IRC Archive / Oftc / #tor / 2015 / July / 26 / 1
tjfontaine
would anyone like to test the mechanism to allow new tor connects via certificates?
(new tor connects to oftc)
weasel
"via certificates"?
wgreenhouse
tjfontaine: is this the same as nickserv+CertFP or another thing?
tjfontaine
weasel: a certificate signed by our CA
weasel
documentation?
tjfontaine
http://www.oftc.net/Tor/#future-work most of the documentation right now, but the basics of implementation are as follows:
a proxy sits in front of the leaf doing dnsbl checks, and if tor is blocked and you're from tor, if you supplied a cert from our ca you will still be able to connect
weasel
that's a server/operator centric view. :)
pretend I am a user and want to connect. what do I do?
tjfontaine
a webportal will exist, you will identify with your services credentials
you will then supply a csr or we will generate a cert for you, with the CN set to your <nickname>.user.oftc.net
weasel
does that work already?
tjfontaine
the webportal? no
_cpo_
wgreenhouse: yes. i understand. it has the same security level as the standard connection method?
weasel
ok :)
tjfontaine
the latter part I can do for people who want to test
given a csr I will create a cert for it
weasel
asn complained just two days ago that he couldn't get on IRC easily.
tjfontaine
automatic cloaking is still coming, though stu just committed it
weasel
he isn't on this channel, but you could troll #-project for him.
he might be a good guinea pig
wgreenhouse
tjfontaine: so existing certs made for the purpose of nickserv's certfp won't be related to this?
tjfontaine
wgreenhouse: no, we need them to be able to be verified by our CA, but you can have multiple certfps, and soon the FP will be forwarded along
I just haven't tested that part (yet)
_cpo_
wgreenhouse: oh, i understand. thank you very much!
bye
wgreenhouse
tjfontaine: I'm sure that there will be further discussion along these lines with tor project people (I'm not one, just a user), but I am concerned about whether channels like #tor and #tails would be well-served by something that only helps already-registered long-time users; support channels really exist for "newbies" rather than "regulars"
tjfontaine: it would be unfortunate if the normal experience for someone seeking tor help from a tor-using system was that they couldn't get here
tjfontaine
wgreenhouse: OFTC is trying to make sure it can still serve regular/legitimate users while mitigating spam/abuse of the network -- hopefully with something like this we'll be able to more quickly enable/disable during times of abuse
wgreenhouse
tjfontaine: yeah, I understand this; my concern is that in some ways the most critical users of a support channel (as opposed to a social channel or a channel for internal project meetings) are not regular
support channels are for first-time users as much as for anyone
and they may have no other business with OFTC
tjfontaine
wgreenhouse: tor users who are having problems are likely connecting "In the clear" such as it were, but we understand, the messages when blocked should be more clear and indicate where people should go to remedy this -- ideally by then we'll let you register with services by a web portal as well
captcha etc etc etc
dresto
when they register they must do so in the clear?
wgreenhouse
tjfontaine: yeah, that would be an improvement from the rather seemingly random dnsbl messages, which might mention something about spamming or network policy abuse
tjfontaine
dresto: well when anonymous tor usage is enabled on oftc they will be able to do it there and then, if it's disabled then we'll likely have a web portal that will let them do it, it probably won't also block tor
wgreenhouse: dnsbl or kline messages for exit nodes should always be reported, right now when tor is disabled on the network you should be getting " no more connections allowed" style messages
wgreenhouse
tjfontaine: okay, thanks for that. I've seen several other strange ones
I will report them in future; none currently in irc buffer though
cacahuatl
Certificates are the opposite of anonymity, I assume that the captcha alone would be enough to allow them one-time access?
tjfontaine
ok support@oftc.net when you get them
cacahuatl: for now there will not be a concept of one time use connections, only anonymous users and identified users
cacahuatl
Okay but you won't need a certificate to get past the tor blockade?
tjfontaine
I have thought about such things in the past, but it's not what I'm working on in the meantime
cacahuatl: only when anonymous tor usage is blocked
cacahuatl
Ah, so it's exactly as I feared.
tjfontaine
as far as what we've built so far, there are plans to do more, but piece by piece
keeping regular users able to connect is far more important in the short term
cacahuatl
I'd suggest that a critical requirement is some kind of one-time-use system, even if it's just a captcha-wall around a pre-auth'd webirc instance that lets a user enter #tor for support without needing to set up a certificate.
tjfontaine
maybe we'll do that, one day
it may be that all webirc connections are captcha'd as outlined in http://www.oftc.net/WebIRC/
for now we've spurned the idea that anyone but ourselves will run webirc gateways
our webirc gateways (which are also the tor gateways) allow connections via websockets or socket.io connections
thus freeing people up to write pretty frontends, while letting the network still identify the connection
for people who want persistent connections, those networks should connect to oftc with an ipv6 address per identity
adred
How is it possible to simulate New Identity on linux without Vidalia or without clicking on New Identity in TBB?
is this the only command to request new IP / Tor Circuit? > killall -HUP tor
cacahuatl
New Identity on TBB does more than vidalia did. What are you trying to achieve?
adred
Understand. I am talking just about simulating that 'new circuit'.
cacahuatl
Also that's not guaranteed to cause a new circuit, it just happens to
You want to look into the "NEWNYM" signal
adred
Understand as well, still.
Yes, heard about that a little
cacahuatl
adred
Thanks for the link.
cacahuatl
something like 'tor-prompt' (part of stem https://stem.torproject.org/) is probably an easy way to interact with the control port
adred
We would like to just start new circuit via command line. For this purpose, if it will be possible with an easy solution without stem, we are not sure if we will install its libraries.
But stem seems like a nice solution for whole bunch of other purposes
jjweiss
I was able to cobble something together once upon a time using netcat
cacahuatl
sure, read the spec and implement it yourself
jjweiss
the annoying part is that you have to AUTHENTICATE "" even if you set 'CookieAuthentication 0'
cacahuatl
https://raw.githubusercontent.com/0xcaca0/misc-items/master/newnym.sh yup I wrote one in pure bash
doesn't make it a good idea
jjweiss
cacahuatl: what OS is that for?
adred
The script is not a good idea?
jjweiss
I don't think I've ever seen a /dev/tcp anywhere
cacahuatl
see: bash
jjweiss
adred: it can be safe-ish if you firewall off the port so that normal users can't access it, but that still allows for anything that has root access to mess with it
adred
so what is the cleanest way to request new circuit in Tor?
jjweiss
wow, they just keep adding more and more features to bash
adred: afaik, NEWNYM or restarting tor are your main options
danialbehzadi
Hey dudes,
Where are these errors come from?
Jul 26 03:30:46.000 [warn] The communication stream of managed proxy '/usr/bin/obfs4proxy' is 'closed'. Most probably the managed proxy stopped running. This might be a bug of the managed proxy, a bug of Tor, or a misconfiguration. Please enable logging on your managed proxy and check the logs for errors.
Jul 26 03:30:47.000 [notice] Bootstrapped 5%: Connecting to directory server
Jul 26 03:30:47.000 [warn] We were supposed to connect to bridge '23.94.252.166:60050' using pluggable transport 'obfs4', but we can't find a pluggable transport proxy supporting 'obfs4'. This can happen if you haven't provided a ClientTransportPlugin line, or if your pluggable transport proxy stopped running.
tjfontaine
danialbehzadi: easier to gist/pastebin
danialbehzadi
cacahuatl
What happens if you just run `/usr/bin/obfs4proxy`?
danialbehzadi
cacahuatl: $ /usr/bin/obfs4proxy --manged
flag provided but not defined: -manged
Usage of /usr/bin/obfs4proxy:
-enableLogging=false: Log to TOR_PT_STATE_LOCATION/obfs4proxy.log
-logLevel="ERROR": Log level (ERROR/WARN/INFO)
cacahuatl
(as an aside, it's good practice to redact your bridge IP/port from outputs for your protection and the bridges)
danialbehzadi
cacahuatl: It's not my main server but a test one
cacahuatl
and that bridge is definitely an obfs4 bridge?