logs archiveIRC Archive / Oftc / #tor / 2015 / August / 1 / 1
bron
wat
tyrey
Please is it hard to make a javascript attack against a tor user when he is seying a website with tor javascript enabled. And please may private website do this attack? Can they be forced by a state?
srg
tyrey: it's not hard. I'd recommend disabling javascript in the tor browser for privacy/security.
tyrey
Yes but I need some option wich make me use javascript so I need to make a goog choice.
woossa
the only good choice is to disable it
otherwise u can be hacked
srg
yes ^
it's a compromise on security
enable javascript: less secure
disable javascript: more secure
that's just how it works
tyrey
woossa: nice answer but my problem is who can hack me.
I need to establish a security politic to see what website I can trust.
srg and woosa please can a javascript attack come from otherwhere the website?
srg
it can be injected if you're using http
https makes it more difficult, but the server could be compromised
there's many ways this could happen, unfortunately :-\
a lot of websites use separate ad servers to serve advertisements and load javascript from there. the ad server could be compromised too
tyrey
Thank.
hello I am on Tails so I have the last tor version. Please how to look for quwicly only for https website for what I need?
Is it really important to disable javascript?
         

woossa
yes
dude we told you that alread
y
if u think ur gonna be attacked javascript is how it will happen
tyrey
"Already" You know me?
Please is there a search motor only for https?
theblindghoulie3
I read there's newer vulnerabilities to Tor. Is it enough we can't dance around it? Disabling Java seems to be the main way to block some of the biometric systems as that to my knowledge is their entrance
coderman_
da faq theblindghoulie3??
theblindghoulie3
Am I completely incorrect?
?
coderman_: ?
tonry
Do you think there would be any privacy issue difference between running Tor browser on Windows, or running the Tails ISO in a VM on Windows?
bermessie_
hi
everyone here
coderman_
theblindghoulie3 don't use Java!
this is done for you in standard Tor Browser as downloaded from the officla tp.o site
mrphs
theblindghoulie3: the rule of thumb here is to use Tor Browser or dont expect anonymity/privacy.
and like what coderman_ said, using java in general is not a wise move. it does more harm than good anyways and that's why it's disabled in Tor Browser
Giora
Is EntryGuard something new to Tor?
gryps
does it make sense to run a bridge relay with more than one or-port?
i mean, just to increase the chance that someone behind a restrictive firewall might be able to connect
if the bridge relay uses >1 well-known tcp ports, it might be more likely that someone can connect
ploopkazoo
gryps: not sure about bridges, but relays are encouraged to use port 443 because it's almost always allowed
I didn't even know you could allow multiple ports
gryps
ploopkazoo: ok, thx
gabre
is there anybody who uses Orbt?
Orbot
jager
i use it on occasion
tor on android, whats not to like
Peng
android
murb
tor
ryonaloli_
yeah, fu*k tor
Ninjamaster
haha
gabre
:)
Orbot + Drony?
         

Whir
hi I try to revive the tor relay on my raspberry
I get the following error: Received http status code 404 ("Not found") from server '154.35.32.5:443' while fetching "/tor/keys/fp/27B6B5996C426270...
ah ok, I see now..that is not critical
Rastus_Vernon
Hello.
kurelane
Hello, I have been running a new tor relay when my ISP disconnected my server from the network after being sent an abuse complaint of how my relay was a "badbot" this lead my relay to be blacklisted by fail2ban. When asked why they disconnected my server from the network they said I had to block certain ports in order to reconnect my server. They then linked to this website http://www.sectoor.de/tor.php and said that I had to block the por
velope
cut off at "block the por"
on irc you need to press Enter after each sentence
kurelane
velope: sorry m8, I'm new to irc
velope
is the relay an exit, or does it have "ExitPolicy reject *:*" (non-exit)
kurelane
velope: it was an exit
velope
this is why, when beginning with a provider, it can be a good idea to run as a non-exit for a while, to establish a history without abuse complaints
at this point you don't have much to fall back on
you either have to try to educate them about tor and hope that they care, or convince them to allow a non-exit
or find a different provider
kurelane
velope: If I were to block the ports listed on http://www.sectoor.de/tor.php.
velope: Would the people using my exit relay be prevented from using important services such as web browsing etc...?
qbi
kurelane: You might want to have a look at https://trac.torproject.org/projects/tor/wiki/doc/TorExitGuidelines
velope
web browsing generally happens on ports 80 and 443
qbi
The reduced exit policy is a good way to go in the beginning: https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy
velope
yeah, cross-reference those wiki pages with that sectoor page
so, if configuring your tor to reject exiting to those ports makes the provider happy enough to allow your relay, great
however, there will still be abuse complaints, just hopefully many fewer
kurelane
qbi: When I set up this relay I used Micah Lee's Tor relay bootstrap to harden the ssh server then I used arm to set it up.
velope
those things can be fine but have nothing to do with this
kurelane
qbi: I used the default exit policy.
velope: Great advice. I guess I should be thankful that they allow exit relays to begin with.
velope
now you should read the linked info and take the time to digest the information
kurelane
velope: Thanks m8
unxenophobic
Is there any way to access Freenode using tor
I found the issue troublesome
velope
freenode has stopped allowing tor
unxenophobic
yes, unfortunately
bob3
hi - i noticed that when i connect to a network torsocks makes network connections in the background before i connect to my vpn - is this correct?
jjweiss
unxenophobic: find a free shell or bouncer provider and make sure they don't require you to be on freenode to become a part of their community to begin with
bob3
what the best way to basically enable only after my vpn?
on debian
jjweiss
torsocks will be "enabled" whenever the tor server it connects through has its SOCKS proxy open
so make sure you start tor AFTER you connect to the vpn if that's what you want
unxenophobic
i did notice many times that tor does not work if I turned ON VPN afterwards
Using VPN is risky...My country allows access to only those VPNs that it can decrypt
velope
then don't use it with tor. generally tor doesn't need a vpn, and it doesn't help
jjweiss
velope: isn't this also where people normally recommend using bridges or something?
unxenophobic
yep
bridges are recommended to disguise traffic right?
« prev 1 2 next »