tor-dev

tor-dev@lists.torproject.org

5 participants
3594 discussions

TOR Interference??!??!?
by Liste 30 Oct '14

30 Oct '14

Sometime, of many computers, of many hidden service, the TOR's connection are interrupted, very slow, and can't connect to hidden serivce or Internet site. When i change the TOR identity all works better. Sometime into the log file i can see a message like this: * Hidden service descriptor corrupted. * Invalid hidden service descriptor. Are some hidden services under attack? I try to create some hidden service to test... After 2 or 3 days the hidden service become unavailable. But if i change the TOR identity of hidden service (server), the hidden service become available. Why??? One time, in 1-2 July, i was see the corruption of SSL connection over TOR network (all connection). What's going on? What's wrong? Test system: * Debian 7 * TAILS 1.1 * Parrot OS * Windows 7 * Debian 7 (Another as server)

1 0

GetTor development status
by ilv 30 Oct '14

30 Oct '14

Hi people. We've been working very hard to get GetTor deployed as soon as possible. Meanwhile, I'd like to tell you what we've been up to. 1) Changed from logging quite a bit of stuff, to not logging at all. GetTor actually creates log files, but they remain empty. We'll see what we need to log on the way. 2) Changed from keeping stats about the requests (os, locale, etc) to just keep a counter to know how many requests we've received so far. The only exception is with some info necessary to avoid flood, namely: the hashed user, number of requests for that user and the last time that user made a request. All of this is stored in a SQLite database. 3) For now we'll only send Dropbox links. We now use long urls with the ?dl=1 prefix to automatically download the file, instead of the old short urls used (during the revamp). You can see an example of what urls should be sent on [1]. We hope to implement other providers in the future. We'll need an official Dropbox account for this, this is one of the things we're waiting to deploy. 4) You can check a template of the message that should be sent when sending the links on [2], under the "links_msg" msgid. The interpolated info is: operating system, locale, the links (see [1] for links format). We're working on making this as usable as possible, so any thought on this is very welcome! 5) I still have pending an script to synchronize with the latest version of TBB on dist.tp.o and upload that to Dropbox. Help here is very welcome too. I think that is for now. Any comment/feedback is welcome. If you have any crazy ideas about new ways to distribute the TBB with GetTor, please tell us. I have created two files in the Github repo: providers [3] and distribution_methods [4]. Make a pull request if you're feeling inspired :) [1] https://github.com/ileiva/gettor/blob/master/providers/dropbox.links [2] https://github.com/ileiva/gettor/blob/master/lang/smtp/i18n/en/LC_MESSAGES/… [3] https://github.com/ileiva/gettor/blob/master/providers.txt [4] https://github.com/ileiva/gettor/blob/master/distribution_methods.txt happy hacking, -- 0xA456E2CE540BFC0E

1 0

Newbie Devloper Questions
by pylis＠riseup.net 29 Oct '14

29 Oct '14

Hello, I am would like to begin working on a distributed application sitting on top of TOR and am wondering if there are any existing guides providing a good starting point for this type of development. If not, what other resources might be good starting points to become familiar with the foundation concepts? Thank you

2 1

A fun graph you can make at home
by David Fifield 29 Oct '14

29 Oct '14

This is a graph of the number of simultaneous relay users for every country, one country per row. It's roughly 30 cm wide and 3 m tall. https://people.torproject.org/~dcf/graphs/relays-all.pdf It's basically the same as https://metrics.torproject.org/users.html?graph=userstats-relay-country&sta… but for every country at once. I thought it might help reveal differences and similarities. It's made with the attached R script. Run it like so: Rscript relays-all.R You can see a few interesting features. Most conspicuous is the Sefnit botnet in late 2013 that affected almost every country. Also look at Russia (ru) around June 2014 and Iran (ir) in August, to pick out some recent censorship-related examples. To generate individual pages for printing and taping together, I used the pdfposter program: pdfposter -v -p 999x1letter relays-all.pdf relays-all-paginated.pdf David Fifield

1 1

MATor: A live-monitor for anonymity guarantees
by Esfandiar Mohammadi 28 Oct '14

28 Oct '14

Hi, tl;dr: we have a CCS paper coming up about a client-based live-monitor, called MATor [1], that assesses the influence of Tor's path selection to a user's anonymity. The paper is a first step towards a useful live-monitor that assesses a user's anonymity in a provable manner. We would appreciate your feedback on our approach and the direction in general. In detail, we implemented a live-monitor that computes upper bounds of the de-anonymization probability for sender, receiver, and relationship anonymity, based on Tor consensus data and the ports that the client needs. We formalized the guarantees that the live-monitor outputs in (an extension of) the AnoA framework [2] for circuit creation against passive attackers that do not control infrastructure (ASNs or IXPs). We use safe approximations in the live-monitor to be able to efficiently (a few seconds [3]) compute upper bounds for de-anonymization. At the moment the MATor monitor is a separate tool, but we are working on integrating it into the Tor client code. We envision an integration into Tor Browser Bundle. Since MATor is an ongoing project, we would appreciate your opinion about the approach in general. Best wishes, - Sebastian & Esfandiar [1] Michael Backes, Aniket Kate, Sebastian Meiser, Esfandiar Mohammad. (Nothing else) MATor(s): Monitoring the Anonymity of Tor's Path Selection. to appear in Proceedings of 21st ACM CCS, ACM, 2014. The MATor project page (containing the paper and the implementation): http://www.infsec.cs.uni-saarland.de/projects/anonymity-guarantees/mator.ht… [2] Michael Backes, Aniket Kate, Praveen Manoharan, Sebastian Meiser, and Esfandiar Mohammadi. AnoA: A Framework For Analyzing Anonymous Communication Protocols Unified Definitions and Analyses of Anonymity Properties. Proceedings of 26th IEEE CSF, pages 163-178, IEEE, 2013. The AnoA project page (containing the paper): http://www.infsec.cs.uni-saarland.de/~meiser/paper/anoa.html [3] The running time is as follows on a MacBook Air 2GHz Intel i7 with 4GB RAM: Preparation time: 3.39 seconds For sender anonymity: 0.73 seconds For recipient anonymity: 6.07 seconds For relationship anonymity: 9.10 seconds

1 0

Link protocol version
by Владимир Мартьянов 28 Oct '14

28 Oct '14

I'm trying to understand link protocol versions, but I have some problems. I requested descriptor from the root server and it contains line "protocols Link 1 2 Circuit 1". Then I connected to the node, sent VERSIONS cell and got a responce: "00 00 07 00 04 00 03 00 04". But according to that responce, the node supports link protocol v3 and v4, not v1 and v2. Could you please explain that moment?

2 4

Using Mozilla Persona for "Helping Internet services accept anonymous users"
by isis 27 Oct '14

27 Oct '14

[pre scriptum] This email particularly concerns the people on the Tor Browser team, and to those interested in progress on Roger's "A Call To Arms: Helping Internet services accept anonymous users" blog post. [0] Hello all, While setting up a Mozilla Persona Identity Provider (IdP) server for testing ways to provide a system for anonymous users to log in to websites, I discovered some serious problems [1] which, in my opinion, make Persona unusable for our case. One of these problems [2] essentially boils down to forcing us to choose between two options for real-world deployment, due to a lack of forward compatibility in the existing Mozilla Persona deployment: 1. We could deploy a version which is compatible with the legacy Persona implementation but which has privacy issues. We would need to accept that the so-called "anonymous" users of the Tor Project IdP would be sent from the website they are trying to log into (Wikipedia, for example) to https://login.persona.org, and that the latter would speak to the Tor Project IdP. There is not even remotely a chance for even pseudonymity, if we went this route, as the https://login.persona.org server could: * Log which websites a Tor user tries to log into, * Log when a Tor user tried to log into or out of any website, * Potentially link a user's pseudonyms (yes, even if we handed out blinded signatures in our credentials), * Arbitrarily decide to block all Tor users without the consent of either Wikipedia or the Tor Project IdP, * and probably a bunch of other horrible stuff. 2. We could make a version based on the so-called "native" Persona implementation within Firefox. This would result in fewer privacy issues, however it would be incompatible with all the rest of existing Persona infrastructure. Mozilla's "native" Persona implementation is already incompatible with the legacy version currently deployed on all Persona-enabled websites and IdPs today. If we decide to go this route, and create a version of Persona which does not redirect our users through third-party IdPs, we would need to try to force every website that wants to allow anonymous users to login to source custom Javascript that we make available, [3] which is specific to allowing logins from our IdP. In addition, sites which include this Javascript would no longer be compatible with the regular (non-Tor Browser) Firefox userbase and any existing Persona infrastructure (both Persona-enabled websites and other Persona IdPs). For a more verbose explanation, please see [4]. I think we can all agree that Option #1 is unacceptable. If we were to do Option #2, we would essentially be taking over maintenance of Persona from Mozilla *and* creating an entirely new, incompatible authentication system on top of the dilapidated remains. Before going that route we should pay attention to the fact that Mozilla pulled support for the project because of lack of adoption. If our goal was to save work by using Persona for this purpose, I estimate that we would be doing more work by using Persona than if we were to build something completely from scratch. [0]: https://blog.torproject.org/blog/call-arms-helping-internet-services-accept… [1]: https://trac.torproject.org/projects/tor/ticket/12193 [2]: https://trac.torproject.org/projects/tor/ticket/12193#comment:12 [3]: https://github.com/isislovecruft/browserid-certifier/blob/master/srv/login.… [4]: https://trac.torproject.org/projects/tor/ticket/12193#comment:13 -- ♥Ⓐ isis agora lovecruft _________________________________________________________ OpenPGP: 4096R/0A6A58A14B5946ABDE18E207A3ADB67A2CDB8B35 Current Keys: https://blog.patternsinthevoid.net/isis.txt

1 0

Understanding Tor and SOCKS
by spriver 27 Oct '14

27 Oct '14

Hi everyone! I am trying to understand the communication between an application and Tor (especially connecting to a hidden service). I am tracing packets on loopback between a torified netcat request to connect to a .onion address. When the connection gets granted I am getting a response from the socks server: (hex data of the tcp payload) 0x05 0x00 0x00 0x01 0x00 0x00 0x00 0x00 0x00 0x00 Regarding to the SOCKS specification this means that the request is granted. But I don't understand the 0x01 in byte no 4. It means IPv4 address in the SOCKS specification, but the following part of the destination address and port (the following 0x00's) are empty. So what does that 0x01 mean? Can someone explain me that? Thank you! Cheers, spriver

4 5

Vidalia Relay Bundle(win) Tor version, obfs4proxy package in deb.tp.o
by s7r 26 Oct '14

26 Oct '14

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 1. I have noticed that the Vidalia Relay Bundles for Windows available to download on torproject.org are using Tor 0.2.4.23, while we are on 0.2.5.10 as stable branch. I know 0.2.4.23 is still on the recommended list in the consensus, but since someone is downloading the bundles fresh from the Tor home page, I think it is expected to include the latest stable Tor version. 2. Configured some obfs4 bridges using obfs4proxy. They work very good, however it's a little bit complicated since package obfs4proxy exists in Debian sid, but not in deb.torproject.org, so you have to add sid repo to sources.list, install obfs4proxy and then make sure you edit apt preferences or comment the sid repo from the list in order not to upgrade you entire Debian system with packages from unstable/testing branch. Received couple of emails from users wanted to deploy obfs4 bridges and were confused. Is it possible to include obfs4proxy in deb.torproject.org for Debian, and while at it also make a rpm package for RHEL/CentOS? obfsproxy (python based pluggable transport) was easy to install in RHEL/CentOS using EPEL repo and `pip` but obfs4proxy should come as a rpm from deb.torproject.org. 3. Last thing, the page https://bridges.torproject.org/ does not contain obfs4 in the drop-down list where the user needs to select the pluggable transport. It only allows requests for obfs2, obfs3, scramblesuit and fteproxy bridges. Don't know about fteproxy, but shouldn't obfs2 be deprecated or is it still working/used? -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (MingW32) iQEcBAEBAgAGBQJUTRBeAAoJEIN/pSyBJlsR2zwH/2mnA2GNomxNQZI7Eeumt1sM uA6iXvlUiILJdQRG8EcHx8sfHU5MD20V5mOH774XsX7elAG47/ePL+/SKL69OfuR nl/X4IzH34CaqbMLGVHotl9Bcugfgw71fAF+Gm5nymM8VRxsdQnS51nnz7pwphon /DeeMfCE45eCYpVYyOqXZcSM4DA6Hr5bWG5TlCVJXTOl67fMr/pEBFgfpc6RIAL/ 8GXk+Cv6k/vW0AsEb/XoHBNbIzfHhOlb9O9q3giq3kGmJahMheKKLVOP5FNiEWi1 S6AhlxOYNnoAc9jhSAmNsMmJCteVVBV96c9jgeP9QOF2WtLnq6md8/uFocOelUc= =iUXk -----END PGP SIGNATURE-----

3 4

Request to expunge project 'torsocks' on Google Code
by Virgil Griffith 26 Oct '14

26 Oct '14

Sitting with David Goulet, it's problematic that when I search for "torsocks" I get the old Google Code page instead of the up-to-date page on http://gitweb.torproject.org This is problematic because people report bugs to the Google Code repository instead of the torproject repository. Jake/Robert: You are the project owners on Google Code. Could you please remove the project? Much love, -Virgil

6 8

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

tor-dev