tor-dev October 2013

tor-dev@lists.torproject.org

62 participants
78 discussions

Using Stem to monitor TBB usage.
by remi py 27 Oct '13

27 Oct '13

Hy, I am having trouble using Stem to connect to the tor controller, while at the same time browsing the web using the TBB. The tor control settings can be edited in Vidalia -> settings -> advanced. There it is configured by default to use port 9150 and a random password for authentication, but I can not see what password. If I change any of these settings, then I cannot browse anymore, and TB displays "The proxy server is refusing connections". I am using this snippet: import stem from stem.control import Controller with Controller.from_port(port = 9151) as controller: controller.authenticate('') # provide the password here if you set one bytes_read = controller.get_info("traffic/read") bytes_written = controller.get_info("traffic/written") print "My Tor relay has read %s bytes and written %s." % (bytes_read, bytes_written) from https://stem.torproject.org/tutorials/the_little_relay_that_could.html So my problem is that I can not connect to the tor controller while at the same time browsing using the tbb. How do I fix this? Kind regards, Rémi.

3 3

This is my new OnionMail
by enfn 26 Oct '13

26 Oct '13

The first OnionMail server is working. OnionMail + Tails is simple!

2 1

test
by enfn 26 Oct '13

26 Oct '13

Test

1 0

Browser extension identification/fingerprinting mitigation?
by Griffin Boyce 26 Oct '13

26 Oct '13

Hi all, I'm looking at possibly replacing the images used by Cupcake with inline SVG XML, to reduce the possibility of fingerprinting/identifying Cupcake users who use Chrome [1]. One of the more talked-about methods of identifying a user's browser extensions is to look for images used by the extension (in Chrome at least), so this seems to make some amount of sense. [2] Does anyone have any thoughts on this? ~Griffin [1] https://chrome.google.com/webstore/detail/cupcake/dajjbehmbnbppjkcnpdkaniap… [2] http://blog.kotowicz.net/2012/02/intro-to-chrome-addons-hacking.html -- "Cypherpunks write code not flame wars." --Jurre van Bergen #Foucault / PGP: 0xAE792C97 / OTR: saint(a)jabber.ccc.de My posts are my own, not my employer's.

1 0

Re: [tor-dev] Incorporating your torsearch changes into Onionoo
by Kostas Jakeliunas 25 Oct '13

25 Oct '13

On Fri, Oct 11, 2013 at 12:00 PM, Karsten Loesing <karsten(a)torproject.org>wrote: > Hi Kostas, > > should we move this thread to tor-dev@? > Hi Karsten! sure. >From our earlier conversation about your GSoC project: > > In particular, we should discuss how to integrate your project into > > Onionoo. I could imagine that we: > > > > - create a database on the Onionoo machine; > > - run your database importer cronjob right after the current Onionoo > > cronjob; > > - make your code produce statuses documents and store them on disk, > > similar to details/weights/bandwidth documents; > > - let the ResourceServlet use your database to return the > > fingerprints to return documents for; and > > - extend the ResourceServlet to support the new statuses documents. > > > > Maybe I'm overlooking something and you have a better plan? In any > > case, we should take the path that implies writing as little code as > > possible to integrate your code in Onionoo. > > Let me know what you think! > Sounds good. Responding to particular points: > - create a database on the Onionoo machine; > - run your database importer cronjob right after the current Onionoo > cronjob; These should be no problem and make perfect sense. It's always best to use raw SQL table creation routines to make sure the database looks exactly like the one on the dev machine I guess (cf. using SQLAlchemy abstractions to do that (I did that before)). Current SQL script to do that is at [1]. I'll look over it. For example, I'd (still) like to generate some plots showing the chances of two fingerprints having the same substring (this is for the intermediate fingerprint table.) (One axis would be substring length, another would be the possibility in (portions of) %.) As of now, we still use substr(fingerprint, 0, 12), and it is reflected in the schema. Overall though, no particular snags here. > - make your code produce statuses documents and store them on disk, > similar to details/weights/bandwidth documents; Right, so if we are planning to support all V3 network statuses for all fingerprints, how are we to store all the status documents? The idea is to preprocess and serve static JSON documents, correct (as in the current Onionoo)? (cf. the idea of simply caching documents: if we serve a particular status document, it gets cached, and depending on the query parameters (date range restriction, e.g.) it may be set not to expire at all.) Or should we try and actually store all the statuses (the condensed status document version [2], of course)? > - let the ResourceServlet use your database to return the > fingerprints to return documents for; and > - extend the ResourceServlet to support the new statuses documents. Sounds good. I assume you are very busy with other things as well, so ideally maybe you had in mind that I could try and do the Java part? :) Though, since you are much more familiar with (your own) code, you could probably do it faster than me. Not sure. Any particular technical issues/nuances here (re: ResourceServlet)? cheerio Kostas. [1]: https://github.com/wfn/torsearch/blob/master/db/db_create.sql [2]: https://github.com/wfn/torsearch/blob/master/docs/onionoo_api.md#network-st… (e.g. http://ts.mkj.lt:5555/statuses?lookup=9695DFC35FFEB861329B9F1AB04C46397020C… )

2 2

Guard-security projects extracted from Roger's blog post
by George Kadianakis 25 Oct '13

25 Oct '13

Hey Nick, I made a pad with some of the tasks that Roger mentioned in his recent blog post [0]. The pad can be found here: https://pad.riseup.net/p/BQl2W58RLurU_guard It's probably not an exhaustive list and needs more work. Unfortunately I won't have time to work on it during the weekend so I'll post it here in case you find it useful. Cheers! [0]: https://blog.torproject.org/blog/improving-tors-anonymity-changing-guard-pa…

1 0

Re: [tor-dev] [tor-assistants] Finding a maintainer for Weather
by Damian Johnson 23 Oct '13

23 Oct '13

For those on tor-dev@, this is a thread where Karsten and I have been talking about the future of Tor Weather. Present thoughts are to do one of the following... a. Attempt to tap the community to find a maintainer (the service has been unmaintained for years). b. Hire a developer from odesk to address its present issues. Karsten and I aren't especially thrilled about this idea since it would mean continuing to have an unmaintained service linger on. c. Replace the functionality Weather provides with something else (that's most of what our recent discussion has been about). d. Simply deprecate and later shut down the service. >>> 3. We redesign Weather based on stem. >> >> As mentioned earlier this is already done to the extent that a patch >> exists. Weather's use of TorCtl was pretty simple so it was easy to >> map to stem, making some general improvements to the codebase in the >> process. If we opt for any plan involving the continuation of Weather >> than I'd like to see us do this since it's both easy, and will let >> Weather move off a deprecated dependency. We can then shift the >> service to Onionoo or rewrite it afterwards. > > There's a patch for this? Sounds like a new Weather maintainer should > apply this patch as their first action. (However, I'm not sure if we > should apply it without having a maintainer, because if it breaks, who's > going to pick up the pieces? Unless you'd want to do that?) Yup, a patch but untested (I didn't invest time into starting up a new Weather instance). So we definitely do need a maintainer before applying it. >>> 5. (Even smarter ideas go here) >> >> What about my earlier suggestion? I'd like to replace weather with a >> new torrc parameter, say... >> >> SendNotifications me(a)some_address.com >> >> ... which is then included in the extrainfo descriptors. DocTor (or a >> new Weather if we really don't want to merge services) could then send >> notifications when a relay that previously set this goes down, or has >> reached a point of deserving a t-shirt. The only trouble with this is >> that it would expose real addresses in descriptor data (and hence, >> possibly spam). >> >> Maybe there's something smart we can do to overcome this issue? >> Providing relay operators with a method for including real contact >> information would be helpful (as mentioned with the upgrade scenario >> earlier in the thread). > > But we already have ContactInfo lines. What's the difference between > the two? I'd find this rather confusing as a relay operator. Differences are... * This option would be an opt-in for receiving notifications about their relay. * It resides in extrainfo descriptors rather than server descriptors (not sure if that'll lessen spam, but ContactInfo's definitely in the wrong spot). * We've already trained users to throw garbage information into the ContactInfo. Since SendNotifications would be for automated systems like DocTor we could clearly state that it requires un-munged addresses, lest it doesn't work (and hence is pointless to set). This said, without a solution to the spam issue I don't think this is a good idea. I'm hoping others on this list will have some ideas around this since a solution for the spam problem is the only thing standing in our way for having a good replacement for Weather. > Also, I dislike the fact that we're adding a config option to tor that > is mostly used by the Weather service. What if we want to discontinue > the Weather service? The config option will be around for another two > years after that, but it won't do anything, which will make people think > the tor program is broken. Actually, DocTor rather than Weather - I want to shut Weather down. In theory this is a more general field for 'hey, automated services may send me notices regarding my relay', maybe also with 'here's tags for the notices I want'. Anyway, food for thought - an opt-in flag and email address is really most of what Weather provides us. > Also also, should this discussion happen on tor-dev@? :) Perfectly fine with me - added. Cheers! -Damian

3 4

Attentive Otter: Usability issues with existing OTR clients
by Derek Moss 23 Oct '13

23 Oct '13

>As you point out, you get a "Unverified/Verified" when using OTR. Verifying >fingerprints of anonymous chat is practically impossible -- every side >channel I can think of (telephone, meeting in person, email - ha) either >leaks the act of contacting, isn't practical or convenient, or requires >some kind of Internet reputation. I'd bet that most OTR users don't verify >fingerprints. >TOFU is a must, along with a dialogue that explains in simple terms what is >going on, with a way to dismiss the dialogue (e.g. by correctly answering a >security question). >Perhaps replacing "Unverified" with "In use for: x days" ? Changing fingerprints seems like a big problem, because it's reasonable for users to verify them when they first add a user to their contacts (via phone or whatever) but they're not going to keep doing that if the contact keeps changing their fingerprint and will probably just click OK when warned that the fingerprint has changed. I have no idea if this exposes a risk from a MITM attack or some other compromise but it would seem like it might. Certainly it should be easy to bring up a contact's fingerprint for verifying, by right-clicking on their name for example and not buried away somewhere in the preferences. > > We should have per-message icons for > > both sent and received messages that indicate encryption status for that > > message in the chat scrollback window. >If the Attentive Otter client is going to be "Force OTR", then you'd >only need a special flag for "received insecurely" (much as pidgin-otr >has). With Jitsi, I think it's not clear enough whether chats are secured or not and there seems to be some bugs that cause it send unsecured messages despite the "Force OTR" setting. I've had problems with it sending unencrypted messages when starting a conversation from one end but not in the reverse direction. Obviously this needs to be prevented and I like the idea of just not sending any text until a secure connection has been established. For Attentive Otter, hopefully the "Force OTR" can be made rock-solid and so it should only need to indicate unsecured incoming message (or maybe even block those but perhaps there's not much benefit from doing so). >Is "skull and crossbones" an easily understandable icon for "message >received insecurely"? It would certainly need a tooltip hint, or >something like that. I think a padlock icon is much more understandable for most users. > > 7. Logging should be off by default when OTR is on. >Agree (as with pidgin-otr 4.x). >> I guess people like logging for some reason, and I'll admit that pidgins >>"History" mode really enables asynchronous chat. Rather than require you >> *turn off* OTR to get this feature, an alternative would be to require a >> passphrase and automatically expunge encrypted logs after a configurable >> period of time. And, unlike other clients, perhaps telling the conversation >> counterparty that logging is enabled (e.g. the opposite of gchat "OTR" >> notifications ) at the start of the session would provide informed consent. >Unfortunately, such counterparty notifications cannot be relied on, as >you could have hacked your client. On the issue of logging, I'd suggest it would be best to have no logging features at all. That way, they can't be enabled accidentally or deliberately and other than the other user running a hacked version (either on purpose or unknown to them) both users can have more confidence that their chat isn't being logged. Of course, this won't prevent the other user cutting and pasting the conversation to manually log it but that comes down to trusting them, whereas logging features can cause a security breach without either party intending to do so. This was a big issue for a number of users on the Jitsi mailing list and we were rather disappointed that the devs seemed more focused on the convenience some users get from being able to refer back to old conversations than the security from not having conversations logged. Although the devs didn't really accept that logging could be a security problem and felt that Jitsi's purpose was to secure chats in transit and nothing else. If you must have logging, at least encrypt the logs so that they're not sitting around in plaintext for anyone to grab. Despite the issues I've mentioned with Jitsi, I wonder if it might not be an alternative starting point to InstantBird? I see that it's been decided you don't want to use Pidgin/libpurple but wonder if other alternatives, like Jitsi which I understand is free to be forked, have been considered, where much of the required OTR work might already have been done?

1 0

Re: [tor-dev] First draft of Requirements and Software Design for a Better Tor Performance Measurement Tool
by Karsten Loesing 23 Oct '13

23 Oct '13

[Adding tor-dev@ back to the Cc.] On 10/8/13 7:25 PM, Robert Annessi wrote: > On Friday 06 September 2013 15:58:53 Karsten Loesing wrote: >> I just finished a first draft of a tech report sketching out the >> requirements and a software design for a new Torperf implementation. > >> Feedback in the form of patches to the LaTeX sources is most preferred, >> though email replies are of course fine, too. > > I would add a "Circuit build success/failure rate" to the tests. Recent events > (botnet) clearly showed that such data is needed but missing. Absolutely. The plan is to log stream and circuit information on the tor processes used by Torperf. See section 2.2.1 "Results format" for details: """ Results may include data which appear not immediately relevant to measuring Tor performance, but which may be useful for related purposes. For example, Torperf should include data about circuit failures in its results, even though these circuits may not have been used in actual requests.% \footnote{\url{https://trac.torproject.org/projects/tor/ticket/8662}} """ Also see the appendix that specifies data formats for stream and circuit information. If you have suggestions for making this clearer, can you send me a patch to the LaTeX sources? https://gitweb.torproject.org/user/karsten/tech-reports.git/blob/refs/heads… All the best, Karsten

1 0

Torperf implementation considerations (was: Torperf)
by Kevin Butler 23 Oct '13

23 Oct '13

[cc tor-dev] On 16 September 2013 09:47, Karsten Loesing <karsten(a)torproject.org> wrote: > Hmm, I don't think the HTTP client/server part is the right interface to > write another client and server and call it Torperf compatible. The > Torperf data API would be a better interface for that: people could > write their own experiments and provide data that is Torperf compatible, > or they could use the data that Torperf provides and analyze or > visualize it in a better way. But writing only half of an experiment, > client or server, wouldn't be of much use. > > I thought bit more about this and I don't fully agree (but you've nailed it that the data is the core api). I've come to the conclusion that I think it makes sense for TorPerf to do much of the heavy lifting and the core server aspects, but I think the experiments should be decoupled in such a way as to allow for flexible client implementations. Below are a bunch of semi related musings on how to get to this: Of course as many experiments will just be doing simple http requests, the experiments will really just be wrapper scripts around a bundled default client implementation which would be similar to the one in your perfd branch. Specifically, to aid in this, I'd propose something like the folder structure below: https://etherpad.mozilla.org/iqrgueVFd6 [Why a set of directories? There's not a solid reason other than it forces unique names and gives good opportunity to isolate experiment specific data. If an experiment has no specific data files it should be alright to just have the config file instead of a directory. A directory structure also mimics the idea of a restful web service as mentioned in the pdf, i.e. the user could easily know to go to http:/.../results/myexperiment/ to see results filtered for that single experiment. Either way, it's a minor detail, I just feel it's easier for a user.] A good use of the specific experiment data could be for static files, where anything in an experiments '/public' folder would be served by the webserver while that experiment is running. If wanting to ensure nothing gets proxy cached, the experiment could be responsible for generating random data files for each run. (This is a clear separation of server vs experiment implementation concern.) Another idea could be custom experiment views(js probably) that would transform the experiment results when viewed on the web dashboard. The experiments should not be responsible for determining details such as socks port or control port, the TorPerf service should deal with load balancing a bunch of tor instances on different ports and just tell an experiment 'Do your stuff using this sock port, this public ip:port, etc...' via environment variables. (The config could ask that certain aspects of the torrc file are setup specifically but managing ports and stuff is just asking for user error unless there's some experiment that requires it.) The config should minimally have an execution rate and a command. The command could be to just execute the bundled TorPerf client implementation with boring parameters e.g. just fetch facebook.com and record the normal timings that the default implementation tracks. A more interesting config's command could be the alexa_top_100 where it's just a basic script/makefile that fetches a new alexa list if the one in the local folder is older than X days and then for each site in the list it runs the TorPerf client instance. The TorPerf service instance should be able to run experiments by just executing the commands and recording whatever is written to stdout and stderr. After the command exits, if it's non zero then the stderr output is treated as error messages while if it's zero then it's treated as info messages. The stdout data should be treated as TorPerf results and it's an error if it's not well formed. If it's not well formed it should be captured in the results file for debug purposes. An example of informational output might be that the alexa_top_100 experiment updated it's list before this result set. [On the web interface it should be clear which results sets contained errors or information] Once the experiment finishes, the service should postprocess the results from the experiment and replace any fingerprinted entries (This needs to be well defined) with the server side timing information for that specific fingerprint. Then the server should store the results file in a timestamped file (timestamped probably by experiment start time) and update it's database(if there is one). The experiments should be able to specify their required tor version in their config, but it should accept placeholder values such as the default 'latest', 'latest-stable' or even 'latest(3)' which would run the experiment for all 3 of the latest tor versions. I think the ability to check the performance of the same experiment over multiple Tor versions could be interesting, especially to determine if any one build has caused anomalies in performance. I would expect very few experiments to run across multiple versions though. Additionally, something that could be neat, but it's not clearly in the requirements, should TorPerf be responsible for notifying the user when there are new clients available to run as latest? Would it be useful to be able to specify that some experiments should be run on 'master' or a gitref and that it would be pulled between runs? That's probably not practical. Apologies for the length and lack of order! Kevin

4 11

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

tor-dev October 2013