logs archiveIRC Archive / Oftc / #tor / 2010 / March / 7 / 1
phobos
and then someone runs po2wml
and then commit to svn
and then i can hush and push
Sebastian
ugh
heh
I never knew it was *that* bad
nsa
or: [wiki] JensKubieziel updated TheOnionRouter/GoodBadISPs - http://wiki.torproject.org/noreply/TheOnionRouter/GoodBadISPs
qbitor
Some pages in the wiki direct to tpo/faq, which is empty. Is this intended?
outofwords
for get_next_token branch. http://paste.debian.net/62844/ with branch tor have fastest parser in the world.
Sebastian
qbitor: I don't know why the empty page keeps getting recreated. Runa: plz to fix?
Sebastian_
outofwords: is that the same patch you pasted earlier?
outofwords
with modified get_token_arguments() only space is allowed. still the spec should disable spec as argumentchar.
space
Sebastian_
yup
         

outofwords
ah "No keyword and garbage in the middle of a line" a little wrong. garbage can be at start.
qbitor
Sebastian_: thx
atagar
Sebastian_: replied on or-dev, thoughts appreciated
Sebastian_: gonna head off (house is having power problems so no persistent irc connection for the next week so guess feedback will need to be through email)
subbie3
does anyone one know if a dodgy Tor exit node could land you in the sh*t
mikeperry
heh
yes, it can
you want to make sure you are runing the latest firefox version, and following everything in: https://www.torproject.org/download.html.en#Warning
you also want to avoid using http for email and other important traffic
yahoo mail and hotmail/msn are bad
kmacy_
gmail isn't?
mikeperry
in general, you should treat your Tor usage as if you were using a very public open wireless network, like at an airport or library
kmacy_: privacy concerns aside, gmail is perhaps the most secure webmail provider available
Manny
why are they any better than yahoo?
and if they are so secure, why did they get own3d
mikeperry
yahoo accounts are compromised *constantly*. I routinely get fake emails from my friends who use yahoo. yahoo just isn't as public about it, because it happens so damn often
not fake emails, but legit emails sent from their hacked accounts trying to spread worms, etc
yahoo does not allow you to use ssl past login
which makes it especially bad for tor
Manny
ah
mikeperry
fyi, other decent providers include fastmail.fm, riseup.net, lavabit.com, and safe-mail.net
and also, the compromise against google was a different beast. an untold other number of US companies were compromised as well in that hit. it was a targeted attack against some of their employees by a very sophisticated adversary who used non-public exploits against various client-side software. in other words, this is a risk profile you face when using any service. it wasn't a property of gmail itself that allowed those accounts to get owned
Manny
what client-side software was own3d?
mikeperry
I believe it was acroread and/or flash
thank god for adobe. what would we do without them
most secure software ever..
I think IE8 was also a suspected vector
this sort of attack is one of the reasons you should not use plugins with tor, and should use end-to-end encryption for sensitive emails by using something like FireGPG (so you do not have to trust the email provider not to read your email or get owned itself)
murb
adobe are also nice in that they sue / get people shutdown with dmca requests when they re-implement their protocols.
Manny
well i think ssl+imap or pop is better than any kind of webmail and lots of people offer that
mikeperry
true, but you have to be careful there. so far no one has studied what sort of info clients like thunderbird leak over pops/imaps
Manny
what could they leak?
mikeperry
we've heard rumors they send your local machine's hostname in message headers, as well as timezone info
they are probably capable of leaking a lot more, since they typically also have html renderers that may be able to run javascript
Manny
coulkd i not test that by sending myelf email
mikeperry
and possibly even plugins
         

Manny
could*
mikeperry
if you want to investigate securing thunderbird or some other imaps client, we'd love to hear about it on or-dev or or-talk
and/or a wiki page
Manny
the only thing it does afaict is leak user agent
mikeperry
some others may have already posted some initial inviestigation already too, so searching the web is probably a good place to start
Manny
could i not simply test that by sending myself email
Sebastian_
you could test it, sure. But that doesn't mean that there isn't a clever trick that changes behaviour
mikeperry
you would also need to test html mail and what it is capable of displaying in the default mode
yeah
and if you expect to toggle thunderbird in and out of tor mode, that is a whole different beast
Manny
not if i dont use html mail
mikeperry
https://www.torproject.org/torbutton/design/#adversary
it would be great if you could publish what you believe to be a secure configuration and ask for comment on or-talk
Manny
yeah well torbutton sucks
Sebastian_
heh. It sure doesn't
mikeperry
heh
Sebastian_
Manny: you're speaking to its author ;)
Manny
it doesnt actually protect what people think it does
oh, good
mikeperry
please enlighten me
Manny
it's windowsize handling leaks too much info
mikeperry
how so?
Manny
anybody with an oddball windowsize will be rounded to a nonetheless unique windowsize
mikeperry
how do you think we can do that better?
Manny
give everybody 640x480?
or 800x600
mikeperry
people aren't going to like that. would you like your web browser to always force itself to be 800x600 every time you toggle, and not let you do anything about it?
I can provide an option for something like that though
Manny
nobody likes it anyway
torbutton breaks a lot of sites anyway
mikeperry
hardcoding a window size is far more intrusive than rounding by 50x50
Manny
and imo, toggling is bs anyway.
i never said it wasnt
using different browsers for different stuff will always be better
Sebastian_
I've not foudna single website that is broken by torbutton. Giving examples would be nice.
mikeperry
do you have examples of sites that are broken? everything except flash sites work for me
Manny
facebook
mikeperry
is this recent? I've tested facebook before
Manny
no
mikeperry
how does it break?
Manny
anything with heavy ajax use
mikeperry
is that torbutton that's breaking it, or are requests just timing out because of tor?
Manny
ajax events dont happen
mikeperry
do you use polipo or privoxy, or SOCKS directly?
Manny
but to b honest, i dont even care all that much because using just one browser for both tor and non-tor use is retarded
mikeperry
does facebook work for you for your alternate browser?
what do you use?
Manny
insofar as torbutton encourages that, its doing more harm than good
mikeperry
torbutton is extremely rigourous in isolating browser state
Manny
not as rigorous as using diff browsers is
mikeperry
no, it is more so
Manny
no it is less so
mikeperry
different browsers share plugins and plugin data directories
if you are not actively using something to disable plugins, all your flash cookies are shared, for example
even between something like safari and firefox
Manny
not if you just disable all the plugins for your tor browser
mikeperry
you have to know to do this, and several other things if you do not use torbutton
it is not as simple a solution as you make it out to be
Manny
what other things
examples please
just like id like an example of a purely js based attack that reveals ip
mikeperry
and I'm still waiting to hear what configuration works for facebook for Tor use where torbutton does not
Manny
without java or flash or whatever
mikeperry
you started out complaining about window size. that is a far cry from js revealing IP :)
Manny
good
mikeperry
however
I'll give you several
many browsers can be tricked into autolaunching external applications
Manny
thru plugins
mikeperry
http://deanonymizer.com/ is the best single collection of examples
no
things like itunes, msword, acroread, etc can *all* be induced to launch without a plugin
https://www.torproject.org/torbutton/design/#TestPlan has tons of other tests
without torbutton you are much more at risk than without
even if you are not toggling
Manny
yeah, that site doesnt break my config
mikeperry
what do you use?
Manny
ff with no plugins
mikeperry
that site takes quite a while to run, esp over tor. I'm not sure I believe you :)
it runs through something like 20-30 tests
maybe you just don't have those apps installed right now and are lucky
but your configuration is fragile
Manny
no it launches word i think
but i just dont open its crap
i also dont allow general apps to access the internet raw
all of your examples always seem to assume that the user is retarded
Sebastian_
Torbutton should work from the Tor Browser Bundle, without the user needing to do anything. It's not about being retarded or not, it's about being a normal person being able to browse the web relatively safely without needing to take a three month class
Manny
i would like torora to move further along
i also wish they would host it on sourceforge
Is there any way to install it without making from source?
Sebastian_
It's been pretty much abandoned, if I'm not mistaken
Manny
ah, that explains things
so assuming I dont use html in email, is there anythig I need to check wrt thunderbird except the header
afaict, it doesnt reveal ip
Sebastian_: thing is every time I ask a q like that, i always get "well it can do x because it's really a web browser so you're still own3d" rather than someone asking me "do you use html email". As an example
IMO, people should ask about things like that rather than assuming that i do the stupidest things possible
and for example, without knowing more about the particulars of my web browser use, you cant know whether torbutton is better than what i do
Sebastian_
people have pretty little control about the kind of bytes they receive
mikeperry
that's why I asked you to describe your config for your web browser. however, I'm more interested in your publishing your config for thunderbird to or-talk
so that other people can review it for mistakes, and maybe even package it into a thunderbird addon, config file, or package
Manny
Sebastian_: they do with firewalls
mikeperry
its not that we're assuming you are retarded, we just kow that this stuff is hard, and a LOT of different random issues can surprise you
torbutton took 2 years of active development and correspondence with some of the best hackers and security researchers on the internet before it was really finished and secure
Manny
mikeperry: well try tbird with 'message body as' set to plaintext
that's basically it
mikeperry
and disabling html mail, and ...?
Manny
that does disable html mail
Sebastian_: I guess I could try just using torbutton and never turning it off
and not use ajax sites
I think it shouldnt be a toggl though. I think you should encourage people to use FF for tor, and either safari or opera for normal browsing
how is that not the best way?
mikeperry
we basically do by recommending the tor browser bundle for people on windows
I still don't know why ajax sites are breaking for you
are you sure they all work without torbutton?
Manny
i'm sure many dont
mikeperry
they seem to work for me, but sometimes are a bit slow
for example, gmail works just fine. it has tons of ajax
Manny
ajax and tor breaks for me all the time
but it seemed like torbutton made it worse
i dont actually care
but for example:
What if rather than tricking someone into auto downloading a word file like deanonymizer, you trick them into actually downlaoding it manually, then you use word to access the inet once they open it after?
so they use torbutton
now if you deny unnecessary apps from accessing the inet like i do, you're still protected
if you relied on torbutton, you're screwed
to me, there's no way around doing things properly
and the root cause of plugin problems is, external apps like word shouldnt get inet access at all
mikeperry
you're not screwed
torbutton prevents these apps from launching automatically
Manny
yes you are
mikeperry
they otherwise can be launched silently in the background
Manny
i didnt say they launched automatically
i said you dl'ed a dynamically generated word doc thru torbuttoned ff
intentionally
then you open it manually
if you were relying on torbutton, too bad for you
if you rely on not letting word talk to the inet, you're okay
mikeperry
how do you block word's net access?
Manny
firewall
nsa
or: erinn committed revision 21842 (/projects/android/tags): tagging Orbot 0.0.4 release
Manny
what is or-talk?
phobos
a mailing list
nsa
or: erinn committed revision 21843 (/website/trunk/include): updated orbot version
Manny
what was the FF addon that allows you to block external links from being loaded?
phobos
request policy
Manny
thx
nsa
or: arma committed revision 21844 (/projects/android/trunk/Orbot/res/values): found this typo, and it seems i can commit, so here we are
or: Roger Dingledine <arma@torproject.org>: 2010-03-07 03:39:34 [tor/maint-0.2.1]: clean up the 0.2.1.25 changelog
or: Roger Dingledine <arma@torproject.org>: 2010-03-07 03:39:34 [tor/master]: clean up the 0.2.1.25 changelog
or: Roger Dingledine <arma@torproject.org>: 2010-03-07 03:46:39 [tor/master]: Merge branch 'maint-0.2.1'
« prev 1 2 3 next »