logs archiveIRC Archive / Oftc / #tor / 2015 / October / 18 / 1
thorazine
using tricks to bypass the corporate proxy, while possibly effective in the short term, will not end well
cacahuatl
By-passing censorship is both educational and character building!
thorazine
so is getting fired
cacahuatl
Now you're getting into the spirit of it :P
thorazine
the corporate proxy isn't blocking him at home
presumably, if the company is paying him to try to use tor at work, the company will be willing to -let- him use tor at work
if the company is not aware that tor is being used at work, and they find out, sh*t will hit the fan
cacahuatl
That assumes a lot, review your contractual obligations and network policies that you may have agreed to.
b3h3m0th
they're are okay with tor, but not with online gaming. so whitelisted only a few ports
Brownout
many organizations won't enjoy the idea of users using any kind of proxy technology at work
thorazine
cacahuatl: true, some companies may be fine with tor
         

cacahuatl
Hey, unless they told you up front not to then they can just deal with it *sunglassesface*
thorazine
most of my experience with corporate infosec is from my current employer, who runs non-profit R&D centers, one of which is sponsored by the DoD
Brownout
because corporate policies about acceptable content, data loss prevention, antivirus scanning at the border and so on
b3h3m0th
what I do using tor, it's a part of my academia
qwerty1
maybe just use meek
it'll work
thorazine
and so my corporate infosec is pretty insistent on being kept in the loop
b3h3m0th
looking up on that
cacahuatl
or some other kind of system to then proxy tor over, like iodine
Brownout
that would be hardcore
cacahuatl
not really, it'd just be acting like a pluggable transport
thorazine
actually our corporate infosec is pretty badass, from an employee perspective
i have admin on my work machine and they don't block outgoing ssh
nor do they try to proxy ssh
qwerty1
thorazine: this is offtiopic
thorazine
qwerty1: sorry, didn't notice was nto #nottor
my bad
b3h3m0th
reading up on pluggable transport, I now realize I was using one of them all this time. I was using an obfs4 proxy
qwerty1: how is meek being helpful ?
qwerty1
meek looks very boring to a firewall
cacahuatl
And blocking meek can break other parts of the web, CDNs for some websites, etc.
b3h3m0th
I cant find meek on https://bridges.torproject.org/options
cacahuatl
Yeah, easiest way to use it will be to use tor browser
b3h3m0th
Tor failed to establish a Tor network connection.
Establishing an encrypted directory connection failed (identity mismatch -
cacahuatl
sounds like they're messing with TLS, maybe mitm as previously suggested.
         

b3h3m0th
[WARN] Tried connecting to router at ip:port, but identity key was not as expected: wanted blah but got blah
I have the certs of my firewall, can I use that somewhere to fix this ?
cacahuatl
Not really, no.
b3h3m0th
the ip:port was not looking good
0.0....
:2
cacahuatl
Not without rebuilding the code and probably a lot of hacking and in doing so removing any protections
b3h3m0th
what does the ip:port in that msg signify ?
cacahuatl
maybe that your bridge line is b0rked, for one, if you're still trying to use bridges
You should just use tor browser, it'll handle a lot of this for you.
b3h3m0th
That msg came up when I used meek-amazon from TBB
qwerty1
it's fine
normal for meek
hang on
the rest isn't normal
b3h3m0th
(Unexpected identity in router certificate
qwerty1
that
cacahuatl
Could be Corporate TLS MITM once again? maybe better to use a PT that doesn't look like TLS?
qwerty1
yes
try fte
actually try the ssh tunnel to ourserver
b3h3m0th
ssh tunnel way works with obfs4
qwerty1
is it usable speed?
stick with that then imo
b3h3m0th
bandwidth is the main issue
when I use meek-google (without ssh), it's atleast not showing identity mismatch, But it's stuck at "loading relay info"
and just as I said that, the process got completed :)
gootroot!
I mean got tor :D
(Action) wonders why it did not work for amazon
Brownout
is orfox an official tor project?
cacahuatl
It's guardianproject, but there's overlap. I don't know how "official".
b3h3m0th
what are the downsides of meek ?
Brownout
cacahuatl: isn't orweb the one from guardianproject?
cacahuatl
Yes, that's based on the AOSP browser, which is pretty much dead
orfox is trying to make the android firefox comply with the tor browser design spec
b3h3m0th
I think I saw the first
unbearable latency
I'm pretty sure there is no DIP in my network
*DPI
but outboud ports are filtered except a few whitelisted ones
what happens when I have in my torrc
Bridge obfs ip:5555 blah...
ReachableAddresses *:443, *:80
?
(and I do *not* use any local proxy like an ssh tunnel to my server)
my traffic originates at 0.0.0.0:browserprocessport ->- 127.0.0.1:9150 --> what next ?
qwerty1
with that torrc the bridge is unreachable because it doesn't match anything in reachableaddresses
b3h3m0th
so it is 0.0.0.0:browserprocessport ->- 127.0.0.1:9150 ->- bridge:reachableport ->- guard ->- relay* ->- exit node ?
SnowyNight
Hello. :) I am on https://www.torproject.org/docs/hidden-services.html.en and reading that the connection between client and hidden service is "end-to-end" encrypted. But by witch keys? By routers stream ciphers AES 128 bit?
b3h3m0th
If I'm right, symmetric encryption key is shared using diffie hellman, but then again I just have <24 hours experience in TOR
s/encryption//
ncl
SnowyNight: the hs key whose fingerprint is the .onion
b3h3m0th
so it's assym
?....onion/crypto100
SnowyNight
Thank You very much ncl . :)
b3h3m0th
where can I find obfs4 running on 80/443/22 ?
If I create a socks proxy at 127.0.0.1:1234 by ssh -fD 1234 level1@a.wargamesserver.com, how risky is it to use that as tor proxy ("local proxy you use to connect to internet" option) ?
assuming that the sudoers in the server are all bad guys specifically targeting me and knowing that I'm going to connect ?
(worst case scenario is what I always consider)
cacahuatl
They can see your encrypted traffic to the guard/bridge
SnowyNight
But why there are no MITM attacks on Directory Authorities? Are they possible? Are there possibilities to drop hidden service site from Directory Authorities?
cacahuatl
They're not stored in the dir auths
« prev 1 2 3 4 5 6 7 next »