[tor-talk] Some observations running tor and privoxy

[ÃaÄÄl P. Åesto <secpost@xxxxxxxxxxx>]

Greetings,

if you (still) use privoxy version 3.0.11 or higher, you may notice
that the actions (regexes) like img-reorder are not really white-space
friendly. If you run/use a webservices that sign or checksum entites
or checks signatures on static content, you get a lot of false positives
like in "OMG!11!1, the government, the nsa, my isp, that exitnode
manipulates/injects data into every bit I receive via Tor". :)

An application we did for a printshop, which detects if images
were tampered with (proxies for mobile phones do that), made some people
really paranoid.

Anyway, since everybody is using TLS nowadays or very soon, I reduced
my actions to a few lines and my family and I are very happy with the
results:

# 1- Remove x-forwarded-for
{ +change-x-forwarded-for{block} }
/
# 2- Hide Tor exit notation in Host and Referer Headers
{ +client-header-filter{hide-tor-exit-notation} }
/
# 3- Remove expiry from cookies
{ +session-cookies-only }
/
# 4- Remove DNT Header
{ +crunch-client-header{DNT:} }
/

1) if you run more proxies like personal firewalls or whatever
antiviri, these headers may get added and they need to go away.
They leak information of your internal network, which may be very unique.
2) nobody wants to say, hey watch me, I am using tor and this
exit with your site. They have blacklists and CDNs for that. :)
3) is very helpful if you have clients, that fetch data like weather
via http, or feedreaders and IOT-thingies. The embedded browsing-engines
usually don't care or don't manage cookies, so most cookies will
expire when you close the application (I am talking about you liferea
and any other tablet that uses webkit).
4) it is more effective to turn the geoapi off.

Another Option is to rewrite all clientheaders like:
{ +hide-user-agent{ spoofed chrome or apple header work fine} }
/

Since privoxy can only rewrite non-TLS Traffic, its perfectly fine for
us.

Tor and CDNs: Someone told me a joke about tor devs/users waving signs
with captchas at cloudflare employees and denying them passage until
they solve them. I didn't got it at that time. 
Since I use tor more often, I feel tempted to do the same.

Another complaint about Tor, I hear very often, that tor is slow. A
great countermeasure against CDNs and tor being slow is a caching
proxy like squid. Within our family is is usually like:
Alice: look at that cute cat picture at ...
Bob, Mallory and Trent doesn't need to solve another captcha, since the
image comes directly from the proxy.

Squid runs fine with a little space in tmpfs chained behind
privoxy and logging to /dev/null. Btw., Grandma runs a client and a 
hidden service so we can connect to her, the hiddenservice is much more
reliable than most of the Dyn-DNS services we tried.

I felt like I share some insight of us using tor,
along with problems we encountered with the privoxy regexes.

If you have questions about our setup, feel free to ask.

Happy realying.
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk