- tor-dev - lists.torproject.org

Re: [tor-dev] [HTTPS-Everywhere] "darkweb everywhere" extension
by yan 03 Nov '14

03 Nov '14

+tor-dev. tl;dr: Would be nice if there were an HTTP response header that allows HTTPS servers to indicate their .onion domain names so that HTTPS Everywhere can automatically redirect to the .onion version in the future if the user chooses a "use THS when available" preference. I imagine the header semantics and processing would be similar to HSTS. It would only be noted when sent over TLS and have the max-age and include-subdomains fields. -yan yan wrote: > Hi all, > > Some people have requested for the "Darkweb Everywhere" extension [1] to > be integrated into HTTPS Everywhere. This is an extension for Tor > Browser that redirects users to the Tor Hidden Service version of a > website when possible. > > I'm supportive of the idea; however, I'm worried that since .onion > domain names are usually unrelated to a site's regular domain name, a > malicious ruleset would be hard to detect. AFAIK Darkweb Everywhere only > defends against this by publishing a doc in their Github repo that cites > evidence for each ruleset [2]. > > What if, instead, we asked website owners to send an HTTP header that > indicates the Tor Hidden Service version of their website? Then HTTPS > Everywhere could cache the result (like HSTS) and redirect to the THS > version automatically in the future if the user opts-in. > > If this is something that EFF/Tor would be willing to advocate for, I > would be happy to draft a specification for the header syntax and > intended UA behavior. > > Thanks, > Yan > > > [1] https://github.com/chris-barry/darkweb-everywhere/ > [2] > https://github.com/chris-barry/darkweb-everywhere/blob/master/doc/EVIDENCE.… > _______________________________________________ > HTTPS-Everywhere mailing list > HTTPS-Everywhere(a)lists.eff.org > https://lists.eff.org/mailman/listinfo/https-everywhere >

3 2

Call for Papers: Switzerland - International Conference on Semantic Web Business and Innovation (SWBI2015)
by Conference Updates 03 Nov '14

03 Nov '14

The International Conference on Semantic Web Business and Innovation (SWBI2015) The University of Applied Sciences and Arts Western Switzerland (HES-SO Valais-Wallis) October 7-9, 2015 http://sdiwc.net/conferences/swbi2015/ All registered papers will be included in SDIWC Digital Library ================================================================ The proposed conference on the above theme will be held at he University of Applied Sciences and Arts Western Switzerland (HES-SO Valais-Wallis) on October 7-9, 2015 which aims to enable researchers build connections between different digital applications. The conference welcomes papers on the following (but not limited to) research topics: *Semantic Web and Linked Data - Database, IR, NLP and AI technologies for the Semantic Web - Geospatial Semantic Web - Information Extraction from unstructured data - Information visualization of Semantic Web data and Linked Data - Internet of things - Languages, tools, and methodologies for representing and managing Semantic Web data - Linked open data - Management of Semantic Web data and Linked Data - Ontology engineering and ontology patterns for the Semantic Web - Ontology modularity, mapping, merging, and alignment - Ontology-based data access - Privacy and Security - Query and inference over data streams - Search, query, integration, and analysis on the Semantic Web - Semantic business process management - Semantic Sensor networks - Semantic technologies for mobile platforms - Semantic Web and Linked Data for Cloud Environments - Semantic Web, Ontologies - Social networks and processes on the Semantic Web - Supporting multi-linguality in the Semantic Web - User Interfaces and interacting with Semantic Web data and Linked Data *Business and Innovation in Semantic Web - Business Model Innovation - Business Models and E-Commerce - Business Technology Intelligence - Challenges for change in semantic services - Collaborative improvement and innovation - E-Business Applications and Software - E-commerce Technology Adoption - E-commerce, E-Business Strategies - E-tailing and Multi-Channel selling - Evolution of Business model for Semantic Web Applications - High-tech marketing - Implementation strategies for responsible innovation - Innovation for E-Business - Innovative methods and tools for products and services - Practices and Cases in E-Commerce - Production of Knowledge Economy - Technology and Business Transformation - Technology strategies - The Latest Trends in Linked Data - Web Advertising and Web Publishing - Web and Mobile Applications Researchers are encouraged to submit their work electronically. All papers will be fully refereed by a minimum of two specialized referees. Before final acceptance, all referees comments must be considered. Important Dates ============== The Submission is open Notification of Acceptance: 6 weeks from the submission date Camera Ready Submission: September 14, 2015 Registration Deadline: September 14, 2015 Conference Dates: October 7-9, 2015

1 0

On the visualization of OONI bridge reachability data
by George Kadianakis 02 Nov '14

02 Nov '14

== What is bridge reachability data? == By bridge reachability data I'm referring to information about which Tor bridges are censored in different parts of the world. The OONI project has been developing a test that allows probes in censored countries to test which bridges are blocked and which are not. The test simply takes as input a list of bridges and tests whether they work. It's also able to test obfuscated bridges with various pluggable transports (PTs). == Why do we care about this bridgability data? == A few different parties care about the results of the bridge reachability test [0]. Some examples: Tor developers and censorship researchers can study the bridge reachability data to learn which PTs are currently useful around the world, by seeing which pluggable transports get blocked and where. We can also learn which bridge distribution mechanisms are busted and which are not. Bridge operators, the press, funders and curious people, can learn which countries conduct censorship and how advanced technology they use. They can also learn how long it takes jurisdictions to block public bridges. And in general, they can get a better understanding of how well Tor is doing in censorship circumvention around the world. Finally, censored users and world travelers can use the data to learn which PTs are safe to use in a given jurisdiction. == Visualizing bridge reachability data == So let's look at the data. Currently, OONI bridge reachability reports look like this: https://ooni.torproject.org/reports/0.1/CN/bridge_reachability-2014-07-02T0… and you can retrieve them from this directory listing: https://ooni.torproject.org/reports/0.1/ That's nice, but I doubt that many people will be able to access (let alone understand) those reports. Hence, we need some kind of visualization (and better dir listing) to conveniently display the data to human beings. However, a simple x-to-y graph will not suffice: our ploblem is multidimensional. There are many use cases for the data and bridges have various characteristics (obfuscation method, distribution method, etc.) hence there are more than one useful ways to visualize this dataset. To give you an idea, I will show you two mockups of visualizations that I would find useful. Please don't pay attention to the data itself, I just made some things up while on a train. Here is one that shows which PTs are blocked in which countries: https://people.torproject.org/~asn/bridget_vis/countries_pts.jpg The list would only include countries that are blocking at least a bridge. Green is "works", red is "blocked". Also, you can imagine the same visualization, but instead of PT names for columns it has distribution methods ("BridgeDB HTTP distributor", "BridgeDB mail distributor", "Private bridge", etc.). And here is another one that shows how fast jurisdictions block the default TBB bridges: https://people.torproject.org/~asn/bridget_vis/tbb_blocked_timeline.jpg These visualizations could be helpful, but they are not the only ones. What other use cases do you imagine using this dataset for? What graphs or visualizations would you like to see? [0]: Here are some use cases: Tor developers / Researcers: *** Which pluggable transports are blocked and where? *** Do they do DPI? Or did they just block the TBB hardcoded bridges? *** Which jurisdictions are most aggressive and what blocking technology do they use? *** Do they block based on IP or on (IP && PORT)? Users: *** Which pluggable transport should I use in my jurisdiction? Bridge operators / Press / Funders / Curious people: *** Which jurisdictions conduct Tor censorship? (block pluggable transports/distribution methods) *** How quickly do jurisdictions block bridges? *** How many users/traffic (and which locations) did the blocked bridges serve? **** Can be found out through extrainfo descriptors. *** How well are Tor bridges doing in censorship circumvention?

4 6

TOR Interference??!??!?
by Liste 30 Oct '14

30 Oct '14

Sometime, of many computers, of many hidden service, the TOR's connection are interrupted, very slow, and can't connect to hidden serivce or Internet site. When i change the TOR identity all works better. Sometime into the log file i can see a message like this: * Hidden service descriptor corrupted. * Invalid hidden service descriptor. Are some hidden services under attack? I try to create some hidden service to test... After 2 or 3 days the hidden service become unavailable. But if i change the TOR identity of hidden service (server), the hidden service become available. Why??? One time, in 1-2 July, i was see the corruption of SSL connection over TOR network (all connection). What's going on? What's wrong? Test system: * Debian 7 * TAILS 1.1 * Parrot OS * Windows 7 * Debian 7 (Another as server)

1 0

GetTor development status
by ilv 30 Oct '14

30 Oct '14

Hi people. We've been working very hard to get GetTor deployed as soon as possible. Meanwhile, I'd like to tell you what we've been up to. 1) Changed from logging quite a bit of stuff, to not logging at all. GetTor actually creates log files, but they remain empty. We'll see what we need to log on the way. 2) Changed from keeping stats about the requests (os, locale, etc) to just keep a counter to know how many requests we've received so far. The only exception is with some info necessary to avoid flood, namely: the hashed user, number of requests for that user and the last time that user made a request. All of this is stored in a SQLite database. 3) For now we'll only send Dropbox links. We now use long urls with the ?dl=1 prefix to automatically download the file, instead of the old short urls used (during the revamp). You can see an example of what urls should be sent on [1]. We hope to implement other providers in the future. We'll need an official Dropbox account for this, this is one of the things we're waiting to deploy. 4) You can check a template of the message that should be sent when sending the links on [2], under the "links_msg" msgid. The interpolated info is: operating system, locale, the links (see [1] for links format). We're working on making this as usable as possible, so any thought on this is very welcome! 5) I still have pending an script to synchronize with the latest version of TBB on dist.tp.o and upload that to Dropbox. Help here is very welcome too. I think that is for now. Any comment/feedback is welcome. If you have any crazy ideas about new ways to distribute the TBB with GetTor, please tell us. I have created two files in the Github repo: providers [3] and distribution_methods [4]. Make a pull request if you're feeling inspired :) [1] https://github.com/ileiva/gettor/blob/master/providers/dropbox.links [2] https://github.com/ileiva/gettor/blob/master/lang/smtp/i18n/en/LC_MESSAGES/… [3] https://github.com/ileiva/gettor/blob/master/providers.txt [4] https://github.com/ileiva/gettor/blob/master/distribution_methods.txt happy hacking, -- 0xA456E2CE540BFC0E

1 0

Newbie Devloper Questions
by pylis＠riseup.net 30 Oct '14

30 Oct '14

Hello, I am would like to begin working on a distributed application sitting on top of TOR and am wondering if there are any existing guides providing a good starting point for this type of development. If not, what other resources might be good starting points to become familiar with the foundation concepts? Thank you

2 1

A fun graph you can make at home
by David Fifield 29 Oct '14

29 Oct '14

This is a graph of the number of simultaneous relay users for every country, one country per row. It's roughly 30 cm wide and 3 m tall. https://people.torproject.org/~dcf/graphs/relays-all.pdf It's basically the same as https://metrics.torproject.org/users.html?graph=userstats-relay-country&sta… but for every country at once. I thought it might help reveal differences and similarities. It's made with the attached R script. Run it like so: Rscript relays-all.R You can see a few interesting features. Most conspicuous is the Sefnit botnet in late 2013 that affected almost every country. Also look at Russia (ru) around June 2014 and Iran (ir) in August, to pick out some recent censorship-related examples. To generate individual pages for printing and taping together, I used the pdfposter program: pdfposter -v -p 999x1letter relays-all.pdf relays-all-paginated.pdf David Fifield

1 1

MATor: A live-monitor for anonymity guarantees
by Esfandiar Mohammadi 28 Oct '14

28 Oct '14

Hi, tl;dr: we have a CCS paper coming up about a client-based live-monitor, called MATor [1], that assesses the influence of Tor's path selection to a user's anonymity. The paper is a first step towards a useful live-monitor that assesses a user's anonymity in a provable manner. We would appreciate your feedback on our approach and the direction in general. In detail, we implemented a live-monitor that computes upper bounds of the de-anonymization probability for sender, receiver, and relationship anonymity, based on Tor consensus data and the ports that the client needs. We formalized the guarantees that the live-monitor outputs in (an extension of) the AnoA framework [2] for circuit creation against passive attackers that do not control infrastructure (ASNs or IXPs). We use safe approximations in the live-monitor to be able to efficiently (a few seconds [3]) compute upper bounds for de-anonymization. At the moment the MATor monitor is a separate tool, but we are working on integrating it into the Tor client code. We envision an integration into Tor Browser Bundle. Since MATor is an ongoing project, we would appreciate your opinion about the approach in general. Best wishes, - Sebastian & Esfandiar [1] Michael Backes, Aniket Kate, Sebastian Meiser, Esfandiar Mohammad. (Nothing else) MATor(s): Monitoring the Anonymity of Tor's Path Selection. to appear in Proceedings of 21st ACM CCS, ACM, 2014. The MATor project page (containing the paper and the implementation): http://www.infsec.cs.uni-saarland.de/projects/anonymity-guarantees/mator.ht… [2] Michael Backes, Aniket Kate, Praveen Manoharan, Sebastian Meiser, and Esfandiar Mohammadi. AnoA: A Framework For Analyzing Anonymous Communication Protocols Unified Definitions and Analyses of Anonymity Properties. Proceedings of 26th IEEE CSF, pages 163-178, IEEE, 2013. The AnoA project page (containing the paper): http://www.infsec.cs.uni-saarland.de/~meiser/paper/anoa.html [3] The running time is as follows on a MacBook Air 2GHz Intel i7 with 4GB RAM: Preparation time: 3.39 seconds For sender anonymity: 0.73 seconds For recipient anonymity: 6.07 seconds For relationship anonymity: 9.10 seconds

1 0

Link protocol version
by Владимир Мартьянов 28 Oct '14

28 Oct '14

I'm trying to understand link protocol versions, but I have some problems. I requested descriptor from the root server and it contains line "protocols Link 1 2 Circuit 1". Then I connected to the node, sent VERSIONS cell and got a responce: "00 00 07 00 04 00 03 00 04". But according to that responce, the node supports link protocol v3 and v4, not v1 and v2. Could you please explain that moment?

2 4

Using Mozilla Persona for "Helping Internet services accept anonymous users"
by isis 28 Oct '14

28 Oct '14

[pre scriptum] This email particularly concerns the people on the Tor Browser team, and to those interested in progress on Roger's "A Call To Arms: Helping Internet services accept anonymous users" blog post. [0] Hello all, While setting up a Mozilla Persona Identity Provider (IdP) server for testing ways to provide a system for anonymous users to log in to websites, I discovered some serious problems [1] which, in my opinion, make Persona unusable for our case. One of these problems [2] essentially boils down to forcing us to choose between two options for real-world deployment, due to a lack of forward compatibility in the existing Mozilla Persona deployment: 1. We could deploy a version which is compatible with the legacy Persona implementation but which has privacy issues. We would need to accept that the so-called "anonymous" users of the Tor Project IdP would be sent from the website they are trying to log into (Wikipedia, for example) to https://login.persona.org, and that the latter would speak to the Tor Project IdP. There is not even remotely a chance for even pseudonymity, if we went this route, as the https://login.persona.org server could: * Log which websites a Tor user tries to log into, * Log when a Tor user tried to log into or out of any website, * Potentially link a user's pseudonyms (yes, even if we handed out blinded signatures in our credentials), * Arbitrarily decide to block all Tor users without the consent of either Wikipedia or the Tor Project IdP, * and probably a bunch of other horrible stuff. 2. We could make a version based on the so-called "native" Persona implementation within Firefox. This would result in fewer privacy issues, however it would be incompatible with all the rest of existing Persona infrastructure. Mozilla's "native" Persona implementation is already incompatible with the legacy version currently deployed on all Persona-enabled websites and IdPs today. If we decide to go this route, and create a version of Persona which does not redirect our users through third-party IdPs, we would need to try to force every website that wants to allow anonymous users to login to source custom Javascript that we make available, [3] which is specific to allowing logins from our IdP. In addition, sites which include this Javascript would no longer be compatible with the regular (non-Tor Browser) Firefox userbase and any existing Persona infrastructure (both Persona-enabled websites and other Persona IdPs). For a more verbose explanation, please see [4]. I think we can all agree that Option #1 is unacceptable. If we were to do Option #2, we would essentially be taking over maintenance of Persona from Mozilla *and* creating an entirely new, incompatible authentication system on top of the dilapidated remains. Before going that route we should pay attention to the fact that Mozilla pulled support for the project because of lack of adoption. If our goal was to save work by using Persona for this purpose, I estimate that we would be doing more work by using Persona than if we were to build something completely from scratch. [0]: https://blog.torproject.org/blog/call-arms-helping-internet-services-accept… [1]: https://trac.torproject.org/projects/tor/ticket/12193 [2]: https://trac.torproject.org/projects/tor/ticket/12193#comment:12 [3]: https://github.com/isislovecruft/browserid-certifier/blob/master/srv/login.… [4]: https://trac.torproject.org/projects/tor/ticket/12193#comment:13 -- ♥Ⓐ isis agora lovecruft _________________________________________________________ OpenPGP: 4096R/0A6A58A14B5946ABDE18E207A3ADB67A2CDB8B35 Current Keys: https://blog.patternsinthevoid.net/isis.txt

1 0