Changes between Version 27 and Version 28 of doc/FAQUnanswered


Timestamp:
Apr 23, 2010, 4:48:48 AM (9 years ago)
Author:
trac
Comment:

--

  • doc/FAQUnanswered

    v27 v28  
    88= Unanswered FAQ Questions =
    99
    10 1) '''Hidden services are currently very vulnerable to attacks by web hosts who come to suspect a machine in their network is being used for Tor. Since they can power cycle the server in question (and likely blame it on technical difficulties without arousing suspicion) they can make an unambiguous identification of a hidden service host.
    11 This could be prevented if the directory servers supported more than one provider for a hidden service and so could direct requests away from a non-responsive server (there may be other solutions). Of course this could also help provide more reliable hidden services in general. Is there any chance of this getting implemented in the near future?'''
    12 
    13 2) '''Why do I keep getting messages telling me that my clock has just jumped ahead and that my circuits will be assumed broken? ''(eg.
    14 Oct 02 10:14:53.619 [notice] Your clock just jumped 1056 seconds forward; assuming established circuits no longer work.'') I've got a cron job to sync the time every eight hours and it's never out by more than a second.'''
    15 
    16 -- On my system, this happens when Vidalia gets into trouble. It seems that when tor and V communicate, tor can wind up waiting for V to respond, or for the V process to be killed.
    17 
    18 
    19 3)'''If an attacker has access to past logs of ISP and any given visted site, does the prng of the tor client allow the attacker to guess which circuit it used next?'''
     10'''If an attacker has access to past logs of ISP and any given visted site, does the prng of the tor client allow the attacker to guess which circuit it used next?'''
    2011
    2112Tor uses cryptographically strong random numbers provided by OpenSSL when choosing nodes to use in a circuit. How OpenSSL implements this is operating system specific. If there's a weakness in Tor's method of choosing nodes, it probably isn't in the random number generator.
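Review bot: questions 1) (hidden-service hosts identifiable by a web host power-cycling the machine, and the request for multiple providers per hidden service) and 2) (the "Your clock just jumped 1056 seconds forward" message, with the follow-up note blaming Vidalia) are deleted outright with an empty change comment. The clock-jump question at least has a "== Clock Skew ==" section later on this page, but the hidden-service redundancy question has no other home here; either state in the change comment where it went or keep it. The surviving question also loses its "3)" prefix while no other numbering is adjusted, so the list ends up half-numbered.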
     
    5849*** For Gmail for me, it's even worse; I have to try 5 or 6 times before I get a page.
    5950
    60 -- I know that improvements to DNS handling are due in 1.2.x-final (see bug #364).
    61 -- I've just tried a comparison of Firefox loading gmail using privoxy and polipo under Tor 0.1.2.17.  Using privoxy the site did not load, but with polipo it loaded normally.  Can anyone confirm this?
    62 
    6351'''Why is the argument against more than 3 hops that both-ends attacks are the enemy?  Wouldn't it be better to have more than 3 if the enemy cannot mount a both-ends attack?'''
    6452
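Review bot: both follow-up notes under the Gmail complaint are removed and nothing replaces them: the pointer to DNS-handling improvements in 1.2.x-final (bug #364) and the concrete observation that, under Tor 0.1.2.17, Gmail failed to load through privoxy but loaded normally through polipo. The second one is a reproducible check that a reader with the same symptom can try in minutes. If it is being dropped because nobody confirmed it, say so in the change comment; otherwise it should stay with the question it answers.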
     
    9684'''How does tor relate to ipv6 and how should typical applications handle ipv6 if they use tor (or tor via Privoxy)?'''
    9785
     86
     87---- /!\ '''Edit conflict - other version:''' ----
    9888Like a dog talking to a quasar... I never was good with similes.
    9989
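Review bot: the added line "---- /!\ Edit conflict - other version: ----" is the marker the wiki inserts when two saves collide; it has been committed into the page instead of being resolved. Remove the marker and merge the two versions by hand. The pattern elsewhere in this revision (answers removed, links turned back into plain text, previously fixed typos reappearing) looks like the older side of that conflict being saved over the newer text, so the rest of the diff should be re-checked with that in mind.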
     
    125115
    126116If you wish to do this, you will need to make a copy of your Privoxy config file, and comment out the line that causes Privoxy to use the Tor service.  Once you have done this, to switch over, just stop Privoxy, swap the config files, and restart it. You can also automate the process with a very simple shell script - an OSX version including sample config files and a shell script can be found [http://idlecircuits.com/privoxyswitcher.zip here], and the script can be used as an example for other *nix systems.
    127 
    128 -- In fact, there is no need to stop/restart privoxy. On my system, I have the privoxy config file owned by me, so I can edit it directly. Changing between tor and no-tor is as simple as editing one line.
    129 
    130 Here's the relevant lines from my privoxy config file:
    131 {{{
    132 # Tor:
    133 #
    134 ## forward-socks4a / localhost:9050 . 
    135 forward-socks4a .onion localhost:9050 .
    136 
    137 # Do not torrify these (high volume/speed concerns, as well as PhP BBS
    138 # systems that consider a changed IP to be a new login.):
    139 forward .blood-bowl.net .
    140 forward .qemu-forum.ipi.fi .
    141 }}}
    142 The line with "##" on it is the line to toggle. Remove those to enable tor, add them to disable tor.
    143 
    144 NB: Every PHP BBS site I've seen will consider you to have logged out and relogged in if your IP address -- as seen by the PHP site -- changes. This means that if tor ever switches circuits and changes exit node, those sites will reset your "unread messages". I have not been able to find a decent way to solve this with TrackHostExits, given that vidalia will overwrite my tor config occasionally (and has no support for adding these internally, so I have two editors trying to change the tor config), the length of time needed to track varies from 30 minutes at some (forced logout after thirty minutes of idle time) to 24 hours at others, dealing with the occasional dead exit node (and then you need to use a new exit node earlier), etc. And, my list of exception sites is currently 26 lines long.
    145117
    146118'''Tor works fine for POP3 email. But, Whistle-blowers and others who need anonymous
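Review bot: the removed privoxy excerpt is the only place on the page that shows the in-place toggle, keeping "forward-socks4a .onion localhost:9050 ." active while commenting the default "forward-socks4a / localhost:9050 ." line in and out with "##", and the NB paragraph explains why the per-host "forward" exceptions exist at all (PHP BBS sites treat an exit-node change as a new login). With them gone, the preceding paragraph still tells readers to stop Privoxy and swap whole config files, which is the more awkward of the two procedures. Suggest restoring at least the config excerpt and the one-line toggle instruction.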
     
    176148'''I've got a bug, now what? (votes: 2)'''
    177149
    178 The following is a quick summary of the information already in the [:../TorFAQ#ReportBug: FAQ entry].
    179 
    180 1) Make sure that it is an actual bug with Tor, and not with Privoxy, Vidalia, your OS, etc.
    181 
    182 2) Check to see if it's an unreported bug (at the [http://bugs.noreply.org/flyspray/index.php?tasks=all&project=4 bug tracker]).
    183 
    184 2a) If it's already reported, then see if you can add anymore information (in the comments of that bug) that will help the developers duplicate it and/or track it down. (This step requires you to login to your account at flyspray, or to create a new account.)
    185 
    186 2b) If it's not already reported, then start a new report with as much relevant information as possible. Relevant information includes tor version number, OS used, any relevant lines from the log, and what you were trying to do that caused the bug. (This step requires you to login to your account at flyspray, or to create a new account.) You may want to read [http://www.chiark.greenend.org.uk/~sgtatham/bugs.html How to Report Bugs Effectively].
    187 
    188150'''How does Tor relate to the Freedom Project? (votes: 1)'''
    189151
    190 This question is answered in this [:../TorFAQ#ComparisonFreedom: FAQ entry].
    191 
    192152'''Is there any way to forward an ident response via TOR so that the ident doesn't come back as whatever the end server wants, but your normal response? (votes: 1)'''
    193153
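Review bot: the four-step answer to "I've got a bug, now what?" (check it is a Tor bug, search the flyspray tracker, add to an existing report or open a new one with version, OS, log lines and steps, plus the ReportBug FAQ link and the "How to Report Bugs Effectively" link) and the one-line answer to "How does Tor relate to the Freedom Project?" (the ComparisonFreedom FAQ link) are removed while both questions remain. The page therefore lists as unanswered two questions that were answered. If the goal is to move answered items off this page, the questions should go with their answers; otherwise restore both answers.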
     
    212172Yes. Indeed, if all the servers in a circuit are compromised then they need not even be communicated with.. the entry node can decipher for all the (possibly even non-existent) nodes. In order to maintain a superficial view of anonymity, it would probably be good to forward it to the exit server however.
    213173
    214 '''What system resources does a TOR server use?  The FAQ already discusses memory a bit.  What about CPU?  Encryption is CPU-intensive.  Specific question I'd like answered: I'll be setting up a TOR node bandwidth-limited to about 256kbps (half my upstream bandwidth).  Will an old 300MHz G3 Mac easily handle this, or will a faster processor be needed? How 'bout a P90?  Presumably, TOR's disk usage and I/O is minimal.''' (Votes: 1)
     174'''What system resources does a TOR server use?  The FAQ already dicusses memory a bit.  What about CPU?  Encryption is CPU-intensive.  Specific question I'd like answered: I'll be setting up a TOR node bandwidth-limited to about 256kbps (half my upstream bandwidth).  Will an old 300MHz G3 Mac easily handle this, or will a faster processor be needed? How 'bout a P90?  Presumably, TOR's disk usage and I/O is minimal.''' (Votes: 1)
    215175
    216176
    217177== Cannot resolve Foo.onion/Resolve requests to hidden services not allowed ==
    218178
    219 tor-resolve doesn't seem to work, i get this:
     179tor-resolve doesnt seem to work, i get this:
    220180{{{connection_ap_handshake_process_socks():  Resolve requests to hidden services not allowed. Failing.}}}
    221181from the copy of tor running locally. Please help!
    222182
    223 (from original questioner: thank you.  I got the mistaken idea that this would work because it is suggested in the 'how to torrify an application' article on this wiki.  It makes more sense now.  Someone who understands better might want to update that document)
    224 
    225 This question is answered; see [:../TorFAQ#AccessHiddenService: How Do I Access Tor Hidden Servers.]  You get this message when you try to use tor-resolve to resolve the address of a hidden service.  But hidden services are ''hidden'' - they don't *have* an IP address you can use.  Instead, you need to pass the hostnames to Tor directly.
     183(from original questioner: thank you.  I got the mistaken idea that this would work because it is suggested in the 'how to torrify an application' article on this wiki.  It makes more sense now.  Someone who understands better might want to upate that document)
     184
     185This question is answered; see 'How Do I Access Tor Hidden Servers.'  You get this message when you try to use tor-resolve to resolve the address of a hidden service.  But hidden services are ''hidden'' - they don't *have* an IP address you can use.  Instead, you need to pass the hostnames to Tor directly.
    226186
    227187== Clock Skew ==
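Review bot: every replacement line in this hunk is a regression against the line it replaces: "discusses" becomes "dicusses", "tor-resolve doesn't" becomes "doesnt", "update that document" becomes "upate", and the wiki link "[:../TorFAQ#AccessHiddenService: How Do I Access Tor Hidden Servers.]" becomes the unlinked text 'How Do I Access Tor Hidden Servers.', so the hidden-service answer no longer points anywhere. Each pair of lines is otherwise identical, which is consistent with an older copy overwriting the corrected one; keep the removed versions.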
     
    275235'''Answer''': No, Tor itself is all or nothing, a request either goes through it or it does not.
    276236
    277 For privoxy, however, you can use forward lines to make some hosts use tor, some use the normal system, and others use whatever other proxy you want.
    278 {{{
    279 forward-socks4a / localhost:9050 .
    280 forward-socks4a .onion localhost:9050 .
    281 
    282 # Do not torrify these (high volume/speed concerns, as well as PhP BBS
    283 # systems that consider a changed IP to be a new login.):
    284 forward .blood-bowl.net .
    285 forward .youtube.com .
    286 forward .qemu-forum.ipi.fi .
    287 forward .vidalia-project.net .
    288 }}}
    289 
    290 Here is an example. This uses privoxy for all sites (ad filtering, etc), and then specifies that some sites go through tor, and some do not.
    291 
    292 Privoxy uses the LAST match. So, the first line says "Use Tor by default". It can be turned off. The second line says "Always use Tor for .onion". After that are lines for "Never use Tor for these".
    293 
    294 Older, wrong information:
    295237Privoxy is also all or nothing in the sense that if a request has made it to Privoxy then either Privoxy is set up to go through Tor or it's not, there does not appear to be a way to program Privoxy so it will use Tor for some requests but not others.
    296238
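Review bot: removing the "forward" / "forward-socks4a" example and the two paragraphs explaining it (Privoxy uses the last match, so "/" via Tor by default, ".onion" always via Tor, then per-host "forward .host ." exceptions), and also deleting the "Older, wrong information:" label, leaves the page stating as current fact that Privoxy cannot send some requests through Tor and others directly. The removed example shows that it can, and the "Answer: No, Tor itself is all or nothing" line that is kept was written to contrast with it. Either keep the example together with its label, or delete the incorrect paragraph along with it; keeping only the wrong half is the worst outcome.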
     
    334276Anyway, you should probably block their IP rather than ports that happen to be theirs ;) (which don't exist - surprised tor let you do that..)
    335277
    336 To clarify, the syntax is ''ip-address'':''port'', so reject *:66.35.250.15 is blocking all requests to exit port number 66.35.250.15 at all ip addresses. This obviously doesn't make sense. What you want to do is reject 66.35.250.15:* to block all slashdot traffic.
    337 
    338 Also, the fourth line of this page reads: ''this is '''not the place''' for random it doesn't work or how do I do foo questions.''
    339278
    340279'''What is the significance of the changes in the Bittorrent Torify HOWTO?'''
    341280
    342 I noticed I can't connect with btdownloadcurses through proxychains any more. Looking for answers, I went back to the Torify HOWTO and noticed that it had been altered. Where it used to explain about using proxychains to run bittorrent through TOR, which I used successfully for over a year, it now says that Bittorrent "uses a mechanism similar to TOR." That was certainly news to me. How is the generic Bittorrent client technically similar to TOR in any way? I have always heard that the generic Bittorrent client offers almost no anonymity at all. Now I'm reading that Bittorrent and TOR are practically the same thing and it would be redundant to use them together. Seems a bit curious.
     281I noticed I can't connect with btdownloadcurses through proxychains any more. Looking for answers, I went back to the Torify HOWTO and noticed that it had been altered. Where it used to explain about using proxychains to run bittorrent through TOR, which I used successfully for over a year, it now says that Bittorrent "uses a mechanism similar to TOR." That was certainly news to me. How is the generic Bittorrent client technically similar to TOR in any way? I have always heard that the generic Bittorrent client offers almost no anonimity at all. Now I'm reading that Bittorrent and TOR are practically the same thing and it would be redundant to use them together. Seems a bit curious.
    343282
    344283As a sub-question, let me just ask directly: Is it true that Bittorrent through TOR via proxychains no longer works?
    345284
    346 Also, the same page now mentions a technique of using Tor to connect to the tracker only, as opposed to the peers, by including the line --tracker-proxy 127.0.0.1:8118: on the command line. However, I see no documentation of this option in the btdownloadcurses client and I find it a bit suspicious that the format of this option uses a hyphen rather than an underscore as all the other command line options that are listed as being compatible with btdownloadcurses use underscores to separate options with two words such as --check_hashes <arg> or --report_hash_failures <arg>. Is that a typo or an undocumented option that just happens to deviate from the naming convention of all the other options?
     285Also, the same page now mentions a technique of using Tor to connect to the tracker only, as opposed to the peers, by including the line --tracker-proxy 127.0.0.1:8118: on the command line. However, I see no documentation of this option in the btdownloadcurses client and I find it a bit suspicious that the format of this option uses a hyphen rather than an underscore as all the other command line options that are listed as being compatible with btdownloadcurses use underscores to separate options with two words such as --check_hashes <arg> or --report_hash_failures <arg>. Is that a typo or an undocumented option that just happens to deviate from the naming convetion of all the other options?
    347286
    348287'''How do you start and stop Tor and Privoxy in OS X (Panther) if you did not install the startup script? (needs to be added to installation instructions)'''
    349288
    350 
    351 On my system, the privoxy startup file ultimately runs
    352 {{{sudo $INSTALLDIR/privoxy --pidfile $pidfile }}}
    353 
    354 with INSTALLDIR being where you installed it, and pidfile being a filename that will hold the process ID.
    355 
    356 Tor can be started as a normal user -- just run the tor program. On my system, it runs as
    357 {{{/usr/bin/tor ControlPort 9051}}}
    358 
    359 Note that Vidalia is responsible for starting tor, normally.
    360 
    361289'''How do you configure the proxy if you are using Tor and Privoxy in OS X (Panther) with a router's firewall and the built-in OS X firewall, e.g. when using Wi-fi to connect to wireless router?  (needs to be added to installation instructions)'''
    362290
    363 I'm not sure that this is OS X specific. For any firewall, you need to add two incoming ports, 9001 and 9030 by default, to the list of approved ports.
    364 
    365 For Mac OS X, go to control panel, sharing, firewall, and then click "new" twice. The first one is port 9001, label "Tor Server", the second is port 9030, label "Tor Directory Mirror". Both of these are TCP ports, and the "port name" field should be "other".
    366 
    367 If you have BOTH the Os X firewall, and the router firewall, then you also need to open those ports on the router. Details are router specific.
    368 
    369291'''What to do (troubleshooting) if browsing slows to a crawl with Tor and Privoxy running in OS X?'''
    370 
    371 Somebody proposed the following solution, which ''should not be used'' as it will break Tor for everyone else.
    372 
    373 {{{CircuitBuildTimeout 6
    374 NewCircuitPeriod 3
    375 ExcludeNodes charlesbabbage,tutzing,TFTor,freetux4ever
    376 LongLivedPorts 80,23,21,22,706,1863,5050,5190,5222,5223,6667,8300,8888}}}
    377 
    378 CircuitBuildTimeout causes the client to drop an uncompleted circuit after 6 seconds; it will cause your tor to build circuits more aggressively than other nodes.  The default value is 60.
    379 
    380 Finally, port 80 is added to the "long lived ports" list. This will overload long lived ports, making tor unusable for people who need to use ssh over tor.
    381 
    382 
    383 '''I am running a Tor server on one computer on a network. Can I stop the other PCs on the same network from being k-lined on QuakeNet?'''
    384 
    385 
    386 '''Would it make sense to support binding to multiple ports in Tor server (e.g. to bind to ports 443, 22, 5190 etc.) for clients behind _really_ restrictive firewalls? If this was implemented one day, maybe you could also support binding to multiple specific IP addresses on multihomed servers?'''
    387 
    388 The changelog indicates that this has been possible since "version 0.0.7pre1 - 2004-06-02":
    389 ''Allow multiple instances of each BindAddress config option, so you can bind to multiple interfaces if you want.''
    390 
    391 The [http://tor.eff.org/tor-manual.html.en manual] says this about the ''ORListenAddress'' configuration option:
    392 ''... This directive can be specified multiple times to bind to multiple addresses/ports.''
    393 
    394 It also says this about the ''DIRListenAddress'' configuration option:
    395 ''... This directive can be specified multiple times to bind to multiple addresses/ports.''
    396 
    397292----
    398293CategoryHomepage
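Review bot: the clarification that the reject syntax is ip-address:port, so "reject *:66.35.250.15" blocks nothing sensible and "reject 66.35.250.15:*" is what blocks the slashdot address, is removed even though it is the actual answer to the exchange above it. The same hunk strips every answer from the OS X section while keeping the questions (starting privoxy with "--pidfile", running "/usr/bin/tor ControlPort 9051" as a normal user, opening TCP 9001 and 9030 in the OS X firewall and on the router), removes the troubleshooting answer whose whole point was that the "CircuitBuildTimeout 6" / "NewCircuitPeriod 3" / "LongLivedPorts ... 80 ..." snippet "should not be used" because it builds circuits more aggressively than other clients and overloads the long-lived ports that ssh-over-Tor users depend on, drops the QuakeNet k-line question and the multiple-BindAddress question together with its answer (the 0.0.7pre1 changelog entry and the ORListenAddress / DIRListenAddress manual text), and re-spells "anonymity" as "anonimity" and "convention" as "convetion" in lines that are otherwise unchanged. None of this is covered by a change comment; suggest reverting this hunk and re-applying only the edits that were actually intended.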