
Re: Blocked by Websense



On Sun, Nov 26, 2006 at 05:10:22PM +0800, John Kimble wrote:
> The blocking is done by redirecting all HTTP requests with
> "/tor/server/" in the path to a local "blocked by Websense" page. I've
> tested this by entering arbitrary URLs with "/tor/server/" in the
> path, like these two below, which all lead to the "blocked" page:
> http://www.google.com/tor/server/blahblah
> http://www.arbitrary.net/more-arbirary-path/tor/server/meh.txt

Oh boy. Looks like they have started that particular arms race.
Do you know what version of Websense they were using?

We know what the next few steps of the arms race will be on our side,
and we have some guesses about what they'll be on the opposing sides,
but I'm not sure how quickly we want the arms race to proceed. I suppose
we should give that some thought now.

> A couple of questions:
> 
> Is there a way I can somehow supply Tor with directory information
> when Tor is unable to do a plaintext HTTP download (which is quite
> easy to block based on fixed strings in the path) when it starts up?

Get a cached-routers file and the cached-status/* files from
somewhere. Bring them from home on a USB stick if you like. I'm not
sure how recent they need to be -- if you're using 0.1.1.x it needs
to be from within 24 hours. I believe 0.1.2.3-alpha is more forgiving,
but not by much. Let me know if you get it working and what it takes.

Future versions of Tor will bootstrap better with whatever files it
starts with; and will avoid the particular fingerprinting vulnerability
you describe above.

> Provided the first question is solved, once Tor has built its
> circuits, can it be configured to download its directory updates
> through the Tor circuits, so as to avoid leaving behind these telltale
> footprints of periodical Tor directory downloads?

Set "__AllDirActionsPrivate 1" in your torrc.
(This config option is intended for controllers that bootstrap your
initial circuits themselves, but it should work fine as a manual
workaround for now.)

Hope that helps,
--Roger
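Added example (not part of the original message, and not Tor's or Websense's code): a small Python model of the two mechanics discussed above. `is_blocked` reproduces the behaviour the poster observed, a match on the fixed string "/tor/server/" in the URL path regardless of host, and `cache_age_ok` / `check_cached_files` apply the 24-hour freshness limit Roger quotes for 0.1.1.x to a `cached-routers` file and the `cached-status/` directory carried in on a USB stick. The file names and the DataDirectory layout are taken from the message; the exact freshness rule of the real Tor code is an assumption here, as is the assumption that the filter keys on the path component only.

```python
"""Model of the path-string block and the cached-directory freshness
check described in the thread above. Added example; not Tor's or
Websense's own code."""
import os
import sys
import time
from urllib.parse import urlsplit

# The fixed string the poster found the filter keying on.
BLOCKED_PATH_FRAGMENT = "/tor/server/"

# Freshness window Roger gives for 0.1.1.x cached directory files.
MAX_CACHE_AGE_SECONDS = 24 * 60 * 60


def is_blocked(url: str) -> bool:
    """Return True if the modelled filter would redirect this request.

    Assumption: the match is on the URL path alone, which is why the
    hostname does not matter; any site plus "/tor/server/" hits the
    block page.
    """
    return BLOCKED_PATH_FRAGMENT in urlsplit(url).path


def cache_age_ok(file_mtime: float, now: float,
                 max_age: float = MAX_CACHE_AGE_SECONDS) -> bool:
    """True if a cached file written at file_mtime is still inside the
    freshness window at time `now` (files "from the future" are rejected)."""
    age = now - file_mtime
    return 0 <= age <= max_age


def check_cached_files(data_dir: str, now=None) -> dict:
    """Report freshness of the files Roger names under a Tor DataDirectory.

    Returns {relative path: True (fresh) / False (stale) / None (missing)}.
    Layout assumed: 'cached-routers' plus everything under 'cached-status/'.
    """
    now = time.time() if now is None else now
    report = {}
    candidates = [os.path.join(data_dir, "cached-routers")]
    status_dir = os.path.join(data_dir, "cached-status")
    if os.path.isdir(status_dir):
        candidates += [os.path.join(status_dir, f)
                       for f in sorted(os.listdir(status_dir))]
    for path in candidates:
        rel = os.path.relpath(path, data_dir)
        if not os.path.isfile(path):
            report[rel] = None
        else:
            report[rel] = cache_age_ok(os.path.getmtime(path), now)
    return report


if __name__ == "__main__":
    # Constructed sample URLs: the two from the post plus a control.
    for u in ("http://www.google.com/tor/server/blahblah",
              "http://www.arbitrary.net/more-arbirary-path/tor/server/meh.txt",
              "http://www.arbitrary.net/other/path.txt"):
        print(f"{'BLOCKED' if is_blocked(u) else 'allowed'}  {u}")
    # Optional: python3 this.py /path/to/DataDirectory
    if len(sys.argv) > 1:
        for rel, ok in check_cached_files(sys.argv[1]).items():
            state = "missing" if ok is None else ("fresh" if ok else "STALE")
            print(f"{state:8} {rel}")
```

Run it with the path to the DataDirectory you copied the files into to see which of them would still be accepted under the 24-hour rule before you start Tor; a stale report means the files need refreshing at the source, not that the filter has caught you.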