tor-relays January 2016

tor-relays@lists.torproject.org

70 participants
55 discussions

Re: [tor-relays] Revised Opt-In Trial: Fallback Directory Mirrors
by starlight.2016q1＠binnacle.cx 19 Jan '16

19 Jan '16

I'd guess a bug in the version update script. At 19:20 1/12/2016 +0100, Aeris wrote: >> Are you *absoultely* certain that the config >> was not fiddled with at the time of this event? > >After grepping some logs, seems 13/12 was the day of a Tor >upgrade : > >2015-12-13 10:47:31 upgrade tor:amd64 0.2.7.5-1~d80.jessie+1 0.2.7.6-1~d80.jessie+1 >2015-12-13 10:48:39 configure tor:amd64 0.2.7.6-1~d80.jessie+1 > >Timing is good compare to the 10:48:46 of the consensus ! > >But I donât remember a config change after that, >perhaps only on /usr/share/tor/tor-service-defaults-torrc >or on a default config param change ? > >And perhaps the Tor reboot cause the DirPort to >be temporarily disabled (seems not human, only >2s duration) ? > >Regards, >-- >Aeris

2 4

Re: [tor-relays] Opt-In Trial: Fallback Directory Mirrors
by starlight.2015q3＠binnacle.cx 18 Jan '16

18 Jan '16

Relay 'Binnacle' experienced outages due to a loose fiber-option junction in the overhead wires that has been repaired. I believe it would make the list if not for this and do not foresee further trouble. Has a static IP and another Verizon FiOS relay qualifies, a positive reflection on the network. Available if desired. Can configure IPv6 on the HE tunnel here if helpful. $ python updateFallbackDirs.py DEBUG:root:Failed to get an ipv6 address for 4F0DB7E687FC7C0AE55C8F243DA8B0EB27FBF1F2. DEBUG:root:Adding uptime 4F0DB7E687FC7C0AE55C8F243DA8B0EB27FBF1F2. DEBUG:root:4F0DB7E687FC7C0AE55C8F243DA8B0EB27FBF1F2 not a candidate: guard avg too low (0.910189) { "dir_address":"108.53.208.157:80", "or_addresses":["108.53.208.157:443"], "contact":"starlight dot YYYYqQ at binnacle dot cx", "consensus_weight":17500, "fingerprint":"4F0DB7E687FC7C0AE55C8F243DA8B0EB27FBF1F2", "recommended_version":true, "nickname":"Binnacle", "last_changed_address_or_port":"2015-06-12 18:00:00" }

3 3

Revised Opt-In Trial: Fallback Directory Mirrors
by Tim Wilson-Brown - teor 18 Jan '16

18 Jan '16

Hi all, Nick sent an email in December[0] asking relay operators to opt-in as a fallback directory mirror. This will help tor clients reach the tor network, and reduce the load on directory authorities.[1] We will keep the opt-ins and opt-outs submitted so far - no need to opt-in or opt-out again! If you run an under-utilised exit, we encourage you to opt-in as a fallback directory. We've also fixed a major bug that excluded some relays from the list. (Thanks starlight!) Here's the latest list of fallback directory candidates: https://trac.torproject.org/projects/tor/attachment/ticket/15775/fallback_d… <https://trac.torproject.org/projects/tor/attachment/ticket/15775/fallback_d…> This list was generated a few minutes ago from scripts/maint/updateFallbackDirs.py in my branch fallback-17887-17888-18035 on [2]. (This branch has some bug fixes compared to what's in master.) Tim [0]: https://lists.torproject.org/pipermail/tor-relays/2015-December/008361.html <https://lists.torproject.org/pipermail/tor-relays/2015-December/008361.html> [1]: https://trac.torproject.org/projects/tor/wiki/doc/FallbackDirectoryMirrors <https://trac.torproject.org/projects/tor/wiki/doc/FallbackDirectoryMirrors> [2]: https://github.com/teor2345/tor.git <https://github.com/teor2345/tor.git> Tim Wilson-Brown (teor) teor2345 at gmail dot com PGP 968F094B teor at blah dot im OTR CAD08081 9755866D 89E2A06F E3558B7F B5A9D14F

6 13

Opt-In Trial: Fallback Directory Mirrors
by Felix 17 Jan '16

17 Jan '16

Hi I'm happy to bring in the relay Doedel22 '8FA37B93397015B2BC5A525C908485260BE9F422'. Best regards, Felix

3 2

Do less-secure pluggable transports on bridges render more-secure types useless?
by Rick Huebner 17 Jan '16

17 Jan '16

I've read that obfs4 and scramblesuit are very resistant ("immune" is so optimistic) to such things as active probes performed by the Great Firewall, which can quickly probe and detect older transports (and of course vanilla ORports), plus the older transports and ORports are subject to relatively quick detection through deep packet inspection once a user connects from there. Does it make sense to offer older more vulnerable transports along with newer more secure ones? If my bridge offers both obfs3 and obfs4, does that just mean that as soon as someone in China uses obfs3 it's detected and my IP address is blocked, making the obfs4 port unusable from there as well even though it would have avoided detection on its own? More fundamentally, does the bridge address server also publish vanilla ORports for those bridges which offer obfs4, and does a Chinese user accessing my bridge's ORport doom my entire bridge to immediate blockage from there? I can't imagine the GFW would be so kind as to only block the ORport's specific port number, I assume it blocks the entire bridge IP address, making all transports useless if any single one of them is detected. Would it be better to only offer obfs4 to avoid detection and blockage via older transports?

2 2

Re: [tor-relays] Opt-In Trial: Fallback Directory Mirrors
by Joost Rijneveld 17 Jan '16

17 Jan '16

Hi all, > On 17 Dec 2015, at 15:07, Nick Mathewson wrote: > If your relay is on this list, and you expect it to be on the same IP > address(es) and port for at least 2 years, please consider opting-in > for this trial. I realise it's been a while since the last post in this thread, but I'd like to opt-in. Relay: kili DD85503F2D1F52EF9EAD621E942298F46CD2FC10 Cheers, Joost

3 3

Tor being blocked by mayor ISP in Mexico?
by Test This 17 Jan '16

17 Jan '16

Tor being blocked by mayor ISP in Mexico? I've been running an exit relay for about 2 years. Since new year's day, I noticed that my relay went down and was no longer listed in Globe or Atlas. Just like Fabian Bustillos Vega reported here: https://lists.torproject.org/pipermail/tor-relays/2016-January/008491.html a few days ago. Software version at the time: (was running without problems for almost five months) Tor: 2.6.10 openSSL: 1.0.1i libevent: 2.0.21 running on Linux At first, I thought it was a configuration error, so I double checked the TORRC file manually and with software (Vidalia and ARM). Everything was OK. I check the log file and found something very unusual, when trying to connect to the Tor network, there were several openSSL connection errors. Eventually after a while and several attempts, Tor connection was successful. Here's the error: *[warn]* 8 connections died in state connect()ing with SSL state (No SSL object) *[warn]* 1 connections died in state handshaking (Tor, v3 handshake) with SSL state SSL negotiation finished successfully in OPEN *[warn]* Problem bootstrapping. Stuck at 50%: Loading relay descriptors. (Connection timed out; TIMEOUT; count 11; recommendation warn; host 7BE683E65D48141321C5ED92F075C55364AC7123 at 193.23.244.244:443) This happened for other host as well. Link to complete log <http://pastebin.com/vUXkfXNf>. *See note at bottom. I thought maybe some Tor's Directories went down or my router was dropping packets for some reason. Several hours later I restarted my router and tried to connect again. I got the same error. I went to the tor project website and read the release notes, I found that new versions were using a new *elliptic-curve* Diffie-Hellman function, so I decided to update Tor to version 2.7.6. The error appeared once again. I tried with The Tor Browser and again, it took a while to establish a connection. I had to abort and reconnect several times in order to establish a successful connection. With these results I tried some other software; *TAILS* (Linux distro), *Fire.Onion* (Android browser). Both got stuck as well while bootstrapping. TAILS with no intervention is able to connect after a long long while, just like my Relay. Fire.Onion just like the Tor Browser are unable to connect unless I abort and reconnect several times. Back to my Relay... When it finally connects: *[notice]* Bootstrapped 90%: Establishing a Tor circuit *[notice]* Tor has successfully opened a circuit. Looks like client functionality is working. *[notice]* Bootstrapped 100%: Done *[notice]* Now checking whether ORPort XXX.XXX.XXX.XXX:9001 and DirPort XXX.XXX.XXX.XXX:9030 are reachable... (this may take up to 20 minutes -- look for log messages indicating success) *[notice]* Self-testing indicates your DirPort is reachable from the outside. Excellent. *[notice]* Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor. *[notice]* Performing bandwidth self-test...done. So I Waited a couple of hours and check in Atlas and Globe again. No luck. In the log I also get: *[notice]* Heartbeat: It seems like we are not in the cached consensus. The DIR and ONION ports are open as showed by the log, I also manually checked them using port scanners. I used other people's networks, the Tor Browser and TAILS to connect to my XXX.XXX.XXX.XXX:9030 port. In every case I got the DirPortFrontPage (html) served by Tor. As indicated by the log I have client connectivity and the Relay seems to be in order but in reality the Relay is dead. It is also worth mentioning that after a successful connection the openSSL errors no longer appear in the Relay's log. Maybe Tor is skipping those (previously faulty) servers. I can only guess. A similar thing happen with the Tor Browser, if I open it frequently, it connects fast (after a successful connection), but if is not used in days, when I launch it, it gets stuck while bootstrapping. Since TAILS is a “live” distro I can't reproduce this behavior. My Relay, the Tor Browser and Fire.Onion have a higher possibility to get stuck while bootstrapping at 0, 5, 20%. Once passed the 50~60% it get faster. My assumption is that my ISP is blocking or at least randomly dropping packets to and from well known Tor Authorities (IP blocking). I don't suspect DPI, as client functionality is working. Using bridges was not necessary when trying client functionality. I was able to connect (abort and retry). As reported by Fabian Bustillos as well. Other Observations: Tor Project <https://www.torproject.org/> website, TAILS <https://tails.boum.org/> website and other Tor related pages are visible without tor. Once connected the Tor Browser is able to fetch updates. Instead of ports 9001 and 9030 I also tried 443 (OR) and 80 (DIR). *For the log, I deleted the Data directory in order to reproduce all the errors, this includes; keys, logs and cached* files.

2 1

Suggestion to make Tor usage more disguised
by Raúl Martínez 16 Jan '16

16 Jan '16

Hi, I am writing this message to make a simple suggestion that could help driving more adoption to Tor by making using tor less obvious for a network administrator. This suggestion tries to address the user case of a common Tor usage, in which the user is not being attacked nor mitm, he is just using tor in his work for example. The network admin of the office is not searching actively for Tor users in his network but one day he log-in in the router panel and he sees this: - Current conexions - WORKSTATION-98 38.29.00.2 [torproxy10.teaxxcu.com] Is obvious that is using tor. The network admin was not looking for Tor usage in his network but it saw this without looking for it. Now this worker can be in serious trouble for using Tor. So my suggestion is to set-up a custom hostname an a Tor-explaining html index ONLY in TOR EXIT nodes. They are the only nodes that can get in trouble and its helpful to advertise that they are tor nodes. ENTRY GUARD nodes should not advertise neither in the hostname nor in a HTML-index-page that they are Tor nodes. This way the network admin would only see an IP and a common hostname, that is a normal behaviour for a HTTPS request. So, having said that *I encourage all Entry-Guard owners to unset his hostname and to disable the HTML-index-page*. That could help a lot of Tor users to not draw unwanted attention. Obviously a network-admin can get a list of Tor relays and check if you are connecting to one of them but most of network-admins just take a look at his router info page without further investigation. Thanks for your time. TL;DR: I encourage all Entry-Guard owners to unset his hostname and to disable the HTML-index-page.

5 5

Re: [tor-relays] [tor-dev] How many exits exit from an IP address different than their OR address? (10.7%)
by grarpamp 14 Jan '16

14 Jan '16

On Wed, Jan 13, 2016 at 10:05 PM, Virgil Griffith <i(a)virgil.gr> wrote: > In our quantifications of relay diversity, knowing the IP addresses that > traffic exits from is important. Ways to have this information correctly > reported would be very helpful. Which is exactly why free to connect back through them and make your quanta and know for yourself or for some research statisticals. But it is the apparent disappreciation for and implied calls to remove them or to publish consensusify their would be formerly stealthy feature use that is a problem from this view. Users use them to access things around censorship, there is no higher purpose of Tor.

1 0

avoid exclusion from FallBack Dir list: do not start during minute 49
by starlight.2016q1＠binnacle.cx 14 Jan '16

14 Jan '16

See comment 6 in Bug #18050: Relay submitted a descriptor with 0 DirPort due to a self-test race condition https://trac.torproject.org/projects/tor/ticket/18050

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

tor-relays January 2016