logs archiveIRC Archive / Oftc / #tor / 2015 / September / 23 / 1
qwerty0
lol a lot of registered nicks
myralif
sorry im in the wrong room
hi everyone I would like to know if theres anyway for us to make our own chat rooms?
inet
sure
/j #yourchat
marcusw
myralif: https://tools.ietf.org/html/rfc1459
inet
then aladdin appears
slackie
(Action) hi there \o
Guest2379
Can anyone tell me how to setup TBB to disable javascript
cacahuatl
click the no script icon, choose "forbid scripts globally"
ncl
or select "high" in the privacy/security settings under the onion button
         

DirtyZach
I got a notification about restarting tbb to get an update, are updates downloaded through tor? (newbie here)
cacahuatl
Yes
DirtyZach
Cool
thanks
kork
hmm, I just installed the update, now I can't seem to maximize the browser window any more (I know it's discouraged), windows 7
ndsay
HiddenServiceAuthorizeClient: What's the difference between stealth and basic?
ghetto
stealth creates a different onion address for each client
cacahuatl
Guest2379
Anyone know if twitter has an hidden service to access it?
whitanne_
no
Guest2379
damn
whitanne_
it sucks
Guest2379
definetly need to get people to start asking for it. Hell even facebook has one
whitanne_
yep but facebook still asks for a phone number
Guest2379
true
I still want a twitter hidden service though
:)
qwerty1
to get a twitter hs you need twitter to employ one or more hs-friendly people
wtf_fcntl
Or make it look like good PR.
ticktock
I'd be more thrilled if google and cloudflare started providing things on hidden services since they provide the damned captcha service everyone uses
qwerty1
well they would say, that would defeat the purpose of the captcha
ticktock
if by that you mean to track you, then yes
qwerty1
track and ban
         

ticktock
I'd feel a lot less uncomfortable about allowing their cookies if it were only from a hidden service though
qwerty1
there are plenty of people who want twitter (and facebook) wiped off the face of the earth and let them know by attacking their servers 24/7
defending against that without caring about ip addresses is harder than with
ticktock
if you block the legitimate users along with the bad guys you risk creating more bad guys
Peng
This sounds off-topic.
ticktock
Peng: it was straying off but probably would have followed a natural progression back once ipv6 came up
whitanne_
is it possible for nodes to censor?
k1llscrypt
no
ticktock
the tie-in is of course that ip-based banning would become essentially useless for blocking both tor and regular users due to the extra overhead incurred by the shear number of addresses and ways of bypassing blocks, so better figure out a better way to handle tor users than blocking exits NOW before ipv6 bites us in our collective asses
whitanne_
how
wtf_fcntl
To censor websites?
An exit node could censor a website if it wanted but then you could just use a different exit node.
ticktock
exit nodes can censor
whitanne_
wtf_fcntl: yes, or ports, just censorship in general
wtf_fcntl
They can censor ports already, that's allowed and supported.
k1llscrypt
who uses exit nodes anymore to risky
wtf_fcntl
But as long as they tell the consensus which ports they disable so a client can build a circuit and would be able to pick an exit that supports their desired port.
ticktock
in fact, some exit nodes who used bad dns servers would auto-redirect tor users to spam pages a while back
k1llscrypt: exit nodes are safer from a tracking standpoint than hidden services atm
whitanne_
just asking because my exit node's dns was acting odd
ticktock
at least assuming the client and server traffic you're piping through tor bothers to do ssl, check certs and stuff
wtf_fcntl
ticktock: Not necessarily. They are safer from traffic correlation attacks in some ways, but they are not as safe from MITMs.
k1llscrypt
ticktock: how do you figure?
wtf_fcntl
Yeah that's a risky assumption to make.
ticktock
that depends
for browsers? probably
for sanely written stuff like fetchmail? no
wtf_fcntl
Then it'd be accurate to say that exit nodes are safer for mail. :P
ticktock
there are also use cases where the possibility of a mitm is actually a benefit rather than liability too
k1llscrypt
exits nodes intake and connect to plaintext traffic. True if your not informed on how to protect yourself hidden services can be risky, but if you have set up a proper enviroment there should be no issue other than through human error
ticktock
afaik, it's the hidden services that have to be set up properly
if clients connect to ones that aren't, then not only the hs but also the clients risk being discovered
k1llscrypt
a hidden service doesn't know who is connecting to it just an encrypted route
ticktock
I'm sure I'll get corrected but this has to do with the hsdir issues and there are several open tickets that afaik won't have proper fixes until 2016 or later
k1llscrypt
exit nodes can use bad cookies and be part of mitm and mots attacks that easily give up your identy
wtf_fcntl
The cookies could be use to track you across visits to that site until the browser is closed, but not across sites.
k1llscrypt
how couldn't they track you across sites?
wtf_fcntl
1) They would have to own both sites, 2) the exit node changes as soon as you change to a different site, and 3) you can't just say "set a cookie for google.com" if you aren't google.com.
k1llscrypt
you can set cookies for other sites though. At least you could a few years ago when I did some work in data acquisition
wtf_fcntl
Oh Tor Browser's configs?
whitanne_
there's self-destructing cookies y'know :^)
wtf_fcntl
Self-destructing cookies need to be explicitely set as such.
They're a good thing. (self-destruction = "expire time")
whitanne_
there's an add-on for it :p
wtf_fcntl
You don't need a potentially insecure add-on to do that.
k1llscrypt
yes there is that
wtf_fcntl
Tor Browser has that functionality built in, well all firefox does.
k1llscrypt
all i know is it don't trust exit nodes for critical traffic unless its one of my own exit nodes
qwerty1
or encrypted yes
wtf_fcntl
For most threat models that's a bad idea.
qwerty1
a hs is more secure
wtf_fcntl
By some measures. :P
qwerty1
but hs users are anonymous which can be a problem for the service
by all relevant measures
ticktock
self-destructing cookies makes destroys the cookies as soon as the tab is closed or the site is browsed away from
firefox' builtin only deletes them after X hours or whatever unless they changed it recently
qwerty1
have you tested the self-destructing cookies addon to check it actually does what you think it does? have you read the source?
ticktock
I don't use FF so no
qwerty1
yikes
ticktock
I tend not to like browsers that 1) crash the system because they OOM it and cause serious thrashing, and 2) kill ALL 100+ tabs just because ONE had a problem
what we really need out of mozilla is to make a damned MDI window that loads "app" instances ala prism in tabs rather than trying to make the interface iphone-pretty
qwerty1
oh you use a custom tor browsing setup?
wtf_fcntl
Just set RLIMITS.
It's a trivial fix and prevents the browser from messing up the entirety of the system.
ticktock
it doesn't work. all you can do is dump it to a vm or lxc instance and then it still ends up blowing itself up
« prev 1 2 3 next »