Custom Query (4454 matches)

Results (901 - 1000 of 4454)

Ticket Summary Status Owner Type Priority Milestone
#10963 Bypassing proxy settings? assigned mikeperry defect Medium
Description

Post was posted to blog's comments:

One TBB behaviour that continues to trouble me is that Firefox continues to try to connect to the internet. I use standard install on ubuntu with no add-ons (tor-browser-linux32-3.5.2.1_en-US.tar) and with js disabled in both NoScript and about:config.

I see additional changes with each update that improve browser isolation by disabling / blocking more auto-connect threats like blacklist updates, rule-set updates, safebrowsing reporting...etc...etc...

So with every new TBB release, I have renewed hope that Firefox will not go outside of the tor process with an internet connection attempt. Each release I allow tor to access the internet and firefox to access tor via 127.0.0.1. Each release I am either immediately or later disappointed when Firefox attempts its own internet connection.

My concerns...

1) Why does TBB continue to be released with default settings that allow Firefox to automatically seek an internet connection? I can not imagine this not being noted in testing. What is trying to connect and what information is trying to be shared?

2) How many people trust any connections from TBB and allow both tor and TBB Firefox connections to outside world? Why is this not a significant security flaw? Tor works fine when I block these Firefox external connection attempts. I run a minimal ubuntu box with standard Firefox gutted to the best of my ability. I have a process connection map running and see that the Firefox attempting to connect is from the TBB package.

3) If this behaviour is known and accepted, how do we know that connections are not being made and information being sent to unknown locations by Firefox through tor? This is something that I would never catch even with my layers of application and port level firewalls...

Sorry that I do not have Wireshark capabilities, but can not imagine that this behaviour is not seen on all installations.

Thanks for your efforts.

inside

#10969 Set of guard nodes can act as a linkability fingerprint assigned mikeperry defect High Tor: 0.2.???
Description

It's well understood that your set of guard nodes can act as a fingerprint. Some calculations can be found in comment:3:ticket:9273 but it's pretty clear that each 3-subset of guards is rare enough that it's very likely that no other clients have exactly the same.

There are a few proposed ideas on how to reduce the linkability of guard nodes sets. For example, reducing the number of guard nodes to 1 will help against this. Still, as an example, in a city with only 500 Tor users, even if each person has a single guard, there are only going to be a few people with the same guard node (and some of them might always be in the same physical location, so the one who roams is probably the same person).

To further improve on the above, maybe it makes sense to pick N guards but only use 1 of them at a time -- and cycle through the N guards every now and then. Maybe we should cycle every time we change network (see https://github.com/leewoboo/tordyguards) but how does little-t-tor know when we changed network? There is some more discussion on this topic here: https://lists.torproject.org/pipermail/tor-dev/2013-September/005424.html

#10972 searching atlas for email addresses fails new phw defect Medium
Description

I'd like to be able to search atlas by email address. Currently, queries with an "@" in them result in

Backend error!

The backend server replied with an error to your query. This probably means that you did not properly format your query. If your query was properly formatted it may mean that there is an issue with your browser/add-ons. Please report which browser/addons/etc. you're using to the bug tracker.

I'm using TBB 3.5.2 with its default set of extensions.

#10990 Shrink the FAQ new mttp defect Medium
Description

The wiki FAQ entries have been transferred to the main website FAQ. Now the page needs to be improved.

  • Add all subheads to the top of the FAQ for easier navigation.
  • Delete entries that are outdated, no longer relevant, or not frequently asked on the help desk.
  • Consolidate Tor Browser and Tor Browser 3 subsections.
  • Move sha256sum verification to the signature verification section.
  • Migrate information on setting up a relay to a dedicated page.
  • Migrate Abuse questions to the Abuse faq and kill the subsection.
  • Dedicated page for Alternate designs we don't do yet.
  • Kill Compilation and installation subsection.
  • Consolidate questions that duplicate answers.

#11007 Add more documentation about EntryGuardAddedBy in the state file new defect Medium Tor: 0.2.???
Description

Document better how EntryGuardAddedBy date is calculated and written in the state file (well, more documentation about all the state file would be also good).

Should we also change the way the date is calculated?

The EntryGuardAddedBy dates in the state file are not sequential because the date is calculated as the real date minus a random date between the real and 30 days before [1].

The reason for this is to avoid revealing the real date the user was online at that date to that entry guard.

The only existent documentation is in doc/state-contents.txt

[1] e->chosen_on_date = time(NULL) - crypto_rand_int(3600*24*30);

#11013 Windows installer's language should default to the bundle's language new erinn defect Medium
Description

When you open a localized torbrowser-installer exe bundle, the installer's language combobox defaults to English, whatever the localization.

#11017 Conflict with Firefox on Mac OS Mavericks: Open new FF window fails new pde defect Medium
Description

Mac OS Mavericks (10.9.1) HTTPS-Everywhere 3.4.5 Firefox 27 and Firefox 28 Beta

If Firefox is open but NO window is displayed and HTTPS-Everywhere is enabled, it is not possible to open a new window by any method.

Workaround: Quit Firefox and relaunch by clicking on a URL icon; Firefox launches and opens a new window. If the window is closed later, ALL methods for opening a new window work until FF is quit.

Disabling HTTPS-Everywhere restores normal behaviour to Firefox.

#11044 No consensus results in empty 'GETINFO ns/name/*' responses new defect Low Tor: 0.2.???
Description

Hi Nick, spotted an interesting tor oddity during my flight (due to not having any network connectivity). When calling 'GETINFO ns/name/blarg' without a cached consensus it returns an empty string rather than the expected "Unrecognized key" response.

Repro details...

  1. With a data directory containing a cached consensus things work as expected...

     % telnet localhost 9051
     Trying 127.0.0.1...
     Connected to localhost.
     Escape character is '^]'.
     AUTHENTICATE
     250 OK
     GETINFO ns/all
     [ ... lots of output... ]
     GETINFO ns/name/blarg
     552 Unrecognized key "ns/name/blarg"

  2. Blow away your data directory when you lack network connectivity.

     % mv ~/.tor ~/.tor_bak
     % mkdir ~/.tor
     % cp ~/.tor_bak/torrc ~/.tor
     % cat ~/.tor/torrc
     ControlPort 9051
     % tor -f ~/.tor/torrc
     ...

  3. Now GETINFO for 'ns/all' and any request for a relay returns an empty response.

     % telnet localhost 9051
     Trying 127.0.0.1...
     Connected to localhost.
     Escape character is '^]'.
     AUTHENTICATE
     250 OK
     GETINFO ns/all
     250-ns/all=
     250 OK
     GETINFO ns/name/blarg
     250-ns/name/blarg=
     250 OK

Interestingly this only seems to concern router status entries. Server descriptors and microdescriptors give us an 'Unrecognized key'...

GETINFO desc/name/blarg
552 Unrecognized key "desc/name/blarg"
GETINFO md/name/blarg
552 Unrecognized key "md/name/blarg"

For my part I noticed this because it caused an integ testing failure during my flight...

======================================================================
ERROR: test_get_network_status
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/atagar/Desktop/stem/test/integ/control/controller.py", line 977, in test_get_network_status
    self.assertRaises(stem.ControllerError, controller.get_network_status, "blargg")
  File "/usr/lib/python2.7/unittest/case.py", line 471, in assertRaises
    callableObj(*args, **kwargs)
  File "/home/atagar/Desktop/stem/stem/control.py", line 1427, in get_network_status
    raise exc
ValueError: Router status entries (v3) must have a 'r' line:

This doesn't seem like the right tor behavior but if you think it is I can simply have stem check for the empty string. :)

Cheers! -Damian

#11050 pycrypto's AES implementation is not constant time new asn defect Medium
Description

This is a non-issue when AES-NI is supported by the host CPU since a separate code path is taken.

https://github.com/dlitz/pycrypto/blob/master/src/AES.c

It's not too bad in the pluggable transport case since traffic is super-enciphered, the session keys are ephemeral, and actually extracting sufficiently accurate timing information is probably non-trivial, but it probably should be addressed somehow.

#11059 Nodes' country codes should be "definite" and "possible" new defect Medium Tor: unspecified
Description

It would maybe be a good idea if nodes' country codes could have different statuses, like "definitely in CC" or "possibly in CC". For example, if a country is "possibly in CC", then "ExcludeNodes {CC}" should exclude it, but "EntryNodes {CC}" should not include it.

This would also let us provide the feature that some operators have asked for of being able to specify their country. (I'd say that if you specify that you are in C1, but geoip says you are in C2, then you should count as "maybe in C1" and "maybe in C2" but not as definitely in either.)

See #11054 for another motivating example.

Is this a good idea?

#11090 torsocks should log errors to stderr and not stdout needs_information dgoulet defect Medium
Description

torsocks 2.0.0-rc3

I get stuff like this on stdout:

[Feb 28 14:05:16] WARNING torsocks[22952]: Non TCP inet socket denied. Tor network can't handle it. (in tsocks_socket() at socket.c:40)

Logging to stdout interferes with the output of the underlying program, and is generally a bad idea.

#11093 obfsproxy should use C implementation of UniformDH new asn defect Medium
Description

We are currently using a C implementation of UniformDH that is quite slow (even with gmpy2 for mod exp).

Yawning implemented UniformDH in C using OpenSSL and we should use his library.

He posted an obfsproxy patch in #11015 : https://trac.torproject.org/projects/tor/attachment/ticket/11015/0001-Add-support-for-using-py-uniformdh.patch

And the implementation can be found in: https://github.com/Yawning/py-uniformdh

#11095 allow storing passwords in TorBrowser new tbb-team defect High
Description

The "Remember passwords" option in TorBrowser is greyed out.

In past versions of the TorBrowserBundle there was a setting in TorButton, but in v3.5 it's no longer there. How can I store passwords in TorBrowser?

It's only about storing unimportant passwords. No one can remember a different password for each forum. Copy and paste all time from a while is less safe than storing in TorBrowser. How allow storing passwords in TorBrowser? Any workaround? Can you fix this please?

#11104 Tor-Relay-Server Diskio crash needs_information defect Very High Tor: unspecified
Description

Tor relay server Diskio increasing (tor) over a day ... then tor crashes on Debian.

What can I do?

#11107 Firefox extension interferes with other firefox extension new pde defect Medium
Description

The Savefrom.net extension bugs when Https Everywhere changes the url to https. An exception should be added for that site.

#11119 Write a proposal for client-side key pinning needs_information defect Medium Tor: 0.2.???
Description

Proposal 220 suggests that we pin RSA and Ed25519 identity keys to one another authority-side. Roger suggested to me that we also consider doing client-side identity pinning.

#11121 Revocation process for authority keys new defect Medium Tor: 0.2.???
Description

Right now, we don't have a proposal that explains how to do revocation on an authority's signing keys. We should write one, and eventually implement it.

#11123 Setup Nagios probes for the webchat support system accepted phoul defect Medium
Description

The webchat support system needs to be monitored by our Nagios installation.

This will require help from the TSA, but we should tell us exactly what to setup and eventually write complementary probes.

#11125 Videos at PBS do not load new pde defect Medium
Description

http://video.pbs.org/video/2365184276/

For this and all videos I've tried at PBS.org, the video will not load, instead providing an error message "Error loading plugin: plugin file not found"

Disabling HTTPS Everywhere results in desired playback of video. I could not find a PBS site setting in the extension

HTTP-E 3.4.5 Firefox 27.0.1 Mac

#11128 target dkb.de is a redirect page new pde defect Medium
Description

In DKB.de.xml we have the target https://dkb.de/ but dkb.de redirects to www.dkb.de. In the second rule we have a uselessly complex ([^/:@\.]+) match. IMHO rules should not handle usernames and passwords in urls and a simple (.+) should be sufficient.

I attached the updated xml. Also added rules for dkb.mdgms.com (stock ticker) and dkb01.webtrekk.net (tracker).

This applies to stable and HEAD. The currently offered version 3.4.5 is not listed on "Milestone" or "Version".

#11130 Ruleset AliceDSL.xml outdated new pde defect Medium
Description

Alice is part of Telefónica Germany for some time and has now been replaced by its brand O2. Most Alice pages redirect to http://www.o2online.de/ only email is still available. o2online.de rules can be found in O2_online.de.xml. (It might be a good idea to incorporate AliceDSL.xml into O2_online.de.xml.) I attached a updated ruleset. This applies to stable and development branch.

#11131 bookmark star icon does not update when user presses new pde defect Medium
Description

Firefox 27.0.1 with fresh profile and only https everywhere 3.4.5 installed ...

The bookmark star icon does not update when the user presses it ...

Occurs only on ordinary https sites (not for sites with EV certificates) redirected by https everywhere (not if the user typed the URL with "https://").

The bookmark star icon does update after user switches to another tab and back.

The bookmark is in fact added, but the bookmark star icon does not reflect this, and does not allow the user to press it again to change the settings for that bookmark.

Steps to reproduce: 1) Close Firefox and re-open; 2) type domain into location bar (without protocol) and press enter; 3) click the bookmark star icon

Result: bookmark star icon does not update.

Examples that do not work: google.com wikipedia.org

Examples that are not affected (these sites have EV certificates): mozilla.org aa.com

#11133 US Dept of Housing has mis directed rule set? new pde defect Medium
Description

<rule from="https?:(?:www\.)?hud\.gov/"

to="https://portal.hud.gov/portal/page/portal/HUD" />

The resulting https: link generates a 404 error, and a HUD webmaster reports this comment in response to my inquiry:

"The problem I was seeing was that your link https://portal.hud.gov/portal/page/portal/HUDoffices/hsg/comp/refunds/index.cfm combines the portal.hud.gov link and www.hud.gov link. "

#11134 obfsproxy's SOCKS server should send success response post handshake new asn defect Medium
Description

Currently the obfsproxy SOCKS server sends the response back to tor immediately after the TCP/IP connection has been established, instead of after the underlying transport has been fully initialized.

This behavior is incorrect, and should be changed to each of the underlying transports signalling that they are ready to relay data after they manage to handshake.

With the current SOCKSv4Protocol based listener this would require further monkey patching which may be a good argument for deferring this till after #9221 or similar gets merged.

#11142 Youtube Livestreams Not loading in HTTPS new pde defect Medium
Description

Hi,

Since a few days that with some rule change i would think, youtube livestreams have stopped working in Google Chrome and firefox with the https everywhere extension installed, regardless of if the rule for youtube is active or not.

Example: if i open a livestream( any really ) like this one randomly picked https://www.youtube.com/watch?v=Y_LFrMcoEm4 it will say "Please stand by" Forever, if i open the same link on Internet explorer (with https) it will work just fine, or in Chrome without the HTTPS everywhere extension installed.

The first thing it does after i uninstall the HTTPS everywhere extension and reload it, is show an Ad, so i would assume the https everywhere is making ads not load correctly and the video doesn't take over correctly. ( this used to happen with adblock plus before oddly enough)

#11145 coverage utility should merge multiple output files assigned defect Very Low Tor: 0.2.???
Description

When multiple gcov invocations generate output for the same file (typically a header), we should combine their results rather than letting the last invocation win.

#11146 cov-diff utility should handle new source files assigned defect Very Low Tor: 0.2.???
Description

Right now, cov-diff doesn't report coverage in source files that are completely new. We should fix that.

#11151 Drop support for 0.2.2 clients assigned defect Medium Tor: 0.2.???
Description

Once debian Squeeze hits EOL, it will be time to stop supporting 0.2.2 clients entirely.

#11153 Tor Cloud Amazon Imagery Update new defect Medium
Description

Updates Images For Tor Cloud

#11154 Tor TLS and Security Cipher new tbb-team defect Medium
Description

running the how's my ssl check the tor browser rated bad, the reason the tor browser is using old tls settings and old security ciphers,

In the next update please set the minimum tls to 2 and the maximum to 3 in about:config for security.tls.version this makes the minimum tls 1.1 and my max tls 1.2.

Also please disable use of insecure cipher suites security.ssl3.rsa_fips_des_ede3_sha in about:config

#11159 Document deploying a scramblesuit bridge on the website. assigned phw defect Medium
Description

https://www.torproject.org/projects/obfsproxy-debian-instructions.html.en https://www.torproject.org/projects/obfsproxy-instructions.html.en

These two pages have instructions for setting up an obfs2/obfs3 bridge. Is changing the ServerTransportPlugin line and adding a note about using tor 0.2.5 enough to introduce bridge operators to scramblesuit? It might make sense for scramblesuit to get its own project page (#5192). Should scramblesuit get its own installation page too? What other information should be included?

#11180 Improve "Use Bridges" UI based on feedback and testing new brade defect Medium
Description

We're likely to run into a few issues with the "Use Bridges" UI once users in various localizations try to use it. One issue we've already noticed is that people can become confused by the type selection dropdown, and may think it applies to bridges they enter in the "Enter custom bridges" textbox. We should probably make these radiobuttons behave such that they are more clearly mutually exclusive (ie when one is selected, all children of the other are greyed out).

I've tried to improve the situation a little with basic layout changes, but I am not sure those won't look worse in RTL languages and in very verbose localizations, so that may be another issue to address: https://people.torproject.org/~mikeperry/images/Settings.jpg

#11190 obfsproxy shebang should point to "python2", not "python" reopened asn defect Medium
Description

It currently points at "python" which is not version specific and will break horribly on systems where the default system python is python3.

This isn't an issue when it is installed with setup.py, but was when I tried a TBB nightly a few days ago. As far as I can tell every system that has python2.x installed will have a "python2" symlink so changing the shebang won't break places where this works now, but will allow it to work on more systems without breaking in horrible unintuitive ways for the user.

#11192 Livestream ruleset breaks site player and chat new pde defect Medium
Description

The Livestream (partial) ruleset breaks crucial site features such as stream player and chat on HTTPS Everywhere version 2014.1.3 for Chrome.

#11197 obfsproxy should provide congestion feedback new asn defect Medium
Description

I went over this in IRC tonight to a poor GSOC student who was thinking about doing a CBR plugin, so I'll file a bug while it's fresh on my mind.

Currently there is nothing in place to prevent unbound buffer growth in obfsproxy. This problem arises when the bottleneck link is extremely narrow.

For example, examine the following network topology:

Client <-> obfsproxy <-> 14.4 kbit modem <-> ISP <-> 100 Mbit <-> obfsproxy <-> Server

The Client opens a connection, and initiates a bulk download from the Server. Since there is no mechanism to indicate congestion, the outgoing buffer in the Server side obfsproxy process will grow because feedback from the Client in the form of the shrinking TCP/IP receive window will not get propagated.

The same thing will happen on the Client side with a bulk upload, because the loopback interface has a gigantic amount of bandwidth compared to the bottleneck link.

Twisted connections have a producer/consumer interface (and can handle stopping reading once the send buffer reaches a certain threshold 'self.bufferSize'), so refactoring the base transport to use this interface to glue the upstream/downstream together would be the "correct" approach to solving this problem.

See https://twistedmatrix.com/documents/current/core/howto/producers.html for more details.

#11206 Regression: Torbutton 1.6.6.0 will not save Exceptions in the Firefox cookie manager new tbb-team defect Medium
Description

Cookie exceptions in Tor Browser Bundle 3.5.2 (Torbutton 1.6.6.0) are not remembered when TBB is restarted.

Original bug: https://trac.torproject.org/projects/tor/ticket/4749

#11210 livestream rule broken on http://bigbrothercanada.slice.ca/live new pde defect Medium
Description

This feed is broken by the default on livestream rule.

#11211 Multiple ServerTransportListenAddr entries should be allowed per transport. new defect Medium Tor: 0.2.???
Description

Looking through or/config.c, it is apparent that the ServerTransportListenAddr line only allows one address/port to be specified per transport. This is problematic because there are cases where it is beneficial/required to list more than one.

A simple example of where this would be useful is:

ServerTransportListenAddr obfs3 0.0.0.0:443
ServerTransportListenAddr obfs3 [::]:443

The Pluggable Transport spec doesn't explicitly disallow having multiple bind addresses for TOR_PT_SERVER_BIND_ADDR, but I'm not sure what would happen if more than one is passed with each of the pt config protocol libraries in use.

The keys holding transport names must appear in the same order as they appear on TOR_PT_SERVER_TRANSPORTS.

Currently the particular example I used is probably a moot point because of #7961, but in general I don't see a good reason why each transport should be limited to one bind address.

#11214 Gmail talkgadget/hangouts/chat infinite loop new tbb-team defect Medium
Description

Version: Tor Browser Bundle 3.5.2.1 *please relocate to appropriate thread if incorrect*

Gmail allows for two types of chat: by default, hangouts, and by choice, legacy chat. These operate in a frame on the lower left of Gmail. Legacy chat works, but reverting to legacy chat from hangouts is impossible from Tor Browser Bundle 3.5.2.1, where an infinite loop interferes.

  1. Gmail load attempted with restrictive NoScript settings. Options appear: loosen restrictions, or use HTML only.
  2. mail.google.com is whitelisted in NoScript, as well as (optionally) some of the following domains:
    1. clients6.google.com
    2. plus.google.com
    3. talkgadget.google.com
    4. www.google.com
  3. Page is reloaded. The following error message appears in the lower left chat frame: "Something's not right. We're having trouble connecting to Google. We'll keep trying...\n This may be caused by network or proxy issues. <a href="https://support.google.com/hangouts/?p=not_right_error&hl=en">Learn more</a>.
  4. apis.google.com is whitelisted in NoScript, as recommended on the linked support page. Gmail is refreshed.

Infinite loop:

  5. Hangouts loads, with contact list visible. Within seconds, it disappears and is replaced with a Sign In button.
  6. The Sign In button is clicked. A pop-up appears with a log-in page from domain accounts.google.com. Password is entered; user signs in. Page declares success, instructs user to close pop-up and refresh Gmail.
  7. Go to step 5.

This bug prevents users from being able to use Google chat at all, since reverting to legacy chat requires accessing the main menu in talkgadget/hangouts.

Tried many combinations of NoScript whitelists. None works.

#11222 Inform user if reachable bridges drop below a configurable fraction/number new brade defect High
Description

It would be very useful for a number of reasons if Tor Launcher could pop up some kind of alert if some fraction of their bridges become unusable (ie when less than 50% are reachable, or perhaps less than min(33%,1)).

In that case, it should instruct the user to obtain more bridges, and give them instructions and/or a bridgedb link specific to their PT type (ie https://bridges.torproject.org/bridges?transport=obfs3).

The primary motivation for alerting the user is that if bridges either go down or get blocked, it will be far easier for the user to obtain more if the user still has at least one working bridge to work with (to connect to gmail or visit a link).

One way to do this might be to use the control port command 'GETINFO entry-guards' on a timer, but an event-based approach using the "GUARD" event could also work (but would require substantially more bookkeeping and may be error prone in the face of GUARD event state transition oddities).

Tor Launcher probably should also not issue the warning if all bridges become unreachable at once, and/or if Tor detects a cease in network activity (which does not seem to be directly exported to the control port at this point :/). We don't want to alert the user every time they walk out of range from a wifi hotspot or similar situation.

This option also should not be active if the user is not using bridges.

#11233 Bug: We're writing a text string that already contains a CR. needs_information defect Medium Tor: 0.2.???
Description

[Tue Mar 18 04:10:56 2014] Tor Software Error - The Tor software encountered an internal bug. Please report the following error message to the Tor developers at bugs.torproject.org: "write_str_to_file(): Bug: We're writing a text string that already contains a CR. "

#11245 Orbot bootstraped problem new n8fr8 defect Medium
Description

On my un rooted samsung galaxy note 10.1 Orbot only gets to bootstrapped 25%.

My system information: Android version: 4.1.2 Model Number: GT - N8010

Log:

Orbot is starting…
Orbot is starting…
Tor binary exists: /data/data/org.torproject.android/lib/libtor.so
Privoxy binary exists: /data/data/org.torproject.android/lib/libprivoxy.so
Obfsproxy binary exists: /data/data/org.torproject.android/lib/libobfsproxy.so
Xtables binary exists: /data/data/org.torproject.android/lib/libxtables.so
link RM err=0 out:
link LN err=0 out:
libtor.so: PRE: Is binary exec? true
(re)Setting permission on binary: /data/data/org.torproject.android/lib/libtor.so
libtor.so: POST: Is binary exec? true
tor: PRE: Is binary exec? true
(re)Setting permission on binary: /data/data/org.torproject.android/app_bin/tor
tor: POST: Is binary exec? true
libprivoxy.so: PRE: Is binary exec? true
(re)Setting permission on binary: /data/data/org.torproject.android/lib/libprivoxy.so
libprivoxy.so: POST: Is binary exec? true
libobfsproxy.so: PRE: Is binary exec? true
(re)Setting permission on binary: /data/data/org.torproject.android/lib/libobfsproxy.so
libobfsproxy.so: POST: Is binary exec? true
libxtables.so: PRE: Is binary exec? true
(re)Setting permission on binary: /data/data/org.torproject.android/lib/libxtables.so
libxtables.so: POST: Is binary exec? true
Orbot is starting…
got tor proc id: 21351
Tor process id=21351
Connecting to control port: 9051
SUCCESS connected to control port
SUCCESS authenticated to control port
Starting Tor client… complete.
adding control port event handler
SUCCESS added control port event handler
updating settings in Tor service
Starting privoxy process
/data/data/org.torproject.android/lib/libprivoxy.so /data/data/org.torproject.android/app_bin/privoxy.config &
orConnStatus (madiba): LAUNCHED
NOTICE: Bootstrapped 10%: Finishing handshake with directory server.
Privoxy is running on port:8118
Privoxy process id=21371
NOTICE: Bootstrapped 15%: Establishing an encrypted directory connection.
orConnStatus (itpol2): CONNECTED
orConnStatus (madiba): CONNECTED
NOTICE: Bootstrapped 20%: Asking for networkstatus consensus.
Circuit (1) BUILT: itpol2
NOTICE: I learned some more directory information, but not enough to build a circuit: We have no recent usable consensus.
Circuit (2) BUILT: madiba
NOTICE: Bootstrapped 25%: Loading networkstatus consensus.
Circuit (2) CLOSED: madiba
NOTICE: I learned some more directory information, but not enough to build a circuit: We have no recent usable consensus.

#11254 Tor Browser bundle v3.5 fails to clean up cancelled downloads in Temp folder new tbb-team defect High
Description
  1. Run TBB v3.5.3
  2. Click on a link to download an archive or any file type not natively handled by the browser
  3. Wait for the download to complete
  4. Observe that <random>.ext.part file is created containing entire file contents in the system's %temp% folder.
  5. In the Open/Save dialog box click Cancel.
  6. Observe that the temp-created file is not removed.
  7. Close Firefox/TBB.
  8. Observe that the temp-created file is not removed.

Firefox 28's Private Mode does not have this bug. I observed this bug in TBB v2.x as well.

#11258 Toggling permissions.memory_only causes crash of Tor Browser new tbb-team defect High
Description

While investigating #9531 I ran into another reason for crashing when hitting New Identity:

WARNING: NS_ENSURE_TRUE(asyncCloseWasCalled) failed: file /home/firefox/tor-browser/storage/src/mozStorageConnection.cpp, line 943
Assertion failure: !mAsyncExecutionThread, at /home/firefox/tor-browser/storage/src/mozStorageConnection.cpp:415

Program ./Browser/firefox (pid = 30485) received signal 11.

Commenting out the code toggling "permissions.memory_only" seems to help.

#11264 Relay has Exit flag but short policy says reject *? needs_revision defect Medium Tor: 0.2.???
Description

https://atlas.torproject.org/#details/65C35C03571307D7546D6978605A6B11B473F6EE

its short exit policy is reject *:*

but check out its actual exit policy

and it has the Exit flag

This seems like a contradiction, yes?

#11267 Short user manual on mirror sites redirect back to TPO new lunar defect Medium
Description

On mirror site, open https://www.torservers.net/mirrors/torproject.org/docs/short-user-manual.html.en.

When clicking Chinese, TPO link will open: https://www.torproject.org/dist/manual/short-user-manual_zh_CN.xhtml, which means users can't access the short user manual when they can't connect Tor network and TPO is blocked.

The link should be https://www.torservers.net/mirrors/torproject.org/dist/manual/short-user-manual_zh_CN.xhtml, and all short user manuals on mirror sites are out of date.

BTW, where is the user manual (help documentation) which was included in Vidalia? If users can't find one to help themselves, I believe, help@tpo will get more tickets.

#11277 Bug creating hidden service with vidalia new defect Medium
Description

Tor 0.2.4.21 exited when I created a new hidden service using vidalia 0.2.21. I guess I typed a nonexistent directory, as I read "permission denied" in the log. I apologise for my English.

[Sun Mar 23 03:53:28 2014] Tor Software Error - The Tor software encountered an internal bug. Please report the following error message to the Tor developers at bugs.torproject.org: "set_options(): Bug: Acting on config options left us in a broken state. Dying. "

Mar 23 03:53:28.825 [Warning] Error creating directory /var/tor/tornado: Permission denied
Mar 23 03:53:28.825 [Warning] Error loading rendezvous service keys
Mar 23 03:53:28.902 [Error] set_options(): Bug: Acting on config options left us in a broken state. Dying.
Mar 23 03:54:39.128 [Notice] Tor v0.2.4.21 (git-c5a648cc6f218339) running on Linux with Libevent 1.4.13-stable and OpenSSL 0.9.8k.
Mar 23 03:54:39.128 [Notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Mar 23 03:54:39.128 [Notice] Read configuration file "/etc/tor/torrc".
Mar 23 03:54:39.147 [Notice] Opening Socks listener on 127.0.0.1:9050

#11284 HTTPS Everywhere blocking DiS CSS and images new pde defect Medium HTTPS-E next Chrome release
Description

browsing www.drownedinsound.com with HTTPS Everywhere, I lose a lot of formatting (alignment, fonts) as well as images.

Version is Chrome 2014.1.3

#11287 Torbutton preferences not saving changes. new tbb-team defect Medium
Description

Using browser bundle 3.5.3-Windows

In the preferences menu of the Torbutton, under Security Settings: The "Disable Browser plugins (such as Flash)" does not remain unchecked. The other options work as intended.

The issue was encountered while modifying the bundle for bbc iplayer access.

#11293 Users are not able to log into http://www.bouyguestelecom.fr/mon-compte/ new tbb-team defect Medium
Description

Quoting Lunar from the original bug entry (#10569):

The user told me they were unable to login. They got an error message mentioning a bad cookie. I told them to deactivate Private Browsing Mode and then they were successfully able to login.

I unfortunately don't have credentials for that site.
#11294 Users are not able to log into https://unseen.is new tbb-team defect Medium
Description

There are reports that users are not able to log into unseen.is (see #10569 for some comments).

#11295 Users cannot log into LycosMail new tbb-team defect Medium
Description

We got a report that logging into LycosMail is not working: https://blog.torproject.org/blog/tor-browser-bundle-35-released?page=1#comment-43008

#11301 Tor does not reconnect after network loss with guards used as bridges new nickm defect High Tor: unspecified
Description

Yawning and I have both noticed that tor can become unresponsive if either normal tor bridges or PT bridges are configured, and the client suffers a network connectivity loss. After sustained network connectivity loss, all of the orconns end up closed, and Tor will not try to reconnect to its bridges, even when new stream attempts arrive.

It is possible that Tor is simply marking all of its bridges down in this case, and is not trying to reconnect to them when the network connectivity returns, thinking they are still down?

The only way to solve this issue is to either send "SIGNAL HUP" to the control port, or to kill -HUP pidof tor. After receiving the HUP signal, tor immediately launches new orconns and circuits for its bridges, and attaches the currently pending streams to these new circuits.

Sometimes, after this problem has happened once, tor will cease building circuits even if the network remains available.

This is extremely bad for usability, because TBB becomes completely unusable in this case, and the only thing a normal user can do is exit the whole browser and re-launch it.

This may also indicate a deeper bug with how Tor handles the liveness/'down' status of normal Guard nodes, and may cause Tor to rotate Guards more frequently than necessary.

#11307 connection_handle_event_cb() should handle orconns correctly even when not in OR_CONN_STATE_CONNECTING needs_review andrea defect Medium Tor: 0.2.???
Description

This code is in connection_handle_event_cb():

if (conn->type == CONN_TYPE_OR &&
    conn->state == OR_CONN_STATE_CONNECTING) {
  connection_or_connect_failed(TO_OR_CONN(conn),
                               errno_to_orconn_end_reason(socket_error),
                               tor_socket_strerror(socket_error));
}

It should be something like this:

if (conn->type == CONN_TYPE_OR) {
  if (conn->state == OR_CONN_STATE_CONNECTING) {
    connection_or_connect_failed(TO_OR_CONN(conn),
                                errno_to_orconn_end_reason(socket_error),
                                tor_socket_strerror(socket_error));
  } else {
    connection_or_close_for_error(TO_OR_CONN(conn));
  }
}

As it stands, if conn->state != OR_CONN_STATE_CONNECTING this code will incorrectly treat orconns as generic conns and call connection_mark_for_close() on them without properly notifying the channel layer.

Note that since this code is specific to bufferevents which do not currently work, this bug cannot be demonstrated in any working build of Tor, so I'm assigning it to the 0.2.?? milestone.

Created pursuant to connection_mark_for_close() audit task #7472.

#11311 httpse-ruleset-bug: wistia ruleset breaks some video thumbnail generation new pde defect Medium
Description

My HTTPS-E version is actually 3.4.5, but I didn't see that listed in the version field...

Problem url: http://www.bitplane.com/learning

Click on "Advanced Search", and filter the list for "tutorial videos" or "webinar recordings" -> thumbnails of the flash videos (hosted by wistia) are generally not visible. If you choose "application video gallery" instead, those flash video thumbnails (also wistia-hosted) work fine.

I noticed one difference is that the videos with thumbnails that work are playing back in a floating overlay window, but the ones where thumbnails fail are playing back in a player that's embedded in the webpage.

The reason I submitted this as a ruleset bug for the wistia domains is that, if I disable the "Wistia (partial)" ruleset, all the video thumbnails are generated just fine.

Since Wistia sells video hosting services, I guess this may affect other customers of theirs besides bitplane.com, but I don't know of any other specific ones other than their "sister site": http://www.andor.com/learning-academy?type=video (Bitplane is an Andor / Oxford Instruments company)

#11325 RFE: Adhere to XDG base directory specification new defect Low Tor: unspecified
Description

As noted by a Fedora user [1], when running Tor as a regular user it creates "$HOME/.tor" instead of "$XDG_CACHE_HOME/.tor", which is advised by the XDG specification [2] for user-specific non-essential (cached) data. Would you consider adhering to this specification?

[1] https://bugzilla.redhat.com/show_bug.cgi?id=968163
[2] http://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html

#11327 Dir auths should choose Fast and Guard flags by consensus weight if they don't measure needs_revision TvdW defect High Tor: 0.2.9.x-final
Description

In #8435 we made directory-authorities-that-run-bwauths stop voting Fast or Guard for relays they hadn't measured yet.

But as I pointed out in https://trac.torproject.org/projects/tor/ticket/8435#comment:13, since only a minority of dir auths run bwauths, the majority of dir auths are still voting Fast and Guard based on descriptor bandwidths.

So while the title of ticket #8435 says "Ignore advertised bandwidths for flags once we have enough measured bandwidths", the ChangeLog entry is more accurate:

    - Directory authorities that have more than a threshold number
      of relays with measured bandwidths now treat relays with unmeasured
      bandwidths as having bandwidth 0. Resolves ticket 8435.

We should at some point actually do the original goal, which is to give Fast to the 7/8s of relays whose consensus weights are highest, and Guard to the 1/2 of relays whose consensus weights are highest and who match the other guard constraints.

#11328 Dir auths should compute Guard WFU using the consensus, not private history assigned defect Medium Tor: 0.2.???
Description

Currently directory authorities track the presence of each relay and keep notes about their view locally. Then when it comes time to vote about Guard, they look at their notes and decide what fraction of the past interval the relay was up for.

But it doesn't matter anymore to clients whether the directory authority could reach the relay for that time. The question as of the v3 directory design is whether the relay was in the consensus.

So it seems like the directory authorities should be basing their measurements off "is it in the consensus this hour".

#11337 Reimplement (move relevant functions, delete extra redundant code) of pdfSteg.cc, swfSteg.cc, jsSteg.cc as children of FileStegMod new vmon defect High
Description

It seems that the SRI implementation of all steg modules has almost identical implementations of:

http_handle_client_XXX_receive
http_server_XXX_transmit

As programmers usually do not duplicate a code that they need to use twice, instead, often they write a function and call it twice (surprisingly that was exactly the reason for which functions were invented in the first place), I came up with the following revolutionary solution:

I made a FileStegMod class (file_steg.h/.cc) which has only one copy of the above-mentioned functions. Other steg modules should inherit from this class and call the parent function instead, so we don't need to keep a zillion copies of these functions in our code.

Also doing so, it will uniformize the code (new steg modules are already children of FileStegMod) and as such, considerably simplify it.

#11341 Khmer translation new phoul defect Medium 2014 Tor Blog Replacement
Description

Hi,

I finished translation for TorBrowser at: https://www.transifex.com/projects/p/torproject/language/km/

Could you please build Khmer translations in the next release? and when will the next release happen?

Regards,

Sokhem

#11343 TorLauncher's UI should warn users when a bridge fingerprint appears to be incomplete new brade defect Medium
Description

A Tails user reported some trouble using the new Tails (version 0.23) which includes TorLauncher. They were entering a bridge line, and were confused why it was not working. After some troubleshooting, we determined that they had only entered 27 (out of 40) of the characters of the bridge's fingerprint. Perhaps it would help users to have some sort of feedback on this? The simplest would be: when they hit "OK", to take them back and display a message saying "Oops! It looks like you were trying to enter a bridge fingerprint. Bridge fingerprints are 40 characters long, and you only have 27!" More complicated: while they are typing the fingerprint, display a dynamic message which counts down the number of characters missing. For posterity, here is the conversation from #tails:

00:55  alster ) i'm just trying to run tails for the first time actually, with
                a bridges setup, but having trouble to get past the point where
                i need to type the bridges.
00:56  alster ) but the error message actually sounds like i may have a typo
00:56  alster ) [warn] key digest for bridge is wrong
00:57  velope ) hmm, are you entering a fingerprint for the bridge? don't.
00:57  alster ) [warn] controller gave us config lines that didn't validate:
                Bridge line did not parse. See logs for details.
00:58  alster ) the lines i got in the box look like this:
00:58  alster ) bridge obfs3 <IPv4> <HASH>
00:59  alster ) i guess the HASH is the fingerprint you're referring to?
00:59    isis ) yes, HASH is the fingerprint
00:59  alster ) actually that's
00:59  alster ) bridge obfs3 <IPv4:PORT> <HASH>
00:59    isis ) that should be correct
01:00  alster ) so what i should be using is this instead?
01:00  alster ) bridge obfs3 <IPv4:PORT>
01:00  alster ) correct?
01:00    isis ) i am not sure, i have not tried the new tails yet, but you really want the fingerprint in there, otherwise you could be trivially man-in-the-middled
01:01    isis ) so if tails is not handing the fingerprint correctly, that is a
                serious bug
01:01  alster ) maybe i don't want the leading "bridge"? since bridges.torproject.org does not output this
01:02    isis ) well, i write the code for bridges.tpo
01:02  alster ) well i entered the data manually, so chances are i just
                misspelled it
01:02    isis ) and the only reason we stopped putting the 'bridge ' at the
                beginning was because vidalia is idiotic and didn't handle it
                correctly
01:03    isis ) torlauncher explicitly has code to handle lines which either start
                with 'bridge ', or with the transport method, or with the IP:PORT
01:03  alster ) i assume the fingerprints should be the exact same # of characters
                always, right?
01:03    isis ) yes, always 40 chars
01:04    isis ) though? perhaps? is your bridge's fingerprint all uppercase or
                all lowercase?
01:04  alster ) all lowercase
01:04    isis ) bridges.torproject.org currently returns lowercase
01:05  alster ) i just checked, https://bridges.torproject.org gave me 2
                fingerprints with 40 characters each
01:05  alster ) but one of those i typed has 29 only
01:05  alster ) so it's my fault
01:05    isis ) ah, okay, that makes sense :)
01:06    isis ) but perhaps torlauncher should be a bit smarter and tell you
                that that was the problem
01:06    arma ) isis: you could be man-in-the-middled for your first hop, but
                not your second or third. and if they're in a position to
                man-in-the-middle your first hop, they're in a position to
                do traffic analysis on it. so either way you'd best hope
                they're not watching the other end too. and if they are, it
                doesn't matter that they can mitm the first end.
01:06    isis ) arma: yes, true
01:07    arma ) that's why i was fine giving out bridges without fingerprints
01:07    arma ) it seems there's been a big push lately to switch to "you must
                have a fingerprint"
01:07    arma ) which seems to really harm usability
01:07    isis ) arma: though mitm'ing the first hop opens the grounds for more
                attacks than just analysis, like the replay attack and xor'ing
                in tags into the encrypted streams
01:08    isis ) arma: but this is the first i've heard of a usability issue
                with the fingerprints, is this normal? there are lots of these
                problems?
01:08  alster ) this GUI definitely needs something like "okay, you entered 27
                characters so far, 13 more to go."
01:09  alster ) also, the lines you enter there do currently wrap
01:09  alster ) (making it hard to read)
01:09    isis ) yes, i agree, it definitely should tell you that something was
                amok
01:09    arma ) isis: anybody who tries to manually copy a bridge line will
                basically fail if it's more than an ip and a port and maybe a
                few more characters
01:10    isis ) arma: i can give them a QR code with two lines of python,
                would that help?
01:10    arma ) but also, good point, they can get in past the tls if they can
                mitm the bridge. which is meaningful.
01:11    arma ) would the qr code help this tails person? probably not. would it
                help an orbot person? maybe.
01:11  alster ) presenting the fingerprint in a user friendly way (and having a
                user friendly input on the other end) would help
01:12  alster ) so think of images of fruits or whatever
01:12    isis ) should there be a "Wat? You expect me to type that in? Give me
                a QR code!" button on BridgeDB when you get bridges?
01:13  velope ) the GUI could be better, but for most people anything involving
                long meaningless strings is massive fail
01:13    isis ) hmm, the images of fruits thing becomes much harder to do, i
                think, because it would need to be something that the bridge
                puts in their descriptor (so that your tor could check it when
                you try to connect to the bridge)
01:14    isis ) hmm. i will need to think about this more.
01:14  velope ) "needs proposal"
01:15    isis ) though torlauncher should also be okay if there is no
                fingerprint at all
01:15  velope ) it is
#11361 Cloudfront rules block kitebit.com downloads new pde defect Medium
Description

When downloading some files from https://kitebit.com/, we are sent a link on http://ds6mgb82jxf5h.cloudfront.net/. However https-everywhere redirects to an https version of the URL which gives a permission denied error.

I suggest adding the following exclusion to the cloudfront rule:

<exclusion pattern="^http://ds6mgb82jxf5h\.cloudfront\.net" />
#11363 OR,DIR ports bind to 0.0.0.0 even when I tell tor otherwise. new defect Medium
Description

Hello, I am running a tor middle relay on a high bandwidth connection but am running into a problem which is causing me more frustration than needed.

I have multiple virtual ip's on my servers NIC. I only want ports 9030,443 and outgoing connections to be available on 1 virtual IP. In order to accomplish that I have added the following configuration to Vidalia.

# This file was generated by Tor; if you edit it, comments will not be preserved
# The old torrc file was renamed to torrc.orig.1 or similar, and Tor will ignore it

AccountingMax 11811160064000
AccountingStart month 1 00:00
ContactInfo tor-relay-harrry at comcast dot net
ControlPort 9051
DataDirectory C:/Users/jt/AppData/Roaming/tor
DirPort 192.223.27.139:9030
DirReqStatistics 0
ExitPolicy reject *:*
HashedControlPassword 16:0FD1F531889C1EA360F45BB687F6635983F68D781254B999BC7EDB0200
Log notice stdout
Nickname BeefTits
ORPort 192.223.27.139:443
OutboundBindAddress 192.223.27.139
RelayBandwidthBurst 30720000
RelayBandwidthRate 10240000
SocksPolicy reject *
SocksPort 9050

The problem is TOR.exe looks for the ports on my default NIC ip address of 63.251.20.61:443 and 63.251.20.61:9031

=====================================================================
Mar 29 00:03:59.678 [Notice] Now checking whether ORPort 63.251.20.61:443 and DirPort 63.251.20.61:9030 are reachable... (this may take up to 20 minutes -- look for log messages indicating success)
======================================================================
Because I have communication blocked on these ports the reach-ability test fails.
======================================================================
Mar 29 00:23:58.649 [Warning] Your server (63.251.20.61:443) has not managed to confirm that its ORPort is reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 29 00:23:58.650 [Warning] Your server (63.251.20.61:9030) has not managed to confirm that its DirPort is reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
======================================================================

Is it possible for the service to only use the ports that I am specifying? If I leave the default ports open then port 443 is open on my main server ip which I do not want.

Additionally, if I have the configuration set up with the default ports set, i.e. not specifying an ip:port in the config in Vidalia, when I click on settings/sharing the box "relay traffic inside the Tor network (non-exit relay)" is checked as expected.

As soon as I edit the configuration like I have above and specify the ip:port allocations, the button goes to "run as client only" by itself, and it overwrites the configuration I added and defaults the configuration to specify just the ports 443 and 9031, which means bind to 0.0.0.0, i.e. 63.251.20.61

Question: is there a way to specify outgoing and incoming port allocations to one virtual ip on the IP Stack?

Why is it using the default ip when I am specifically telling it not to do so?

I also see the ports being used in the sniffer output so the software is ignoring my configuration for port:ip bindings.

Thanks,

Justin

#11374 fix tor lockfile checking bug needs_revision dave2008 defect Medium
Description

I previously had a misconception that lockfile got removed every time tor exits :(

This patch checks the state of lockfile properly.

branch: https://github.com/houqp/chutney/tree/lock_fix

#11423 Fail to load http->https new pde defect Medium
Description

I haven't tested/reproduced it but I'm positive this is correct

When on a *http* site when the page loads a http resource that redirects itself to https; http everywhere won't load it. For an example on many squarespace sites such as this http://dstank.squarespace.com/portfolio/

I may get a http link and if I do the twitter/whatever icon will not show. If it's https it works completely fine. If I visit http after loading the https version it's fine. On hard refresh of course it has to find the resource again and fails, thus I get weird squares instead of glyphs. See the linkedin link at the bottom of the page; it should have a linkedin icon.

#11442 Amazon Web Services rule breaks issuu.com new pde defect Medium
Description

This is a ruleset bug:

The Amazon Web Services stable rule breaks the display of documents at issuu.com. For instance, see http://issuu.com/bighass/docs/revolt_magazine_issue04_final03.

When the Amazon Web Services rule is turned off, you can navigate the pages, zoom in and zoom out with your mouse. When the rule is turned on, only a cover thumbnail is displayed.

HTTPS Everywhere for Chrome 2014.1.3
Google Chrome 33.0.1750.154 m
Windows 8.1, 64 bit

#11444 Drop support for long-obsolete versions of Windows assigned defect Medium Tor: 0.2.???
Description

When we started writing Tor, Windows 98 was still a going concern. Now... it is less so.

We should identify and drop support code for all windows versions before Windows XP. This is mainly going to be a matter of identifying cases where we use LoadLibrary and GetProcAddress to find always-present-functions in always-present DLLs, and looking for opportunities to move from old busted APIs to fresh new ones.

(Dropping support for windows XP is a separate ticket.)

#11445 Drop support for Windows XP new defect Medium Tor: 0.2.???
Description

Windows XP hit its end-of-life today (April 8, 2014).

We should identify and drop support code for Windows XP. This is mainly going to be a matter of identifying cases where we use LoadLibrary and GetProcAddress to find always-present-functions in always-present DLLs, and looking for opportunities to move from old busted APIs to fresh new ones.

I'm making this a separate ticket from #11444 (removing support from pre-XP versions) since the timing on the two can be argued to be separate. Nonetheless, if we agree to do both at once, that might be clever.

#11448 Dirauths must support multiple relay identity keys at once new defect High Tor: unspecified
Description

As discussed on https://blog.torproject.org/blog/openssl-bug-cve-2014-0160, directory authorities must rotate their relay identity keys in order to recover from possible exposure due to the ‘Heartbleed’ bug. (A dirauth's relay identity key could be used by a MITM attacker to feed clients an outdated consensus, for example.)

There are two requirements in order to do this without causing a network meltdown:

  • A dirauth must be able to sign relay descriptors using multiple relay identity keys at once.
  • A dirauth must be able to operate multiple ORPorts at once, with (possibly) different relay identity keys.
#11459 libfaketime causes the build system to report being not sane new tbb-team defect Medium
Description

libfaketime causes build systems to report that they are not sane which can easily lead to an endless loop or at least to a much longer build time. This is only an issue if more than one core is used for building the TBBs.

#11466 Only blank PNG files are visible in thumbnails folder after disabling private browsing mode new tbb-team defect Very Low
Description

Instead of thumbnails of previously visited sites only blank PNG files are visible after disabling private browsing mode. The expected behavior is probably to see the real thumbnails.

#11502 Tor Cloud - Update, Heartbleed and new Maintainer new inf0 defect Medium
Description
  1. We have unattended-upgrades enabled on the images, I launched a new Instance and let it self upgrade to confirm. [1] In theory, our images are self updating, upgrading and rebooting:

https://gitweb.torproject.org/tor-cloud.git/blob/ce98487e1174bff3a76c1f9f0327486b5be89a44:/ec2-prep.sh#l41
https://gitweb.torproject.org/tor-cloud.git/blob/ce98487e1174bff3a76c1f9f0327486b5be89a44:/ec2-prep.sh#l59

  2. SiNA (inf0) needs to update the Amazon Images with latest system updates, and also create instances for all the available regions. Currently we are only displaying 1 or 2 regions on the website.
  3. Finally, sina@… needs access to these assets:
  • Tor's Amazon EC2 account login, or API access
  • Access to update cloud.torproject.org and git.torproject.org/tor-cloud.git
  • Access to update blog.torproject.org with latest Updated in regards to Tor Cloud

[1]
root@ip-10-185-235-58:/var/log/unattended-upgrades# ls /var/log/unattended-upgrades
unattended-upgrades-dpkg_2014-04-13_06:45:08.700625.log
unattended-upgrades.log

==> unattended-upgrades-dpkg_2014-04-13_06:45:08.700625.log <==
/usr/sbin/grub-probe: warn: disk does not exist, so falling back to partition device /dev/xvda1.
/usr/sbin/grub-probe: warn: disk does not exist, so falling back to partition device /dev/xvda1.
/usr/sbin/grub-probe: warn: disk does not exist, so falling back to partition device /dev/xvda1.
Found memtest86+ image: /boot/memtest86+.bin
done
Setting up linux-headers-3.2.0-60 (3.2.0-60.91) ...
Setting up linux-headers-3.2.0-60-virtual (3.2.0-60.91) ...
Setting up linux-image-virtual (3.2.0.60.71) ...
Setting up linux-headers-virtual (3.2.0.60.71) ...
Setting up linux-virtual (3.2.0.60.71) ...

==> unattended-upgrades.log <==
2014-04-13 06:44:54,831 INFO Initial blacklisted packages:
2014-04-13 06:44:54,832 INFO Starting unattended upgrades script
2014-04-13 06:44:54,832 INFO Allowed origins are: ['o=Ubuntu,a=precise', 'o=Ubuntu,a=precise-security', 'o=Ubuntu,a=precise-updates', 'o=TorProject,a=precise', 'o=TorProject,a=experimental-precise']
2014-04-13 06:45:08,700 INFO Packages that are upgraded: linux-headers-virtual linux-image-virtual linux-virtual
2014-04-13 06:45:08,701 INFO Writing dpkg log to '/var/log/unattended-upgrades/unattended-upgrades-dpkg_2014-04-13_06:45:08.700625.log'
2014-04-13 06:45:54,778 INFO All upgrades installed
2014-04-13 06:45:54,778 WARNING Found /var/run/reboot-required, rebooting

#11506 Users are confused by the 2000-01-01 00:00 UTC timestamp new tbb-team defect Medium
Description

Picture yourself: your browser tells you that there is an update. You go get the new shiny thing. And then, when you look at the date on it, it says more than 14 years ago. Confusing, neh?

I guess using the date of the latest Git commit would just work great.

#11517 Ukrainian Tor Browser Bundle new erinn defect Medium
Description

A few users have contacted RT requesting a Ukrainian Tor Browser Bundle. These strings have been translated by our Ukrainian translators on Transifex.

#11542 Add a new logging domain for transport proxies assigned yawning defect Low Tor: 0.2.???
Description

velope suggested (and nickm is not against the idea of) adding a new logging domain for all the stuff to do with transport proxies / PTs. It would sure be nice to have transport proxy output like #9957 go to that specific domain; it would make debugging PT things easier, I think.

Does this make sense, or is there simply no need for it, really?

#11559 Orbot-v13.0.7-BETA-1: "Tor Tethering" not working new n8fr8 defect Medium
Description

Hi,

I'm running the latest Orbot version [1] on a rooted Android 4.0.4 and enabled "Tor Tethering" while enabling Internet via 3G, but the devices connecting to the hotspot are not routed over Tor (tested via checkip.dyndns.org).

Should this work or is this an experimental feature anyway? How can I help to debug this?

https://guardianproject.info/releases/Orbot-v13.0.7-BETA-1.apk

#11560 Orbot-v13.0.7-BETA-1: "Tor Tethering" > Warnings about Listeners on 0.0.0.0 new n8fr8 defect Medium
Description

"
WARN: You specified a public address '0.0.0.0:9050' for SocksPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
WARN: You specified a public address '0.0.0.0:5400' for DNSPort. Other people...
WARN: You specified a public address '0.0.0.0:9040' for TransPort. Other people...
WARN: You have a ControlPort set to accept connections from a non-local address. This means that programs not running on you computer can reconfigure you Tor. That's pretty bad, since the controller protocol isn't encrypted! Maybe you should ...
"

I assume these listeners are there due to the enabled "Tor Tethering", but wouldn't it be possible to bind these listeners to the WIFI interface only (I assume they are only needed there)?

#11571 HTTPS Everywhere breaks BBC iPlayer new pde defect Medium
Description

Videos won't load on BBC iPlayer (https://www.bbc.co.uk/iplayer), even if I click on "load unsafe script". The little shield icon remains after I click on it.

The problem disappears if I disable the HTTPS Everywhere plugin.

I'm using HTTPS Everywhere v2014.4.16 on Google Chrome v34.0.1847.116 on Mac OS X 10.9.2.

#11574 flashproxy-client needs to support SOCKS arguments primarily new dcf defect Medium
Description

At the moment, flashproxy-client takes a bunch of command-line arguments, that determine how it registers and talks to the bridge.

These should really be done in the Bridge line (and passed in via SOCKS arguments), since the argument values may change per Bridge. These include:

--facilitator, --facilitator-pubkey
--register, --register-*
--transport.

I would argue that the CLI arguments be deprecated. I would favour complete removal, but AIUI it is required for compatibility with older versions of Tor.

This may require #10671.

#11583 Flash crashes on tubechop.com new pde defect Medium
Description

Flash crashes "Shockwave Flash has encountered an error." when trying to play any video from tubechop.com (for example http://www.tubechop.com/watch/8488). Browser SRWare Iron Version 33.0.1800.0 (260000). New profile with HTTPS Everywhere 2014.4.16 extension only installed. When extension is disabled video plays normally.

#11588 Amazon Web Services rule breaks product info videos on Amazon.com needs_revision pde defect High HTTPS-E next Chrome release
Description

On pages like https://www.amazon.com/Conair-GMT900-iStubble-Facial-Trimmer/dp/B004PXIR1W, the only way the product video can be played is if encrypted connections to "Amazon Web Services" are not forced.

Chrome 34.0.1847.116
HTTPS Everywhere 2014.4.16

#11589 Can't load trailers on IMDB reopened pde defect Medium
Description

Can't load trailers on IMDB with HTTPS Everywhere 2014.4.16 addon on.

Using latest version of chrome, Version 34.0.1847.116 m (not beta) on Windows 7.

#11600 Strange nameserver fail warning in Tor log new defect Medium Tor: 0.2.???
Description

I am running an exit relay on Linux, my Tor version is 0.2.4.21

I checked the log and found these strange warnings:

Apr 24 15:14:07.000 [notice] Circuit handshake stats since last time: 91698/91698 TAP, 15988/15988 NTor.
Apr 24 17:40:45.000 [warn] eventdns: All nameservers have failed
Apr 24 17:40:45.000 [notice] eventdns: Nameserver <ISP-resolver1>:53 is back up
Apr 24 18:01:51.000 [warn] eventdns: All nameservers have failed
Apr 24 18:01:51.000 [notice] eventdns: Nameserver <ISP-resolver2>:53 is back up
Apr 24 18:01:52.000 [warn] eventdns: All nameservers have failed
Apr 24 18:01:53.000 [notice] eventdns: Nameserver <ISP-resolver1>:53 is back up
Apr 24 18:02:00.000 [warn] eventdns: All nameservers have failed
Apr 24 18:02:01.000 [notice] eventdns: Nameserver <ISP-resolver1>:53 is back up
Apr 24 18:02:01.000 [warn] eventdns: All nameservers have failed
Apr 24 18:02:01.000 [notice] eventdns: Nameserver <ISP-resolver2>:53 is back up
Apr 24 19:46:22.000 [warn] eventdns: All nameservers have failed
Apr 24 19:46:22.000 [notice] eventdns: Nameserver <ISP-resolver2>:53 is back up
Apr 24 20:46:25.000 [warn] eventdns: All nameservers have failed
Apr 24 20:46:25.000 [notice] eventdns: Nameserver <ISP-resolver2>:53 is back up
Apr 24 21:14:07.000 [notice] Heartbeat: Tor's uptime is 8 days 12:00 hours, with 13940 circuits open. I've sent 549.49 GB and received 543.20 GB.

So I thought it's the fault of the nameservers provided by the ISP. Fair enough, I have configured my own resolver on localhost (where the relay is running) using BIND 9.10 (latest stable) with dnssec-validation and everything. I thought I fixed it. After some time, I checked the logs again and:

Apr 24 23:26:03.000 [warn] eventdns: All nameservers have failed
Apr 24 23:26:03.000 [notice] eventdns: Nameserver 127.0.0.1:53 is back up
Apr 25 02:04:02.000 [warn] eventdns: All nameservers have failed
Apr 25 02:04:02.000 [notice] eventdns: Nameserver 127.0.0.1:53 is back up
Apr 25 02:04:03.000 [warn] eventdns: All nameservers have failed
Apr 25 02:04:04.000 [notice] eventdns: Nameserver 127.0.0.1:53 is back up
Apr 25 02:04:04.000 [warn] eventdns: All nameservers have failed
Apr 25 02:04:05.000 [notice] eventdns: Nameserver 127.0.0.1:53 is back up
Apr 25 02:04:06.000 [warn] eventdns: All nameservers have failed
Apr 25 02:04:06.000 [notice] eventdns: Nameserver 127.0.0.1:53 is back up
Apr 25 02:04:08.000 [warn] eventdns: All nameservers have failed
Apr 25 02:04:08.000 [notice] eventdns: Nameserver 127.0.0.1:53 is back up

Looks like it's something Tor related. Why do I get this warning? Does this have any penalty on the performance or on the users who are using this node as an exit point? Should I just leave it alone as it works fine? From what I see, nameservers fail and get back online immediately; the fail and the back-up have the same timestamp. Any advice? Thanks in advance.

#11607 Tumblr buttons/interface not loading properly new pde defect Medium
Description

When Firefox updated to its latest version (28.0) the reblog, favorite, follow, and dashboard buttons that usually show at the top right of any tumblr page stopped appearing. Further, glitching caused the "queue" function not to show any time/dates.

Via Firefox Safemode the problem was traced back to HTTPS everywhere, don't know why.

#11613 httpse-ruleset-bug: Problems with latest Chrome on 8tracks.com new pde defect Medium
Description

I'm using Chrome Version 35.0.1916.69 beta-m under Windows 8.1 x64 with the version of HTTPS Everywhere installed: HTTPS Everywhere 2014.4.16.

When visiting 8tracks with HTTPS Everywhere activated, I can't play music. It simply breaks but I don't know how to deactivate it on 8tracks. Maybe it has something to do with some cross-site music loading on 8tracks (as they don't store the tracks on their own servers AFAIK). When deactivating the extension, 8tracks runs fine without any problems.

Here is the screenshot of the activated rules (I didn't change anything about it, so it's default only):

http://i.imgur.com/dqXq5vI.png http://i.imgur.com/llTMPPJ.png

Any suggestions? Maybe you could investigate into it, thanks a lot in advance!

#11614 twitch.tv broken by rule for justin.tv new pde defect Medium
Description

When using the HTTPS Everywhere extension, one must disable the rule for justin.tv in order to view channels on twitch.tv. Many people have reported this issue here: http://help.twitch.tv/customer/portal/questions/5754324-twitch-website-frequently-grey-with-only-the-twitch-logo-in-the-center-

I think this rule should be disabled by default.

#11616 ooni-backend (oonib) doesn't prompt any error when Tor is killed or crashes new hellais defect Medium
Description

It seems that I can always reproduce this case. ooni-backend doesn't report any connection issues with Tor.

  1. Running ooni-backend in virtualenv (debug mode)

# oonib.conf

main:
    report_dir: data/reports/
    archive_dir: data/archive/
    input_dir: data/inputs/
    deck_dir: data/decks/
    policy_file: data/policy.yaml
    bouncer_file: data/bouncer.yaml

    logfile: null
    tor_datadir: null
    database_uri: 'sqlite://oonib_test_db.db'
    db_threadpool_size: 10
    tor_binary: null
    socks_port: 9055
    tor2webmode: false
    pidfile: 'oonib.pid'
    nodaemon: true
    originalname: null
    chroot: null
    rundir: .
    umask: null
    euid: null
    uid: null
    gid: null
    uuid: null
    no_save: true
    profile: null
    debug: true
    stale_time: 3600

    tor_hidden_service: true

helpers:
    http-return-json-headers:
        address: null
        port: 57001
        server_version: Apache

    tcp-echo:
        address: null
        port: 57002

    daphn3:
        address: null
        yaml_file: null
        pcap_file: null
        port: 57003

    dns:
        address: null
        udp_port: 57004
        tcp_port: 57005
        resolver_address: '8.8.8.8:53'

    ssl:
        address: null
        private_key: 'private.key'
        certificate: 'certificate.crt'
        port: 57006

$ oonib --version
Twisted version: 13.2.0

# git commit https://github.com/TheTorProject/ooni-backend/commit/7b35b7fa5a3d81f6574c7494cde0ac705d4e2cea

$ oonib

Starting SSL helper on 57006
Starting TCP DNS Helper on 57005
Starting UDP DNS Helper on 57004
Starting Daphn3 helper on 57003
Starting TCP echo helper on 57002
Starting HTTP return request helper on 57001
Log opened.
HTTPReturnJSONHeadersHelper (TLS) starting on 57006
Starting factory <oonib.testhelpers.http_helpers.HTTPReturnJSONHeadersHelper instance at 0x420fcb0>
DNSTestHelper starting on 57005
Starting factory <oonib.testhelpers.dns_helpers.DNSTestHelper instance at 0x420fd88>
DNSDatagramProtocol starting on 57004
Starting protocol <twisted.names.dns.DNSDatagramProtocol object at 0x4214850>
Daphn3Server starting on 57003
Starting factory <oonib.testhelpers.tcp_helpers.Daphn3Server instance at 0x4219560>
TCPEchoHelper starting on 57002
Starting factory <oonib.testhelpers.tcp_helpers.TCPEchoHelper instance at 0x4219758>
HTTPReturnJSONHeadersHelper starting on 57001
Starting factory <oonib.testhelpers.http_helpers.HTTPReturnJSONHeadersHelper instance at 0x42197e8>
[W] Option 'tor_datadir' in oonib.conf is unspecified!
[W] Using /tmp/tmp1NH5ua
> /home/user/.virtualenvs/oonib/local/lib/python2.7/site-packages/twisted/internet/base.py(1191)run()
-> self.mainLoop()
(Pdb) n
5%: Connecting to directory server
10%: Finishing handshake with directory server
15%: Establishing an encrypted directory connection
20%: Asking for networkstatus consensus
25%: Loading networkstatus consensus
40%: Loading authority key certs
45%: Asking for relay descriptors
50%: Loading relay descriptors
52%: Loading relay descriptors
54%: Loading relay descriptors
56%: Loading relay descriptors
59%: Loading relay descriptors
61%: Loading relay descriptors
63%: Loading relay descriptors
66%: Loading relay descriptors
68%: Loading relay descriptors
70%: Loading relay descriptors
73%: Loading relay descriptors
75%: Loading relay descriptors
77%: Loading relay descriptors
80%: Connecting to the Tor network
90%: Establishing a Tor circuit
100%: Done
Application starting on 64535
Starting factory <cyclone.web.Application instance at 0x3eba7a0>
Exposed collector Tor hidden service on httpo://xxxxxxxxx.onion
Application starting on 16140
Starting factory <cyclone.web.Application instance at 0x3eba560>
Exposed bouncer Tor hidden service on httpo://yyyyyyyyyyyyy.onion

  2. Tor service is being stopped and all instances of Tor killed

$ service tor stop ; killall tor

  3. Running ooniprobe pointing to our collector.

# ~/.ooni/ooniprobe.conf

# This is the configuration file for OONIProbe
# This file follows the YAML markup format: http://yaml.org/spec/1.2/spec.html
# Keep in mind that indentation matters.

basic:
    # Where OONIProbe should be writing it's log file
    logfile: ~/.ooni/ooniprobe.log
privacy:
    # Should we include the IP address of the probe in the report?
    includeip: false
    # Should we include the ASN of the probe in the report?
    includeasn: true
    # Should we include the country as reported by GeoIP in the report?
    includecountry: true
    # Should we include the city as reported by GeoIP in the report?
    includecity: false
    # Should we collect a full packet capture on the client?
    includepcap: false
reports:
    # This is a packet capture file (.pcap) to load as a test:
    pcap: null
    #collector: 'httpo://fyifjaxdhdil6m5f.onion'
    collector: 'httpo://xxxxxxxxx.onion'

advanced:
    geoip_data_dir: /home/user/.virtualenvs/ooniprobe/share/ooni
    debug: false
    # enable if auto detection fails
    #tor_binary: /usr/sbin/tor
    #obfsproxy_binary: /usr/bin/obfsproxy
    # For auto detection
    interface: auto
    # Of specify a specific interface
    #interface: wlan0
    # If you do not specify start_tor, you will have to have Tor running and
    # explicitly set the control port and SOCKS port
    start_tor: true
    # After how many seconds we should give up on a particular measurement
    measurement_timeout: 60
    # After how many retries we should give up on a measurement
    measurement_retries: 2
    # How many measurments to perform concurrently
    measurement_concurrency: 10
    # After how may seconds we should give up reporting
    reporting_timeout: 80
    # After how many retries to give up on reporting
    reporting_retries: 3
    # How many reports to perform concurrently
    reporting_concurrency: 15
    # Specify here a custom data_dir path
    data_dir: /home/user/.virtualenvs/ooniprobe/share/ooni
    oonid_api_port: 8042
tor:
    #socks_port: 8801
    #control_port: 8802
    # Specify the absolute path to the Tor bridges to use for testing
    #bridges: bridges.list
    # Specify path of the tor datadirectory.
    # This should be set to something to avoid having Tor download each time
    # the descriptors and consensus data.
    #data_dir: ~/.tor/
    torrc:
        #HTTPProxy: host:port
        #HTTPProxyAuthenticator: user:password
        #HTTPSProxy: host:port
        #HTTPSProxyAuthenticator: user:password

$ ooniprobe --version
WARNING: running ooniprobe involves some risk that varies greatly
from country to country. You should be aware of this when running the tool. Read more about this in the README.

Twisted version: 13.2.0

# git commit https://github.com/TheTorProject/ooni-probe/commit/2fb54faf3b4e6c08270aba6daa4d212dc9328252

$ ooniprobe blocking/http_requests -u http://www.google.com

# ooniprobe.log

2:31+0200 [-] Starting Tor...
2:33+0200 [TorControlProtocol,client] 10%: Finishing handshake with directory server
2:33+0200 [TorControlProtocol,client] 15%: Establishing an encrypted directory connection
2:33+0200 [TorControlProtocol,client] 20%: Asking for networkstatus consensus
2:33+0200 [TorControlProtocol,client] 25%: Loading networkstatus consensus
2:36+0200 [TorControlProtocol,client] 40%: Loading authority key certs
2:36+0200 [TorControlProtocol,client] 45%: Asking for relay descriptors
2:37+0200 [TorControlProtocol,client] 50%: Loading relay descriptors
2:38+0200 [TorControlProtocol,client] 52%: Loading relay descriptors
2:38+0200 [TorControlProtocol,client] 54%: Loading relay descriptors
2:38+0200 [TorControlProtocol,client] 56%: Loading relay descriptors
2:38+0200 [TorControlProtocol,client] 59%: Loading relay descriptors
2:38+0200 [TorControlProtocol,client] 61%: Loading relay descriptors
2:38+0200 [TorControlProtocol,client] 63%: Loading relay descriptors
2:39+0200 [TorControlProtocol,client] 66%: Loading relay descriptors
2:39+0200 [TorControlProtocol,client] 68%: Loading relay descriptors
2:39+0200 [TorControlProtocol,client] 70%: Loading relay descriptors
2:39+0200 [TorControlProtocol,client] 73%: Loading relay descriptors
2:39+0200 [TorControlProtocol,client] 75%: Loading relay descriptors
2:39+0200 [TorControlProtocol,client] 77%: Loading relay descriptors
2:47+0200 [TorControlProtocol,client] 80%: Connecting to the Tor network
2:47+0200 [TorControlProtocol,client] 90%: Establishing a Tor circuit
2:47+0200 [TorControlProtocol,client] 100%: Done
2:48+0200 [TorControlProtocol,client] Successfully bootstrapped Tor
2:48+0200 [TorControlProtocol,client] Found your IP via Tor 188.4.30.189
2:48+0200 [TorControlProtocol,client] Fetching required net test inputs...
2:48+0200 [TorControlProtocol,client] Looking up test helpers...
4:50+0200 [ParserProtocol,client] [!] Lookup failed. Retrying.
5:16+0200 [ParserProtocol,client] We will include some geo data in the report
5:16+0200 [ParserProtocol,client] Setting collector and test helpers for http_requests_test
5:16+0200 [ParserProtocol,client] Using the default collector: httpo://ihiderha53f36lsd.onion
5:16+0200 [ParserProtocol,client] We will include some geo data in the report
5:16+0200 [ParserProtocol,client] Reporting using collector: httpo://xxxxxxxxx.onion
5:16+0200 [ParserProtocol,client] We will include some geo data in the report
5:16+0200 [ParserProtocol,client] Reporting http://xxxxxxxxx.onion/report
5:16+0200 [ParserProtocol,client] Creating report with OONIB Reporter. Please be patient.
5:16+0200 [ParserProtocol,client] This may take up to 1-2 minutes...
5:30+0200 [ParserProtocol,client] [!] Host is not reachable (HostUnreachable error
5:30+0200 [ParserProtocol,client] [!] Failed to open <ooni.reporter.OONIBReporter object at 0x3c60f50> reporter, giving up...
5:30+0200 [ParserProtocol,client] [!] Reporter <ooni.reporter.OONIBReporter object at 0x3c60f50> failed, removing from report...
5:30+0200 [ParserProtocol,client] Performing GET request to http://www.google.com over Tor
5:30+0200 [ParserProtocol,client] Performing GET request to http://www.google.com
5:31+0200 [ParserProtocol,client] The two body lengths appear to match
5:31+0200 [ParserProtocol,client] censorship is probably not happening
5:31+0200 [ParserProtocol,client] Headers appear to match
5:31+0200 [ParserProtocol,client] Summary for http_requests_test
5:31+0200 [ParserProtocol,client] ------------------------------
5:31+0200 [-] Main loop terminated.

#11617 HTTPS-E v3.5.3 breaks Sape blog/forum login reopened pde defect Medium HTTPS-E 3.5
Description

v3.5.1 accepts user/pass for Sape blog and forum, but then nothing happens after the redirect, i.e. the user is not logged in. Looking into Sape.xml I found:

<!--

Nonfunctional subdomains:

  • blog
  • forum

-->

Well, this is true. ...

<securecookie host=".*\.sape\.ru$" name=".+" />

And I think this one line breaks logins, because blog.sape.ru and forum.sape.ru are not excluded from the secure cookie and in fact have a normal cookie.

#11619 HTTPS-E v3.5.3 breaks Livejournal threads, styles, upper bar reopened pde defect Medium HTTPS-E 3.5
Description

Threads can't be expanded (forever busy under FF) and the upper bar is not shown when https is used to view someone's post (for a logged-in user). The "Livejournal (partial)" entry should be fixed somehow.

#11621 Pinterest.com doesn't render properly new pde defect Medium
Description

See this screenshot: https://www.dropbox.com/s/7f1zhqer2363mkt/Screenshot%202014-04-26%2022.37.40.png Note that it says "Whoops! Something went wrong. Try again." at the bottom; that shouldn't be there (in fact, there should be more pictures of watches there).

Also, lots of important-looking messages appear in the console; here are a few of them:

Failed to load resource: the server responded with a status of 400 (Bad Request) https://a248.e.akamai.net/webapp/style/sprites/webapp-common-main-1x.2b10c974.png

3 XMLHttpRequest cannot load https://www.pinterest.com/resource/ContextLogResource/create/. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://www.pinterest.com' is therefore not allowed access. (index):1

[Report Only] Refused to load the stylesheet 'https://a248.e.akamai.net/passets.pinterest.com.s3.amazonaws.com/webapp/style/app/desktop/bundle1.e55ce4e7.css' because it violates the following Content Security Policy directive: "default-src 'self' *.pinterest.com *.pinimg.com *.google.com connect.facebook.net *.google-analytics.com https://*.facebook.com *.facebook.com www.googleadservices.com googleads.g.doubleclick.net *.tiles.mapbox.com *.4sqi.net media.pinterest.com.s3.amazonaws.com 'unsafe-inline' 'unsafe-eval'". Note that 'style-src' was not explicitly set, so 'default-src' is used as a fallback. (index):1

[Report Only] Refused to load the stylesheet 'https://a248.e.akamai.net/f/1586/2045/10m/passets-ak.pinterest.com/webapp/style/app/desktop/bundle2.139567db.css' because it violates the following Content Security Policy directive: "default-src 'self' *.pinterest.com *.pinimg.com *.google.com connect.facebook.net *.google-analytics.com https://*.facebook.com *.facebook.com www.googleadservices.com googleads.g.doubleclick.net *.tiles.mapbox.com *.4sqi.net media.pinterest.com.s3.amazonaws.com 'unsafe-inline' 'unsafe-eval'". Note that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

Disabling HTTPS Everywhere makes things work again.

A few other people have also run into this: https://productforums.google.com/forum/#!topic/chrome/gf9-NjZxGjk

#11624 Malicious relays may be able to be assigned Exit flag without exiting anywhere new defect Medium Tor: 0.2.???
Description

The IANA for Multicast addresses indicates there are many /8's that are not yet allocated[0], such as 232.0.0.0-232.255.255.255.

The current voting mechanism in exit_policy_is_general_exit_helper allows an Exit flag to be assigned if it supports exiting to at least one /8 for 2 out of 3 ports of [80, 443, 6667]. exit_policy_is_general_exit_helper calls tor_addr_is_internal; this function only looks for the following IPv4 spaces: 10/8, 0/8, 127/8, 169.254/16, 172.16/12, 192.168/16.

A relay could put one of the unallocated IPv4 blocks and fool the Directory Authorities. Of course, if such a relay really wanted to do this, they could also set their relay up to exit to an uninteresting /8 no one would ever visit, such as one of the many military/DoD /8's.

Zack Weinberg's thread on tor-relays seems to have a good collection of addresses[1]. Other sources are the exclude list from masscan[2] and the IANA registry[3].

This would probably be doubly true for IPv6, which only looks for fc00/7, fe80/10, fec0/10 - but right now exit_policy_is_general_exit_helper ignores IPv6.

[0] http://www.iana.org/assignments/multicast-addresses/multicast-addresses.xhtml
[1] https://lists.torproject.org/pipermail/tor-relays/2014-April/004431.html
[2] https://github.com/robertdavidgraham/masscan/blob/master/data/exclude.conf
[3] http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml

#11625 Tor DNSPORT returns NXDOMAIN for AAAA records? new defect Medium Tor: 0.2.???
Description

On #11603, mickeyc reports:

Behaviour has changed with 0.2.5.4, but it is still broken. Now I'm getting an NXDOMAIN instead whenever I do any AAAA lookups. A record lookups are still fine:

mike@glue:~$ dig aaaa gmail.com @localhost -p 5304
; <<>> DiG 9.9.5-3-Debian <<>> aaaa gmail.com @localhost -p 5304
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 19056
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;gmail.com. IN AAAA
;; Query time: 249 msec
;; SERVER: ::1#5304(::1)
;; WHEN: Sun Apr 27 11:37:35 BST 2014
;; MSG SIZE rcvd: 27
mike@glue:~$ dig +short a gmail.com @localhost -p 5304
173.194.70.18
mike@glue:~$

#11626 HTTPS Everywhere 3.5.1 does not work in Firefox 28 on Mac OS X 10.6.8 new pde defect Medium
Description

I am using Firefox 28, on Mac OS X 10.6.8 Snow Leopard on a MacBook Pro 6,2.

The drop-down menu for HTTPS Everywhere 3.5.1 under the "Tools" menu in Firefox does not appear at all when I hover my mouse over the "HTTPS Everywhere" menu item. When I look at the preferences for HTTPS Everywhere, the redirection rules are all blank. I tried clicking "reset to defaults". It had no effect.

When I try to connect to a site, such as www.youtube.com, I get the normal http version, not the https version. If I manually enter https://www.youtube.com, I get the https version.

I tried un-installing and re-installing HTTPS Everywhere 3.5.1, as well as installing 4.0development.15, and 4.0development.16. The problem still persists.

My active Firefox add-ons are:

Adblock Edge 2.1.1
BetterPrivacy 1.68
Download YouTube Videos as MP4 1.7.18
DownloadHelper 4.9.22
DownThemAll! 2.0.16
DuckDuckGo Plus 0.3.16
Firebug 1.12.8
FxIF 0.4.7.1
Ghostery 5.2.1
HTTPS-Everywhere 3.5.1
Screengrab (fix version) 0.97.24c
User Agent Switcher 0.7.3

I also use Tor Browser 3.5.4, which includes the HTTPS Everywhere 3.5.1 add-on. HTTPS Everywhere works properly in Tor Browser 3.5.4.

I also tried using HTTPS Everywhere 3.5.1 in Firefox 28 on OS X 10.9.2 Mavericks. HTTPS Everywhere works properly in Firefox on Mavericks.

My active Firefox add-ons in Mavericks are:

Adblock Plus 2.5.1
BetterPrivacy 1.68
DuckDuckGo Plus 0.3.16
Firebug 1.12.8
Ghostery 5.2.1
HTTPS-Everywhere 3.5.1
User Agent Switcher 0.7.3

#11631 HTTPS-Everywhere Firefox add-on breaks BBC news videos new pde defect Medium
Description

When HTTPS-Everywhere (v3.5.1) is enabled in Firefox (v28.0 running on 64-bit Windows 7), embedded BBC news videos fail to play. The video component either shows a static image, is completely black, or is black with the words "media selection request failed".

Examples of BBC webpages containing video: http://www.bbc.co.uk/news/uk-27192600 http://www.bbc.co.uk/news/health-27184630 http://www.bbc.co.uk/news/health-27187172

#11640 bwauth, aggregate.py fails on freebsd new aagbsn defect Medium
Description

bwauth is up and running, but aggregate fails to run. It returns the following error:

./cron-mine.sh 
ERROR[Mon Apr 28 19:24:08 2014]:Exception during aggregate: No section: 'TorCtl'
Traceback (most recent call last):
  File "/usr/home/torflow/torflow/NetworkScanners/BwAuthority/aggregate.py", line 876, in <module>
    main(sys.argv)
  File "/usr/home/torflow/torflow/NetworkScanners/BwAuthority/aggregate.py", line 364, in main
    TorUtil.read_config(argv[1]+"/scanner.1/bwauthority.cfg")
  File "../../TorCtl/TorUtil.py", line 119, in read_config
    tor_port = config.getint('TorCtl', 'tor_port')
  File "/usr/local/lib/python2.7/ConfigParser.py", line 359, in getint
    return self._get(section, int, option)
  File "/usr/local/lib/python2.7/ConfigParser.py", line 356, in _get
    return conv(self.get(section, option))
  File "/usr/local/lib/python2.7/ConfigParser.py", line 607, in get
    raise NoSectionError(section)
NoSectionError: No section: 'TorCtl'

#11644 Tweakers.net Ruleset breaking page jump returning to posted comment new pde defect Medium
Description

Build number: 3.5.1 Useragent: Gecko/20100101 Firefox/28.0

When visiting Tweakers.net and reading an article and its comments below the article, you sometimes want to respond to someone's comment. When you have commented on someone's post (you must be logged in) and submitted this comment to the page, you want to continue to read the comments from the point where you posted your latest comment. This is done by an HTML page jump (by a script after posting your comment?).

Description: When you don't use the HTTPS Everywhere ruleset for Tweakers.net you're nicely returned to your latest comment. For example to:

http://tweakers.net/nieuws/"number article"/"article title".html#r_6907153

where #r_6907153 is the number of your comment.

But when the Tweakers ruleset is used and you post a comment, you are returned to the top of the comment section, instead of your latest submitted comment. The link shown in the address bar then looks like this:

https://tweakers.net/nieuws/"number article"/"article title".html#reacties

where #reacties (comments in Dutch) is the position at the top of the comments section, so no redirect / jump to latest position.

Expected result: Instead of jumping to the generic #reacties position (top of comments section) on a news article page, jump to the position of the comment the logged-in person just posted.

#11645 Can't add loans to basket on kiva.org with HTTPS-E enabled (4.0-dev-16) new zyan defect Medium HTTPS-E next Firefox dev release
Description

You'll need a kiva account for this. Once logged in, using FF 28.0 on Fedora 20, trying to add a loan to my account has no effect. Disabling HTTPS-E for kiva.org alone works around it.

4.0-development-16

#11651 with Firefox 28 - Cannot update Amazon.co.uk basket new zyan defect Medium
Description

I've been having problems over the last few days putting items in my Amazon.co.uk basket. I managed to identify the problem by disabling add-ons in Firefox. HTTPS Everywhere dated 15Apr14 stops the cookies working for the basket. Having spent some time clearing cookies, cache etc and constantly being unable to put anything in the basket. Switching off HTTPS Everywhere allowed the basket to be filled, and when I then re-enabled it I couldn't add to the basket again. Under the add-on options "more" field I unchecked "amazon.co.uk" and I am now able to run HTTPS Everywhere AND add to the Amazon basket. So I believe there may be a problem with the rules for this site, and others may also be experiencing the same problem.

#11660 Make tor_spawn_background and related interfaces work the same on windows and *nix new defect Medium Tor: 0.2.???
Description

Have a look at the tor_spawn_background unit tests. That's sure a lot of #ifdefs! It would be nice if our portability code actually let us write code to be portable across platforms: we should fix tor_spawn_background and tor_read_all_handle to act the same across platforms.

#11662 Breaks zillow.com needs_information zyan defect Medium
Description

Go to zillow.com and do a search for any region. Homes will not show up on the map or in the list. If you disable Https Everywhere and refresh, you will be able to see them.
