IRC Archive / Oftc / #tor / 2009 / December / 18 / 1
nsa
or: nickm@seul.org (Nick Mathewson) committed patch by Karsten Loesing <karsten.loesing@gmx.net> at Thu, 17 Dec 2009 17:41:23 -0500 (EST) to tor/master: Move ChangeLog entry to the right place.
or: nickm@seul.org (Nick Mathewson) committed patch by Karsten Loesing <karsten.loesing@gmx.net> at Thu, 17 Dec 2009 17:41:23 -0500 (EST) to tor/master: Remove v0 hidden service statistics code.
fossiiil
hi!
nsa
or: phobos committed revision 21248 (/projects/misc-sysadmin): added latest server, our new www-mirror
or: phobos committed revision 21249 (/projects/misc-sysadmin): updates to wwwmirror
smorg
Is it possible to configure tor to distribute bandwidth along multiple connections so that bandwidth isn't limited by the slowest link in the chain of nodes? Like network bonding, only with the virtual tunnels rather than physical links.
Daikoku
how can u know that the proxy servers are not logging your real ip?
keb
Daikoku every node after the first one does not know your real ip
smorg
Daikoku: you can't.
keb
hmm
smorg
Daikoku: Tor gets around the problem with onion routing. Conventional proxy servers have that weakness.
Daikoku: but the first node can still know your ip, they just can't know where your data is going to or what the content of the data is.
Daikoku
ok. and what if first node redirects my ip to second node and so on?
keb
if you got a bad entry node, there are no guarantees of anything
er, except what smorg just said above
smorg
Daikoku: Your end dictates the nodes that your data is going to. The nodes themselves each have the keys for unwrapping the "onion" successively. All of the nodes would have to be hostile for that to be a problem. Or at least, the second hop in the chain would have to be coordinating with the first to receive your ip.
Daikoku: You can also eliminate any possibility of that happening if you yourself run a tor server. That way they cannot know that the data is even originating from your end since you're also forwarding for other nodes
Daikoku
i see. so without a server of my own tor might be unsafe
keb
the tor on your own computer can be both client and relay
smorg
Daikoku: Possibly, but it is disputable how likely that is because all of the nodes your end decides to send the data through would have to be compromised by the same malicious entity (or separate entities who are collaborating)
Daikoku
i see. the possibility is very low you mean
smorg
Daikoku: There are some hypothetical attacks in which one person can redirect lots of traffic through nodes of their choosing. That was discovered a few years ago and they might have taken some steps to make it more difficult since then.
Daikoku: in practice, you should be fine. Tor is considered one of the best networks in terms of anonymity. Of course, we make no guarantees.
Daikoku: What's vastly more likely to blow your cover is something going wrong on your end rather than someone compromising the network. DNS leaks, java/flash attacks, browser insecurity, etc.
Daikoku
i see. therefore i am using the firefox browser of the bundle
keb
are you using torbutton
Daikoku
u see, that is very important, as i am sometimes in countries where internet is censored
yes, i do
keb
if you travel, be careful never to leave your laptop on and unattended. it may have spy devices put in
or software
smorg
I normally leave my home computer on and work through putty or nx (x11 forwarding thing)
then I do kde's lock screen :P
Daikoku
smorg: so complicated? :P
smorg
Daikoku: it's not that bad. freenx server is a bit tricky to use.
Daikoku
what do you think about the fact that Tor is also used by hackers and scammers?
smorg
Daikoku: That's a minor side-effect of having anonymity. Scamming is easy enough to prevent for the non-gullible. Smart hackers aren't going to be caught anyway.
You could do your hacking and scamming at a coffee-shop with wifi and get the same results.
Daikoku
ok. that's a good argument.
smorg
A more real problem is spam
Daikoku
yes. what about this?
{h4tuliku89}098765
of course spammers make it harder for people who just want to use email anonymously
Daikoku
Tor is easy to use for mail clients etc
smorg
most tor nodes block common email ports.
can't really use tor with email
{h4tuliku89}098765
webmail, i get blocked all the time
by the respective website
sahal
there is at least one remailer that has a tor hidden service
Panta Rhei Remailer
i guess it is offline now, nevermind
{h4tuliku89}098765
dang. thanks anyway
Goldstein
Question: How does one adjust privoxy settings if it doesn't appear to be filtering?
keb
with tor we don't use privoxy in filtering mode
Goldstein
I don't see anything in Vidalia for that
keb
*usually
Goldstein
i see
keb
normally you would go to http://config.privoxy.org but that is probably turned off
Goldstein
what if I want it to filter
indeed it says i'm not using it
keb
in the privoxy config file in /etc/privoxy there is a toggle to enable the browser based configuration
Goldstein
happen to know where that is on Moc?
Mac?
keb
maybe under your home/library directory
i don't have a Mac
dr|z3d
Goldstein: You can run it via Vidalia if you can locate it. sherlock will locate it for you.
Goldstein
i see vidalia.conf
dr|z3d
You're looking firstly for privoxy.
and then for vidalia.
privoxy or polipo.
Goldstein
oh, polipo then
dr|z3d
if you haven't installed from the bundle, perhaps that's a good idea (tm).. it should rig everything up for you.
Goldstein
i did
actually i usually prefer not to
keb
polipo doesn't have a browser based config, and doesn't do much filtering
dr|z3d
Did you reboot thereafter?
Goldstein
i believe so
i should be clear
dr|z3d
polipo should be running on 8118
Goldstein
tor is running for me
dr|z3d
Ok.
So web browsing isn't?
Goldstein
it is, just not being filtered
I've got something listening on localhost.privoxy
yeah, 8118
i just wanted privoxy filtering
keb
you mean ads ?
Goldstein
does torbutton change that around for you?
yes
keb
torbutton prevents headers and other info that might identify you or reduce your anonymity set from being sent
Goldstein
entirely?
keb
you can use adblock plus or requestpolicy add-ons in firefox to block ads
Goldstein
even if I want to use safari?
keb
well, torbutton doesn't prevent you from typing your info into a form and submitting, but it does stop harmful javascript and java and plugins
torbutton doesn't work in safari
Goldstein
right
i was being ironical
keb
hmm we don't have Safari instructions yet https://wiki.torproject.org/noreply/TheOnionRouter/TorifyHOWTO/WebBrowsers
dr|z3d
We don't recommend Tor with Safari, in the same way we don't recommend it for IE.
keb
but ie is on that page
Goldstein
well you're just mean then
keb
lol
hard-nosed
dr|z3d
If you're purely using Tor for circumvention and don't care about anonymity, feel free to not use Firefox/Torbutton.
keb
or use a one-hop proxy service, it will be faster
Goldstein
Well actually one thing I wish I could do is use tor on a router, which is now much easier than it used to be i've noticed
but I'm curious. suppose my router tunnelled all my stuff into tor or dropped it
that would mitigate some of the problems yes?
dr|z3d
http://decloak.net
keb
also tor doesnt handle udp
dr|z3d
Try that in Safari with Tor enabled and see how far you get.
And/or try in Firefox with Torbutton enabled/disabled.
That will give you some idea of the scope of the issues.
Goldstein
i'm aware of js telling peeps lots about your machine,
screensize, etc
i know tor doesn't handle udp. that presumably would be dropped by the router
what is the embedded document test?
to give you an idea, i don't have flash, java, quicktime, or itunes installed with my browser
keb
it downloads a word document and then your browser tries to open that and the document contains a url
Goldstein
so the only thing to exploit is JS
keb
so if your external document handler knows your ip it could transmit it
js and java
oh
Goldstein
i am unaware of a pure JS->ip exploit
they always involve java or something
yeah my current browser doesn't handle docs automagically
keb
don't need an exploit, it just has to know your ip address, and then it can send it to any server on the internet
Goldstein
i consider any such js to be an exploit
is there a site which claims to do such a thing purely in JS?
keb
js is a programming language that runs in your browser, it could do anything
hmm
tor for openwrt routers is available at version tor_0.2.0.31-1_mipsel.ipk
arma
yuck
Goldstein
2-8 on decloak.net are js calling plugins
keb
http://downloads.openwrt.org/kamikaze/8.09.1/brcm-2.4/packages/
Goldstein
arma: about that nick right?
keb: i was aware of something like that
arma
about 0.2.0.31
Goldstein
keb: thing is, the reason the plugin hacks work is because people haven't configured every plugin to use tor
sometimes it's even impossible to do so
so if they are allowed to connect to the internet directly, then yeah, they can get a real ip
but let's say your firewall only allows connections thru tor
i bet that would also break all that stuff
keb
if i can figure out how to compile packages for openwrt, i will update it. but first i have to update my openwrt from 7 to 8
nickm
Goldstein: browser-based anonymity exploits are a really big topic. You might want to start with the list of everything the Torbutton deals with, which is conveniently listed in https://www.torproject.org/torbutton/design/ .
So far as I recall, much of it would not be solved with a firewall.
Goldstein
but for example, sometimes I just don't config my dns at all. then you know stuff can't use that
hi nickm
u r my hero
nickm: I'm not necessarily saying just firewall.
How about not having any plugins installed with your browser
that defeats 2-8 on decloak.net
leaving dns empty defeats #1
please show me the pure JS exploit that leaks ip. i think there's some fud
nickm
Not my department, I'm afraid. Ask mikeperry. Or read the document I linked you to.
I am not wise on browsery matters.
Goldstein
will do
in other words, i think your app is better than people give it credit for
:D
keb
here is one that gets it from the remote server, which of course shows the exit node ip address http://javascript.internet.com/user-details/ip-address.html
looking...
Goldstein
nickm: I don't understand the inserting CSS exploit
"can cause the browser to perform network activity after Tor has been disabled"
is this scenario one in which the user uses tor, leaves an old window open, then disables tor
then the old window is doing AJAX like stuff with a now unprotected browser?
Daikoku
someone knows where to get free webspace?
Goldstein
i bet google does it somehow
how does that relate to tor
Daikoku
sorry you are right
Goldstein
nickm: Cuz yeah I understand that issue
nothing in that paper scares me
but it is very thorough
the only thing my firewall stuff wouldn't stop is the history and browser attribute attacks
i'm not saying that torbutton is useless, i just don't think you should jump down people's throats if they try to do things differently
and for example, if there were a firewall-ish way to do it, one benefit is, you don't have to config every machine on your net to get good anonymity. So it's worth thinking about
keb
https://wiki.torproject.org/noreply/TheOnionRouter/TransparentProxy
doh
nike
I need a way to connect to a server via SSH and run commands without having the server know my IP address ever.
Sebastian
torify ssh
nike
I think Tor can do that, but is it really safe to use torify ssh?
Sebastian
it should be, why wouldn't it?
murb
nike: presumably you already know the public key of the server?
as people have been known to try MitM attacks on tor exits.
smorg
ssh is encrypted end-to-end anyways. Tor would give you an anonymous connection but otherwise it doesn't matter. ssh over tor is really laggy btw.
What would be more useful would be to run openssh over a hidden service. Otherwise they can find the machine you're connecting to.
I wonder if you can do ssh without encryption
murb
smorg: yes, but if you don't know the public key of the machine you're connecting to it is trivial for a bad person to MitM it.
smorg
would be handy for scp/sftp over a lan.
murb
smorg: it used to be possible.
smorg: -> #nottor
smorg
btw, anyone know: [20:08] <smorg> Is it possible to configure tor to distribute bandwidth along multiple connections so that bandwidth isn't limited by the slowest link in the chain of nodes? Like network bonding, only with the virtual tunnels rather than physical links.
Sebastian
no
smorg
Might as well not even bother donating bandwidth if you have less than really fast cable, since it isn't exactly adding to the capacity of tor if your up speed is less than that of the down speed of a single user. You could even see it as degrading network performance
Sebastian
Tor's primary goal is to provide good anonymity, not highest possible throughput.
smorg
true
Sebastian
providing 20kB/s (minimum to be a relay, btw) per user sounds pretty good
of course, it doesn't compare to cable speeds
but we have 1.5k relays, and 300k users
smorg
It's just that assuming all of the fast nodes aren't maxed out all the time, adding a relay that's slower than the average relay speed increases the likelihood that someone stumbles upon a non-optimum path.
Sebastian
that would be true if Tor didn't employ load balancing techniques to pick faster relays more often
smorg
That doesn't completely solve the problem since it doesn't take into account the current load on relays. For each concurrent user on a 20kb relay it becomes unusable very fast, though the odds of hitting it are lower. If it were like 1mb/s it would be faster than most people so additional users wouldn't cause any problem up to the maximum, and even then the bottleneck would be some other slower node for each individual. I suppose deciding nodes based upon current bw usage rather than max bw available would make node selection predictable though.