Re: PrivacyNow is a BadExit (was Re: PrivacyNow node has misconfigured OpenDNS account)
On Apr 15, 2010, at 9:11 AM, Scott Bennett wrote:
On Thu, 15 Apr 2010 08:25:07 +0200 Sebastian Hahn <mail@xxxxxxxxxxxxxxxxx
On Apr 15, 2010, at 8:17 AM, Scott Bennett wrote:
Unfortunately (IMO), the latest versions have the support for .exit
either disabled or deleted, apparently leaving us no easy way to
such tests. I've asked recently on this list whether some other
were available, but have been met with silence, so I assume that
still is none.
If you want the functionality, feel free to set the AllowDotExit
to 1. Note that this can't be recommended, because it opens you up
That is what I have been doing in order to be able to test for
misbehavior. However, the ChangeLog notes under "Minor bugfixes" for
0.2.2.9-alpha the following:
- Resume handling .exit hostnames in a special way: originally we
stripped the .exit part and used the requested exit relay. In
0.2.2.1-alpha we stopped treating them in any special way, meaning
if you use a .exit address then Tor will pass it on to the exit
relay. Now we reject the .exit stream outright, since that behavior
might be more expected by the user. Found and diagnosed by Scott
Bennett and Downie on or-talk.
I understood the "Now we reject" part as meaning that the .exit
been completely removed. I do not understand why that behavior
more expected by the user." In any case, the above note is why I've
at 0.2.2.7-alpha while waiting to discover some fairly easy-to-use
method of testing exit behavior.
Ah no, that's not what is meant here. The idea is that when .exit is
we reject connections to some domain ending in .exit, instead of passing
that URL to the exit node. This is more expected behaviour because there
is no .exit tld currently, so people telling tor to go to xyz.exit are
thinking that they are talking to a tor with the .exit functionality
Regarding the attack route you mention, I have some firefox plug-
like NoRedirect and RefreshBlocker installed in addition to the
plug-ins (including QuickJava, NoScript, and Torbutton especially)
help with automated stuff, and I'm in the habit of checking the
in links before using the links manually. In many cases, I don't
firefox to get stuff from the links, but rather do a copy-and-paste
wget(1) or some other downloader command in an xterm(1), so I have
opportunity to notice that sort of interference. If those
attacks where the exit node can choose who your exit is going to be,
unless you use encrypted protocols when webbrowsing only.
miss something, please do let me know.
I suppose you still load images and possibly other resources, too;
those can be fetched from arbitrary locations unless disabled via
special-purpose addons like RequestPolicy.
Okay, I guess I had forgotten tor implemented such a command,
# This file was generated by Tor; if you edit it, comments will not
I think the comment may be a lie. It's most likely a torrc
vidalia, not tor. (Someone please correct me if I've forgotten some
case in which tor does rewrite a torrc.)
I think it is more likely that the file was written by Tor, via the
is issuing the command? Vidalia?
Thanks for the information, Sebastian.
Yes, Vidalia as the only Tor controller in a typical setup would be
the saveconf command.