[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Blocked by Websense

On Sun, Nov 26, 2006 at 05:10:22PM +0800, John Kimble wrote:
> The blocking is done by redirecting all HTTP requests with
> "/tor/server/" in the path to a local "blocked by Websense" page. I've
> tested this by entering arbitrary URLs with "/tor/server/" in the
> path, like these two below, which all lead to the "blocked" page:
> http://www.google.com/tor/server/blahblah
> http://www.arbitrary.net/more-arbirary-path/tor/server/meh.txt

Oh boy. Looks like they have started that particular arms race.
Do you know what version of Websense they were using?

We know what the next few steps of the arms race will be on our side,
and we have some guesses about what they'll be on the opposing sides,
but I'm not sure how quickly we want the arms race to proceed. I suppose
we should give that some thought now.

> A couple of questions:
> Is there a way I can somehow supply Tor with directory information
> when Tor is unable to do a plaintext HTTP download (which is quite
> easy to block based on fixed strings in the path) when it starts up?

Get a cached-routers file and the cached-status/* files from
somewhere. Bring them from home on a USB stick if you like. I'm not
sure how recent they need to be -- if you're using 0.1.1.x it needs
to be from within 24 hours. I believe is more forgiving,
but not by much. Let me know if you get it working and what it takes.

Future versions of Tor will bootstrap better with whatever files it
starts with; and will avoid the particular fingerprinting vulnerability
you describe above.

> Provided the first question is solved, once Tor has built its
> circuits, can it be configured to download its directory updates
> through the Tor circuits, so as to avoid leaving behind these telltale
> footprints of periodical Tor directory downloads?

Set "__AllDirActionsPrivate 1" in your torrc.
(This config option is intended for controllers that bootstrap your
initial circuits themselves, but it should work fine as a manual
workaround for now.)

Hope that helps,