
Re[2]: Holy shit I caught 1


My Torpark mirrors are not providing pre-localized downloads. They all
come in English flavor by default, but include the lang packs for
Chinese simp and German.

Tell me more about the corrupt downloads, are they recent? From
karotte or sectoor?


Sunday, August 27, 2006, 9:10:05 PM, you wrote:

> Thus spake Roger Dingledine (arma@xxxxxxx):

>> I recall hearing stories about gatherings in east Asian countries suddenly
>> finding all their https connections man-in-the-middled.
>> Fortunately, Firefox catches it, and complains -- but unfortunately,
>> nobody takes the complaints seriously anymore.

> Yeah. For this reason it's not cause to panic yet. Hopefully. I
> suppose it depends on extension-update behavior. I could easily see
> that UI eating SSL errors somehow. Esp right after a Firefox upgrade
> when the whole beast hasn't properly launched and it is just "scanning
> for updates".

> However, I also have a whole collection of corrupted Torparks I need to
> have a look at.  May just be a bug in my script, though. Or maybe the
> Torpark mirrors automagically provide localized versions? They're
> coming from a lot of what I would expect to be trustworthy exits.

>> > Is anyone else scanning? My list of hits on for this zip is awfully
>> > small.. It appears we may actually need to scan, folks. 
>> Thanks for setting this up.

> Just updated it to 0.0.2 to change the behavior on tor exits that kill
> the connection before an SSL cert could be obtained to just warn
> rather than save an empty cert.

> http://fscked.org/proj/minihax/SnakesOnATor/

>> I've been meaning to integrate an 'exit traffic comparison scheme'
>> inside the directory authorities, so they not only check reachability,
>> but they check whether certain sites are retrieved accurately from you
>> if you're an exit node. Then you are listed as 'not running' (or not
>> listed at all) if you're found to be funny-looking.
>> But I obviously haven't gotten around to this yet. Feel free to beat me
>> to it.

> Yeah, this essentially does that. I suppose you would want it built in
> to Tor proper though? I dunno if I can commit the time for that,
> unfortunately. Plus C really bothers me.. Been spoiled by C++ & STL :)

> Also, is there a complete Python Tor controller? contrib/TorControl.py
> refers to new version in CVS, but I can't find it. Perl is starting
> to bother me for the same reasons C did.. OO support is an abysmal
> afterthought..

>> In the mean time, it looks like we need to start a policy of what Tor
>> servers don't get included in the directory. We can exclude servers by
>> key, by nickname, and by IP address/netmask. Another option is to label
>> them as invalid, which will cause (correctly behaving) Tors to use them
>> only for untrusted locations in the path. Sounds like that's the best plan
>> for now. Let us know if you find others and we'll treat them similarly.

> Will do. Maybe at some point I will create a real web presence for this
> deal. Maybe a third script that enumerates all the output files and
> makes that into a web-friendly listing page. Maybe after it stabilizes
> for a few weeks.
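
The exit comparison discussed in this thread, sketched as an added Python example (it is not part of the original messages and is not the SnakesOnATor script): each exit's certificate and download are hashed and checked against a baseline, and an exit that dropped the connection before a certificate arrived is only warned about, as in the 0.0.2 change. The exit names, byte strings and function names are constructed, and the baseline is assumed to come from a trusted direct fetch.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def compare_exits(observations, good_cert_fps, good_file_hashes):
    """Return {exit: [findings]} for exits whose results differ from the baseline.

    observations: iterable of (exit_name, cert_der_or_None, body_or_None).
    The baselines are sets, so a mirror that legitimately serves several
    builds of a file can list every known-good hash.
    """
    report = {}
    for exit_name, cert_der, body in observations:
        findings = []
        if not cert_der:
            # Connection died before a cert was obtained: warn, and do not
            # treat the empty result as a certificate to compare.
            findings.append("warn:no-cert")
        elif sha256_hex(cert_der) not in good_cert_fps:
            findings.append("cert-mismatch")
        if body is None:
            findings.append("warn:no-download")
        elif sha256_hex(body) not in good_file_hashes:
            findings.append("download-mismatch")
        if findings:
            report[exit_name] = findings
    return report

def suspects(report):
    """Exits with at least one hard mismatch; warnings alone do not count."""
    return sorted(name for name, found in report.items()
                  if any(not f.startswith("warn:") for f in found))

# Constructed sample data standing in for real certificates and downloads.
GOOD_CERT = b"constructed leaf certificate bytes"
GOOD_FILE = b"constructed archive contents"
GOOD_CERTS = {sha256_hex(GOOD_CERT)}
GOOD_FILES = {sha256_hex(GOOD_FILE)}
OBSERVATIONS = [
    ("exitA", GOOD_CERT, GOOD_FILE),
    ("exitB", b"constructed substitute certificate", GOOD_FILE),
    ("exitC", b"", None),                      # exit killed both connections
    ("exitD", GOOD_CERT, GOOD_FILE + b"\x00extra"),
]

if __name__ == "__main__":
    result = compare_exits(OBSERVATIONS, GOOD_CERTS, GOOD_FILES)
    print(result, suspects(result))
```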