IRC Archive / Oftc / #tor / 2015 / October / 2 / 1
whitanne_
Epi:
xdcc0
hi there
I'm running tor browser on debian and for about 6 months (maybe more), the first IP of my circuit is always the same
whatever the version of tor browser
erdbeer
hi
that's normal
xdcc0
whatever the website I go to... the first IP never changes
ya ?
erdbeer
ya.
ncl
your guard relay is not supposed to change for months
xdcc0
ho
ok good to know
cacahuatl
That's your "guard", keeping it the same helps resist certain kinds of attack.
ice9
ncl but if this is the case, if that entry guard is compromised then the person will be exposed for months
cacahuatl
(keeping it for long periods of time, at least)
xdcc0
we can't specify a country? Or at least refuse some countries?
cacahuatl
Does it matter?
ncl
ice9: anyone between you and the guard knows you're using tor anyway?
ice9
ncl: right but I mean if they can sniff the traffic unencrypted
ncl
and?
cacahuatl
https://blog.torproject.org/blog/improving-tors-anonymity-changing-guard-parameters Recommended reading
xdcc0
I suppose no but I can't be sure 100 % after
ice9
and capture the traffic and decrypt it
xdcc0
we can setup our own ?
If I get a dedicated, can I make my own guard ?
cacahuatl
Yes but it might not improve your anonymity at all.
xdcc0
if I allow some traffic
cacahuatl
In fact there are specific cases where it would reduce protections.
ncl
(usually when it's "hey kid wanna use my bridge?")
ice9
is it possible to increase the number of nodes?
cacahuatl
or when there's a warrant to wiretap you and you own your guard...then they can tap your guard, for example.
ncl
except the entire point of tor is you need not trust any single node
cacahuatl
So yeah, wouldn't really recommend it. Any advantages it may provide would be at least equally matched by disadvantages.
xdcc0
ok thanks for that advice, will read the change guard parameters
cacahuatl
ice9: I know you like to come here and ask the same questions repeatedly and you've been told before to just read the FAQ but that question is specifically addressed in the FAQ.
https://www.torproject.org/docs/faq.html.en
ice9
thanks cacahuatl will check the FAQ again, and the reason for the repeated questions is that every time either in this channel or others for any topic, I get different answers from people so it helps in getting more opinions to build mine
torQUES
a relay must not have the GUARD and EXIT flags at the same time; just one of them
ice9
but sorry if that is not good attitude or something
ncl
torQUES: relays can have guard and exit, no relay can be used twice in a circuit
torQUES
I experienced a situation with the same circuit for 2 diff tabs in TBB
is it normal?
cacahuatl
If they were both for the same hostname, yes entirely.
torQUES
kernelcorn
ice9: the entry node can't see or decrypt your web traffic. It doesn't have the encryption keys.
ice9
kernelcorn: thanks for the clarification :)
whitanne_
kernelcorn
Tor is an onion router. There are multiple layers of encryption and the layers are removed like peeling an onion as it travels down the circuit.
whitanne_
torQUES: they are both torproject.org
torQUES
so check.torproject.org and torproject.org is the same host
whitanne_
yeah
torQUES
I see
kernelcorn: a packet sent from client to guard to a http link is encrypted with 3 layers of encryption (guard, middle, exit)?
(((exit)middle)guard)
kernelcorn
yes
as is the routing information to tell each router where to send it
hence each router has just enough information, the whole thing is very need-to-know
torQUES
so only exit can see the plain text (if not https)
how does the destination packet return back to the client through the circuit? what encryption?
a TBB client has no public or private encryption keys in /data/tor/
cacahuatl
The client performs a key exchange with each relay, they share a secret key. Each can apply their shared secret key each hop back.
torQUES
aaa, so no stored keys on the client, only volatile keys
cacahuatl
like any TLS connection, yes.
torQUES
the client stores only the guard more complex public keys and a public key for any active node in cloud
kernelcorn
the client has every relay's public key. It's in the consensus documents.
Then the client performs an ECDHE/Curve25519 key exchange with each relay in turn, extending the circuit one relay at a time until it's three relays long.
torQUES
I think it is possible to select programmatically certain 3 relays for a circuit
with help of STEM libs
from a controller; is that not the kind of app you tested, kernelcorn?
kernelcorn
I'm not certain what you are asking, but I have used Stem before, and Stem can indeed control the choices of relays in a circuit
torQUES
a "controlled randomness" for selecting the circuit hops (by countries, internet providers, bandwidth, etc.)
with a private blacklisted hops
kernelcorn
yes, the selection probability is weighted by consensus weight, which is dependent on bandwidth capabilities. The bandwidth authorities and the directory authorities assign consensus weight.
if relay X has proven that it has high bandwidth compared to the rest of the nodes, clients have a high chance of choosing X in their circuits.
torQUES
I know it's automatic
but I have some reserves about certain big traffic nodes
kernelcorn
me too
torQUES
a busted businessman in my country runs 2 of top 10 biggest relays
kernelcorn
but the consensus weight approach does make it logistically difficult for an adversary to gain lots of circuit traffic
torQUES
he runs a security agency
kernelcorn
A few months ago the Lizard Squad launched a Sybil attack on the Tor network. Even though they spun up many hundreds of nodes, they didn't receive much traffic, so the effect was minimized.
ncl
also they were extremely obvious about it
kernelcorn
true, it was a PR stunt, but their new nodes weren't very fast and weren't up for very long, so they didn't get much consensus weight at all
throwawayrelay
I'm in the process of setting up a relay. I am working with https://www.torproject.org/docs/tor-doc-relay.html.en I am wondering though, should I be placing the 4 lines at the bottom or should I be un-commenting those lines in the torrc?
srg
doesn't really matter. torrc is the config file, so as long as they're in there somewhere (just once), it'll work
you can either uncomment them and edit, or add them together at the bottom or top
throwawayrelay
so for this line "#DirPort 80 NoListen" do I leave the NoListen?
and what is the purpose of the next line "#DirPort 127.0.0.1:9091 NoAdvertise", not sure if I would want this since it's local?
Peng
throwawayrelay: It's only of use if you want to do some sort of bizarre firewall-port forwarding stuff, so clients connect to port 80 but your daemon actually listens on localhost:9091.
throwawayrelay
ah ok, last question. What is the proper formatting of the contact info if I wanted to include a GnupG id?
srg
throwawayrelay: I use: 0xfooooooo my name here <website here>
0xfooooo is the gpg id
throwawayrelay
kind of new to gpg, when looking at my key I'm seeing 2 id's? is that normal?
srg
Depends how you make the key, but you'll have a main key and a signing key
pub and sub
then one or many uid
throwawayrelay
created the key using ubuntu's password and key app, don't see details on which is which. I see a short Key ID: and then 2 ID's in the actual window.
ah, nvm I see now in the terminal
srg
I use the terminal for everything, I don't know how the keyring apps work