Hi Andrew, thanks first four your long answer! > I have a few concerns about your proxy setup and service. First off, > you should disclaim that this site and service isn't an official > project of Tor. People may confuse your url with the real Tor and > think they are getting the same anonymity properties. Although the Layout is much different, you are right, there could be some confusion. I will add a hint, that it is no official project of TOR. > Second is a concern over the last bullet point at the bottom > of http://tor-proxy.net/impressum.html. It appears to say that you are > recording IP address and browser in a log file. Additionally, the log > file is purged when 48 hours old. Why log at all? Simply disable all > logging in relation to the proxy service on the server. The default > Tor log settings should be sufficient. I suppose there is a misunderstanding. I am not logging anything about the proxy-service (like output of tor, privoxy, etc.). Only logging is made by a simple counter, included in the frontpage (index.php) for me to get some informations about how much people are using the service. There is no possibilty to use the data to find out, which sites users were accessing through the proxy, and if they were using the proxy at all. But I suppose it would be possible to change the counter that way, that it does not collect IP-Adresses at all, or delete it immediatly after counting the user. > Third, can you publish the source code that runs the proxy site? It > appears you are using php and CGI:Proxy code to interface with Tor. > Feel free to choose a FSF-approved license, such as the GPL or > 3-clause BSD, and publish the source for the site, along with any dependent > software and licenses as required by their license terms. The project works with CGIProxy of James Marshall ( http://jmarshall.com/tools/cgiproxy/ ). Did you mean that with the source code, that runs the proxy? Of course I could mention some more technical details like configuration-files etc. > Fourth, in order to be more transparent, you should publish the > configuration of the proxy. A clear description, whether text or > graphical, will help increase the trustworthiness of the service. Yes, good idea. I will do so. > Fifth, you probably want to publish the fingerprint of your > self-signed ssl cert, or look into getting a cert signed by a browser > accepted CA. This is weak, but possibly better than nothing. Thinking about using cacert.org as mentioned by Bluestar. > Sixth and final, if you decide to put ads on the site or become a > commercial entity, please contact The Tor Project before doing so. We > cannot allow a commercial entity to confuse users about Tor. As an > open source project, the disclaimer in the first paragraph may be > enough to not confuse users. Well, first I will never take money for using that service. I also wrote that in the FAQ. I think it isn't fair to all the other ones who are running nodes, and which the service relies on. Second, at the moment there is no need for me to put ads on the site, because server-costs are okay for me. If service would get very popular, and server-costs are getting higher, than probably it will be neccessary to do so, but thats totaly unclear. I would say, we can think about that, when the moment comes. Hopefully I answered some questions, Regards, Ricky. -- "Falls Freiheit überhaupt etwas bedeutet, dann bedeutet sie das Recht darauf, den Leuten das zu sagen, was sie nicht hören wollen." - George Orwell, aus dem Nachwort zu "Animal Farm", 1945 - GPG-Fingerprint: 10D6 7B8F 1F7C 7CB1 2C4E 930E AFD2 FDF3 A10B D302 GPG-Key-ID: AFD2FDF3A10BD302 http://www.lawlita.com/pgp-schluessel/
Attachment:
signature.asc
Description: Dies ist ein digital signierter Nachrichtenteil