
Re: Blocked by Websense



Roger Dingledine wrote:
> On Sun, Nov 26, 2006 at 05:10:22PM +0800, John Kimble wrote:
>> The blocking is done by redirecting all HTTP requests with
>> "/tor/server/" in the path to a local "blocked by Websense" page. I've
>> tested this by entering arbitrary URLs with "/tor/server/" in the
>> path, like these two below, which all lead to the "blocked" page:
>> http://www.google.com/tor/server/blahblah
>> http://www.arbitrary.net/more-arbirary-path/tor/server/meh.txt
> 
> Oh boy. Looks like they have started that particular arms race.
> Do you know what version of Websense they were using?

What about getting Tor to use Tor to get the directory information?
I don't know how we would bootstrap though without the public key of the
server we use. If it was a signature-based key negotiation we could have
the client ignore the signature until it was able to verify it. Or we
could use the first server we connect to to give the client the
directory. Or we could use a DHT.

> 
> We know what the next few steps of the arms race will be on our side,
> and we have some guesses about what they'll be on the opposing sides,
> but I'm not sure how quickly we want the arms race to proceed. I suppose
> we should give that some thought now.
> 
>> A couple of questions:
>>
>> Is there a way I can somehow supply Tor with directory information
>> when Tor is unable to do a plaintext HTTP download (which is quite
>> easy to block based on fixed strings in the path) when it starts up?
> 
> Get a cached-routers file and the cached-status/* files from
> somewhere. Bring them from home on a USB stick if you like. I'm not
> sure how recent they need to be -- if you're using 0.1.1.x it needs
> to be from within 24 hours. I believe 0.1.2.3-alpha is more forgiving,
> but not by much. Let me know if you get it working and what it takes.
> 
> Future versions of Tor will bootstrap better with whatever files it
> starts with; and will avoid the particular fingerprinting vulnerability
> you describe above.
> 
>> Provided the first question is solved, once Tor has built its
>> circuits, can it be configured to download its directory updates
>> through the Tor circuits, so as to avoid leaving behind these telltale
>> footprints of periodical Tor directory downloads?
> 
> Set "__AllDirActionsPrivate 1" in your torrc.
> (This config option is intended for controllers that bootstrap your
> initial circuits themselves, but it should work fine as a manual
> workaround for now.)
> 
> Hope that helps,
> --Roger
> 
> 


-- 
They who would give up essential Liberty to purchase a little temporary
Safety, deserve neither Liberty or Safety
--Benjamin Franklin
