IRC Archive / Oftc / #tor / 2009 / November / 28 / 1
Sebastian
AstralStorm: the guard flag is assigned by the authorities, if that is what you mean
Rss
i'm trying to use tor with ftp
I set it manually in firefox
and when I try and use it, it whines about not being a http proxy
am trying a ftp://user:pass@ftp
so it's not http anyway
the ftp supports passive mode
also you guys really should implement HTTPS support in tor
takes like two lines of code
just need to support the CONNECT method, is easier than socks4 and 5
dr|z3d
Rss: You need to specify a socks proxy, not http.
Rss
i did
127.0.0.1:9050
btw
your guys socks5 code is bugged
in tor
keb
Rss what do you mean
dr|z3d
keb: I think he means he hasn't had time to fully appraise himself with the fm. :)
s/with/of
Furthermore, he would appear not to be using Torbutton. So, lots of reading ahead :)
Rss
uhh privoxy is a http proxy and doesn't support ftp. While you were busy flooding the channel with your dis/reconnects I stated that
<Rss> uhh privoxy is a http proxy and doesn't support ftp. While you were busy flooding the channel with your dis/reconnects I stated taht
I also stated I manually set firefox to point to tor for ftp and socks only
and it still whines about http
I got this to work via regular ftp client though
keb
if you point firefox 3.5.5 at the socks5 proxy only, it works
Rss
for ftp?
ftp supports passive btw
keb
of course, passive only. because active requires a return port
Rss
well I just tested it, and it didn't
not the active thing, I know that, the passive ftp server and the scenario I just said above
keb
hmm lemme see
Rss
it's fine though regular ftp client fixed it
keb
yeah browsers are not good ftp clients
nsa
or: hanru committed revision 21033 (/website/trunk): Several updates from yfdyh000
Rss
is ftp safe with tor?
The XeroBank network routes traffic through at least two multi-jurisdictional hops. In contrast to Tor, the XeroBank network is immune to 3rd-party traffic injection, supports both TCP and UDP protocols, and performs channel multiplexing for low observability
keb
can you prove that XeroBank network isnt pwned by a spy agency
Rss
can you prove tor isn't?
tor's 50% gov funded
and more popular
keb
i dont trust anyone who does things for profit
Rss
I was just curious how they stopped traffic injection
and how come tor doesn't support udp
phobos
xb uses ssh tunnels, not tor
Rss
how come no udp?
phobos
lots of reasons
dr|z3d
Not least of which is that it hasn't yet been implemented. Non-trivial. Etc.
phobos
tls over tcp is well tested
tls over udp is unique and no one does it
Rss
well a lot of protocols and applications use udp, it helps speed things up, the only threat is provides is possible packet loss
which can be addressed
so saying tls isn't tested over udp, tls itself being a new version of ssl is silly
keb
whats silly about a fact
Rss
who cares it hasn't been tested? udp isn't new
phobos
you're missing the point
read the spec, it states why tcp was chosen
Rss
i'm not saying remove tcp support
i'm saying add udp
phobos
we're working on it
it's not trivial
and your comment above about 50% govt funded is irrelevant as to who funds tor
everything we do is public and transparent
don't trust tor the non-profit
Rss
<keb> can you prove that XeroBank network isnt pwned by a spy agency
phobos
read the code, read the specs, read the research
Rss
was a response to that
keb
http://archives.seul.org/or/talk/Mar-2007/msg00069.html
phobos
https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#TransportIPnotTCP
Rss
i've read this stuff
phobos
well, that's why we don't do udp yet
Rss
most tor exit nodes are in germany, germany is infamous for strict cyber laws and monitoring
does that fit to you?
doesn't to me
phobos
germany is full of people who distrust their govt
and full of people who run tor nodes to add noise to the data stream
Rss
yes but if their government is spying at the isp level, how does them basically powering tor by themselves
phobos
germany also has a strict set of privacy laws
so does the US, China, Russia, Sweden, Finland
keb
er the US China and Russia are not known for obeying their own laws
phobos
if you feel better using xb, use xb
WiresAP
Hi - I just installed Tor and am trying it out - I have a quick question, however, about my configuration.
I'm running Tor on Mac OS X through Vidalia and TorButton in FireFox, both default installations. I'm also using Skype alongside FF. I wish to only encrypt my Firefox connection, and not my Skype connection. Given no further setup, is this what is happening?
phobos
yes
WiresAP
sweet
phobos
torbutton in ff will point ff at tor
you have to specifically configure your other apps to use tor
WiresAP
brilliant
phobos
if you haven't done this extra config step, then you're all set
WiresAP
thank you very much
phobos
if you configure the osx system proxy to use tor, some apps may use it, some may not
it's up to the app
and how it was developed
WiresAP
that's mildly frustrating, I would imagine
phobos
welcome to os x
;)
WiresAP
hey now, I like my system!
Rss
I like windows
WiresAP
I tried running Ubuntu, but the lack of Skype was a deal-breaker
*nix for the win!
thanks very much phobos!
g'night everyone
phobos
skype exists for ubuntu's, but whatever
use what you know
Rss
google voice gonna make skype obsolete
they tend to do that, get into big markets, then release similar completely free
should be illegal
:(
phobos
it's called competition, but this is #not-tor
Rss
I rather like the word compensation myself
keb
thats capitalism ;) skype is driving phone companies out of business too. #nottor etc
whereis #not-tor
scream
I just read the buffer...
What is this xb?
keb
https://xerobank.com/
it isnt tor so it is #nottor
scream
sure... I was just curious
keb, see #nottor wherein I comment on the xb privacy policy I just scanned.
keb
thanks for the literate referral
scream
Thus far my "call for volunteers" has not elicited anything. I'm going to write a quick and dirty tutorial.
phobos
why do we want ssl mirrors with fake certs?
or, i can respond on list
either way
keb
why not certify the mirrors yourself
*the mirror certificates
that way people only need to store the tor CA
phobos
how would we certify them?
and storing the tor ca is probably beyond most users
and then we're a man-in-the-browser waiting for attack
or, cacert ;)
keb
true, a new vector
emanon
old one, but why?
scream
The function of a fake cert, is of no real consequence here...
keb
well who else should say a mirror is good except the original site
phobos
but it will possibly freak out users with the typical scary cert warning
scream
We only want to guarantee encryption between the mirror and the enduser, yes? The validity of the identity of that cert, matters not, no?
phobos
vs, they should verify the cert
err, verify the gpg sig for the packages
keb
yeah
nickm
scream: If you are using a self-signed unauthenticated cert, you are not guaranteeing encryption between the mirror and the user; you are only guaranteeing encryption between _something that you hope is the mirror_ and the user. ;)
scream
My tutorial aims to address... http://archives.seul.org/tor/mirrors/Nov-2009/msg00001.html
nickm, correct. :) the packages are signed
I'll of course defer to you and phobos on the necessity of a tutorial however.
phobos
believe me, i'm the first to say the current ssl world is a crock of snakeoil vendors
emanon
so the bottom line is..use source don't trust packages from mirrors
scream
I did not desire to encourage mirror operators to /have/ to publicly identify.
phobos
verify signatures of the packages
nickm
Hm. Do PGP signatures authenticate the filename, or only the contents?
phobos
contents
scream
mirrors *are* trusted, if the signatures verify the contents.
keb
but there could be extra files on the mirrors and extra pgp public keys ;)
nickm
So what happens if somebody grabs the package and signature for an insecure version, and renames them with the filenames of a secure version. Somebody can download them and they'll verify as correct.
I hope they check the actual version of the thing as they're building or running it. :)
scream
I have not checked... I thought the content checksum was part of the signature.
nickm
the content, yes.
scream
With regards to "So what happens if somebody grabs the package and signature for an insecure version"...
phobos
gpg --verify tor-0.2.1.20.tar.gz.haha.asc
gpg: Signature made Sat 24 Oct 2009 05:26:30 PM EDT using DSA key ID 28988BF5
gpg: Good signature from "Roger Dingledine <arma@mit.edu>"
scream
A developer would not sign an insecure version?
phobos
rename the file and voila, it still validates the package
nickm
scream: Tor 0.0.0.5 is insecure, and I believe we signed it.
scream
Oh... you mean insecure as in... bugs.
got it
There is a flaw there, yes.
phobos
and then renames tor-0.0.0.5 as tor 0.2.1.20
nickm
You'd know it as soon as you checked the version on the first log line, of course.
But a user might not.
pflag_
and then you're top of the clowns ;)
nickm
This is something Thandy is supposed to solve, and solves pretty nicely.
scream
I don't think I'm connecting this to the fake certificate question.
Or rather, I don't think I have your intent on the tutorial.
nickm
mine? I dunno ; I don't see self-signed certs as very helpful except in cases where an adversary is doing content-based blocking , but in that case they are a pretty good idea.
pflag_
it's *OLD*
but still working
nsa
or: hanru committed revision 21034 (/website/trunk): Updated zh-cn translation.
phobos
but if they're doing domain name or IP blocking, ssl won't help
keb
i thought stuff that depended on v1 directory wont work anymore
scream
So the preferred encouragement is to use a recognized certificate issuing authority.
I don't know if our mirror volunteers will shell the $$$.
tbh
Because the mirror IP is known, encrypting traffic from the mirror won't help.
An adversary will be able to guess *what is going on*.
phobos
hanru: thank you for the updates
scream
There may be a false sense of security implied in that.
phobos
right
and now we're back where we started
pflag_
there can be no sense of security, only lack of insecurity
AstralStorm
nickm: even in the case of content-based blocking these are useful
scream
Do we have reports of content based blocking vis-a-vis our packages/mirrors?
AstralStorm
as long as you can verify the cert fingerprint e.g. by checking with another source or independent one
none I've heard about
scream
Something that a self signed cert may protect against...
If /downloading/ circumvention software is illegal in a jurisdiction.
AstralStorm
circumvention? circumvention of what ;p
phobos
i guess if the mirrors page published the ssl fingerprints
AstralStorm
phobos: that will make it harder, yes
but not impossible
phobos
but that's not going to help someone googling for "tor mirrors"
because torproject is blocked in the first place