[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] TPP



 Where do we even begin countering the catastrophe that is the Trans Pacific Partnership? Apparently it passed through today. Where were you when the internet officially died?


>Tuesday, October  6, 2015 12:00 PM UTC from tor-talk-request@xxxxxxxxxxxxxxxxxxxx:
>
>Send tor-talk mailing list submissions to
>tor-talk@xxxxxxxxxxxxxxxxxxxx
>
>To subscribe or unsubscribe via the World Wide Web, visit
>https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>or, via email, send a message with subject or body 'help' to
>tor-talk-request@xxxxxxxxxxxxxxxxxxxx
>
>You can reach the person managing the list at
>tor-talk-owner@xxxxxxxxxxxxxxxxxxxx
>
>When replying, please edit your Subject line so it is more specific
>than "Re: Contents of tor-talk digest..."
>
>
>Today's Topics:
>
>ÂÂÂ1. Redirects from exits (sh-expires-12-2015@xxxxxxxxxxxxxxxx)
>ÂÂÂ2. Re: Making TBB undetectable! (sh-expires-12-2015@xxxxxxxxxxxxxxxx)
>ÂÂÂ3. Re: Potential uses for the Tor network (Moritz Bartl)
>ÂÂÂ4. Re: Potential uses for the Tor network (zaki@xxxxxxxxxx)
>ÂÂÂ5. Making TBB undetectable! (Spencer)
>ÂÂÂ6. Re: pidgin and tor (coderman)
>
>
>----------------------------------------------------------------------
>
>Message: 1
>Date: Mon, 5 Oct 2015 20:35:32 +0200
>From: " sh-expires-12-2015@xxxxxxxxxxxxxxxx "
>< sh-expires-12-2015@xxxxxxxxxxxxxxxx >
>To:  tor-talk@xxxxxxxxxxxxxxxxxxxx
>Subject: [tor-talk] Redirects from exits
>Message-ID: < 20151005183532.GA24964@xxxxxxxxxxxxxxxxxxxxx >
>Content-Type: text/plain; charset=us-ascii
>
>While using the exits 
>EF8AFB7F6A040CBE0ABA2C5A76BE04D84524C56B~Heaven
>184E9215A97F21323BF8661329FCB6F89305CDAC~QPgufmQMLX9T
>to i.e.  http://www.freedesktop.org (and some academic sites)
>we observe occasionally strange behavior, like HTTP 
>requests redirected from port 80 to 8123.
>
>I can't tell much more, only that the link_apconn_to_circ()
>logmessges correlate to the request log from the proxy
>that limits connections to port 80 and 443.
>
>Maybe someone can enlighten me :)
>
>
>------------------------------
>
>Message: 2
>Date: Mon, 5 Oct 2015 21:50:57 +0200
>From: " sh-expires-12-2015@xxxxxxxxxxxxxxxx "
>< sh-expires-12-2015@xxxxxxxxxxxxxxxx >
>To:  tor-talk@xxxxxxxxxxxxxxxxxxxx
>Subject: Re: [tor-talk] Making TBB undetectable!
>Message-ID: < 20151005195057.GB24964@xxxxxxxxxxxxxxxxxxxxx >
>Content-Type: text/plain; charset=us-ascii
>
>On Mon, Oct 05, 2015 at 02:14:11AM -0700, Spencer wrote:
>> The various bits that define your fingerprint.
>
>That makes only sense if you sync your clients requests
>to TrackHostExitsExpire, the effect on CDNs that stick
>lots of cookies to you, is that what happens to the folks
>in the cloudflare thread, any automatic observer will
>diagnose these clients requests for a defunct scraper
>and force human interaction proof.
>
>Basically, the countermeasure against such behavior is
>to stick a cookie with an hash of your fingerprint
>to your browser and deny you, as soon as it no longer
>matches.
>
>If you try to spoof any plugin, you forget that, the
>presence of a plugin is easy to check, lets assume
>we spoof the very popular flashplugin (ewww):
>The countermeasure is the same as above, a site
>gives you some .swf with a obfuscated redirector inside.
>Since you only accept the .swf and discard it your
>adversary knows that you fake this bits and denies
>you again.
>
>As soon as you turn on javascript, nearly every bit
>of your browser is easy to verify, and requesting
>with user-agent A in the http-header and stating
>that appName is B does look a little bit suspicious.
>
>> No need to spoof traffic if using real fingerprint variables.
>
>If you'd read the TBB design doc, you'd understand that the
>choice that was made, using a pretty real and pretty common
>user-agent, and some measures were added.
>
>> I feel like behavior will address the examples for this argument.
>
>The case, that OP describes, is that he is using tor to connect
>to another semi-public entity (like an open proxy) and likes
>to hide the fact, that he is using Tor/TBB.
>
>The only case, were that makes sense to me is for trolling sites,
>that aren't available via Tor anymore, were the preference for
>anonymity is less than trolling those sites, or that is the
>impression I get.
>Â
>> True, but we can come up with other ideas than using the public Tor 
>> exits.
>
>You still can use tor, the standalone OR, and any browser you
>like, if you are so unhappy with TBB. The demanded feature makes
>absolutly no sense for a TBB usecase or threatmodel.
>
>You will notice, that if you start to do this, you are uniquely
>fingerprintable just try to trick the
>https://check.torproject.org/ in stating that you are using
>TBB while using another browser, lets say Chrome, with
>enabled scripts.
>
>You fail to understand that TBB is a convenient solution,
>that is build so humans can circumvent censorship and
>achieve a pretty high degree in anonymity while using Tor.
>
>If you really must use non-tor exits, for whatever reason,
>access them as a hidden-service, that makes much more sense. 
>If you can, for example, use only bridges and like to use
>a vpn to achieve a high degree of privacy to a given endpoint.
>
>But since OP uses open proxies, I really doubt he wants/needs some
>of the features that Tor actually provides. ;)
>
>
>------------------------------
>
>Message: 3
>Date: Mon, 05 Oct 2015 22:13:51 +0200
>From: Moritz Bartl < moritz@xxxxxxxxxxxxxx >
>To:  tor-talk@xxxxxxxxxxxxxxxxxxxx
>Subject: Re: [tor-talk] Potential uses for the Tor network
>Message-ID: < 5612D9FF.6010306@xxxxxxxxxxxxxx >
>Content-Type: text/plain; charset=windows-1252
>
>On 10/04/2015 09:39 PM, Bryan Gwin wrote:
>> Is it possible for someone to design some software that can
>> utilize the Tor network (i.e. software that will allow users to communicate
>> with each other through the Tor Network allowing for private
>> conversations). 
>
>Totally! "Tor" as core component simply provides a local SOCKS proxy for
>applications. This is also what the Tor Browser uses. So, any
>application that understands how to tunnel application traffic via SOCKS
>can be "torified".
>
>For a lot more information see the community wiki page:
>https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO
>
>-- 
>Moritz Bartl
>https://www.torservers.net/
>
>
>------------------------------
>
>Message: 4
>Date: Mon, 5 Oct 2015 14:57:59 -0700
>From: " zaki@xxxxxxxxxx " < zaki@xxxxxxxxxx >
>To:  tor-talk@xxxxxxxxxxxxxxxxxxxx
>Subject: Re: [tor-talk] Potential uses for the Tor network
>Message-ID:
>< CAJQ8TmB6ZxRoqE6bFH7449rLZsDCwLwbfS9gGMRGQAC=Wv=Yww@xxxxxxxxxxxxxx >
>Content-Type: text/plain; charset=UTF-8
>
>Tor Hidden Services have a lot utility in the context of peer of peer
>networks.
>
>Consider how Tor and Hidden Services work in Bitcoin.
>
>1. The user sets up a Hidden Service for their Bitcoin.
>https://github.com/bitcoin/bitcoin/blob/master/doc/tor.md
>
>2. Once the user's node starts, the .onion address of their hidden service
>is circulated in the bitcoin gossip network. Basically other bitcoin nodes
>tell each other about all the Bitcoin node they learn about.
>
>3. Other bitcoin nodes will learn about the new hidden service from the
>nodes they are connected to and the tor aware nodes will connect with them.
>
>Hidden Services have a number of advantages over other peer to peer
>architectures.
>
>1. Hidden Services enforce a binding keypair to each node on the peer to
>peer network. This ensures that a node x.onion that we learn about through
>the gossip network is the name node x.onion that we connect to. Most peer
>to peer networks make the assumption that you'll be able to find some
>honest nodes to connect to.
>
>2. Tor tells the users ISP that you run Tor but tells them very little
>about what other peer to peer services the users run on top of Tor.
>
>3. Tor Hidden Services provide end to end reachability for to the peer to
>peer network far more reliably than system like UPNP.
>
>
>
>On Mon, Oct 5, 2015 at 1:13 PM, Moritz Bartl < moritz@xxxxxxxxxxxxxx > wrote:
>
>> On 10/04/2015 09:39 PM, Bryan Gwin wrote:
>> > Is it possible for someone to design some software that can
>> > utilize the Tor network (i.e. software that will allow users to
>> communicate
>> > with each other through the Tor Network allowing for private
>> > conversations).
>>
>> Totally! "Tor" as core component simply provides a local SOCKS proxy for
>> applications. This is also what the Tor Browser uses. So, any
>> application that understands how to tunnel application traffic via SOCKS
>> can be "torified".
>>
>> For a lot more information see the community wiki page:
>>  https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO
>>
>> --
>> Moritz Bartl
>>  https://www.torservers.net/
>> --
>> tor-talk mailing list -  tor-talk@xxxxxxxxxxxxxxxxxxxx
>> To unsubscribe or change other settings go to
>>  https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>>
>
>
>------------------------------
>
>Message: 5
>Date: Mon, 05 Oct 2015 15:47:35 -0700
>From: Spencer < spencerone@xxxxxxxxxxxxxxx >
>To:  tor-talk@xxxxxxxxxxxxxxxxxxxx
>Subject: [tor-talk] Making TBB undetectable!
>Message-ID: < 08029a42fb0bc2e6cab75e92df12a11a@xxxxxxxxxxxxxxx >
>Content-Type: text/plain; charset=US-ASCII; format=flowed
>
>Hi,
>
>>> 
>>> Spencer:
>>> The various bits that define your fingerprint.
>>> 
>> 
>> sh-expires-12-2015@xxxxxxxxxxxxxxxx:
>> Basically, the countermeasure against such behavior is
>> to stick a cookie with an hash of your fingerprint
>> to your browser and deny you, as soon as it no longer
>> matches.
>> 
>
>Yes, but discrimination is unsupported and avoidable.
>
>> 
>> If you try to spoof
>> 
>
>No spoof.
>
>> 
>> If you'd read the TBB design doc,
>> 
>
>Quite the presumption :(
>
>> 
>> you'd understand that the
>> choice that was made, using a pretty real and pretty common
>> user-agent, and some measures were added.
>> 
>
>And as a result, Tor Browser owns up to its ID with no spoofing, as Tor 
>Browser users appear a Tor Browser users.
>
>> 
>> using tor to connect
>> to another semi-public entity (like an open proxy)
>> 
>> The only case, were that makes sense to me is for trolling sites
>> 
>
>Or using the internet.  What if the OP is tired of being rejected from 
>visiting sites due to IP badlists and uses said proxy to appear like a 
>clearnet user so as not to be restricted.  Google products (except for 
>Google Images) require this.  Ix Quick and Startpage feature this.
>
>> 
>> if you are so unhappy with TBB.
>> 
>
>Again with the presumptions :(:(
>
>> 
>> The demanded
>> 
>
>Discussed
>
>> 
>> feature makes
>> absolutely no sense for a TBB usecase or threatmodel.
>> 
>
>Will you link to the use cases and threat models in the documentation?
>
>> 
>> You fail to understand
>> 
>
>Fail often to succeed sooner :)
>
>My thought is that this is being mentioned in multiple places and, if 
>there is any merit to undetectability, we should challenge it fully to 
>see; not settle with what we have and use "good enough" as an argument. 
>I suggested a formal proposal as the next step.
>
>Wordlife,
>Spencer
>
>
>
>------------------------------
>
>Message: 6
>Date: Mon, 5 Oct 2015 16:00:36 -0700
>From: coderman < coderman@xxxxxxxxx >
>To:  tor-talk@xxxxxxxxxxxxxxxxxxxx
>Subject: Re: [tor-talk] pidgin and tor
>Message-ID:
>< CAJVRA1T_7RJEHQv9wcbTwSnv+05cKxE2TmRUYa08oTRYPDddeA@xxxxxxxxxxxxxx >
>Content-Type: text/plain; charset=UTF-8
>
>On 9/29/15, Tempest < tempest@xxxxxxxxxxxxx > wrote:
>> ...
>> another option to consider is whonix.  https://whonix.org . it's a good
>> mitigation platform against potentially leaky aps.
>
>the primary problem with Pidgin is libpurple [
>https://pidgin.im/news/security/ ] and a more appropriate mitigation
>would be Qubes isolation, perhaps Whonix-Qubes on new 3.0. :)
>
>as indicated in the thread, there are not any good alternatives.
>xmpp-client and irssi-xmpp-otr, others quite weird usability wise.
>ÂÂÂ[old schoolers may disagree *grin*]
>
>
>best regards,
>
>
>------------------------------
>
>Subject: Digest Footer
>
>_______________________________________________
>tor-talk mailing list
>tor-talk@xxxxxxxxxxxxxxxxxxxx
>https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>
>
>------------------------------
>
>End of tor-talk Digest, Vol 57, Issue 10
>****************************************



-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk