Changes between Version 1 and Version 2 of doc/FAQUnanswered


Timestamp:
Apr 23, 2010, 4:48:47 AM (9 years ago)
Author:
trac
  • doc/FAQUnanswered

    1 This is a list of questions people wish were answered in the [:../TorFAQ]; please add some more.  Better yet answer one and move it to [:../TorFAQ].  Finally you can vote for a question to be answered by incrementing the number after the question in parens.
    2 
    3 '''Please do not report bugs here; instead, use the [http://bugs.noreply.org/flyspray/index.php?tasks=all&project=4 bug tracker].'''  Soon, we'll designate one of the proposed bug servers as official, and you'll be able to post bugs there too.
    4 
    5 Also, this is '''not the place''' for random ''it doesn't work'' or ''how do I do foo'' questions.  Support questions are really better asked and answered on the
    6 [http://archives.seul.org/or/talk/ or-talk mailinglist].  Also, always a good read: [http://www.catb.org/~esr/faqs/smart-questions.html How To Ask Questions The Smart Way].
     1This is a list of questions people wish were answered in the [[../TorFAQ]]; please add some more. Better yet answer one and move it to [[../TorFAQ]]. Finally you can vote for a question to be answered by incrementing the number after the question in parens.
     2
     3'''Please do not report bugs here; instead, use the [[https://bugs.torproject.org/flyspray/index.php?tasks=all&project=4|bug tracker]].''' Soon, we'll designate one of the proposed bug servers as official, and you'll be able to post bugs there too.
     4
     5Also, this is '''not the place''' for random ''it doesn't work'' or ''how do I do foo'' questions. Support questions are really better asked and answered on the [[http://archives.seul.org/or/talk/|or-talk mailinglist]]. Also, always a good read: [[http://www.catb.org/~esr/faqs/smart-questions.html|How To Ask Questions The Smart Way]].
    76
    87= Unanswered FAQ Questions =
    98
    10 '''If an attacker has access to past logs of ISP and any given visted site, does the prng of the tor client allow the attacker to guess which circuit it used next?'''
     91.)  '''Can I securely connect to my email, bank, and brokerage accounts at unencrypted public WiFi hotspots. 
     10
     11I've read the TOR Overview and the related bits of the FAQ Wiki, but I'm still not sure if I can do this. 
     12
     13If I understand correctly TOR creates an encrypted connection (tunnel) between my client and the first TOR relay and I believe that this means that each entire packet containing my passwords etc. will be encrypted when they leave my laptop and are brodcast via WIFI to the public access point/network.  From there they will be routed to the first TOR relay where they will also be scrubbed of address data. 
     14
     15However, since there is a public server in between me and the first TOR relay I need to be sure that the encrypted tunnel starts at my laptop and runs through the public server/access point to TOR.  My fear being that the tunnel might only run from TOR to the public server/WIFI AP and I would be stupidly broadcasting my financial information unencrypted to my entire neighbourhood, or everyone at an international airport, coffee shop, etc. 
     16
     17Of course I believe most of this is already encrypted because most of the pages are HTTPS, but even so it seems risky when anyone with a WIFI card could intercept the data.  I also realize that the last TOR relay will be able to see my data, but it seems to me this is no different than the servers which are routing my data when I am using a landline, and as I said I believe HTTPS already provides some security.  If my assumptions are wrong please let me know. 
     18
     19Thanks in advance.'''
     20
     21
     222.) '''Hidden services are currently very vulnerable to attacks by web hosts who come to suspect a machine in their network is being used for Tor. Since they can power cycle the server in question (and likely blame it on technical difficulties without arousing suspicion) they can make an unambiguous identification of a hidden service host. This could be prevented if the directory servers supported more than one provider for a hidden service and so could direct requests away from a non-responsive server (there may be other solutions). Of course this could also help provide more reliable hidden services in general. Is there any chance of this getting implemented in the near future?'''
     23
     24
     253.) '''Why do I keep getting messages telling me that my clock has just jumped ahead and that my circuits will be assumed broken? ''(eg. Oct 02 10:14:53.619 [notice] Your clock just jumped 1056 seconds forward; assuming established circuits no longer work.'') I've got a cron job to sync the time every eight hours and it's never out by more than a second.'''
     26
     27-- On my system, this happens when Vidalia gets into trouble. It seems that when tor and V communicate, tor can wind up waiting for V to respond, or for the V process to be killed.
     28
     29
     304.)'''If an attacker has access to past logs of ISP and any given visted site, does the prng of the tor client allow the attacker to guess which circuit it used next?'''
    1131
    1232Tor uses cryptographically strong random numbers provided by OpenSSL when choosing nodes to use in a circuit. How OpenSSL implements this is operating system specific. If there's a weakness in Tor's method of choosing nodes, it probably isn't in the random number generator.
    1333
    14 *** Hmm, if the prng is deterministic, and you can narrow one result of calling it by knowing what host was chosen, can you, knowing the algorithm, however good it is, thereby narrow the result of the next call to it?  This question might be a bit ignorant; for example the prng might use other data on the client computer instead of following an algorithm to return the next item.
     34*** Hmm, if the prng is deterministic, and you can narrow one result of calling it by knowing what host was chosen, can you, knowing the algorithm, however good it is, thereby narrow the result of the next call to it? This question might be a bit ignorant; for example the prng might use other data on the client computer instead of following an algorithm to return the next item.
    1535
    1636*** Thanks for your comments, BTW, as a lot of us are wondering the answers to these FAQU.
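Review bot: the numbering introduced in v2 ("1.)" through "4.)") stops after the prng question, so every later question on the page is unnumbered; either number them all or drop the prefixes, since the "(votes: n)" convention from the preamble is what identifies questions anyway. Two smaller points in the same region: "Soon, we'll designate one of the proposed bug servers as official" is stale now that the link points at bugs.torproject.org and should go; and the new question 1 (the unencrypted public WiFi one) is exactly the kind of support question the preamble sends to or-talk, so if it stays, the questioner's own description of the encrypted tunnel starting on the laptop and running to the first relay is what an answer needs to confirm or correct, and a one-line reply would close it. Spelling carried over from v1 in this region: "visted", "brodcast".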
     
    1838*** It has nothing todo with determinism. It is a matter of predictability. Without using real entropy, everything done on conventional computers should be deterministic (try teling that to people who use Windows ;). However, the part that we are interested in is whether someone can predict what Tor is going to next choose.
    1939
    20   Cryptographic number generators have the property that they (shouldn't) give up their internal state by their external outputs quickly. So, unless the attacker gets to see a lot of outputs - node choices - without reseeding from real entropy they are pretty much screwed provided the cryptograpphic prng isn't broken.
     40 . Cryptographic number generators have the property that they (shouldn't) give up their internal state by their external outputs quickly. So, unless the attacker gets to see a lot of outputs - node choices - without reseeding from real entropy they are pretty much screwed provided the cryptograpphic prng isn't broken.
    2141
    2242
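Review bot: the reflow of the "Cryptographic number generators" paragraph carries the v1 typos over unchanged: "todo" should be "to do", "teling" should be "telling", and "cryptograpphic" should be "cryptographic"; since the line is being rewritten anyway, fix them here. The leading space-and-period that v2 prepends to that paragraph looks accidental; confirm it is the intended indentation rather than a stray edit.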
     
    2545You can connect to Tor's control port and send "authenticateCRLFsignal newnymCRLF" where CRLF is a carriage return line feed pair.
    2646
    27 '''Why does Firefox/Privoxy/Tor return Privoxy 404 pages so frequently -- almost every time -- when properly configured, even on sites like google.com?  How to mitigate?  The tor process is running fine.'''
    28 (Votes: 2)
    29 
    30 The first problem is that Privoxy doesn't retry in case of
    31 DNS errors. It shows the 404 no such domain message right away.
    32 The second problem is that some browser cache Privoxy's error
    33 messages and Firefox is one of them.
    34 
    35 The Privoxy patch described at
    36 http://www.fabiankeil.de/sourcecode/privoxy/
    37 lets Privoxy retry in case of connection problems
    38 and makes sure, the browser doesn't reuse a cached
    39 error message.
    40 
    41 '''For that matter, why is DNS the main failure mode?  Who is timing out and why?  Can Tor (1) change the timeout, (2) deprecate bad servers, or (3) cache DNS locally so it doesn't have to make a long, slow, failure-prone DNS lookup every time?'''
     47'''Why does Firefox/Privoxy/Tor return Privoxy 404 pages so frequently -- almost every time -- when properly configured, even on sites like google.com? How to mitigate? The tor process is running fine.''' (Votes: 2)
     48
     49The first problem is that Privoxy doesn't retry in case of DNS errors. It shows the 404 no such domain message right away. The second problem is that some browser cache Privoxy's error messages and Firefox is one of them.
     50
     51The Privoxy patch described at http://www.fabiankeil.de/sourcecode/privoxy/ lets Privoxy retry in case of connection problems and makes sure, the browser doesn't reuse a cached error message.
     52
     53'''For that matter, why is DNS the main failure mode? Who is timing out and why? Can Tor (1) change the timeout, (2) deprecate bad servers, or (3) cache DNS locally so it doesn't have to make a long, slow, failure-prone DNS lookup every time?'''
    4254
    4355You should be sending hostnames to Tor over SOCKS4a or SOCKS5. In that case, the Tor exit node will resolve the hostname before making a connection for you. Unless the exit node is misconfigured, there shouldn't be a problem with DNS resolves timing out.
    4456
    45 *** Actually, for me this happens most of the time.  I am sending through Privoxy, and tried both sockses.  So why would I be hitting so many exit nodes that FREQUENTLY time out on DNS? Firefox 1.5, most recent stable Tor.
    46 
    47 '''Is the reason that gmail rarely works: gmail, tor, privoxy, firefox, your own bandwidth/latency, tor's bw/latency, or some combination?  Is it fixable?'''
     57*** Actually, for me this happens most of the time. I am sending through Privoxy, and tried both sockses. So why would I be hitting so many exit nodes that FREQUENTLY time out on DNS? Firefox 1.5, most recent stable Tor.
     58
     59'''Is the reason that gmail rarely works: gmail, tor, privoxy, firefox, your own bandwidth/latency, tor's bw/latency, or some combination? Is it fixable?'''
    4860
    4961*** For Gmail for me, it's even worse; I have to try 5 or 6 times before I get a page.
    5062
    51 '''Why is the argument against more than 3 hops that both-ends attacks are the enemy?  Wouldn't it be better to have more than 3 if the enemy cannot mount a both-ends attack?'''
     63-- I know that improvements to DNS handling are due in 1.2.x-final (see bug #364). -- I've just tried a comparison of Firefox loading gmail using privoxy and polipo under Tor 0.1.2.17. Using privoxy the site did not load, but with polipo it loaded normally. Can anyone confirm this?
     64
     65'''Why is the argument against more than 3 hops that both-ends attacks are the enemy? Wouldn't it be better to have more than 3 if the enemy cannot mount a both-ends attack?'''
    5266
    5367This is two questions, really.
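Review bot: "some browser cache Privoxy's error messages" in the reflowed Privoxy answer should read "some browsers cache", and the new reply under the gmail question runs two separate comments (the "improvements to DNS handling are due in 1.2.x-final (see bug #364)" remark and the privoxy-versus-polipo comparison) together on one line with "--" separators; put each on its own line so the second, which asks for confirmation, reads as a distinct question. The control-port instruction "authenticateCRLFsignal newnymCRLF" is unchanged context here, but while this region is being edited it would be clearer in a {{{ }}} block with each CRLF shown as a line break.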
     
    5973Now, what information are you - the attacker - trying to find? Who is talking to who? Content of some transmissions? Both?
    6074
    61 Well, for finding content of transmissions your best way is to just listen in on some exit nodes.. or create some malicious ones. That's not the attack threat we're trying to defend against, then.
    62 For finding who is talking to who? Ok, let's say that's what we're trying to find out.
     75Well, for finding content of transmissions your best way is to just listen in on some exit nodes.. or create some malicious ones. That's not the attack threat we're trying to defend against, then. For finding who is talking to who? Ok, let's say that's what we're trying to find out.
    6376
    6477From this perspective, what is needed to mount a both-ends attack? Listening on both ends. If there is some mitigation technique used - like random timing - compromising those both ends could come in handy (at this point, more hops would really be useful). But there isn't - AFAIK - and so we shall suppose that listening on both ends is enough.
     
    7689Despite this, it's possible that having number of hops as an easily configurable option is not a bad idea... I would guess that there is an excess of middle-man nodes with the recent draconian laws in some parts of the Western oh so free world that make people interested in privacy yet at the same time too scared to actually stick their neck out. In this case, Tor as a network would likely not lose much by doing that.
    7790
     91*** I ommitted elaboration of the cases where more hops would be really useful (I think I forgot about it..). These cases are generally when traffic originating from an exit node is wanted to be tracked down and a response can be made quickly, but does not have global observer capabilities. In that case, in order to find the entry node, going through each hop is the only sensible solution in a network with > 50 servers. How much you would gain from extra hops is difficult to answer.. it would depend, I think, on how often circuits rotate and the probability of a hop being out of the grasp of the attackers. Hops are, I think, probably most useful when you - or your data - specifically are being targeted..
     92
    7893'''How can I be sure that sending DNS through tor doesn't get spoofed sites?'''
    7994
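Review bot: the added elaboration has "ommitted" for "omitted", and the clause "but does not have global observer capabilities" has lost its subject; "when the attacker wants to track down traffic originating from an exit node, can respond quickly, but does not have global observer capabilities" reads correctly and keeps the argument intact.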
     
    8297'''How does tor relate to ipv6 and how should typical applications handle ipv6 if they use tor (or tor via Privoxy)?'''
    8398
    84 
    85 ---- /!\ '''Edit conflict - other version:''' ----
    8699Like a dog talking to a quasar... I never was good with similes.
    87100
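Review bot: dropping the "Edit conflict - other version" marker is the right cleanup, but the line left under the ipv6 question, "Like a dog talking to a quasar... I never was good with similes.", is not an answer and now stands alone as if it were one; either remove it or replace it with whatever the other edit-conflict version said about ipv6, if that text still exists.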
     
    94107'''What version of libevent should I be using?'''
    95108
    96 the latest.  at least 1.1
     109the latest. at least 1.1
    97110
    98111'''How to use Tor in squid? For using Tor on a network using Squid as proxy, for example...'''
     
    100113'''How to use Tor with PF (Packet Filter, found in OpenBSD, NetBSD, DragonFlyBSD and FreeBSD)?'''
    101114
    102 
    103 
    104 '''How does Tor work with tabbed browsing, say with Firefox?  Do these requests all follow the same circuit through the Tor network? Can an eavesdropper link a user across all sites opened simultaneously in tabs?'''
     115'''How does Tor work with tabbed browsing, say with Firefox? Do these requests all follow the same circuit through the Tor network? Can an eavesdropper link a user across all sites opened simultaneously in tabs?'''
    105116
    106117ver 1.5 Works fine for me, I use No-Script Plugin to help be even safer. Anyone else have a problem with Firefox. Weither the request follow the same curcuit is out of my realm. My surfing experience is good to just fine. ProBastion
    107118
    108 They will most likely all use the same circuit.  http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#ChangePaths
     119They will most likely all use the same circuit. https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#ChangePaths
    109120
    110121'''When using the Tor/Privoxy configuration, is there an easy way to switch Privoxy between using Tor and using the standard connection (to allow for secure browsing, but also allowing a more direct connection when needed to keep large file transfers from bogging down in Tor)?'''
    111122
    112 It is possible to do this - however, it involves manually editing the config files for Privoxy, as well as possessing administrative/sudo access for your machine.  Also, once Privoxy is toggled to use a direct connection instead of Tor, your IP will be visible, and Privoxy does n ot provide as much security alone as it does with Tor.
    113 
    114 If you wish to do this, you will need to make a copy of your Privoxy config file, and comment out the line that causes Privoxy to use the Tor service.  Once you have done this, to switch over, just stop Privoxy, swap the config files, and restart it. You can also automate the process with a very simple shell script - an OSX version including sample config files and a shell script can be found [http://idlecircuits.com/privoxyswitcher.zip here], and the script can be used as an example for other *nix systems.
    115 
    116 '''Tor works fine for POP3 email. But, Whistle-blowers and others who need anonymous
    117 political free speech must have reliable SSL smtp email services. How can Tor be used
    118 by them when *all* smtp ports, eg, ports 25, 465, 587, etc are now blocked by Tor exit
    119 servers? Blocking port 25 helps to defeat spammers, but the smtp SSL/TLS ports are not
    120 generally not used by them. Is there any solution with Tor to help the free speech folk
    121 and others who need to use secure, reliable smtp services? (votes: 6)'''
    122 
     123It is possible to do this - however, it involves manually editing the config files for Privoxy, as well as possessing administrative/sudo access for your machine. Also, once Privoxy is toggled to use a direct connection instead of Tor, your IP will be visible, and Privoxy does n ot provide as much security alone as it does with Tor.
     124
     125If you wish to do this, you will need to make a copy of your Privoxy config file, and comment out the line that causes Privoxy to use the Tor service. Once you have done this, to switch over, just stop Privoxy, swap the config files, and restart it. You can also automate the process with a very simple shell script - an OSX version including sample config files and a shell script can be found [[http://idlecircuits.com/privoxyswitcher.zip|here]], and the script can be used as an example for other *nix systems.
     126
     127-- In fact, there is no need to stop/restart privoxy. On my system, I have the privoxy config file owned by me, so I can edit it directly. Changing between tor and no-tor is as simple as editing one line.
     128
     129Here's the relevant lines from my privoxy config file:
     130
     131{{{
     132# Tor:
     133#
     134## forward-socks4a / localhost:9050 .
     135forward-socks4a .onion localhost:9050 .
     136
     137# Do not torrify these (high volume/speed concerns, as well as PhP BBS
     138# systems that consider a changed IP to be a new login.):
     139forward .blood-bowl.net .
     140forward .qemu-forum.ipi.fi .
     141}}}
     142The line with "##" on it is the line to toggle. Remove those to enable tor, add them to disable tor.
     143
     144NB: Every PHP BBS site I've seen will consider you to have logged out and relogged in if your IP address -- as seen by the PHP site -- changes. This means that if tor ever switches circuits and changes exit node, those sites will reset your "unread messages". I have not been able to find a decent way to solve this with TrackHostExits, given that vidalia will overwrite my tor config occasionally (and has no support for adding these internally, so I have two editors trying to change the tor config), the length of time needed to track varies from 30 minutes at some (forced logout after thirty minutes of idle time) to 24 hours at others, dealing with the occasional dead exit node (and then you need to use a new exit node earlier), etc. And, my list of exception sites is currently 26 lines long.
     145
     146'''Tor works fine for POP3 email. But, Whistle-blowers and others who need anonymous political free speech must have reliable SSL smtp email services. How can Tor be used by them when *all* smtp ports, eg, ports 25, 465, 587, etc are now blocked by Tor exit servers? Blocking port 25 helps to defeat spammers, but the smtp SSL/TLS ports are not generally not used by them. Is there any solution with Tor to help the free speech folk and others who need to use secure, reliable smtp services? (votes: 6)'''
     147
     148You could either use an SMTP service running on a nonstandard port (there are a few places that provide these), or the simplest method - use a webmail account instead.  (Remember that using plain POP3 is a really bad idea, especially over Tor - I run an exit node and see dozens of valid cleartext usernames and passwords going to POP3 servers all the time.)
     149
     150[[http://archives.seul.org/or/talk/Sep-2008/msg00025.html|As of September 2008, the default exit policy]] in the alpha versions no longer blocks ports 465 and 587, so you should be able to submit email anonymously by now.
    123151
    124152'''How would one route his email through Tor? My email client (Microsoft Entourage for Mac OS X) has support for SOCKS and TUNNEL proxies, but setting my mail proxy for SOCKS 127.0.0.1 port 9050 or 8118 both produces errors when trying to proxy to SSL SMTP servers via port 25. What am I missing here? Also, setting this proxy doesn't seem to affect incoming POP3 SSL mail, but only affects outgoing mail, albeit without success. A little guidance on how to configure POP3 email clients to use Tor would be much appreciated!'''
    125153
    126 An attempt to answer the smtp email questions above: The Tor exit servers are likely blocking smtp port 25 in an attempt to stop spammers. Some Tor exit servers *sporadically* allow TLS/SSL smtp over ports 587, 995, etc., but at the present time there is no consistent, reliable policy or service.  (Also your remote email provider must support the use of alternate smtp ports such as those above.) You could use the remailer network but there can be reliability problems with them. Of greater importance is the fact that the remailer network does NOT accept large messages, e.g., scanned documents which can easily be many MB each. If you are a whistleblower or other person who needs to send large documents quickly and anonymously, you have a real problem. At this moment, Tor is not the answer.
    127 
    128 
    129 '''Can Tor be used in a network that has NO DEFAULT ROUTE?  The only access method from this network is to use a traditional proxy.  Is there a way to chain proxies so that TOR requests are sent outbound via the standard proxy? (votes: 1)'''
     154An attempt to answer the smtp email questions above: The Tor exit servers are likely blocking smtp port 25 in an attempt to stop spammers. Some Tor exit servers *sporadically* allow TLS/SSL smtp over ports 587, 995, etc., but at the present time there is no consistent, reliable policy or service. (Also your remote email provider must support the use of alternate smtp ports such as those above.) You could use the remailer network but there can be reliability problems with them. Of greater importance is the fact that the remailer network does NOT accept large messages, e.g., scanned documents which can easily be many MB each. If you are a whistleblower or other person who needs to send large documents quickly and anonymously, you have a real problem. At this moment, Tor is not the answer.
     155
     156'''Can Tor be used in a network that has NO DEFAULT ROUTE? The only access method from this network is to use a traditional proxy. Is there a way to chain proxies so that TOR requests are sent outbound via the standard proxy? (votes: 1)'''
    130157
    131158Maybe. If you can get some routes for the Tor servers, then that of course is great.... assuming it must go through the proxy, however, it will need to support sending Tor requests.
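Review bot: in the added Privoxy config, the toggle described by "Remove those to enable tor, add them to disable tor" refers to the "##" in front of "forward-socks4a / localhost:9050 ."; say so explicitly, and note that with that line commented out the ".onion" rule still sends hidden-service addresses through Tor while everything else, including the two "forward ... ." exception sites, goes out directly from the real IP. That direct-by-default behaviour is exactly the "your IP will be visible" caveat from the answer two paragraphs up, so the snippet should repeat it rather than rely on the reader having read that far. Also "does n ot provide" is carried over from v1 and should be "does not provide".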
     
    139166You could try doing something with OpenVPN; personally, I don't have any experience with it... but I'm guessing you could do something neat with it (I remember someone setting up an OpenVPN with Tor being used to route things.. so it supports socks, I think, in some way. In that case, assuming the proxy is socks... all done :) Oterwise, you could write an interface to make it socks).
    140167
    141 
    142168'''Can I help? (votes: 2)'''
    143169
    144 http://tor.eff.org/volunteer.html
     170https://www.torproject.org/volunteer.html
    145171
    146172'''I've got a bug, now what? (votes: 2)'''
    147173
     174The following is a quick summary of the information already in the [[TheOnionRouter/TorFAQ#ReportBug|FAQ entry]].
     175
     1761) Make sure that it is an actual bug with Tor, and not with Privoxy, Vidalia, your OS, etc.
     177
     1782) Check to see if it's an unreported bug (at the [[https://bugs.torproject.org/flyspray/index.php?tasks=all&project=4|bug tracker]]).
     179
     1802a) If it's already reported, then see if you can add anymore information (in the comments of that bug) that will help the developers duplicate it and/or track it down. (This step requires you to login to your account at flyspray, or to create a new account.)
     181
     1822b) If it's not already reported, then start a new report with as much relevant information as possible. Relevant information includes tor version number, OS used, any relevant lines from the log, and what you were trying to do that caused the bug. (This step requires you to login to your account at flyspray, or to create a new account.) You may want to read [[http://www.chiark.greenend.org.uk/~sgtatham/bugs.html|How to Report Bugs Effectively]].
     183
    148184'''How does Tor relate to the Freedom Project? (votes: 1)'''
    149185
     186This question is answered in this [[TheOnionRouter/TorFAQ#ComparisonFreedom|FAQ entry]].
     187
    150188'''Is there any way to forward an ident response via TOR so that the ident doesn't come back as whatever the end server wants, but your normal response? (votes: 1)'''
    151189
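Review bot: the new bug-reporting steps repeat "(This step requires you to login to your account at flyspray, or to create a new account.)" verbatim under both 2a) and 2b); state it once after step 2. "anymore information" should be "any more information", and "Oterwise" in the OpenVPN paragraph, unchanged from v1, should be "Otherwise".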
     
    154192'''How can I uninstall tor? (votes: 1)'''
    155193
    156 
    157 
    158 
    159 '''I have legal questions about running Tor. Is there anybody I can contact? ( votes: 1)'''
    160 
    161 Added 2.1.06- The Developers do not provide Legal advice. period! Over at the Tor Legal FAQ there is a written section by EFF lawyers. It aims to give you an overview of some of the legal issues that arise from the Tor project. Read the Disclaimer. The FAQ does provide a dialougue on the legalality & posssible scenarios of operating a Tor Server. They also provide you with contact information to a EFF Lawyer. The Tor FAQ also provides a links to an Abuse FAQ, & Tor Technical FAQ Wiki.  See this address for more information along these lines. http://tor.eff.org/faq.html
    162 
     194'''I have legal questions about running Tor. Is there anybody I can contact? ( votes: 1)'''
     195
     196Added 2.1.06- The Developers do not provide Legal advice. period! Over at the Tor Legal FAQ there is a written section by EFF lawyers. It aims to give you an overview of some of the legal issues that arise from the Tor project. Read the Disclaimer. The FAQ does provide a dialougue on the legalality & posssible scenarios of operating a Tor Server. They also provide you with contact information to a EFF Lawyer. The Tor FAQ also provides a links to an Abuse FAQ, & Tor Technical FAQ Wiki. See this address for more information along these lines. https://www.torproject.org/documentation#Support
    163197
    164198'''If I set up Tor to only act as a router node (reject *:* in torrc) can I still be a contact point for hidden services?'''
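Review bot: the legal-questions answer still says "See this address for more information along these lines", but the address is now https://www.torproject.org/documentation#Support, a general documentation anchor, where v1 pointed at http://tor.eff.org/faq.html; confirm the new target actually reaches the Legal FAQ the paragraph describes, or link the Legal FAQ directly. Spelling carried over from v1: "dialougue", "legalality", "posssible", "a EFF Lawyer" (an EFF lawyer), "provides a links".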
     
    170204Yes. Indeed, if all the servers in a circuit are compromised then they need not even be communicated with.. the entry node can decipher for all the (possibly even non-existent) nodes. In order to maintain a superficial view of anonymity, it would probably be good to forward it to the exit server however.
    171205
    172 '''What system resources does a TOR server use?  The FAQ already dicusses memory a bit.  What about CPU?  Encryption is CPU-intensive.  Specific question I'd like answered: I'll be setting up a TOR node bandwidth-limited to about 256kbps (half my upstream bandwidth).  Will an old 300MHz G3 Mac easily handle this, or will a faster processor be needed? How 'bout a P90?  Presumably, TOR's disk usage and I/O is minimal.''' (Votes: 1)
    173 
     206'''What system resources does a Tor server use? The FAQ already discusses memory a bit. What about CPU? Encryption is CPU-intensive. Specific question I'd like answered: I'll be setting up a TOR node bandwidth-limited to about 256kbps (half my upstream bandwidth). Will an old 300MHz G3 Mac easily handle this, or will a faster processor be needed? How 'bout a P90? Presumably, TOR's disk usage and I/O is minimal.''' (Votes: 1)
     207
     208On older machines, probably reliability (antiques belong in museums) and memory are bigger concerns than processor speed. You'll want to avoid swap (Tor's disk usage is rather low, but not if you're swapping...), so make sure your memory's adequate (my server runs with a load about half what you mention and, according to ps, is claiming 65MB of RAM). Based on system loads from newer machines, simple multiplication, and a large margin of error, if you're running an otherwise light load under Linux or BSD, the 300MHz machine should work just fine.
    174209
    175210== Cannot resolve Foo.onion/Resolve requests to hidden services not allowed ==
    176 
    177 tor-resolve doesnt seem to work, i get this:
    178 {{{connection_ap_handshake_process_socks():  Resolve requests to hidden services not allowed. Failing.}}}
    179 from the copy of tor running locally. Please help!
    180 
    181 (from original questioner: thank you.  I got the mistaken idea that this would work because it is suggested in the 'how to torrify an application' article on this wiki.  It makes more sense now.  Someone who understands better might want to upate that document)
    182 
    183 This question is answered; see 'How Do I Access Tor Hidden Servers.'  You get this message when you try to use tor-resolve to resolve the address of a hidden service.  But hidden services are ''hidden'' - they don't *have* an IP address you can use.  Instead, you need to pass the hostnames to Tor directly.
     211tor-resolve doesn't seem to work, i get this: {{{connection_ap_handshake_process_socks():  Resolve requests to hidden services not allowed. Failing.}}} from the copy of tor running locally. Please help!
     212
     213(from original questioner: thank you. I got the mistaken idea that this would work because it is suggested in the 'how to torrify an application' article on this wiki. It makes more sense now. Someone who understands better might want to update that document)
     214
     215This question is answered; see [[TheOnionRouter/TorFAQ#AccessHiddenService|How Do I Access Tor Hidden Servers.]] You get this message when you try to use tor-resolve to resolve the address of a hidden service. But hidden services are ''hidden'' - they don't *have* an IP address you can use. Instead, you need to pass the hostnames to Tor directly.
    184216
    185217== Clock Skew ==
    186 My system clock is behind 3 days and I don't have permission to change it.
    187 Therefore all the certificates are invalid.
    188 Is there a runtime option to skew the time?
     218My system clock is behind 3 days and I don't have permission to change it. Therefore all the certificates are invalid. Is there a runtime option to skew the time?
    189219
    190220This should not a problem as of 0.0.9pre6.
    191221
    192222== Does not connect to port xyz ==
    193 All of a sudden, Tor will no longer let me connect to my distant smtp server.
    194 The smtp port used is 587 and the connection is SSL. Why is this now happening?
    195 
    196 587 isn't in the default exit policy. The tor node known as bollox had an
    197 accept everything policy so your port 587 requests would have always gone through that.
    198 As bollox is no longer around there are no exit nodes that allow port 587. If you
    199 control this smtp server, try changing it's port number to something over 1024.
     223All of a sudden, Tor will no longer let me connect to my distant smtp server. The smtp port used is 587 and the connection is SSL. Why is this now happening?
     224
     225587 isn't in the default exit policy. The tor node known as bollox had an accept everything policy so your port 587 requests would have always gone through that. As bollox is no longer around there are no exit nodes that allow port 587. If you control this smtp server, try changing it's port number to something over 1024.
    200226
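Review bot: the reflowed answer at new line 225 still rests entirely on one named relay ("bollox") having been the only exit accepting 587, and it keeps "try changing it's port number" (should be "its"). Rather than asserting that no exit allows port 587, point the reader at the default exit policy's reject list, which is the only stable basis for saying which ports will or will not exit; advice tied to a single relay goes stale as soon as the relay set changes.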
    201227== Debian and how to use the package management system ==
    202 
    203228Also would recomend posting default config files for debian online since apt will not reinstall them if they are removed (/etc/init.d/tor and /etc/torrc for example)
    204229
    205 '''Answer''': RTFM.  dpkg differentiatea between two states of package removal.
    206 There's ''remove'', which will just remove the normal files a package comes with,
    207 and there's ''purge'', which will remove configuration files also.  Changes to your
    208 configuration (like you removing them) are kept over a remove/install cycle.  If
    209 you want them to installed anyway, you should install with
    210 {{dpkg --force-confmiss --install tor...deb}}
    211 or just purge tor (which will delete /var/lib/tor with its keys if you are a server!), and then install it again.
     230'''Answer''': RTFM. dpkg differentiatea between two states of package removal. There's ''remove'', which will just remove the normal files a package comes with, and there's ''purge'', which will remove configuration files also. Changes to your configuration (like you removing them) are kept over a remove/install cycle. If you want them to installed anyway, you should install with {{dpkg --force-confmiss --install tor...deb}} or just purge tor (which will delete /var/lib/tor with its keys if you are a server!), and then install it again.
    212231
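Review bot: the reflow at new line 230 preserves two errors from the old lines 205-210: "dpkg differentiatea" (should be "differentiates") and "If you want them to installed anyway" (missing "be"). The inline command also uses two braces, {{dpkg --force-confmiss --install tor...deb}}, whereas every other code fragment on this page uses the three-brace {{{ }}} form (compare new lines 242-245), so it will not render as code; change it to {{{dpkg --force-confmiss --install tor...deb}}}. The warning that purge deletes /var/lib/tor and the relay keys is the most important sentence in the answer and deserves to stand on its own rather than trailing the alternative.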
    213232== . ==
    214 After uninstalling everything then reinstalling on debian (using apt-get of course) nothing loads in a browser or anything, eventually a 503 will come up.  Tor is running and privoxy is running, both correctly configured(I think). If this is a configuration problem, where can I find more information about configuration in debian?
    215 
    216 '''Answer''': Duh.  Have you checked out {{{/etc/tor}}}?  What about {{{/var/log/tor}}} and {{{/usr/share/doc/tor}}}? Why do you think it would be any different than on other OSs?
     233After uninstalling everything then reinstalling on debian (using apt-get of course) nothing loads in a browser or anything, eventually a 503 will come up. Tor is running and privoxy is running, both correctly configured(I think). If this is a configuration problem, where can I find more information about configuration in debian?
     234
     235'''Answer''': Duh. Have you checked out {{{/etc/tor}}}? What about {{{/var/log/tor}}} and {{{/usr/share/doc/tor}}}? Why do you think it would be any different than on other OSs?
    217236
    218237== Privoxy config ==
    219 
    220238Similar to above, on brand new install of sarge with tor and privoxy browser, gaim, etc will spend a long time trying to connect eventually failing with 503, if tor is not running a 503 is instant.
    221239
    222 '''Answer''': Privoxy by default does not allow CONNECT to ports other than 443.  Fix your privoxy config.
    223 
    224 {{{weasel@galaxy:/etc/privoxy$ grep limit.con default.action | grep -v '^#'
     240'''Answer''': Privoxy by default does not allow CONNECT to ports other than 443. Fix your privoxy config.
     241
     242{{{
     243weasel@galaxy:/etc/privoxy$ grep limit.con default.action | grep -v '^#'
    225244+limit-connect{1-} \
    226245}}}
    227 
    228246(If someone writes a proper question, this might actually go into the FAQ)
    229247
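Review bot: putting the {{{ fence on its own line (new lines 242-245) is the right fix for the rendering, but the example shown, +limit-connect{1-}, opens CONNECT to every port, and the answer should say so. That is fine for a Privoxy bound to 127.0.0.1 and used only by the local user, but a Privoxy that listens on a LAN interface with limit-connect{1-} becomes a CONNECT relay to any port through Tor for anyone who can reach it. Suggest noting the default is 443 only, and that a narrower list (the ports the user actually needs) is the safer change.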
     
    231249'''Question''': Can I configure Tor so it will only use the onion routing network for some sites but not others?
    232250
    233 '''Answer''': No, Tor itself is all or nothing, a request either goes through it or it does not.
    234 
    235 Privoxy is also all or nothing in the sense that if a request has made it to Privoxy then either Privoxy is set up to go through Tor or it's not, there does not appear to be a way to program Privoxy so it will use Tor for some requests but not others.
    236 
    237 There is a script for OS X, available [http://idlecircuits.com/privoxyswitcher.zip here], that will make it such that Privoxy never uses Tor but this is an 'all or nothing' mechanism. The script will either start Privoxy such that all requests go through Tor or no requests go through Tor.
    238 
    239 There is one mechanism that is at least useful for web browsers, it's called a pac file. It was invented by Netscape, the original documentation is available [http://wp.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html here], but it is now supported by all major browsers. One can use a pac file to program the browser to use the Privoxy proxy for certain requests but not others. For example, the following pac file will cause all requests to Google or to the special Privoxy configuration addresses to be sent to Privoxy (and hence Tor) but will allow other other requests to go out without Privoxy/Tor being used:
     251'''Answer''': No, Tor itself is all or nothing, a request either goes through it or it does not.
     252
     253For privoxy, however, you can use forward lines to make some hosts use tor, some use the normal system, and others use whatever other proxy you want.
     254
     255{{{
     256forward-socks4a / localhost:9050 .
     257forward-socks4a .onion localhost:9050 .
     258
     259# Do not torrify these (high volume/speed concerns, as well as PhP BBS
     260# systems that consider a changed IP to be a new login.):
     261forward .blood-bowl.net .
     262forward .youtube.com .
     263forward .qemu-forum.ipi.fi .
     264forward .vidalia-project.net .
     265}}}
     266Here is an example. This uses privoxy for all sites (ad filtering, etc), and then specifies that some sites go through tor, and some do not.
     267
     268Privoxy uses the LAST match. So, the first line says "Use Tor by default". It can be turned off. The second line says "Always use Tor for .onion". After that are lines for "Never use Tor for these".
     269
     270Older, wrong information: Privoxy is also all or nothing in the sense that if a request has made it to Privoxy then either Privoxy is set up to go through Tor or it's not, there does not appear to be a way to program Privoxy so it will use Tor for some requests but not others.
     271
     272There is a script for OS X, available [[http://idlecircuits.com/privoxyswitcher.zip|here]], that will make it such that Privoxy never uses Tor but this is an 'all or nothing' mechanism. The script will either start Privoxy such that all requests go through Tor or no requests go through Tor.
     273
     274There is one mechanism that is at least useful for web browsers, it's called a pac file. It was invented by Netscape, the original documentation is available [[http://wp.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html|here]], but it is now supported by all major browsers. One can use a pac file to program the browser to use the Privoxy proxy for certain requests but not others. For example, the following pac file will cause all requests to Google or to the special Privoxy configuration addresses to be sent to Privoxy (and hence Tor) but will allow other other requests to go out without Privoxy/Tor being used:
    240275
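Review bot: the new forward example at new lines 255-265 drops the warning the page itself still gives for the pac-file approach at line 255/289: selective routing leaks the real client address and DNS lookups for every host on the "do not torrify" list, and any third-party page that embeds a resource from one of those domains triggers the direct path without the user noticing. That caveat applies to Privoxy forward exceptions just as much as to a pac file and should be restated next to the example instead of only under "Older, wrong information". Two smaller points: "forward-socks4a / localhost:9050 ." relies on "localhost" resolving to 127.0.0.1, which is where Tor's SocksPort listens by default; on a host where localhost resolves to ::1 first the forward fails, so 127.0.0.1:9050 is the safer spelling. And the sentence "Here is an example." at new line 266 comes after the block it introduces; move it, together with the "last match wins" explanation at new line 268, above the block.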
    241276{{{
    242277function FindProxyForURL(url, host) {
    243         if (shExpMatch(host,"*google.*") ||
    244             shExpMatch(host,"config.privoxy.org") ||
    245             shExpMatch(host,"p.p"))
    246                 return "PROXY 127.0.0.1:8118";
    247         return "DIRECT";
     278        if (shExpMatch(host,"*google.*") ||
     279            shExpMatch(host,"config.privoxy.org") ||
     280            shExpMatch(host,"p.p"))
     281                return "PROXY 127.0.0.1:8118";
     282        return "DIRECT";
    248283}
    249284}}}
    250 
    251285To configure Firefox to use a pac file under OS X go to Firefox->preferences->General->Connection Settings...->Automatic proxy configuration URL:. Enter in a URL (you can use file:// to point to a local file) that points to your pac file and click reload.
    252286
     
    255289The pac file solution is far from ideal. It won't apply to non-web access and it runs into problems such as the bad pac file support in Safari. It also is not secure. A malicious website can trivially bypass this mechanism by placing pictures on its website from domains that it controls but are unlikely to be on a 'black list'. Therefore this mechanism is only useful with Websites that are not in and of themselves malicious but rather, due to their nature, can collect substantial amounts of personal information that one would rather not release. A search engine is a classic example. If and when privacy is a critical concern then the only proper course of action is to get rid of the pac file and instead configure all connections to go through privoxy/tor.
    256290
    257 
    258 
    259 '''I've been banned as an contributor at Slashdot! I run a Win 2003 server, with a decent pipe. They said that if I blocked them they would let me contribute again. I did an edit on my torrc file by adding a line:
     291'''I've been banned as an contributor at Slashdot! I run a Win 2003 server, with a decent pipe. They said that if I blocked them they would let me contribute again. I did an edit on my torrc file by adding a line: '''
    260292
    261293reject *:66.35.250.150 (which is Slashdot.com by using an online DNS 'dig' page
    262294
    263 I add the above right after my default exit. Which was just this:
    264 #ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more
    265 ExitPolicy accept *:119 # accept nntp as well as default exit policy
    266 #ExitPolicy reject *:* # middleman only -- no exits allowed
    267 reject *:66.35.250.15
    268 
    269 Is this the way to do this, and just block Slashdot? Any help would be helpful, I've googled, did the tor.eff site, etc. But I'm not real UNIX centric (though thats changing) so just wanted to run it by some community persons. '''
    270 
     295I add the above right after my default exit. Which was just this: #ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more ExitPolicy accept *:119 # accept nntp as well as default exit policy #ExitPolicy reject *:* # middleman only -- no exits allowed reject *:66.35.250.15
     296
     297Is this the way to do this, and just block Slashdot? Any help would be helpful, I've googled, did the torproject.org site, etc. But I'm not real UNIX centric (though thats changing) so just wanted to run it by some community persons.
    271298
    272299Well, you don't appear to allow exits on HTTP ports so I don't know why they blocked you. Fascists? [Ed. Fascists put their belief into the state... I doubt Slashdot does. Really, it's authoritarian]
    273300
    274 Anyway, you should probably block their IP rather than ports that happen to be theirs ;) (which don't exist - surprised tor let you do that..)
    275 
     301Anyway, you should probably block their IP rather than ports that happen to be theirs ;-) (which don't exist - surprised tor let you do that..)
     302
     303To clarify, the syntax is ''ip-address'':''port'', so reject *:66.35.250.15 is blocking all requests to exit port number 66.35.250.15 at all ip addresses. This obviously doesn't make sense. What you want to do is reject 66.35.250.15:* to block all slashdot traffic.
     304
     305Also, the fourth line of this page reads: ''this is '''not the place''' for random it doesn't work or how do I do foo questions.''
    276306
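Review bot: the reflow at new line 295 collapsed the questioner's four torrc lines onto one line, so "#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more" now comments out the ExitPolicy accept *:119 and reject lines that follow it; the excerpt needs to go back into a {{{ }}} block with one directive per line. The added clarification at new line 303 fixes the address/port order, but the corrected form it gives, "reject 66.35.250.15:*", is still not a torrc directive on its own: it needs the ExitPolicy keyword, i.e. ExitPolicy reject 66.35.250.15:*, which is presumably why the questioner's bare "reject" line did nothing. Since exit policies are evaluated first to last with the first match winning, the reject line also has to precede ExitPolicy accept *:119 or port 119 to that address will still be accepted. Finally the question itself gives two different addresses, 66.35.250.150 at line 261/293 and 66.35.250.15 at new line 295, and the opening parenthesis on line 261/293 is never closed.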
    277307'''What is the significance of the changes in the Bittorrent Torify HOWTO?'''
    278308
    279 I noticed I can't connect with btdownloadcurses through proxychains any more. Looking for answers, I went back to the Torify HOWTO and noticed that it had been altered. Where it used to explain about using proxychains to run bittorrent through TOR, which I used successfully for over a year, it now says that Bittorrent "uses a mechanism similar to TOR." That was certainly news to me. How is the generic Bittorrent client technically similar to TOR in any way? I have always heard that the generic Bittorrent client offers almost no anonimity at all. Now I'm reading that Bittorrent and TOR are practically the same thing and it would be redundant to use them together. Seems a bit curious.
    280 
    281 As a sub-question, let me just ask directly: Is it true that Bittorrent through TOR via proxychains no longer works? 
    282 
    283 Also, the same page now mentions a technique of using Tor to connect to the tracker only, as opposed to the peers, by including the line --tracker-proxy 127.0.0.1:8118: on the command line. However, I see no documentation of this option in the btdownloadcurses client and I find it a bit suspicious that the format of this option uses a hyphen rather than an underscore as all the other command line options that are listed as being compatible with btdownloadcurses use underscores to separate options with two words such as --check_hashes <arg> or --report_hash_failures <arg>. Is that a typo or an undocumented option that just happens to deviate from the naming convetion of all the other options?
     309I noticed I can't connect with btdownloadcurses through proxychains any more. Looking for answers, I went back to the Torify HOWTO and noticed that it had been altered. Where it used to explain about using proxychains to run bittorrent through TOR, which I used successfully for over a year, it now says that Bittorrent "uses a mechanism similar to TOR." That was certainly news to me. How is the generic Bittorrent client technically similar to TOR in any way? I have always heard that the generic Bittorrent client offers almost no anonymity at all. Now I'm reading that Bittorrent and TOR are practically the same thing and it would be redundant to use them together. Seems a bit curious.
     310
     311As a sub-question, let me just ask directly: Is it true that Bittorrent through TOR via proxychains no longer works?
     312
     313Also, the same page now mentions a technique of using Tor to connect to the tracker only, as opposed to the peers, by including the line --tracker-proxy 127.0.0.1:8118: on the command line. However, I see no documentation of this option in the btdownloadcurses client and I find it a bit suspicious that the format of this option uses a hyphen rather than an underscore as all the other command line options that are listed as being compatible with btdownloadcurses use underscores to separate options with two words such as --check_hashes <arg> or --report_hash_failures <arg>. Is that a typo or an undocumented option that just happens to deviate from the naming convention of all the other options?
    284314
    285315'''How do you start and stop Tor and Privoxy in OS X (Panther) if you did not install the startup script? (needs to be added to installation instructions)'''
    286316
    287 '''How do you configure the proxy if you are using Tor and Privoxy in OS X (Panther) with a router's firewall and the built-in OS X firewall, e.g. when using Wi-fi to connect to wireless router?  (needs to be added to installation instructions)'''
     317On my system, the privoxy startup file ultimately runs {{{sudo $INSTALLDIR/privoxy --pidfile $pidfile }}}
     318
     319with INSTALLDIR being where you installed it, and pidfile being a filename that will hold the process ID.
     320
     321Tor can be started as a normal user -- just run the tor program. On my system, it runs as {{{/usr/bin/tor ControlPort 9051}}}
     322
     323Note that Vidalia is responsible for starting tor, normally.
     324
     325'''How do you configure the proxy if you are using Tor and Privoxy in OS X (Panther) with a router's firewall and the built-in OS X firewall, e.g. when using Wi-fi to connect to wireless router? (needs to be added to installation instructions)'''
     326
     327I'm not sure that this is OS X specific. For any firewall, you need to add two incoming ports, 9001 and 9030 by default, to the list of approved ports.
     328
     329For Mac OS X, go to control panel, sharing, firewall, and then click "new" twice. The first one is port 9001, label "Tor Server", the second is port 9030, label "Tor Directory Mirror". Both of these are TCP ports, and the "port name" field should be "other".
     330
     331If you have BOTH the Os X firewall, and the router firewall, then you also need to open those ports on the router. Details are router specific.
    288332
    289333'''What to do (troubleshooting) if browsing slows to a crawl with Tor and Privoxy running in OS X?'''
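Review bot: the firewall answer at new lines 327-331 answers a different question than the one asked. The question at new line 325 is about running Tor and Privoxy as a client behind a router and the OS X firewall; a client makes only outbound connections and needs no inbound ports opened, and its local listeners (Privoxy on 8118, Tor's SocksPort on 9050) should stay bound to loopback. Opening 9001 and 9030 inbound, labelled "Tor Server" and "Tor Directory Mirror", is the relay setup and only applies if the user is running a relay; the answer should say which case it covers. On the start/stop answer, the startup line at new line 317, "sudo $INSTALLDIR/privoxy --pidfile $pidfile", leaves Privoxy running as root; if the only reason for sudo is the pidfile or port, Privoxy's --user option can drop privileges after startup and is worth mentioning beside the line.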
     334
     335Somebody proposed the following solution, which ''should not be used'' as it will break Tor for everyone else.
     336
     337{{{
     338CircuitBuildTimeout 6
     339NewCircuitPeriod 3
     340ExcludeNodes charlesbabbage,tutzing,TFTor,freetux4ever
     341LongLivedPorts 80,23,21,22,706,1863,5050,5190,5222,5223,6667,8300,8888}}}
     342CircuitBuildTimeout causes the client to drop an uncompleted circuit after 6 seconds; it will cause your tor to build circuits more aggressively than other nodes. The default value is 60.
     343
     344Finally, port 80 is added to the "long lived ports" list. This will overload long lived ports, making tor unusable for people who need to use ssh over tor.
     345
     346'''I am running a Tor server on one computer on a network. Can I stop the other PCs on the same network from being k-lined on QuakeNet?'''
     347
     348'''Would it make sense to support binding to multiple ports in Tor server (e.g. to bind to ports 443, 22, 5190 etc.) for clients behind _really_ restrictive firewalls? If this was implemented one day, maybe you could also support binding to multiple specific IP addresses on multihomed servers?'''
     349
     350The changelog indicates that this has been possible since "version 0.0.7pre1 - 2004-06-02": ''Allow multiple instances of each BindAddress config option, so you can bind to multiple interfaces if you want.''
     351
     352The [[https://www.torproject.org/tor-manual.html.en|manual]] says this about the ''ORListenAddress'' configuration option: ''... This directive can be specified multiple times to bind to multiple addresses/ports.''
     353
     354It also says this about the ''DIRListenAddress'' configuration option: ''... This directive can be specified multiple times to bind to multiple addresses/ports.''
     355
     356'''What data does tor store on the hard disk when used as a relay?'''
     357
     358'''Is there a way to change the tor identity using javascript or any other client-side scripting language?'''
     359
     360
     361'''When i try to access Tor via usb on a windows XP comupter with restricted access(trying to give details...), the text above the loading bar, after saying ''connecting to a relay directory'' the words ''failed (no route to host)'' appear. What does this mean and how can I circumnavigate the error? More info would be that the computer I'm trying to use it on has a mass restriction and firewall on internet service(school type) which blocks specific websites or searches for a particular keyword... Anyways, why??'''
     362
     363 * When installing Tor on Ubuntu, the appropriate deb repository and signing keys are needed. I am attempting to produce instructions for the process that have very little, to absolutely no, use of the command line. The first issue is actually carrying out due process to verify the authenticity of the package signing key. The full fingerprint is given in the Ubuntu setup instructions, but little emphasis on the importance of checking it. Then, there are three signatures on this package signing key: EB5A896A28988BF5, DE7AAF6E94C09C7F, and 3B9D093F31B0974B. Where can I find these, and their full fingerprints?  And as a related point, would it not be possible to provide the deb repository over https: just for that extra degree of paranoia?
     364
    290365----
    291366CategoryHomepage
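Review bot: the "should not be used" config block at new lines 337-341 explains CircuitBuildTimeout and LongLivedPorts but says nothing about the other two lines it shows, NewCircuitPeriod 3 (which forces a fresh circuit far more often than the 30-second default) and ExcludeNodes naming four specific relays; either explain why each is harmful or drop them from the block, otherwise a reader cannot tell which settings are the problem. The closing }}} at new line 341 also sits on the same line as the last config line, unlike every other block on the page. In the multi-port answer at new lines 350-354, the changelog quote refers to BindAddress while the manual quotes refer to ORListenAddress and DirListenAddress; say that the option was renamed, and correct "DIRListenAddress" to the manual's "DirListenAddress". Lastly the Ubuntu signing-key item at new line 363 is formatted as a " * " bullet while every sibling question is a bold paragraph, and it bundles three separate questions (how to verify the fingerprint, where the three signing keys can be found, and whether the repository could be served over https); splitting it would make each answerable on its own.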