- tor-mirrors - lists.torproject.org

Mirror in the DNS?
by Taylor Hornby 31 Mar '14

31 Mar '14

Hi, I wrote this little tool for implementing a "filesystem" in the DNS: https://github.com/defuse/dnsfs I'm sure this has been done before, but I couldn't find anything exactly like it, and it works surprisingly well. Currently you can download the Tor source code from my DNS server like this (note, this is only temporary, I may remove it in the future): for i in `seq 15394`; do host -t TXT f2p$i.dnsfs.defuse.ca | \ cut -d '"' -f 2|base64 --decode; done > /tmp/tor-0.2.4.21.tar.gz Or, if you want to try it but don't want to make *15,394* DNS requests (please respect your ISP's DNS server, the responses will be cached), here's a smaller demo that downloads and displays a text file: for i in `seq 21`; do host -t TXT f1p$i.dnsfs.defuse.ca | \ cut -d '"' -f 2|base64 --decode; done|less I wrote it just for fun, but I realized it might actually be useful for getting Tor and other things to people in censored areas like Turkey. So, my question is: Is this useful at all? Should I keep making Tor available this way? Thanks, -- Taylor Hornby

1 0

Tor Mirror Security
by Taylor Hornby 28 Mar '14

28 Mar '14

Hi, I just set up an experimental Tor mirror here: https://defuse.ca/tor-mirror/ (Please don't include it in any mirror lists yet.) I'm a little worried about security, though. The 'Configuring a Mirror' page [1] has me cloning the Tor website via rsync, which isn't a secure protocol. There are two specific risks here: 1. To the user of the mirror: A network attacker between my server and Tor could have replaced the Tor binaries with a malicious copy. 2. To the host of the mirror: A network attacker, or an evil sysadmin at Tor, could insert PHP scripts (or other things that Apache will execute) into my system, then execute by making a web request. I worked around (2) by adding "php_flag engine off" to the Directory entry in my Apache configuration, but I'm not certain that's good enough. Can the .htaccess in the Tor mirror override it? Are there other things that Apache will execute that I'm not aware of? To solve (1), how about letting users submit an SSH public key so they can rsync over SSH, or just have an account with a stupid password like "tormirror", then publish the SSH fingerprint on torproject.org? A Git repository with signed tags could be another solution. [1] https://www.torproject.org/docs/running-a-mirror.html.en Thanks, -- Taylor Hornby

2 2

ADD mirror tor-mirror-ssl.nicecon.org
by Darren Meyer 27 Mar '14

27 Mar '14

Rsynced every 4 hours, should be HTTPS-only (HTTP redirects to HTTPS): https://tor-mirror-ssl.nicecon.org Intend to keep it available for as long as Tor is blocked in Turkey (or until Turkey blocks that site as well)

1 0

Hello - new mirror
by berkay＠kslt.tk 25 Mar '14

25 Mar '14

Hello. I've opened a new mirror in Turkey, address is http://tor.kslt.tk/. If there's anything broken, please let me know. Thanks, Berkay

3 3

New Torproject Mirror
by info＠xn--externenprfung-nichtschler-7zcn.de 23 Mar '14

23 Mar '14

Hello everybody I'd like to introduce myself: My name's André Schulz and i'm currently hosting a mirror of the Tor website at http://tor.xn--externenprfung-nichtschler-7zcn.de/ and the dist is located at http://tor.xn--externenprfung-nichtschler-7zcn.de/dist/ ------------------------------------------------------------------------------ Via the .htaccess-file I activated Directory Indexing so the dist directory can be seen in public. I didn't buy an SSL-Certificate yet, so i'm only hosting in http - not https. Further information and mirror details: | Country | Organisation | Status | ftp | http dist/ | http website | https dist/ | https website | rsync dist/ | rsync website | | DE | Externenprüfung Nichtschüler | Up to date | - | http [http://tor.xn--externenprfung-nichtschler-7zcn.de/dist/] | http [http://tor.xn--externenprfung-nichtschler-7zcn.de/] | - | - | - | - | To specify the "up do date": I let a cronjob execute an .sh-script every 4 hours so my mirror is synchronized with your primary server every 4 hours ^^ Greetings, André Schulz

2 1

New Tor Mirror
by tailsgnulinux＠gmail.com 05 Mar '14

05 Mar '14

Hello, I have set up a new Tor mirror. It is located in the United States. The url is http://tor.mirrors.tailsgnulinux.org/. Timothy Anderson

4 3

New Tor Mirror, please check
by MacLemon 04 Mar '14

04 Mar '14

Hello! I've set up a new Website Mirror following the instructions from https://www.torproject.org/docs/running-a-mirror.html.en at https://tor-anonymizer.maclemon.at/ Updates are done automatically every 6h via rsync as recommended. Is there anything else I should check, double check, do before submitting it to the official list of mirror servers? Best regards MacLemon

2 1

Re: [tor-mirrors] [Tails-dev] New Tor Mirror
by tailsgnulinux＠gmail.com 02 Mar '14

02 Mar '14

I have added the warning to the top of http://www.tailsgnulinux.org/ as requested. Timothy Anderson From: intrigeri Sent: ‎Wednesday‎, ‎February‎ ‎26‎, ‎2014 ‎8‎:‎47‎ ‎AM To: tailsgnulinux(a)gmail.com Cc: tails-dev(a)boum.org Hi, Lunar wrote (26 Feb 2014 11:13:28 GMT) : > tailsgnulinux(a)gmail.com: >> I have set up a new Tor mirror. It is located in the United States. >> The url is http://tor.mirrors.tailsgnulinux.org/. > Sorry but to the best of my knowledge, the canonical URL for Tails is > <https://tails.boum.org/>. I am quite opposed to adding mirrors with > misleading domain names to the pool of Tor Project's mirrors. I'm afraid people who are looking for Tails might mistakenly believe that tailsgnulinux.org is the real thing. Could you please add a visible warning on this website, that points users to our website? Cheers, -- intrigeri | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc

1 0

ADD toric.allthatnet.com
by Tora Tora Tora 13 Feb '14

13 Feb '14

2 3

Re: [tor-mirrors] RTFM for how the mirror rotates
by Matt 11 Feb '14

11 Feb '14

On Mon, 10 Feb 2014 22:29:04 -0600 John Ricketts <john(a)quintex.com> wrote: > All, > > I see very little traffic on my mirror. is this common? > > John > QuintexSJT > _______________________________________________ > tor-mirrors mailing list > tor-mirrors(a)lists.torproject.org > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-mirrors Which mirror are we talking about? On the Tor help desk, I often distribute mirror links to individuals who cannot access the tpo home page. I find that I usually only send links from mirror sites that use HTTPS with CA signed SSL certificiate. I find that if I send an email response linking to a mirror page that requires visitors to click through a warning, I often have to send an additional email later, expaining to the user that the site is not compromised, although all other times they see this warning in their browser, they should listen. I'm not sure if this applies to your mirror or not, but I do find that the mirrors I send individuals to the most are those with user-friendly HTTPS.

1 0