Hey all,
You may remember an email from me about a week ago, and I could really use some pointers.
We just stealth launched an alpha version of http://grailo.net and I would love all of you to try it out and give me feedback. It's 100% open source, 100% free, and you can even fork the project yourself on github.
Its goal: Create a simple to use client side, RSA public key encryption for microblogging on the internet.
The reason I am reaching out to you is I am interested in creating a client side plugin for the TOR browser so that people can use the client side encryption safely and privately, and without fear. Since scripting is disabled in TOR, with good reason, I want a plugin that is blessed by the TOR project as open and safe for encryption.
Any leads on where to get started are greatly appreciated.
Clay
On Sat, 1 Dec 2012 15:39:25 -0800 Clay Graham claytantor@gmail.com wrote:
> The reason I am reaching out to you is I am interested in creating a client side plugin for the TOR browser so that people can use the client side encryption safely and privately, and without fear. Since scripting is disabled in TOR, with good reason, I want a plugin that is blessed by the TOR project as open and safe for encryption.
> Any leads on where to get started are greatly appreciated.
“Scripting is disabled in Tor” is not an entirely correct statement. The Tor *Browser* disables scripts via NoScript; this provides the ability to selectively enable scripting on sites you trust. However, Tor itself is agnostic to what you use it for. If you write an application that can talk to a SOCKS proxy, it can be pointed directly at Tor with no need to interface with the browser.
Julian
On 01/12/12 23:39, Clay Graham wrote:
> You may remember an email from me about a week ago, and I could really use some pointers.
> We just stealth launched an alpha version of http://grailo.net and I would love all of you to try it out and give me feedback. It's 100% open source, 100% free, and you can even fork the project yourself on github.
> Its goal: Create a simple to use client side, RSA public key encryption for microblogging on the internet.
> The reason I am reaching out to you is I am interested in creating a client side plugin for the TOR browser so that people can use the client side encryption safely and privately, and without fear. Since scripting is disabled in TOR, with good reason, I want a plugin that is blessed by the TOR project as open and safe for encryption.
> Any leads on where to get started are greatly appreciated.
I can't trust any javascript that your service sends to my browser over Tor, because you don't use https. That javascript on the signup page which generates your private key... How do I know that script came from your server and that it's not a modified version which came from an exit node, which is going to report the key back to them after it is generated?
At a bare minimum, before I would even start considering using this service, every single resource that your site delivers should be sent over https, all http connections should be redirected to https. HSTS should be used so browsers remember to use https, and you should contact the Chromium project to get yourself on their list of pinned SSL sites for first time visitors (which is also used in Firefox now I believe), and is also used in the HTTPS-Everywhere project for rule generation.
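Added example, not part of the original thread: a small Python audit of the transport requirements listed in the message above (every http URL redirects to https, every https response carries HSTS). The host `example.test`, the sample responses and the one-year `MIN_MAX_AGE` threshold are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

MIN_MAX_AGE = 31536000  # one year in seconds; threshold assumed for this example

def parse_hsts(value):
    """Parse a Strict-Transport-Security header value (RFC 6797) into a dict."""
    policy = {"max_age": None, "include_subdomains": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            policy["max_age"] = int(arg) if arg.isdecimal() else None
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy

def audit(responses):
    """responses: list of (url, status, headers); returns (url, problem) findings."""
    findings = []
    for url, status, headers in responses:
        h = {k.lower(): v for k, v in headers.items()}
        if urlsplit(url).scheme == "http":
            target = urlsplit(h.get("location", "")).scheme
            if status not in (301, 302, 307, 308) or target != "https":
                findings.append((url, "plain http served instead of redirected to https"))
            if "strict-transport-security" in h:
                findings.append((url, "HSTS sent over http is ignored by browsers"))
            continue
        hsts = h.get("strict-transport-security")
        if hsts is None:
            findings.append((url, "https response has no HSTS header"))
            continue
        max_age = parse_hsts(hsts)["max_age"]
        if max_age is None or max_age < MIN_MAX_AGE:
            findings.append((url, "HSTS max-age missing or shorter than one year"))
    return findings

# Constructed sample responses for a placeholder host (not captured traffic).
SAMPLE = [
    ("http://example.test/", 200, {"Content-Type": "text/html"}),
    ("http://example.test/signup", 301, {"Location": "https://example.test/signup"}),
    ("https://example.test/signup", 200, {"Strict-Transport-Security": "max-age=600"}),
    ("https://example.test/js/keygen.js", 200, {}),
    ("https://example.test/", 200,
     {"Strict-Transport-Security": "max-age=63072000; includeSubDomains"}),
]

if __name__ == "__main__":
    for url, problem in audit(SAMPLE):
        print(f"{url}: {problem}")
```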
Mike,
> I can't trust any javascript that your service sends to my browser over Tor, because you don't use https.
Great feedback. We are installing the cert in the next couple of weeks, there is a process for that, and the kind of cert we want takes a little time and work. We are still looking for feedback during that period.
> How do I know that script came from your server and that it's not a modified version which came from an exit node, which is going to report the key back to them after it is generated?
This is one reason we would like to create a client side plugin for the TOR browser. Any ideas how this would be done? I would also like some online pointers about how the javascript client side encryption (we are using cryptico https://github.com/wwwtyro/cryptico) could be hijacked so we can endeavor to thwart these exploits.
> HSTS should be used so browsers remember to use https, and you should contact the Chromium project to get yourself on their list of pinned SSL sites for first time visitors (which is also used in Firefox now I believe), and is also used in the HTTPS-Everywhere project for rule generation.
Wonderful! Thank you so much! All pointers and references are appreciated!
Clay
On Sun, Dec 2, 2012 at 5:44 AM, tor@lists.grepular.com wrote:
-- Mike Cardwell https://grepular.com/ http://cardwellit.com/ OpenPGP Key 35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4
Clay Graham:
> This is one reason we would like to create a client side plugin for the TOR browser. Any ideas how this would be done?
What is the Tor specific question here?
I think this is a normal Firefox question, "how to create a Firefox Addon?" Or do I misunderstand? Just make sure your Addon goes through Tor and does not create a Tor Browser proxy bypass.
There are a few Tor/proxy related Addons in Mozilla Addon. I'd read their source.
https://addons.mozilla.org/en-US/firefox/search/?q=Tor&appver=10.0&p...
Or is your specific question how to get your new Addon installed by default in Tor Browser?
> What is the Tor specific question here?
So the TOR Browser supports firefox add-ons? That's good to know, I assumed they were disabled or had to be blessed. That clearly was a poor assumption.
> There are a few Tor/proxy related Addons in Mozilla Addon. I'd read their source.
This is exactly what I needed!!! Thank you so much!!! I will put my implementation on github for peer review when we are a little farther down the road.
Clay
On Sun, Dec 2, 2012 at 11:14 AM, adrelanos adrelanos@riseup.net wrote: