
Re: Holy shit I caught 1



Thus spake Roger Dingledine (arma@xxxxxxx):

> I recall hearing stories about gatherings in east Asian countries suddenly
> finding all their https connections man-in-the-middled.
> 
> Fortunately, Firefox catches it, and complains -- but unfortunately,
> nobody takes the complaints seriously anymore.

Yeah. For this reason it's not cause to panic yet. Hopefully. I
suppose it depends on extension-update behavior. I could easily see
that UI eating SSL errors somehow. Esp. right after a Firefox upgrade
when the whole beast hasn't properly launched and it is just "scanning
for updates".

However, I also have a whole collection of corrupted Torparks I need to
have a look at. May just be a bug in my script, though. Or maybe the
Torpark mirrors automagically provide localized versions? They're
coming from a lot of what I would expect to be trustworthy exits.

> > Is anyone else scanning? My list of hits for this zip is awfully
> > small.. It appears we may actually need to scan, folks.
> 
> Thanks for setting this up.

Just updated it to 0.0.2 to change the behavior on tor exits that kill
the connection before an SSL cert could be obtained to just warn
rather than save an empty cert.

http://fscked.org/proj/minihax/SnakesOnATor/

> I've been meaning to integrate an 'exit traffic comparison scheme'
> inside the directory authorities, so they not only check reachability,
> but they check whether certain sites are retrieved accurately from you
> if you're an exit node. Then you are listed as 'not running' (or not
> listed at all) if you're found to be funny-looking.
> 
> But I obviously haven't gotten around to this yet. Feel free to beat me
> to it.

Yeah, this essentially does that. I suppose you would want it built into
Tor proper though? I dunno if I can commit the time for that,
unfortunately. Plus C really bothers me.. Been spoiled by C++ & STL :)

Also, is there a complete Python Tor controller? contrib/TorControl.py
refers to a new version in CVS, but I can't find it. Perl is starting
to bother me for the same reasons C did.. OO support is an abysmal
afterthought..

> In the meantime, it looks like we need to start a policy of what Tor
> servers don't get included in the directory. We can exclude servers by
> key, by nickname, and by IP address/netmask. Another option is to label
> them as invalid, which will cause (correctly behaving) Tors to use them
> only for untrusted locations in the path. Sounds like that's the best plan
> for now. Let us know if you find others and we'll treat them similarly.

Will do. Maybe at some point I will create a real web presence for this
deal. Maybe a third script that enumerates all the output files and
makes that into a web-friendly listing page. Maybe after it stabilizes
for a few weeks.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
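The two ideas in this exchange, fingerprint comparison of the certificate seen through each exit and treating a killed connection as a warning rather than an empty result, are easy to show in a small Python sketch. This is an added example written for this page, not code from SnakesOnATor or from Tor itself; the Observation records, the exit nicknames and the certificate bytes are constructed placeholders, and the "majority fingerprint as reference" rule is an assumption standing in for the directory-authority comparison scheme Roger describes.

```python
"""Classify Tor exits by the TLS certificate observed through each one.

Added example (not the project's code). Inputs are constructed: each
Observation carries an exit nickname and the DER bytes of the leaf
certificate that was seen, or None if the exit dropped the connection
before any certificate arrived.
"""
import hashlib
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

OK, WARN, MISMATCH = "ok", "warn", "mismatch"


@dataclass
class Observation:
    exit_nick: str              # nickname of the exit used (constructed)
    cert_der: Optional[bytes]   # DER leaf cert, or None when the exit
                                # killed the connection before a cert came


def fingerprint(cert_der: bytes) -> str:
    """Hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(cert_der).hexdigest()


def majority_reference(observations: List[Observation]) -> Optional[str]:
    """Assumed rule: when no trusted baseline is at hand, take the most
    common fingerprint across exits as the reference. Returns None when
    there is no data or the top two fingerprints tie."""
    counts = Counter(fingerprint(o.cert_der) for o in observations if o.cert_der)
    if not counts:
        return None
    ranked = counts.most_common(2)
    if len(ranked) == 2 and ranked[0][1] == ranked[1][1]:
        return None
    return ranked[0][0]


def classify(observations: List[Observation], reference_fp: str) -> Dict[str, str]:
    """Map each exit to ok / warn / mismatch against the reference.

    A killed connection is a warning (the 0.0.2 behaviour in the thread:
    warn instead of saving an empty cert), not a mismatch, because there
    is no certificate to compare."""
    verdicts: Dict[str, str] = {}
    for o in observations:
        if o.cert_der is None:
            verdicts[o.exit_nick] = WARN
        elif fingerprint(o.cert_der) == reference_fp:
            verdicts[o.exit_nick] = OK
        else:
            verdicts[o.exit_nick] = MISMATCH
    return verdicts


# Constructed sample: three exits return the genuine cert, one returns a
# different cert, one killed the connection. Placeholder bytes, not real
# certificates.
GENUINE = b"\x30\x82\x01\x00constructed-genuine-cert"
FORGED = b"\x30\x82\x01\x00constructed-forged-cert"

SAMPLE = [
    Observation("exitA", GENUINE),
    Observation("exitB", GENUINE),
    Observation("exitC", FORGED),
    Observation("exitD", None),
    Observation("exitE", GENUINE),
]


def scan_report(observations: List[Observation] = SAMPLE,
                reference_fp: Optional[str] = None) -> Dict[str, str]:
    """Use the supplied reference fingerprint, or the majority one if none
    is given; an undecidable reference yields an empty report."""
    ref = reference_fp or majority_reference(observations)
    if ref is None:
        return {}
    return classify(observations, ref)


if __name__ == "__main__":
    for nick, verdict in sorted(scan_report().items()):
        print(f"{nick}: {verdict}")
```

A real scanner would fill the Observation list from connections made through each exit (the reference ideally coming from a direct, non-Tor fetch rather than a vote among exits), and a "mismatch" is exactly the kind of result the thread proposes feeding into the directory's invalid list.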