IRC Archive / Oftc / #tor / 2009 / November / 15 / 1
nsa
or: mikeperry@seul.org committed patch by Mike Perry <mikeperry-git@fscked.org> at Sat, 14 Nov 2009 17:31:40 -0500 (EST) to torbutton/master: Fix a bug causing us to load torbutton.js twice.
StrangeCharm__
what's the correct 'distro' to use with karmic. is it sid?
Sebastian
we have karmic packages now
mib_gfcrzn
hi. i was reading about dns leaks when using tor and that using privoxy will stop this. is this correct? also will using polipo work the same way as using privoxy to stop the dns leaks?
StrangeCharm__
ooh, yay!
mib_gfcrzn
...and is using polipo recommended over using privoxy. someone here told me polipo was replacing privoxy but i don't notice anyone else mention it too much
mib_ddwe7v
hi. sorry i got disconnected. did i miss anything?
i was asking about dns leaks
and using polipo/privoxy
and if polipo > privoxy
mib_6hhbqx
hi. back again. i was asking about polipo/privoxy/'dns leaks'
i keep getting disconnected
if anyone responded, could someone paste the reply? thx
Sebastian
yes, polipo is the current choice of proxy. And yes, it will not leak dns
         

mikeperry
who here is awake and is interested in testing a google captcha reducing and ff3.5 supporting version of torbutton?
StrangeCharm
sure
the google captchas have always frustrated me
mikeperry
https://blog.torproject.org/files/torbutton-1.2.3-pre1.xpi
it has three about:config options for google captchas
if you filter about:config for 'google_cookies' you will see them
extensions.torbutton.regen_google_cookies will cause you to hit www.google.ca in the background every time you clear your cookies with tor enabled, so you have a fresh google cookie and hopefully are less likely to get 403's from google when using the firefox search box
extensions.torbutton.reset_google_cookies will copy a global set of cookies that have already solved google's captchas into your cookie set every time you clear your cookies in tor mode
the idea for that is that all tor users would share this one set of cookies
both of these two are off by default
StrangeCharm
won't google just ban those cookies?
mikeperry
they should be considered exclusive: don't turn them both on at the same time
yes
that is the concern
we don't know :/
they probably won't ban them unless spammers pick them up and start crawling with them
which might be inevitable
Sebastian
what does extensions.torbutton.xfer_google_cookies do?
StrangeCharm
it strikes me as inevitable
Sebastian
it sounds scary.
mikeperry
extensions.torbutton.xfer_google_cookies will cause torbutton to transfer cookies between all google country code domains
StrangeCharm
whatnow?
mikeperry
so pick whichever one you think sounds best of those two and enable it
Sebastian
(Action) turns on extensions.torbutton.reset_google_cookies
mikeperry
right now I'm not sure either one is a great idea
so they are off by default
Sebastian
and I have a captcha-free russian google
mikeperry
and will probably be off by default in the release unless someone gives me some really good feedback that it saves them a lot of captchas
StrangeCharm
also, might it not make more sense to have extensions.torbutton.google_cookies as a string, with rgen, reset and xfer as valid arguments?
mikeperry
possibly.. xfer is independent of regen and reset though
but maybe regen and reset should just be one pref
Sebastian
hrm. I usually don't use google with Tor, so I never have captchas...
mikeperry
but that's hard to explain to people what to put in there
Sebastian
So far, none of the exits I tested gave me a captcha.
         

mikeperry
the other thing (and probably most important thing) is for people to watch the behavior of xfer_google_cookies and make sure it is copying your cookies between the country code domains properly and also not ruining your gmail, google groups or google docs accounts
Sebastian
I cleared cookies in between tests
mikeperry
yeah, the reset option probably will work really well
StrangeCharm
the thing about captchas is that they take tor a long time, it's an extra page, and you have to wait for the picture
mikeperry
until google decides to 100% ban it
which will be a sad time, because then it probably won't work at all until we put out a torbutton update
StrangeCharm
you could have torbutton constantly get new cookies
mikeperry
I'm guessing regen will work less well, but may prevent you from getting a 403 with no captcha
StrangeCharm
but anyway, i don't think that this is the way to go
mikeperry
StrangeCharm: that is what the regen option does
StrangeCharm
sorry, not what i mean. i was thinking of reset getting captcha-solved cookies. you're essentially arms-racing with google, and they can automatically ban cookies faster than we can make new ones known
mikeperry
yeah, we could create some kind of simple web server that gives you fresh captcha-solved google cookies
StrangeCharm
but then anyone could bypass google's captchas, and - more importantly - google could ban those cookies automatically
Sebastian
or ban tor
mikeperry
yah
Sebastian
also, someone has to solve all those captchas
mikeperry
give out free porn in exchange for solved google captchas? : )
Sebastian
learn from the makers of bittorrent ;P
StrangeCharm
google doesn't want to ban tor. google wants to ban robots.
Sebastian
I would like to not piss them off, though
StrangeCharm
i just don't think that this is a nicely-solvable problem
users can't really repeatedly identify themself to google. we can't give users an 'anonymous' identifier.
mikeperry
yeah. the xfer cookies option should help though
someone_
hi.
anyone up?
Sebastian
maybe
someone_
Sebastian: you know anything about dns leaks using tor?
Sebastian
well, if you ask a question someone might answer it
someone_
i was trying to find out if polipo did the same thing as privoxy to stop the dns leaks using tor
StrangeCharm
someone_, what are the dns leaks in question?
Sebastian
both don't do anything special
they just have a sane socks implementation, that's all
StrangeCharm
a legal socks implementation, rather?
sahal
well not all socks versions do dns requests through the proxy
someone_
https://wiki.torproject.org/noreply/TheOnionRouter/Preventing_Tor_DNS_Leaks
sahal
only socks4a and above do
StrangeCharm
no, but if you're using socks4a and above *and* leaking dns, then you haven't implemented socks right
someone_
it's from the wiki
sahal
oh yes, that's true
someone_
how would i know if i'm leaking dns or not?
sahal
use a packet sniffer
someone_
and check for what?
StrangeCharm
block the dns port, and see if it breaks
sahal
or set your computer's dns servers to something broken
StrangeCharm
someone_, are you using the browser bundle?
someone_
no
StrangeCharm
what browser are you using?
sahal
you can also try to connect to hidden services
Sebastian
StrangeCharm: that's not true
someone_
firefox
sahal
if they work, your app is sending dns requests through the proxy
StrangeCharm
Sebastian, wait, you can validly leak dns with socks4a?
someone_
ok. where do i find a hidden service?
Sebastian
no. But with socks6
sahal
StrangeCharm: not validly
Sebastian
5
someone_
6 o_O
sahal
wait, you can have a valid socks 5 implementation without sending requests through the proxy?
MrNaz_cic
help register
StrangeCharm
socks5 allows dns leaks?
MrNaz_cic
grr
Sebastian
sahal: yup
sahal
i didn't know that
StrangeCharm
O_O nor i
Sebastian
StrangeCharm: it depends on the implementation.
someone_
i'm using foxyproxy pointed to polipo which is pointed to tor
StrangeCharm
Sebastian, it isn't specified in the standard?
Sebastian
StrangeCharm: that's why I used the word sane
StrangeCharm
someone_, foxyproxy is not a good plan. use torbutton with an appropriate (older) version of firefox
Sebastian, sounds like someone wrote the standard wrong. is that option intentional?
someone_
StrangeCharm: why is foxyproxy bad? and why downgrade firefox? just for compatibility with torbutton?
sahal
downgrading firefox will leave it vulnerable, no?
StrangeCharm
foxyproxy doesn't do everything needed for tor to be effective
someone_
StrangeCharm: what is it missing? please elaborate
are you referring to scrubbing info the way torbutton does?
StrangeCharm
someone_, torbutton is developed for tor, and deals with attacks as they are developed. foxyproxy is not. it is vulnerable to a variety of anonymity-breaking attacks
Sebastian
StrangeCharm: field 4: address type, 1 byte:
0x01 = IPv4 address
0x03 = Domain name
0x04 = IPv6 address
someone_
...attacks?!
Sebastian
Looks like this is intentional.
someone_
who's attacking tor?
StrangeCharm
Sebastian, well, that doesn't mean that socks allows dns leaks. it just means that it can deal with addresses outside the dns. the client application still isn't meant to do outside lookups
someone_, in general, trudy, or mallory
someone_
the 80's are kinda a blur. sry
StrangeCharm
?
someone_
wait. what are you talking about?
Sebastian
StrangeCharm: The RFC doesn't talk about whether the client is meant to do outside lookups or not
an implementation doing its own lookups doesn't violate it
(as far as I understand the rfc)
I'd be glad if you could prove me wrong
StrangeCharm
i would suggest that it's a loophole: technically passes the standard, but if you bring out an application that does outside lookups, and show it to a reasonable person, they'll hand it back to you and say 'no, that's not really doing socks5 now, is it'. like, if an application sent a random 50% of its connections through the proxy, and the other half directly, it wouldn't violate the standard, but it also certainly wouldn't be doing socks5 right
Sebastian
well, many applications do or did it wrong
It is crucial to realize that socks 5 is not automatically safe.
StrangeCharm
ubuntu did keygeneration wrong for a good while. doesn't make it right
Sebastian
I'm not trying to argue that it's ok to use such applications with Tor
StrangeCharm
i parry with 'it is crucial to have socks5 done right at the application level'
Sebastian
To be sure, you have to look yourself. That is _all_ I'm trying to say.
sahal
Sebastian: what's the easiest way for a non-technical person to do so?
in your opinion
Sebastian
get someone they trust to do it for them
sahal
lol
Sebastian
I'm serious
or, if we're talking about an application that allows you to enter some kind of URL, use one of the URLs that are Tor-recognized
and see if Tor acts upon them
or if the app gives an error
StrangeCharm
unless it's malicious, in which case it might recognise those urls and look them up through the proxy.
Sebastian
of course, this doesn't catch the case where the application passes the domain on to the proxy, but still does its own dns resolve
StrangeCharm: true, additional thing to worry about
sahal
you could use a .onion url
something that's always up
StrangeCharm
though, if it's malicious, that's probably one of the least malicious things it might do
Sebastian
sahal: it actually doesn't even matter whether the hidden service is up or not
StrangeCharm
sahal, yes one of those mythical "hidden services that's always up". actually you'll get different errors if the service is down, or if the application does the lookup wrong
sahal
yeah
but a user will think, oh, an error. tor must be broken. i'm not going to use it!
Sebastian
if you're not talking about a webserver but let's say, your aim client, you won't be able to find a hidden service that provides what you need anyways
sahal
well, if your aim client supports more open protocols, you might be able to test it through one of those
like pidgin
you could try to connect to a hidden irc service
Sebastian
of course, but what tells you that aim isn't broken just because irc works?
as I said, get someone competent to do it for you.
sahal
yeah
StrangeCharm
it gets even worse with really complex programs. say you wanted to test a torrent client. there are all sorts of things that it could do right or wrong, getting a variety of errors.
sahal
yeah
i never even thought of that
StrangeCharm
how would you even test that it's doing dht over tor (for instance) that's something for which you can't really specify an address
sahal
is it possible on windows to route all your internet traffic through a socks proxy?
StrangeCharm
sahal, there was a post on or-talk about someone who managed to get a vpn over tor, you could start from there
Sebastian
sahal: yeah, see torvm
StrangeCharm
the other option is to own a server which you can vpn into, and which will send all the vpn traffic to tor
followed by the popular (and diametrically opposed) options of 'going totally insane in paranoia and living in a cave' and 'caring about your anonymity a little less than really prudent'
someone_
did you guys get anywhere on that leakage problem?
StrangeCharm
we never had a leakage problem. we were arguing an esoteric point
someone_
...well could dns lookups being done outside of tor compromise anonymity?
Sebastian
it will, definitely
someone_
and i was asking if using privoxy had any effect on this
StrangeCharm
compared to what?
sahal
privoxy doesn't leak dns requests
but you can only route http traffic through privoxy
someone_
the wiki and the message that tor generates say that using privoxy or socat can help with this situation
sahal: not true
i'm routing irc through 8118 right now
sahal
lol, it's not optimal
privoxy is really a web filtering proxy
i guess if your irc client supports http proxies you could set it to use privoxy
someone_
but it stops the problem of any dns leaks
sahal
but i don't think you should
socat is better in this situation
but you have to set it up for every connection