.

Global telecoms are not your friends. At least not hardly until
they start encrypting their links, publicly fighting "requests"
and lobbying vocally for you.

Better off to start building physical p2p networks around them.
Same idea as cryptocurrency.

>   https://metrics.torproject.org/

Yes things like this are not only handy and interesting
good work and research areas, but offer food for thought
to the entire network overlay space as it pursues whatever
current work and future designs may come.
Hopefully all projects in the space can contribute their own
research and find and take each others into consideration
where useful.

> There are all kinds of risks that happen when a large part of the
> network has a similar setup:

...

> I'll also ask our new Network Health team to consider the risk of
> large operators and large ASes.

Not a new problem, been analysed by the space since years.

> But ultimately, if we doubled tor's exit bandwidth, this issue would
> go away. That's the best solution to this problem.

Not necessarily. OP generally alluded to selection gravity wells
and the way that relates to trust, adversary, analysis aspects.
More nodes of particular bandwidth could flatten distribution
and performance, while affecting network analysis properties
in some not so good ways.
Simply adding more bandwidth and or relays under the
current design and operation will not much change those
elements and interactions.
Weighting for "busy nodes good" also a bit of assumptive
dance bet around *PA traffic analysis and Sybil problems.
It's fine to chase diminishing returns there if desired.

Yet also perhaps time for at least a good portion of the researchers
and projects in overlay space to form and renew efforts around both
dormant old and novel new work towards attacking those
two problems directly in new design and operation models.



[Moving to tor-talk as not strictly relay topic]
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor Speculated Broken by FBI Etc - Freedom Hosting, MITTechReview - Magneto

[Mirimir]

On 02/09/2020 12:19 PM, Felix wrote:
> Hi everybody
> 
> Am 2020-02-09 um 12:40 PM schrieb grarpamp:
>> Given the variety of known weaknesses, exploits, categories
>> of papers, and increasing research efforts against tor and
>> overlay networks in general, and the large number of these
>> "mystery gaps" type of articles (some court cases leaving hardly
>> any other conclusion with fishy case secrecy, dismissals, etc)...
>> the area of speculative brokeness and parallel construction
>> seems to deserve serious investigative fact finding project of
>> global case collation, interview, analysis to better characterize.
> ...
>> Early on August 2 or 3, 2013, some of the users noticed “unknown
>> Javascript” hidden in websites running on Freedom Hosting. Hours
>> later, as panicked chatter about the new code began to spread, the
>> sites all went down simultaneously. The code had attacked a Firefox
>> vulnerability that could target and unmask Tor users—even those using
>> it for legal purposes such as visiting Tor Mail—if they failed to
>> update their software fast enough.
>>
>> While in control of Freedom Hosting, the agency then used malware that
>> probably touched thousands of computers. The ACLU criticized the FBI
>> for indiscriminately using the code like a “grenade.”
>>
>> The FBI had found a way to break Tor’s anonymity protections, but the
>> technical details of how it happened remain a mystery.
> 
> https://www.wired.com/threatlevel/2013/09/freedom-hosting-fbi/
> 
> A malicious route around Tor was/is solvable by keeping the system
> updated or by the use of techniques like Whonix or Tails.
> 
> -- 
> Cheers, Felix

That depends.

Whonix would protect users against malware that bypasses Tor browser.
Perhaps Tails would as well, given its iptables rules, but arguably not
as well as Whonix does. Because in Whonix, Tor client and apps are in
separate VMs, and there's no forwarding from the workstation VM, just
SocksPorts exposed to it on the gateway VM.

And onion services could also use Whonix, or at least the basic concept
of Whonix, implemented in KVM or VBox VMs on the server. Onion services
on Tails would be harder, but probably doable.

However, neither Whonix or Tails would protect users or onion services
against attacks that manipulate Tor clients into using malicious guards.
And once an adversary controls the guard, it knows the IP address of the
user or server. Tails might even be more vulnerable, because it picks
new guards at each boot.

As far as I know, there just two ways to defend against attacks via
malicious guards. One is using vanguards.[0,1] The other is simply
hiding the user's or server's IP address from the guard, using a VPN
service, or a nested VPN chain.

0) https://github.com/mikeperry-tor/vanguards/
1) https://lists.torproject.org/pipermail/tor-dev/2020-February/014156.html


-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor Speculated Broken by FBI Etc - Freedom Hosting, MITTechReview - Magneto

[Felix]

Hi everybody

Am 2020-02-09 um 12:40 PM schrieb grarpamp:

Given the variety of known weaknesses, exploits, categories
of papers, and increasing research efforts against tor and
overlay networks in general, and the large number of these
"mystery gaps" type of articles (some court cases leaving hardly
any other conclusion with fishy case secrecy, dismissals, etc)...
the area of speculative brokeness and parallel construction
seems to deserve serious investigative fact finding project of
global case collation, interview, analysis to better characterize.

...

Early on August 2 or 3, 2013, some of the users noticed “unknown
Javascript” hidden in websites running on Freedom Hosting. Hours
later, as panicked chatter about the new code began to spread, the
sites all went down simultaneously. The code had attacked a Firefox
vulnerability that could target and unmask Tor users—even those using
it for legal purposes such as visiting Tor Mail—if they failed to
update their software fast enough.

While in control of Freedom Hosting, the agency then used malware that
probably touched thousands of computers. The ACLU criticized the FBI
for indiscriminately using the code like a “grenade.”

The FBI had found a way to break Tor’s anonymity protections, but the
technical details of how it happened remain a mystery.


https://www.wired.com/threatlevel/2013/09/freedom-hosting-fbi/

A malicious route around Tor was/is solvable by keeping the system
updated or by the use of techniques like Whonix or Tails.

--
Cheers, Felix
--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

[tor-talk] Tor Speculated Broken by FBI Etc - Freedom Hosting, MITTechReview

[grarpamp]

https://www.technologyreview.com/s/615163/a-dark-web-tycoon-pleads-guilty-but-how-was-he-caught
https://twitter.com/techreview/status/1226212530856611840
https://www.courtlistener.com/recap/gov.uscourts.mdd.451238/gov.uscourts.mdd.451238.57.0.pdf
https://www.courtlistener.com/recap/gov.uscourts.mdd.247657/gov.uscourts.mdd.247657.13.1.pdf
https://arstechnica.com/tech-policy/2017/03/doj-drops-case-against-child-porn-suspect-rather-than-disclose-fbi-hack/
http://darknetq7skv7hgo.onion/

Given the variety of known weaknesses, exploits, categories
of papers, and increasing research efforts against tor and
overlay networks in general, and the large number of these
"mystery gaps" type of articles (some court cases leaving hardly
any other conclusion with fishy case secrecy, dismissals, etc)...
the area of speculative brokeness and parallel construction
seems to deserve serious investigative fact finding project of
global case collation, interview, analysis to better characterize.


Feb 8, 2020
A dark web tycoon pleads guilty. But how was he caught?
The FBI found Eric Marques by breaking the famed anonymity service
Tor, and officials won’t reveal if a vulnerability was used. That has
activists and lawyers concerned.

When the enterprising cybercriminal Eric Eoin Marques pleaded guilty
in an American court this week, it was meant to bring closure to a
seven-year-long international legal struggle centered on his dark web
empire.

In the end, it did anything but.

Marques faces up to 30 years in jail for running Freedom Hosting,
which temporarily existed beyond reach of the law and ended up being
used to host drug markets, money-laundering operations, hacking
groups, and millions of images of child abuse. But there is still one
question that police have yet to answer: How exactly were they able to
catch him? Investigators were somehow able to break the layers of
anonymity that Marques had constructed, leading them to locate a
crucial server in France. This discovery eventually led them to
Marques himself, who was arrested in Ireland in 2013.

Marques was the first in a line of famous cybercriminals to be caught
despite believing that using the privacy-shielding anonymity network
Tor would make them safe behind their keyboards. The case demonstrates
that government agencies can trace suspects through networks that were
designed to be impenetrable.

Marques has blamed the American NSA’s world-class hackers, but the FBI
has also been building up its efforts since 2002. And, some observers
say, they often withhold key details of their investigations from
defendants and judges alike—secrecy that could have wide-ranging
cybersecurity implications across the internet.

“The overarching question is when are criminal defendants entitled to
information about how law enforcement located them?” asks Mark Rumold,
a staff attorney at the Electronic Frontier Foundation, an
organization that promotes online civil liberties. “It does a
disservice to our criminal justice system when the government hides
techniques of investigation from public and criminal defendants.
Oftentimes the reason they do this kind of obscuring is because the
technique they use is questionable legally or might raise questions in
the public’s mind about why they were doing it. While it’s common for
them to do this, I don’t think it benefits anyone.”

Freedom Hosting was an anonymous and illicit cloud computing company
running what some estimated to be up to half of all dark web sites in
2013. The operation existed entirely on the anonymity network Tor and
was used for a wide range of illegal activity, including the hacking
and fraud forum HackBB and money-laundering operations including the
Onion Bank. It also maintained servers for the legal email service Tor
Mail and the singularly strange encyclopedia Hidden Wiki.

But it was the hosting of sites used for photos and videos of child
exploitation that attracted the most hostile government attention.
When Marques was arrested in 2013, the FBI called him the “largest
facilitator” of such images “on the planet.”

Early on August 2 or 3, 2013, some of the users noticed “unknown
Javascript” hidden in websites running on Freedom Hosting. Hours
later, as panicked chatter about the new code began to spread, the
sites all went down simultaneously. The code had attacked a Firefox
vulnerability that could target and unmask Tor users—even those using
it for legal purposes such as visiting Tor Mail—if they failed to
update their software fast enough.

While in control of Freedom Hosting, the agency then used malware that
probably touched thousands of computers. The ACLU criticized the FBI
for indiscriminately using the code like a “grenade.”

The FBI had found a way to break Tor’s anonymity protections, but the
technical details of how it happened remain a mystery.

“Perhaps the greatest overarching question related to the
investigation of this case is how the government was able to pierce
Tor’s veil of anonymity and 

Re: [tor-talk] Tor and sources.list

[Roger Dingledine]

On Tue, Feb 04, 2020 at 11:14:14PM -, mimb...@danwin1210.me wrote:
> I ran the commands from the Ubuntu section of
> https://2019.www.torproject.org/docs/debian.html.en and it updated to
> 0.4.2.6.

Yep. The Tor 0.4.2.6 debs have now arrived in Debian as well as
deb.torproject.org.

I talked to the maintainer and he said they were held up due to a bug
in the arm64 builder (arm as in the cpu architecture, not arm as in the
deprecated tor controller). The packages should be all set now.

> Also, my /etc/torrc file (for tor not for the TBB) says:
> 
> ## Configuration file for a typical Tor user
> ## Last updated 9 October 2013 for Tor 0.2.5.2-alpha.
> ## (may or may not work for much older or much newer versions of Tor.)
> 
> All entries are ##'d out. Is it outdated? Do I need to do anything?
> 
> Thanks again.

It should be fine.

We try to change /etc/tor/torrc as infrequently as possible, because
every time we make even a tiny change, every single person who upgrades
and has modified their torrc file gets presented with a "how do you want
to handle this diff" question, and it's easy to make the wrong choice
and end up confused.

--Roger

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor and sources.list

[mimble9]

I ran the commands from the Ubuntu section of
https://2019.www.torproject.org/docs/debian.html.en and it updated to
0.4.2.6.

Also, my /etc/torrc file (for tor not for the TBB) says:

## Configuration file for a typical Tor user
## Last updated 9 October 2013 for Tor 0.2.5.2-alpha.
## (may or may not work for much older or much newer versions of Tor.)

All entries are ##'d out. Is it outdated? Do I need to do anything?

Thanks again.


On Mon, February 3, 2020 8:04 am, Roger Dingledine wrote:
> On Mon, Feb 03, 2020 at 02:02:54AM -, mimb...@danwin1210.me wrote:
>
>> In my /etc/apt/sources.list I have:
>>
>>
>> deb https://deb.torproject.org/torproject.org bionic main deb-src
>> https://deb.torproject.org/torproject.org bionic main
>>
>>
>> My version of tor is 0.4.2.5. Am I correct that, at some point, it will
>>  automatically update to 0.4.2.6 thanks to the above entries in
>> sources.list?
>
> I'm expecting it to work this way, yes. Or at least, I've been patiently
> waiting for my 0.4.2.6 deb too. :)
>
> I expect that the workflow involves the real Tor deb going through the
> general Debian process, and then once it is available in the real Debian
> repositories (even if it's just the unstable ones), then the packages get
> mirrored onto deb.torproject.org.
>
> So, give it a couple of days and hopefully it will appear.
>
>
> --Roger
>
>
> --
> tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or
> change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>
>


-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor Browser without Tor

[Jason Evans]

On 2/3/20 11:38 AM, Roger Dingledine wrote

You should really avoid making exceptions to the proxy rules for Tor
Browser. If you let your browser connect to local services, that opens
the door for remote websites, which you access over Tor, to give you
instructions (e.g. via javascript, but not only via javascript) to make
local connections and then send that info back to the website.


Hi Roger,

Thanks for the info. I have passed it on to Stack Exchange. 
https://tor.stackexchange.com/questions/20854/exclude-ip-addresses-where-has-it-gone/20868


Jason
--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor Browser without Tor

[d...@foundingdocuments.org]

For best practices sake, I found it a good idea to double check my settings; 
since the GUI in the Preferences is no longer there. 

Typing “about:config” in the address bar, then typing “proxy.n” was the fastest 
way to bring up that option. 

Context-click/Right-click on that line, a menu pops up, choose Reset. This 
cleared the Value field. 

Also, I tested changing the IP Address CIDR notation to “/0" (zero), and that 
worked too.  
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor Browser without Tor

[Roger Dingledine]

On Sun, Feb 02, 2020 at 01:16:24PM +0100, Jason Evans wrote:
> A similar question that was asked recently is, "how can I connect to local
> IPs with the Tor Browser?". For example, my home SAN is on 192.168.1.X and
> it's not reachable with the Tor Browser.
>[...]
>  Firefox still has an "No proxy for"
> section on its proxy page. However Tor Browser no longer has that section. Do
> you know of any way to use that functionality or is that just gone now?

You should really avoid making exceptions to the proxy rules for Tor
Browser. If you let your browser connect to local services, that opens
the door for remote websites, which you access over Tor, to give you
instructions (e.g. via javascript, but not only via javascript) to make
local connections and then send that info back to the website.

In the most benign case, you're setting yourself up with a tracking marker
("there's that weird person who allowed connections to 192.168.1.1
again"). In worse cases, you're opening yourself up to permissions
surprises and attacks that start with the word "cross-site" or
"cross-protocol".

For an early example of a similar bug that bit Tor users, see
https://lists.torproject.org/pipermail/tor-announce/2007-September/78.html

All of that said, if you still want to shoot your feet off: in
about:config, there's a network.proxy.no_proxies_on option that you
can set.

For even more details, new in ESR68, there is now a
network.proxy.allow_hijacking_localhost option, which we needed to fix
for Tor Browser:
https://bugs.torproject.org/31065

Good luck!
--Roger

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor Browser without Tor

[Jason Evans]

On 2/3/20 8:29 AM, Mirimir wrote:

Cheers,
Open about:config, and search "extensions.torlauncher".

Set "extensions.torlauncher.prompt_at_startup" to false.

Set "extensions.torlauncher.start_tor" to false.

Now Tor browser won't start Tor.


Thanks for the reply!

Any idea about the second question? Firefox still has an "No proxy for" 
section on its proxy page. However Tor Browser no longer has that 
section. Do you know of any way to use that functionality or is that 
just gone now?


Jason

--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor and sources.list

[Roger Dingledine]

On Mon, Feb 03, 2020 at 02:02:54AM -, mimb...@danwin1210.me wrote:
> In my /etc/apt/sources.list I have:
> 
> deb https://deb.torproject.org/torproject.org bionic main
> deb-src https://deb.torproject.org/torproject.org bionic main
> 
> My version of tor is 0.4.2.5. Am I correct that, at some point, it will
> automatically update to 0.4.2.6 thanks to the above entries in
> sources.list?

I'm expecting it to work this way, yes. Or at least, I've been patiently
waiting for my 0.4.2.6 deb too. :)

I expect that the workflow involves the real Tor deb going through the
general Debian process, and then once it is available in the real Debian
repositories (even if it's just the unstable ones), then the packages
get mirrored onto deb.torproject.org.

So, give it a couple of days and hopefully it will appear.

--Roger

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor and sources.list

[Mirimir]

On 02/02/2020 07:02 PM, mimb...@danwin1210.me wrote:
> In my /etc/apt/sources.list I have:
> 
> deb https://deb.torproject.org/torproject.org bionic main
> deb-src https://deb.torproject.org/torproject.org bionic main
> 
> My version of tor is 0.4.2.5. Am I correct that, at some point, it will
> automatically update to 0.4.2.6 thanks to the above entries in
> sources.list?
> 
> Thanks!

You also need apt-transport-https and the Tor repo's gpg key. Plus
deb.torproject.org-keyring to keep the key current.

The full instructions are here:
https://2019.www.torproject.org/docs/debian.html.en
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor Browser without Tor

[Mirimir]

On 02/02/2020 04:12 PM, Jeremy Rand wrote:
> Jason Evans:
>> Hi all,
>>
>> This is a question that we get from time to time in the Stack Exchange
>> group. Can I use Tor Browser without without actually using the  Tor
>> network? For example, I want to use the browser for checking my back
>> account but I can't because my bank doesn't allow traffic from exit nodes.
>>
>> A similar question that was asked recently is, "how can I connect to
>> local IPs with the Tor Browser?". For example, my home SAN is on
>> 192.168.1.X and it's not reachable with the Tor Browser.
>>
>> Thanks!
>>
>> Jason
> 
> Tor Browser, last I checked, has a transproxy mode (enabled via an
> environment variable) that I suspect would make it work fine without
> Tor.  No idea if it's documented properly; I've only seen it mentioned
> on the Whonix wiki (in the "disable stream isolation" docs).
> 
> Cheers,

Open about:config, and search "extensions.torlauncher".

Set "extensions.torlauncher.prompt_at_startup" to false.

Set "extensions.torlauncher.start_tor" to false.

Now Tor browser won't start Tor.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

[tor-talk] Tor and sources.list

[mimble9]

In my /etc/apt/sources.list I have:

deb https://deb.torproject.org/torproject.org bionic main
deb-src https://deb.torproject.org/torproject.org bionic main

My version of tor is 0.4.2.5. Am I correct that, at some point, it will
automatically update to 0.4.2.6 thanks to the above entries in
sources.list?

Thanks!

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor Browser without Tor

[Jeremy Rand]

Jason Evans:
> Hi all,
> 
> This is a question that we get from time to time in the Stack Exchange
> group. Can I use Tor Browser without without actually using the  Tor
> network? For example, I want to use the browser for checking my back
> account but I can't because my bank doesn't allow traffic from exit nodes.
> 
> A similar question that was asked recently is, "how can I connect to
> local IPs with the Tor Browser?". For example, my home SAN is on
> 192.168.1.X and it's not reachable with the Tor Browser.
> 
> Thanks!
> 
> Jason

Tor Browser, last I checked, has a transproxy mode (enabled via an
environment variable) that I suspect would make it work fine without
Tor.  No idea if it's documented properly; I've only seen it mentioned
on the Whonix wiki (in the "disable stream isolation" docs).

Cheers,
-- 
-Jeremy Rand
Lead Application Engineer at Namecoin
Mobile email: jeremyrandmob...@airmail.cc
Mobile OpenPGP: 2158 0643 C13B B40F B0FD 5854 B007 A32D AB44 3D9C
Send non-security-critical things to my Mobile with OpenPGP.
Please don't send me unencrypted messages.
My business email jer...@veclabs.net is having technical issues at the
moment.



signature.asc
Description: OpenPGP digital signature
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

[tor-talk] Tor Browser without Tor

[Jason Evans]

Hi all,

This is a question that we get from time to time in the Stack Exchange 
group. Can I use Tor Browser without without actually using the  Tor 
network? For example, I want to use the browser for checking my back 
account but I can't because my bank doesn't allow traffic from exit nodes.


A similar question that was asked recently is, "how can I connect to 
local IPs with the Tor Browser?". For example, my home SAN is on 
192.168.1.X and it's not reachable with the Tor Browser.


Thanks!

Jason

--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor vs Tor Browser

[Roger Dingledine]

On Sat, Jan 18, 2020 at 07:01:07AM +, Jason Long wrote:
> Hello,In the Tor Browser, we have some options like "Security Level". How 
> about Tor in CLI? How can I define it?

The "security slider" in Tor Browser is about disabling pieces of browser
functionality, to reduce surface area. Another name for it that might
give a better intuition would be "functionality filter". It is entirely
about stuff inside the browser, like whether it renders certain image
formats, whether it runs scripts, etc.

There is no equivalent of that "disabling application level pieces" idea
for the program called Tor: Tor just moves bytes back and forth for you,
and aims to give you good security by default.

(You will find advice on random websites out there, to add fifty new
lines to your torrc or something. Those guides are usually bad ideas.
Tor's defaults aim to keep most people safe, and since anonymity loves
company, you are probably better off blending in with the crowds.)

--Roger

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

[tor-talk] Tor vs Tor Browser

[Jason Long]

Hello,In the Tor Browser, we have some options like "Security Level". How about 
Tor in CLI? How can I define it?
Thank you.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

[tor-talk] Tor 0.4.2.4-rc is released

[Nick Mathewson]

Hi, all!

There's a new Tor release candidate! Because it's a release candidate,
we'd really like to know about any remaining bugs in it, so we can try
to fix them before calling the series stable.  As usual you can report
bugs on trac.torproject.org.

The source code is available from the usual place at
https://www.torproject.org/download/tor/; if you build Tor from
source, why not give it a try? And if you don't build Tor from source,
packages should be ready over the coming days, with a Tor Browser
alpha release likely by December 3.

Here's what's new:

Changes in version 0.4.2.4-rc - 2019-11-15
  Tor 0.4.2.4-rc is the first release candidate in its series. It fixes
  several bugs from earlier versions, including a few that would result in
  stack traces or incorrect behavior.

  o Minor features (build system):
- Make pkg-config use --prefix when cross-compiling, if
  PKG_CONFIG_PATH is not set. Closes ticket 32191.

  o Minor features (geoip):
- Update geoip and geoip6 to the November 6 2019 Maxmind GeoLite2
  Country database. Closes ticket 32440.

  o Minor bugfixes (client, onion service v3):
- Fix a BUG() assertion that occurs within a very small race window
  between when a client intro circuit opens and when its descriptor
  gets cleaned up from the cache. The circuit is now closed early,
  which will trigger a re-fetch of the descriptor and continue the
  connection. Fixes bug 28970; bugfix on 0.3.2.1-alpha.

  o Minor bugfixes (code quality):
- Fix "make check-includes" so it runs correctly on out-of-tree
  builds. Fixes bug 31335; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (configuration):
- Log the option name when skipping an obsolete option. Fixes bug
  32295; bugfix on 0.4.2.1-alpha.

  o Minor bugfixes (crash):
- When running Tor with an option like --verify-config or
  --dump-config that does not start the event loop, avoid crashing
  if we try to exit early because of an error. Fixes bug 32407;
  bugfix on 0.3.3.1-alpha.

  o Minor bugfixes (directory):
- When checking if a directory connection is anonymous, test if the
  circuit was marked for close before looking at its channel. This
  avoids a BUG() stacktrace if the circuit was previously closed.
  Fixes bug 31958; bugfix on 0.4.2.1-alpha.

  o Minor bugfixes (shellcheck):
- Fix minor shellcheck errors in the git-*.sh scripts. Fixes bug
  32402; bugfix on 0.4.2.1-alpha.
- Start checking most scripts for shellcheck errors again. Fixes bug
  32402; bugfix on 0.4.2.1-alpha.

  o Testing (continuous integration):
- Use Ubuntu Bionic images for our Travis CI builds, so we can get a
  recent version of coccinelle. But leave chutney on Ubuntu Trusty,
  until we can fix some Bionic permissions issues (see ticket
  32240). Related to ticket 31919.
- Install the mingw OpenSSL package in Appveyor. This makes sure
  that the OpenSSL headers and libraries match in Tor's Appveyor
  builds. (This bug was triggered by an Appveyor image update.)
  Fixes bug 32449; bugfix on 0.3.5.6-rc.
- In Travis, use Xcode 11.2 on macOS 10.14. Closes ticket 32241.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

[tor-talk] Tor 0.4.2.3-alpha is released

[Nick Mathewson]

Hi, all!

There's a new alpha Tor release! Because it's an alpha, you should
only run it if you're ready to find more bugs than usual, and report
them on trac.torproject.org.

The source code is available from the usual place on
www.torproject.org; if you build Tor from source, why not give it a
try? And if you don't build Tor from source, packages should be ready
over the coming days, with a Tor Browser alpha release likely in a
couple of weeks.

Here's what's new:

Changes in version 0.4.2.3-alpha - 2019-10-24
  This release fixes several bugs from the previous alpha release, and
  from earlier versions of Tor.

  o Major bugfixes (relay):
- Relays now respect their AccountingMax bandwidth again. When
  relays entered "soft" hibernation (which typically starts when
  we've hit 90% of our AccountingMax), we had stopped checking
  whether we should enter hard hibernation. Soft hibernation refuses
  new connections and new circuits, but the existing circuits can
  continue, meaning that relays could have exceeded their configured
  AccountingMax. Fixes bug 32108; bugfix on 0.4.0.1-alpha.

  o Major bugfixes (v3 onion services):
- Onion services now always use the exact number of intro points
  configured with the HiddenServiceNumIntroductionPoints option (or
  fewer if nodes are excluded). Before, a service could sometimes
  pick more intro points than configured. Fixes bug 31548; bugfix
  on 0.3.2.1-alpha.

  o Minor feature (onion services, control port):
- The ADD_ONION command's keyword "BEST" now defaults to ED25519-V3
  (v3) onion services. Previously it defaulted to RSA1024 (v2).
  Closes ticket 29669.

  o Minor features (testing):
- When running tests that attempt to look up hostnames, replace the
  libc name lookup functions with ones that do not actually touch
  the network. This way, the tests complete more quickly in the
  presence of a slow or missing DNS resolver. Closes ticket 31841.

  o Minor features (testing, continuous integration):
- Disable all but one Travis CI macOS build, to mitigate slow
  scheduling of Travis macOS jobs. Closes ticket 32177.
- Run the chutney IPv6 networks as part of Travis CI. Closes
  ticket 30860.
- Simplify the Travis CI build matrix, and optimise for build time.
  Closes ticket 31859.
- Use Windows Server 2019 instead of Windows Server 2016 in our
  Appveyor builds. Closes ticket 32086.

  o Minor bugfixes (build system):
- Interpret "--disable-module-dirauth=no" correctly. Fixes bug
  32124; bugfix on 0.3.4.1-alpha.
- Interpret "--with-tcmalloc=no" correctly. Fixes bug 32124; bugfix
  on 0.2.0.20-rc.
- Stop failing when jemalloc is requested, but tcmalloc is not
  found. Fixes bug 32124; bugfix on 0.3.5.1-alpha.
- When pkg-config is not installed, or a library that depends on
  pkg-config is not found, tell the user what to do to fix the
  problem. Fixes bug 31922; bugfix on 0.3.1.1-alpha.

  o Minor bugfixes (connections):
- Avoid trying to read data from closed connections, which can cause
  needless loops in Libevent and infinite loops in Shadow. Fixes bug
  30344; bugfix on 0.1.1.1-alpha.

  o Minor bugfixes (error handling):
- Always lock the backtrace buffer before it is used. Fixes bug
  31734; bugfix on 0.2.5.3-alpha.

  o Minor bugfixes (mainloop, periodic events, in-process API):
- Reset the periodic events' "enabled" flag when Tor is shut down
  cleanly. Previously, this flag was left on, which caused periodic
  events not to be re-enabled when Tor was relaunched in-process
  with tor_api.h after a shutdown. Fixes bug 32058; bugfix
  on 0.3.3.1-alpha.

  o Minor bugfixes (process management):
- Remove overly strict assertions that triggered when a pluggable
  transport failed to launch. Fixes bug 31091; bugfix
  on 0.4.0.1-alpha.
- Remove an assertion in the Unix process backend. This assertion
  would trigger when we failed to find the executable for a child
  process. Fixes bug 31810; bugfix on 0.4.0.1-alpha.

  o Minor bugfixes (testing):
- Avoid intermittent test failures due to a test that had relied on
  inconsistent timing sources. Fixes bug 31995; bugfix
  on 0.3.1.3-alpha.
- When testing port rebinding, don't busy-wait for tor to log.
  Instead, actually sleep for a short time before polling again.
  Also improve the formatting of control commands and log messages.
  Fixes bug 31837; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (tls, logging):
- Log bugs about the TLS read buffer's length only once, rather than
  filling the logs with similar warnings. Fixes bug 31939; bugfix
  on 0.3.0.4-rc.

  o Minor bugfixes (v3 onion services):
- Fix an implicit conversion from ssize_t to size_t discovered by
  Coverity. Fixes bug 31682; bugfix on 0.4.2.1-alpha.
- Fix a memory leak in an 

Re: [tor-talk] Tor Browser missing from github

[Hiro]

On 10/4/19 5:06 PM, bo0od wrote:
> Hi There,
>
> in this section https://github.com/TheTorProject/gettorbrowser there was
> Tor Browser releases now its missing so any idea why is that ? is there
> new website shifted to it?

hi,

I had an issue with quota while uploading the new releases that we are
trying to solve.

Here are other places where you can find Tor Browser releases

- gitlab: 
https://gitlab.com/thetorproject/gettorbrowser/tree/torbrowser-releases

- Internet Archive: https://archive.org/details/@gettor

- Google Drive folder: 
https://drive.google.com/open?id=13CADQTsCwrGsIID09YQbNz2DfRMUoxUU

Talk soon,
-hiro

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

[tor-talk] Tor 0.4.2.2-alpha is released

[Nick Mathewson]

Hi, all!

There's a new alpha Tor release! Because it's an alpha, you should
only run it if you're ready to find more bugs than usual, and report
them on trac.torproject.org.

The source code is available from the usual place at
https://www.torproject.org/download/tor/; if you build Tor from
source, why not give it a try? And if you don't build Tor from source,
packages should be ready over the coming days, with a Tor Browser
alpha release likely in the next couple of weeks.

Here's what's new:

Changes in version 0.4.2.2-alpha - 2019-10-07
  This release fixes several bugs from the previous alpha release, and
  from earlier versions. It also includes a change in authorities, so
  that they begin to reject the currently unsupported release series.

  o Major features (directory authorities):
- Directory authorities now reject relays running all currently
  deprecated release series. The currently supported release series
  are: 0.2.9, 0.3.5, 0.4.0, 0.4.1, and 0.4.2. Closes ticket 31549.

  o Major bugfixes (embedded Tor):
- Avoid a possible crash when restarting Tor in embedded mode and
  enabling a different set of publish/subscribe messages. Fixes bug
  31898; bugfix on 0.4.1.1-alpha.

  o Major bugfixes (torrc parsing):
- Stop ignoring torrc options after an %include directive, when the
  included directory ends with a file that does not contain any
  config options (but does contain comments or whitespace). Fixes
  bug 31408; bugfix on 0.3.1.1-alpha.

  o Minor features (auto-formatting scripts):
- When annotating C macros, never generate a line that our check-
  spaces script would reject. Closes ticket 31759.
- When annotating C macros, try to remove cases of double-negation.
  Closes ticket 31779.

  o Minor features (continuous integration):
- When building on Appveyor and Travis, pass the "-k" flag to make,
  so that we are informed of all compilation failures, not just the
  first one or two. Closes ticket 31372.

  o Minor features (geoip):
- Update geoip and geoip6 to the October 1 2019 Maxmind GeoLite2
  Country database. Closes ticket 31931.

  o Minor features (maintenance scripts):
- Add a Coccinelle script to detect bugs caused by incrementing or
  decrementing a variable inside a call to log_debug(). Since
  log_debug() is a macro whose arguments are conditionally
  evaluated, it is usually an error to do this. One such bug was
  30628, in which SENDME cells were miscounted by a decrement
  operator inside a log_debug() call. Closes ticket 30743.

  o Minor features (onion services v3):
- Assist users who try to setup v2 client authorization in v3 onion
  services by pointing them to the right documentation. Closes
  ticket 28966.

  o Minor bugfixes (Appveyor continuous integration):
- Avoid spurious errors when Appveyor CI fails before the install
  step. Fixes bug 31884; bugfix on 0.3.4.2-alpha.

  o Minor bugfixes (best practices tracker):
- When listing overbroad exceptions, do not also list problems, and
  do not list insufficiently broad exceptions. Fixes bug 31338;
  bugfix on 0.4.2.1-alpha.

  o Minor bugfixes (controller protocol):
- Fix the MAPADDRESS controller command to accept one or more
  arguments. Previously, it required two or more arguments, and
  ignored the first. Fixes bug 31772; bugfix on 0.4.1.1-alpha.

  o Minor bugfixes (logging):
- Add a missing check for HAVE_PTHREAD_H, because the backtrace code
  uses mutexes. Fixes bug 31614; bugfix on 0.2.5.2-alpha.
- Disable backtrace signal handlers when shutting down tor. Fixes
  bug 31614; bugfix on 0.2.5.2-alpha.
- Rate-limit our the logging message about the obsolete .exit
  notation. Previously, there was no limit on this warning, which
  could potentially be triggered many times by a hostile website.
  Fixes bug 31466; bugfix on 0.2.2.1-alpha.
- When initialising log domain masks, only set known log domains.
  Fixes bug 31854; bugfix on 0.2.1.1-alpha.

  o Minor bugfixes (logging, protocol violations):
- Do not log a nonfatal assertion failure when receiving a VERSIONS
  cell on a connection using the obsolete v1 link protocol. Log a
  protocol_warn instead. Fixes bug 31107; bugfix on 0.2.4.4-alpha.

  o Minor bugfixes (modules):
- Explain what the optional Directory Authority module is, and what
  happens when it is disabled. Fixes bug 31825; bugfix
  on 0.3.4.1-alpha.

  o Minor bugfixes (multithreading):
- Avoid some undefined behaviour when freeing mutexes. Fixes bug
  31736; bugfix on 0.0.7.

  o Minor bugfixes (relay):
- Avoid crashing when starting with a corrupt keys directory where
  the old ntor key and the new ntor key are identical. Fixes bug
  30916; bugfix on 0.2.4.8-alpha.

  o Minor bugfixes (tests, SunOS):
- Avoid a map_anon_nofork test failure due to a signed/unsigned
 

[tor-talk] Tor Browser missing from github

[bo0od]

Hi There,

in this section https://github.com/TheTorProject/gettorbrowser there was
Tor Browser releases now its missing so any idea why is that ? is there
new website shifted to it?
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

[tor-talk] tor-browser with system tor, "authentication cookie with wrong length"

[matheu]

Hi!

I tried to use Debian system tor, instead of the bundled TBB tor.

(NOTE: I know it's not supported, won't take it hard if I do not get
much support. However, it's in the script below...)

First source for my experiments was the canonical start-tor-browser
script in tor-browser_en-US.
Followed it, and created this file:

-rw-r--r-- 1 nym nym 658 2018-03-29 10:07
tor-browser_en-US/Browser/TorBrowser/Data/Browser/profile.default/user.js
// as per start-tor-browser
user_pref("network.security.ports.banned", "9050,9051");
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 9050);
user_pref("extensions.torbutton.inserted_button", true);
user_pref("extensions.torbutton.launch_warning", false);
user_pref("extensions.torbutton.loglevel", 2);
user_pref("extensions.torbutton.logmethod", 0);
user_pref("extensions.torlauncher.control_port", 9051);
user_pref("extensions.torlauncher.loglevel", 2);
user_pref("extensions.torlauncher.logmethod", 0);
user_pref("extensions.torlauncher.prompt_at_startup", false);
user_pref("extensions.torlauncher.start_tor", false);

Second (major) source was:
https://trac.torproject.org/projects/tor/wiki/TorBrowserBundleSAQ

The user nym is memeber of group debian-tor:

$ groups nym
nym : nym mail cdrom floppy sudo audio [...] debian-tor [...]
(and I did not just log out and log in, I even rebooted, in vain hope...
so far... )

And also (but it's probably extra since the user.js does the same, I did
set the export lines from the "Seldom Asked Questions" above:

nym@ymous:~/tor-browser_en-US/Browser$ echo $TOR_CONTROL_COOKIE_AUTH_FILE
/run/tor/control.authcookie
nym@ymous:~/tor-browser_en-US/Browser$ echo $TOR_SOCKS_PORT
9050
nym@ymous:~/tor-browser_en-US/Browser$ echo $TOR_CONTROL_PORT
9051
nym@ymous:~/tor-browser_en-US/Browser$ echo $TOR_SKIP_LAUNCH
1
nym@ymous:~/tor-browser_en-US/Browser$

And, temporarily (the SafeLogging and the debug line), this is the:

$ cat /etc/tor/torrc
# This file was generated by Tor; if you edit it, comments will not be
preserved
# The old torrc file was renamed to torrc.orig.1 or similar, and Tor
will ignore it

SocksPort 9050 IPv6Traffic PreferIPv6 KeepAliveIsolateSOCKSAuth
ControlPort 9051
ExcludeExitNodes {??}
Log debug file /var/log/tor/log
SafeLogging 0
LogTimeGranularity 50

Launching Tor browser with

nym@ymous:~/tor-browser_en-US/Browser$ ./start-tor-browser

got me an all-in-red Tor browser window telling:

Something went wrong. (in huge print)
Tor is not working in this browser.

The lines that I got in the /var/log/tor/log and which correspond to the
failure are:

Aug 01 11:24:52.500 [notice] New control connection opened from 127.0.0.1.
Aug 01 11:24:52.500 [debug] connection_add_impl(): new conn type
Control, socket 12, address 127.0.0.1, n_conns 5.
Aug 01 11:24:52.850 [debug] conn_read_callback(): socket 12 wants to read.
Aug 01 11:24:52.850 [debug] read_to_chunk(): Read 43 bytes. 43 on inbuf.
Aug 01 11:24:52.850 [warn] Got authentication cookie with wrong length (8)
Aug 01 11:24:52.850 [debug] conn_close_if_marked(): Cleaning up
connection (fd 12).
Aug 01 11:24:52.850 [info] conn_close_if_marked(): Conn (addr
"127.0.0.1", fd 12, type Control, state 2) marked, but wants to flush 67
bytes. (Marked at ../src/feature/control/control.c:1622)

And a little later:


Aug 01 11:24:54.000 [debug] connection_handle_listener_read():
Connection accepted on socket 13 (child of fd 8).
Aug 01 11:24:54.000 [notice] New control connection opened from 127.0.0.1.
Aug 01 11:24:54.000 [debug] connection_add_impl(): new conn type
Control, socket 13, address 127.0.0.1, n_conns 6.
Aug 01 11:24:54.000 [debug] conn_read_callback(): socket 13 wants to read.
Aug 01 11:24:54.000 [debug] read_to_chunk(): Read 1 bytes. 1 on inbuf.
Aug 01 11:24:54.000 [debug] conn_read_callback(): socket 13 wants to read.
Aug 01 11:24:54.000 [debug] read_to_chunk(): Read 1 bytes. 2 on inbuf.
Aug 01 11:24:54.000 [debug] conn_read_callback(): socket 13 wants to read.
Aug 01 11:24:54.000 [debug] read_to_chunk(): Read 1 bytes. 3 on inbuf.
Aug 01 11:24:54.000 [debug] conn_read_callback(): socket 13 wants to read.
Aug 01 11:24:54.000 [debug] read_to_chunk(): Read 1 bytes. 4 on inbuf.
Aug 01 11:24:54.000 [debug] conn_read_callback(): socket 13 wants to read.
Aug 01 11:24:54.000 [debug] read_to_chunk(): Read 1 bytes. 5 on inbuf.
Aug 01 11:24:54.000 [debug] conn_read_callback(): socket 13 wants to read.
Aug 01 11:24:54.000 [debug] read_to_chunk(): Read 1 bytes. 6 on inbuf.
Aug 01 11:24:54.000 [debug] conn_read_callback(): socket 13 wants to read.
Aug 01 11:24:54.000 [debug] read_to_chunk(): Read 1 bytes. 7 on inbuf.
Aug 01 11:24:54.000 [debug] conn_read_callback(): socket 13 wants to read.
Aug 01 11:24:54.000 [debug] read_to_chunk(): Read 1 bytes. 8 on inbuf.
Aug 01 11:24:54.000 [debug] conn_read_callback(): socket 13 wants to read.
Aug 01 11:24:54.050 [debug] read_to_chunk(): Read 1 bytes. 9 on inbuf.
Aug 01 11:24:54.050 [debug] conn_read_callback(): socket 13 wants 

[tor-talk] Tor 0.4.1.4-rc is released

[Nick Mathewson]

Hi!

There's a new alpha Tor release! Because it's an alpha, you should
only run it if you're ready to find more bugs than usual, and report
them on trac.torproject.org.

The source code is available at
https://www.torproject.org/download/tor/; if you build Tor from
source, why not give it a try? And if you don't build Tor from source,
packages should be ready over the coming days, with a Tor Browser
alpha release likely in the next month.

Here's what's new:


Changes in version 0.4.1.4-rc - 2019-07-25
  Tor 0.4.1.4-rc fixes a few bugs from previous versions of Tor, and
  updates to a new list of fallback directories. If no new bugs are
  found, the next release in the 0.4.1.x serious should be stable.

  o Major bugfixes (circuit build, guard):
- When considering upgrading circuits from "waiting for guard" to
  "open", always ignore circuits that are marked for close. Otherwise,
  we can end up in the situation where a subsystem is notified that
  a closing circuit has just opened, leading to undesirable
  behavior. Fixes bug 30871; bugfix on 0.3.0.1-alpha.

  o Minor features (continuous integration):
- Our Travis configuration now uses Chutney to run some network
  integration tests automatically. Closes ticket 29280.

  o Minor features (fallback directory list):
- Replace the 157 fallbacks originally introduced in Tor 0.3.5.6-rc
  in December 2018 (of which ~122 were still functional), with a
  list of 148 fallbacks (70 new, 78 existing, 79 removed) generated
  in June 2019. Closes ticket 28795.

  o Minor bugfixes (circuit padding):
- On relays, properly check that a padding machine is absent before
  logging a warning about it being absent. Fixes bug 30649; bugfix
  on 0.4.1.1-alpha.
- Add two NULL checks in unreachable places to silence Coverity (CID
  144729 and 1447291) and better future-proof ourselves. Fixes bug
  31024; bugfix on 0.4.1.1-alpha.

  o Minor bugfixes (crash on exit):
- Avoid a set of possible code paths that could try to use freed
  memory in routerlist_free() while Tor was exiting. Fixes bug
  31003; bugfix on 0.1.2.2-alpha.

  o Minor bugfixes (logging):
- Fix a conflict between the flag used for messaging-domain log
  messages, and the LD_NO_MOCK testing flag. Fixes bug 31080; bugfix
  on 0.4.1.1-alpha.

  o Minor bugfixes (memory leaks):
- Fix a trivial memory leak when parsing an invalid value from a
  download schedule in the configuration. Fixes bug 30894; bugfix
  on 0.3.4.1-alpha.

  o Code simplification and refactoring:
- Remove some dead code from circpad_machine_remove_token() to fix
  some Coverity warnings (CID 1447298). Fixes bug 31027; bugfix
  on 0.4.1.1-alpha.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] [tor-onions] Presentation on Onion Networking at the BCS

[grarpamp]

On 7/22/19, Alec Muffett  wrote:
> "Why & How you should start using Onion Networking"
> https://www.youtube.com/watch?v=pebRZyg_bh8

A fine introduction.

Yet how do people, including those involved with or using other
projects in the space, compare contrast and evaluate this with
"Why and how start using" and writing for... Onion, I2P, CJDNS,
MaidSafe, IPFS and all the other overlay networks out there
and forthcoming, all in their respective "non-exit" modes?

Whether it be for protocol layer capabilities HTTPS/TCP/UDP/IPv6,
or to achieve application layer... messaging, storage, web-ish, etc.

And how does each's lack or presence of whatever API
interfaces, UDP, broadcast, name layers, or other potential
transport and programming models, lend themselves to app
development and widespread eventual adoption and use?

And how, without offering IPv6 or the ultimately better all
encompassingly wide and modular, even cryptographic,
AF_OVERLAY interface that all networks could plug into,
does anyone expect to get everything interoperable and
working together?


[Note that comparing "traction" re all other nets
accessing facebook is false since those nets simply
do not offer a simple exit mode to do so as tor does.
What would be fair is if facebook had CJDNS, I2P, Onion,
etc interfaces, and then comparing those access stats,
scaled relative to each respective project estimates of
number of users, project advertising funding impact,
project *Browser availability, etc.]
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] TOR Browser safety practices

[Notopygos]

On Sat, 20 Jul 2019 19:07:09 -0700
npdflr  wrote:

> What is the worst case that could happen if a malicious script
> (Javascript, XHR, other) or a malicious cookie runs?

afaik javascript exploits are rare and you already have noscript
enabled which makes it more unlikely, also if there exist an exploit
then why would someone use it on very small percentage of internet
users? If Tor Browser is affected then probably firefox is also
affected, they would use it on the internet and not some intranet (Tor
network).

You are thinking too much!

~Notopygos
--
1C24 ED06 365A 6045 C128
A1C0 FB0E 5321 5307 6E7D


pgp_IxL4ZeL4i.pgp
Description: OpenPGP digital signature
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] TOR Browser safety practices

[npdflr]

Tor browser already contains a NoScript addon allowing user to prevent certain 
scripts from running.

What is the worst case that could happen if a malicious script (Javascript, 
XHR, other) or a malicious cookie runs?
Apart from username, password which could be stolen, can other data be 
stolen/corrupted? Data like:-
1. Bookmarks
2. Browser storage: IndexedDB, DOM Storage
3. Files in TOR download folder
4. Data in the hard disk apart from the folders used by TOR. 
(Tor by design does not write any browsing activity like history, session etc 
to disk. So I think data in other parts of hard disk should be safe.)
5. Current data held in RAM

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

[tor-talk] Tor 0.4.1.3-alpha is released

[Nick Mathewson]

Hi, all!

There's a new alpha Tor release! Because it's an alpha, you should
only run it if you're ready to find more bugs than usual, and report
them on trac.torproject.org.

The source code is available from the usual place at
https://www.torproject.org/download/tor/ ; if you build Tor from
source, why not give it a try? And if you don't build Tor from source,
packages should be ready over the coming days, with a Tor Browser
alpha release likely in the next two weeks.

Here's what's new:

Changes in version 0.4.1.3-alpha - 2019-06-25
  Tor 0.4.1.3-alpha resolves numerous bugs left over from the previous
  alpha, most of them from earlier release series.

  o Major bugfixes (Onion service reachability):
- Properly clean up the introduction point map when circuits change
  purpose from onion service circuits to pathbias, measurement, or
  other circuit types. This should fix some service-side instances
  of introduction point failure. Fixes bug 29034; bugfix
  on 0.3.2.1-alpha.

  o Minor features (geoip):
- Update geoip and geoip6 to the June 10 2019 Maxmind GeoLite2
  Country database. Closes ticket 30852.

  o Minor features (logging):
- Give a more useful assertion failure message if we think we have
  minherit() but we fail to make a region non-inheritable. Give a
  compile-time warning if our support for minherit() is incomplete.
  Closes ticket 30686.

  o Minor bugfixes (circuit isolation):
- Fix a logic error that prevented the SessionGroup sub-option from
  being accepted. Fixes bug 22619; bugfix on 0.2.7.2-alpha.

  o Minor bugfixes (continuous integration):
- Allow the test-stem job to fail in Travis, because it sometimes
  hangs. Fixes bug 30744; bugfix on 0.3.5.4-alpha.
- Skip test_rebind on macOS in Travis, because it is unreliable on
  macOS on Travis. Fixes bug 30713; bugfix on 0.3.5.1-alpha.
- Skip test_rebind when the TOR_SKIP_TEST_REBIND environment
  variable is set. Fixes bug 30713; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (directory authorities):
- Stop crashing after parsing an unknown descriptor purpose
  annotation. We think this bug can only be triggered by modifying a
  local file. Fixes bug 30781; bugfix on 0.2.0.8-alpha.

  o Minor bugfixes (pluggable transports):
- When running as a bridge with pluggable transports, always publish
  pluggable transport information in our extrainfo descriptor, even
  if ExtraInfoStatistics is 0. This information is needed by
  BridgeDB. Fixes bug 30956; bugfix on 0.4.1.1-alpha.

  o Documentation:
- Mention URLs for Travis/Appveyor/Jenkins in ReleasingTor.md.
  Closes ticket 30630.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] [tor-dev] Cryptocurrency: Total Energy Analysis - Crypto Uses Less Than Fiat

[grarpamp]

Expanding from...
https://lists.torproject.org/pipermail/tor-dev/2019-June/013890.html

On 6/17/19, Hans-Christoph Steiner  wrote:
> I was an early proponent of crypto currencies, but now it is clear to me
> that they do more harm than good by a long shot.

Lacks specifics.

> And this is really off topic for this list.

Energy hardly off topic for Tor in general though...

If people suggest PoW to solve some Tor thing, and others
then claim something or some generic about its applicability,
others are free to further qualify what they introduced.

Cryptocurrency is actually quite green, renewable, clean
and efficient.. it must be in order to compete long term, it is
also naturally incentivized to do so, Fiat has no such care at all.

Media is well known to spew biased FUD and anti about energy,
and they link to non-comparative non-visionary research as the
whole gospel when it's clearly not.

DYOR: Even the crudest of Fermi Estimates, and lowest of
effort searches will start to turn up info therein leading to
searching out a more complete picture...

https://twitter.com/C_Bendiksen/status/1136641061298876417

PoW can take many forms, from mechanical turk captcha brainwork,
to protein folding and other research computing, to serving dual role
as heating etc, yes even to simplistic brute force where needed.

There are many potential PoW choices and libraries out there
and coming in the future. Some hardly "damaging" or rendering
of all land, sea, and civilization to dust.

To just say "PoW bad for Tor" is a bit off, though yes if it
could be a solve, then indeed survey the choices therein.

BTW, you know there are now [PoW] cryptocurrencies and blockchains
that use operate and transport over Tor in various modes... some
exclusively within onions, others split horizon, others well documented
on how to use exits. Same with I2P and other overlay networks.

Is Tor to censor block the "non green" uses?
What about the "illicit" "harmful" uses that are in fact
less volume and incidence than even Fiat sees?

One must also know that Tor nodes and all its infrastructures from
physical to human... consumes many tanker loads of power too.
Yet who has given any open redpill non hypocritical or at least equal
finger pointing thought to analysis on any solar renewable green or
even nextgen nuke sensibility therein?

Where is the Tor relay node selection screen that lets users
select their personal choice to path only through "green" nodes?
How do users even identify and fund those nodes?
Where are the "I run / support green relay" t-shirts for those wishing
to virtue signal?
The onions used to be green, now they're purple,
purple is a strange color in nature, some hesitate on it.

Green pathing would fit right in with the overall "Anti-Sybil relay metadata,
operator WoT, badexit, and DA" research projects, choice and subscription
tool for users that has yet to be explored.

What about Tor declining money from non green, non brutal force,
and even non Proof of Bad Stake... sources and forms? Such as those
from Governments and Banks creating their Fiats for their tax inflation
theft murder war lies ops corruption and manipulation.

Given tor nodes splay across global DC's, biz, and home instead
of some of the more focused, even intentionally green, placement
of cryptocurrency nodes... an actual net analysis of an averaged 1MW
of tor versus 1MW of cryptocurrency, is likely to show Tor as "worse"...
such that betting some cyptocurrency on that would be a win.

Things, ways to create solve and live, all use energy.
Tor uses energy... watts... buildings, cars, food, services, money.

One really needs to start breaking it down to understand it all.

Thankfully cryptocurrency is forcing humanity to break it down,
and to think about and change many of the hardest walls, forces
and energies ever built and expended against them... from physical
to monetary to philosophical to political to mind control and more.

And distributed strong privacy cryptocurrency coins and
privacy networks are helping to make that happen.

Don't be afraid to burn a few watts therein.
And to design out, save, and recycle some where you can.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor-Browser and CLI.

[Damon H. (TheDcoder)]

Yes, the Tor browser UI went under some design changes once Firefox
Quantum (onwards version 57) was adopted in TBB, before that there
wasn't much UI integration with Tor related settings with the rest of
the browser, I believe this was due to the "Torbutton" being restricted
to an extension, so all of the options were available via the onion icon
in beside the address bar.

Take my technical opinion with a pinch of salt as I am just guessing.

On 13/06/19 11:23 PM, Jason Long wrote:
> Redesign?
>
> Sent from Yahoo Mail on Android 
>  
>   On Thu, Jun 13, 2019 at 9:02 PM, Damon H. 
> (TheDcoder) wrote:   Ah! Thanks for pointing it out, I 
> vaguely recall finding it initially
> after the redesign of Tor browser, but I had forgotten about it.
>
> On 12/06/19 3:47 PM, Nicolas Vigier wrote:
>> On Tue, 11 Jun 2019, Damon H. (TheDcoder) wrote:
>>
>>> Tor browser used to have this option to refresh the circuits but it
>>> seems to be removed in the current version as I cannot find it now
>>> (correct me if I am wrong).
>> You can still ask Tor Browser to use a new circuit for a site, if you
>> click on the left of the URL bar.
>>
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor-Browser and CLI.

[Jason Long]

Redesign?

Sent from Yahoo Mail on Android 
 
  On Thu, Jun 13, 2019 at 9:02 PM, Damon H. (TheDcoder) 
wrote:   Ah! Thanks for pointing it out, I vaguely recall finding it initially
after the redesign of Tor browser, but I had forgotten about it.

On 12/06/19 3:47 PM, Nicolas Vigier wrote:
> On Tue, 11 Jun 2019, Damon H. (TheDcoder) wrote:
>
>> Tor browser used to have this option to refresh the circuits but it
>> seems to be removed in the current version as I cannot find it now
>> (correct me if I am wrong).
> You can still ask Tor Browser to use a new circuit for a site, if you
> click on the left of the URL bar.
>
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
  
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor-Browser and CLI.

[Damon H. (TheDcoder)]

Ah! Thanks for pointing it out, I vaguely recall finding it initially
after the redesign of Tor browser, but I had forgotten about it.

On 12/06/19 3:47 PM, Nicolas Vigier wrote:
> On Tue, 11 Jun 2019, Damon H. (TheDcoder) wrote:
>
>> Tor browser used to have this option to refresh the circuits but it
>> seems to be removed in the current version as I cannot find it now
>> (correct me if I am wrong).
> You can still ask Tor Browser to use a new circuit for a site, if you
> click on the left of the URL bar.
>
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor-Browser and CLI.

[Jason Long]

 No, I want to do it via CLI because I need it in a bash script.
On Wednesday, June 12, 2019, 3:04:10 PM GMT+4:30, Nicolas Vigier 
 wrote:  
 
 On Tue, 11 Jun 2019, Damon H. (TheDcoder) wrote:

> Tor browser used to have this option to refresh the circuits but it
> seems to be removed in the current version as I cannot find it now
> (correct me if I am wrong).

You can still ask Tor Browser to use a new circuit for a site, if you
click on the left of the URL bar.

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
  
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor-Browser and CLI.

[Nicolas Vigier]

On Tue, 11 Jun 2019, Damon H. (TheDcoder) wrote:

> Tor browser used to have this option to refresh the circuits but it
> seems to be removed in the current version as I cannot find it now
> (correct me if I am wrong).

You can still ask Tor Browser to use a new circuit for a site, if you
click on the left of the URL bar.

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor-Browser and CLI.

[Jason Long]

 Thanks, but I'm using Tor-Browser.
On Tuesday, June 11, 2019, 3:06:52 PM GMT+4:30, Damon H. (TheDcoder) 
 wrote:  
 
  
Tor browser used to have this option to refresh the circuits but it seems to be 
removed in the current version as I cannot find it now (correct me if I am 
wrong).
 
If you are using Tor directly, you will need to use a controller to instruct 
Tor to form new circuits. Nyx seems to be the most popular option :)
 
 On 11/06/19 11:37 AM, Jason Long wrote:
  
 Hello.When Tor-Browser launched then how can I work with Tor deamon via CLI? 
Something like, renew IP address via CLI.
Thanks.
 
   
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor-Browser and CLI.

[Damon H. (TheDcoder)]

Tor browser used to have this option to refresh the circuits but it
seems to be removed in the current version as I cannot find it now
(correct me if I am wrong).

If you are using Tor directly, you will need to use a controller to
instruct Tor to form new circuits. Nyx 
seems to be the most popular option :)

On 11/06/19 11:37 AM, Jason Long wrote:
> Hello.When Tor-Browser launched then how can I work with Tor deamon via CLI? 
> Something like, renew IP address via CLI.
> Thanks.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

[tor-talk] Tor-Browser and CLI.

[Jason Long]

Hello.When Tor-Browser launched then how can I work with Tor deamon via CLI? 
Something like, renew IP address via CLI.
Thanks.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor Browser Android 8.5.1 obfs4 Bridges Problem

[Matthew Finkel]

On Mon, Jun 10, 2019 at 10:02 AM Georg Koppen  wrote:
>
> Lotta Kallio:
> > Yes, i tried. It is not working. If someone can interest with this issue we 
> > would be appreciated in here.
>
> It is weird that those bridges are working for you on desktop and not on
> mobile. Are you on the same network when it is working on desktop and
> not on mobile? If so, could you file a ticket in our bug tracker at
> https://trac.torproject.org/projects/tor ?
>

There was a chat about this on IRC. The current thought is this relates to
one of the recent bridge bugs, like
https://trac.torproject.org/projects/tor/ticket/29875

I'm most confused because the notice-level logs and CIRC events show
the client successfully established a connection with the bridges, but tor
does not mark them as usable. I haven't looked at the referenced ticket,
so maybe there's a reasonable explanation how they're all related.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor Browser Android 8.5.1 obfs4 Bridges Problem

[Georg Koppen]

Lotta Kallio:
> Yes, i tried. It is not working. If someone can interest with this issue we 
> would be appreciated in here.

It is weird that those bridges are working for you on desktop and not on
mobile. Are you on the same network when it is working on desktop and
not on mobile? If so, could you file a ticket in our bug tracker at
https://trac.torproject.org/projects/tor ?

Georg

>> 
>> From: Georg Koppen 
>> Sent: Fri Jun 07 09:29:00 CEST 2019
>> To: 
>> Subject: Re: [tor-talk] Tor Browser Android 8.5.1 obfs4 Bridges Problem
>>
>>
>> Lotta Kallio:
>>> Dear Tor Volunteers and Engineers,
>>>
>>> Hope you are fine.
>>>
>>> You know i had wrote an email about TB Android's built-in bridges and few 
>>> days later you released new build with new changes. I installed TB 8.5.1 
>>> and tried again. I waited for minutes but no luck. Respectfully nothing is 
>>> changed. I captured two (2) screenshots of TB Android. I attached those and 
>>> also uploaded.
>>>
>>> https://share.riseup.net/#XPnjRD_0eeveNMVq_XO9eQ
>>> https://share.riseup.net/#87nFB3buzwydBx9MF3kmDQ
>>
>> Do you have a desktop machine and can confirm that none of the bridges
>> that are failing on Android is working on desktop either?
>>
>> Georg
>>
> 
> 
> -- 
> Sent with https://mailfence.com
> Secure and private email
> 




signature.asc
Description: OpenPGP digital signature
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor Browser Android 8.5.1 obfs4 Bridges Problem

[Lotta Kallio]

Yes, i tried. It is not working. If someone can interest with this issue we 
would be appreciated in here.

> 
> From: Georg Koppen 
> Sent: Fri Jun 07 09:29:00 CEST 2019
> To: 
> Subject: Re: [tor-talk] Tor Browser Android 8.5.1 obfs4 Bridges Problem
> 
> 
> Lotta Kallio:
> > Dear Tor Volunteers and Engineers,
> > 
> > Hope you are fine.
> > 
> > You know i had wrote an email about TB Android's built-in bridges and few 
> > days later you released new build with new changes. I installed TB 8.5.1 
> > and tried again. I waited for minutes but no luck. Respectfully nothing is 
> > changed. I captured two (2) screenshots of TB Android. I attached those and 
> > also uploaded.
> > 
> > https://share.riseup.net/#XPnjRD_0eeveNMVq_XO9eQ
> > https://share.riseup.net/#87nFB3buzwydBx9MF3kmDQ
> 
> Do you have a desktop machine and can confirm that none of the bridges
> that are failing on Android is working on desktop either?
> 
> Georg
> 


-- 
Sent with https://mailfence.com
Secure and private email
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor Browser Android 8.5.1 obfs4 Bridges Problem

[Georg Koppen]

Lotta Kallio:
> Dear Tor Volunteers and Engineers,
> 
> Hope you are fine.
> 
> You know i had wrote an email about TB Android's built-in bridges and few 
> days later you released new build with new changes. I installed TB 8.5.1 and 
> tried again. I waited for minutes but no luck. Respectfully nothing is 
> changed. I captured two (2) screenshots of TB Android. I attached those and 
> also uploaded.
> 
> https://share.riseup.net/#XPnjRD_0eeveNMVq_XO9eQ
> https://share.riseup.net/#87nFB3buzwydBx9MF3kmDQ

Do you have a desktop machine and can confirm that none of the bridges
that are failing on Android is working on desktop either?

Georg



signature.asc
Description: OpenPGP digital signature
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

[tor-talk] Tor Browser Android 8.5.1 obfs4 Bridges Problem

[Lotta Kallio]

Dear Tor Volunteers and Engineers,

Hope you are fine.

You know i had wrote an email about TB Android's built-in bridges and few days 
later you released new build with new changes. I installed TB 8.5.1 and tried 
again. I waited for minutes but no luck. Respectfully nothing is changed. I 
captured two (2) screenshots of TB Android. I attached those and also uploaded.

https://share.riseup.net/#XPnjRD_0eeveNMVq_XO9eQ
https://share.riseup.net/#87nFB3buzwydBx9MF3kmDQ

Thank you in advance.

Kind Regards,

Lotta
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] TOR Browser safety practices

[npdflr]

Thanks Wallichii and Conrad for your replies.



 On Fri, 24 May 2019 09:18:19 -0700 Wallichii  
wrote 



On Fri, 24 May 2019 08:28:37 -0700 
npdflr  wrote: 
 
> 1. Is downloading files safe via TOR Browser? 
 
Yes, downloading files with Tor browser should be as safe as downloading 
them with firefox. You can open that pdf file safely on any computer 
that is not connected to the internet. 
 
> 2. Viewing insecure HTTP sites: 
> 
> Any suggestion which insecure HTTP sites one can visit even if one 
> gets the warning: 
> 
> "HTTPS 
>  Everywhere noticed you were navigating to a non-HTTPS page, and 
> tried to send you to the HTTPS version instead. The HTTPS version is 
> unavailable. ." 
 
You can visit any website, it should be safe. When your traffic is 
routed through Tor it exits from someone else's computer so if you are 
visiting a website that doesn't start with https://, it can be 
monitored or even altered by that exit computer. If you are visiting 
websites that start with https:// then the exit computer cannot alter 
the contents of the website. 


> 3. Should one proceed when a website has an error like "invalid 
> certificate error"? 
 
Normally you shouldn't do that on websites that you don't control/host. 
Let's say I am hosting a website and I setup tls on server myself and 
noted down the fingerprint. Now in this case I can proceed if I forget 
to renew the certificate because I've noted down the fingerprint and as 
long as I verify it everytime, it should be pretty safe. (AFAIK) 
 
You can proceed but remember to treat that connection as http 
connection and you should assume that everything you 
enter/submit/request can be altered/monitored by the exit computer 
(more like every computer which routes the traffic). 
 
Simple answer: No, inform the operators and visit it after they fix 
this issue. 
 
> 4. I am able to open ftp sites without using TLS (only ftp not ftps) 
> 
> So, is it advisable to open sites having protocols such as ftp, smtp 
> etc but are not wrapped inside TLS? 
 
If its not encrypted in any form then your userid and password goes in 
plain text, it can be altered/monitored by any computer your traffic 
goes through. In this case the exit computer can save your plain text 
password and use it for malicious purpose. 





    

    >> So, for the questions 2. 3. and 4 if a user is just visiting the website

    >> for the purpose of viewing it not transferring any personal/sensitive 
data 

    >> then the exit computer can/may be able to alter/monitor the traffic but 
the

    >> user's browser data (excluding the current session with the website) and 

    >> the hard disk data should be safe, I hope I am right?





@Conrad: I am aware of the Tails operating system. I haven't used it yet.

I will use it soon but even when I would be using Tails, I should be aware of

some technical details of using TOR so that no sensitive data is stolen during

online activties.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] TOR Browser safety practices

[Wallichii]

On Fri, 24 May 2019 08:28:37 -0700
npdflr  wrote:

> 1. Is downloading files safe via TOR Browser?

Yes, downloading files with Tor browser should be as safe as downloading
them with firefox. You can open that pdf file safely on any computer
that is not connected to the internet.

> 2. Viewing insecure HTTP sites:
> 
> Any suggestion which insecure HTTP sites one can visit even if one
> gets the warning:
> 
> "HTTPS
>  Everywhere noticed you were navigating to a non-HTTPS page, and
> tried to send you to the HTTPS version instead. The HTTPS version is 
> unavailable. ."

You can visit any website, it should be safe. When your traffic is
routed through Tor it exits from someone else's computer so if you are
visiting a website that doesn't start with https://, it can be
monitored or even altered by that exit computer. If you are visiting
websites that start with https:// then the exit computer cannot alter
the contents of the website.

> 3. Should one proceed when a website has an error like "invalid
> certificate error"?

Normally you shouldn't do that on websites that you don't control/host.
Let's say I am hosting a website and I setup tls on server myself and
noted down the fingerprint. Now in this case I can proceed if I forget
to renew the certificate because I've noted down the fingerprint and as
long as I verify it everytime, it should be pretty safe. (AFAIK)

You can proceed but remember to treat that connection as http
connection and you should assume that everything you
enter/submit/request can be altered/monitored by the exit computer
(more like every computer which routes the traffic).

Simple answer: No, inform the operators and visit it after they fix
this issue.
 
> 4. I am able to open ftp sites without using TLS (only ftp not ftps)
> 
> So, is it advisable to open sites having protocols such as ftp, smtp
> etc but are not wrapped inside TLS?

If its not encrypted in any form then your userid and password goes in
plain text, it can be altered/monitored by any computer your traffic
goes through. In this case the exit computer can save your plain text
password and use it for malicious purpose.

-- 
Wallichii 
0731 FCC1 D00B 2069 1F23
4D22 2032 F592 A338 B781


pgpF6wxH42AsK.pgp
Description: OpenPGP digital signature
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] TOR Browser safety practices

[Conrad Rockenhaus]

Hello,

Sorry for top posting, but I can’t help but to ask, since you seem overtly 
cautious about your security, why don’t you utilize a solution such as booting 
Tails from a USB key (Higher degree of confidence of anonymity and prevention 
of leakage) or use Tails in a VirtualBox VM? (High degree of confidence of 
anonymity and prevention of leakage). I know it’s not directly Tor Browser, but 
it’s Tor Browser integrated into an isolated bootable Operating System for your 
security.

https://tails.boum.org/

Thanks,

Conrad

> On May 24, 2019, at 10:28 AM, npdflr  wrote:
> 
> I would like to ask for some safe practices to maximize security while using 
> TOR browser.
> 
> 
> 
> I understand some of the basics and have gone through the FAQ on pages 
> https://support.torproject.org/#faq and 
> https://2019.www.torproject.org/docs/faq.html.en
> 
> 
> 
> Here are some questions:
> 
> 1. Is downloading files safe via TOR Browser?
> 
> I got the follownig warning while downloading a PDF file:
> 
> "Tor Browser cannot display this file. You will need to open it with another 
> application.
> 
> Some types of files can cause applications to connect to the Internet without 
> using Tor.
> 
> To be safe, you should only open downloaded files while offline, or use a Tor 
> Live CD such as Tails."
> 
> 
> 
> 2. Viewing insecure HTTP sites:
> 
> Any suggestion which insecure HTTP sites one can visit even if one gets the 
> warning:
> 
> "HTTPS
> Everywhere noticed you were navigating to a non-HTTPS page, and tried 
> to send you to the HTTPS version instead. The HTTPS version is 
> unavailable. ."
> 
> 
> 
> 3. Should one proceed when a website has an error like "invalid certificate 
> error"?
> 
> 
> 
> 4. I am able to open ftp sites without using TLS (only ftp not ftps)
> 
> So, is it advisable to open sites having protocols such as ftp, smtp etc but 
> are not wrapped inside TLS?
> 
> 
> 
> Thank you.
> -- 
> tor-talk mailing list - tor-talk@lists.torproject.org
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

[tor-talk] TOR Browser safety practices

[npdflr]

I would like to ask for some safe practices to maximize security while using 
TOR browser.



I understand some of the basics and have gone through the FAQ on pages 
https://support.torproject.org/#faq and 
https://2019.www.torproject.org/docs/faq.html.en



Here are some questions:

1. Is downloading files safe via TOR Browser?

I got the follownig warning while downloading a PDF file:

"Tor Browser cannot display this file. You will need to open it with another 
application.

Some types of files can cause applications to connect to the Internet without 
using Tor.

To be safe, you should only open downloaded files while offline, or use a Tor 
Live CD such as Tails."



2. Viewing insecure HTTP sites:

Any suggestion which insecure HTTP sites one can visit even if one gets the 
warning:

"HTTPS
 Everywhere noticed you were navigating to a non-HTTPS page, and tried 
to send you to the HTTPS version instead. The HTTPS version is 
unavailable. ."



3. Should one proceed when a website has an error like "invalid certificate 
error"?



4. I am able to open ftp sites without using TLS (only ftp not ftps)

So, is it advisable to open sites having protocols such as ftp, smtp etc but 
are not wrapped inside TLS?



Thank you.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

[tor-talk] Tor 0.4.1.1-alpha is released

[Nick Mathewson]

Hi, all!

There's a new alpha Tor release! Because it's an alpha, you should
only run it if you're ready to find more bugs than usual, and report
them on trac.torproject.org.

The source code is available from the usual place at
https://www.torproject.org/download/tor/; if you build Tor from
source, why not give it a try? And if you don't build Tor from source,
packages should be ready over the coming days, with a Tor Browser
alpha release likely in the next couple of weeks.

Here's what's new:

Changes in version 0.4.1.1-alpha - 2019-05-22
  This is the first alpha in the 0.4.1.x series. It introduces
  lightweight circuit padding to make some onion-service circuits harder
  to distinguish, includes a new "authenticated SENDME" feature to make
  certain denial-of-service attacks more difficult, and improves
  performance in several areas.

  o Major features (circuit padding):
- Onion service clients now add padding cells at the start of their
  INTRODUCE and RENDEZVOUS circuits, to make those circuits' traffic
  look more like general purpose Exit traffic. The overhead for this
  is 2 extra cells in each direction for RENDEZVOUS circuits, and 1
  extra upstream cell and 10 downstream cells for INTRODUCE
  circuits. This feature is only enabled when also supported by the
  circuit's middle node. (Clients may specify fixed middle nodes
  with the MiddleNodes option, and may force-disable this feature
  with the CircuitPadding torrc.) Closes ticket 28634.

  o Major features (code organization):
- Tor now includes a generic publish-subscribe message-passing
  subsystem that we can use to organize intermodule dependencies. We
  hope to use this to reduce dependencies between modules that don't
  need to be related, and to generally simplify our codebase. Closes
  ticket 28226.

  o Major features (controller protocol):
- Controller commands are now parsed using a generalized parsing
  subsystem. Previously, each controller command was responsible for
  parsing its own input, which led to strange inconsistencies.
  Closes ticket 30091.

  o Major features (flow control):
- Implement authenticated SENDMEs as detailed in proposal 289. A
  SENDME cell now includes the digest of the traffic that it
  acknowledges, so that once an end point receives the SENDME, it
  can confirm the other side's knowledge of the previous cells that
  were sent, and prevent certain types of denial-of-service attacks.
  This behavior is controlled by two new consensus parameters: see
  the proposal for more details. Fixes ticket 26288.

  o Major features (performance):
- Our node selection algorithm now excludes nodes in linear time.
  Previously, the algorithm was quadratic, which could slow down
  heavily used onion services. Closes ticket 30307.

  o Major features (performance, RNG):
- Tor now constructs a fast secure pseudorandom number generator for
  each thread, to use when performance is critical. This PRNG is
  based on AES-CTR, using a buffering construction similar to
  libottery and the (newer) OpenBSD arc4random() code. It
  outperforms OpenSSL 1.1.1a's CSPRNG by roughly a factor of 100 for
  small outputs. Although we believe it to be cryptographically
  strong, we are only using it when necessary for performance.
  Implements tickets 29023 and 29536.

  o Major bugfixes (onion service v3):
- Fix an unreachable bug in which an introduction point could try to
  send an INTRODUCE_ACK with a status code that Trunnel would refuse
  to encode, leading the relay to assert(). We've consolidated the
  ABI values into Trunnel now. Fixes bug 30454; bugfix
  on 0.3.0.1-alpha.
- Clients can now handle unknown status codes from INTRODUCE_ACK
  cells. (The NACK behavior will stay the same.) This will allow us
  to extend status codes in the future without breaking the normal
  client behavior. Fixes another part of bug 30454; bugfix
  on 0.3.0.1-alpha.

  o Minor features (circuit padding):
- We now use a fast PRNG when scheduling circuit padding. Part of
  ticket 28636.
- Allow the padding machine designer to pick the edges of their
  histogram instead of trying to compute them automatically using an
  exponential formula. Resolves some undefined behavior in the case
  of small histograms and allows greater flexibility on machine
  design. Closes ticket 29298; bugfix on 0.4.0.1-alpha.
- Allow circuit padding machines to hold a circuit open until they
  are done padding it. Closes ticket 28780.

  o Minor features (compile-time modules):
- Add a "--list-modules" command to print a list of which compile-
  time modules are enabled. Closes ticket 30452.

  o Minor features (continuous integration):
- Remove sudo configuration lines from .travis.yml as they are no
  longer needed with current Travis 

Re: [tor-talk] TOR problem with onion service setup

[Wallichii]

On Wed, 15 May 2019 19:09:13 +0300
xxx  wrote:

> May 15 19:01:11.007 [warn] Directory /var/lib/tor/hidden_service/
> cannot be read: Permission denied

that directory should be read/write/access for tor user. so on my
system it is user: tor and group: tor, maybe its something else on your
system.

-- 
Wallichii 
0731 FCC1 D00B 2069 1F23
4D22 2032 F592 A338 B781


pgpeveW_SFq13.pgp
Description: OpenPGP digital signature
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk