Changes between Version 36 and Version 37 of doc/FAQUnanswered


Timestamp:
Apr 23, 2010, 4:48:48 AM (9 years ago)
Author:
trac
Comment:

--

  • doc/FAQUnanswered

    v36 v37  
    88= Unanswered FAQ Questions =
    99
    10 '''If an attacker has access to past logs of ISP and any given visted site, does the prng of the tor client allow the attacker to guess which circuit it used next?'''
     101) '''Hidden services are currently very vulnerable to attacks by web hosts who come to suspect a machine in their network is being used for Tor. Since they can power cycle the server in question (and likely blame it on technical difficulties without arousing suspicion) they can make an unambiguous identification of a hidden service host.
     11This could be prevented if the directory servers supported more than one provider for a hidden service and so could direct requests away from a non-responsive server (there may be other solutions). Of course this could also help provide more reliable hidden services in general. Is there any chance of this getting implemented in the near future?'''
     12
     132) '''Why do I keep getting messages telling me that my clock has just jumped ahead and that my circuits will be assumed broken? ''(eg.
     14Oct 02 10:14:53.619 [notice] Your clock just jumped 1056 seconds forward; assuming established circuits no longer work.'') I've got a cron job to sync the time every eight hours and it's never out by more than a second.'''
     15
     16-- On my system, this happens when Vidalia gets into trouble. It seems that when tor and V communicate, tor can wind up waiting for V to respond, or for the V process to be killed.
     17
     18
     193)'''If an attacker has access to past logs of ISP and any given visted site, does the prng of the tor client allow the attacker to guess which circuit it used next?'''
    1120
    1221Tor uses cryptographically strong random numbers provided by OpenSSL when choosing nodes to use in a circuit. How OpenSSL implements this is operating system specific. If there's a weakness in Tor's method of choosing nodes, it probably isn't in the random number generator.
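Review bot: item 3 on new line 19 is written `3)'''If an attacker` without the space after the parenthesis that items 1 and 2 use, and the typo "visted" (carried over from removed line 10) should read "visited". Since the question text is otherwise identical to the removed line, this is a renumbering of the same question, not a new one, and the numbering should be consistent across all three items.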
     
    4958*** For Gmail for me, it's even worse; I have to try 5 or 6 times before I get a page.
    5059
     60-- I know that improvements to DNS handling are due in 1.2.x-final (see bug #364).
     61
    5162'''Why is the argument against more than 3 hops that both-ends attacks are the enemy?  Wouldn't it be better to have more than 3 if the enemy cannot mount a both-ends attack?'''
    5263
     
    115126
    116127If you wish to do this, you will need to make a copy of your Privoxy config file, and comment out the line that causes Privoxy to use the Tor service.  Once you have done this, to switch over, just stop Privoxy, swap the config files, and restart it. You can also automate the process with a very simple shell script - an OSX version including sample config files and a shell script can be found [http://idlecircuits.com/privoxyswitcher.zip here], and the script can be used as an example for other *nix systems.
     128
     129-- In fact, there is no need to stop/restart privoxy. On my system, I have the privoxy config file owned by me, so I can edit it directly. Changing between tor and no-tor is as simple as editing one line.
     130
     131Here's the relevant lines from my privoxy config file:
     132{{{
     133# Tor:
     134#
     135## forward-socks4a / localhost:9050 . 
     136forward-socks4a .onion localhost:9050 .
     137
     138# Do not torrify these (high volume/speed concerns, as well as PhP BBS
     139# systems that consider a changed IP to be a new login.):
     140forward .blood-bowl.net .
     141forward .qemu-forum.ipi.fi .
     142}}}
     143The line with "##" on it is the line to toggle. Remove those to enable tor, add them to disable tor.
     144
     145NB: Every PHP BBS site I've seen will consider you to have logged out and relogged in if your IP address -- as seen by the PHP site -- changes. This means that if tor ever switches circuits and changes exit node, those sites will reset your "unread messages". I have not been able to find a decent way to solve this with TrackHostExits, given that vidalia will overwrite my tor config occasionally (and has no support for adding these internally, so I have two editors trying to change the tor config), the length of time needed to track varies from 30 minutes at some (forced logout after thirty minutes of idle time) to 24 hours at others, dealing with the occasional dead exit node (and then you need to use a new exit node earlier), etc. And, my list of exception sites is currently 26 lines long.
    117146
    118147'''Tor works fine for POP3 email. But, Whistle-blowers and others who need anonymous
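Review bot: the toggle instruction on new line 143 ("Remove those to enable tor, add them to disable tor") should state the consequence explicitly: once the `forward-socks4a / localhost:9050 .` line is commented out, only `.onion` requests go through Tor and every other request leaves the machine directly, so the browser is no longer anonymised at all. The "Do not torrify these" lines on 140-141 apply regardless of the toggle, so it is worth saying that those hosts always see the real address even in "tor enabled" mode. The claim on line 129 that no restart is needed relies on Privoxy re-reading its config file when it changes; a sentence saying so would make the advice self-explanatory.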
     
    235264'''Answer''': No, Tor itself is all or nothing, a request either goes through it or it does not.
    236265
     266For privoxy, however, you can use forward lines to make some hosts use tor, some use the normal system, and others use whatever other proxy you want.
     267{{{
     268forward-socks4a / localhost:9050 .
     269forward-socks4a .onion localhost:9050 .
     270
     271# Do not torrify these (high volume/speed concerns, as well as PhP BBS
     272# systems that consider a changed IP to be a new login.):
     273forward .blood-bowl.net .
     274forward .youtube.com .
     275forward .qemu-forum.ipi.fi .
     276forward .vidalia-project.net .
     277}}}
     278
     279Here is an example. This uses privoxy for all sites (ad filtering, etc), and then specifies that some sites go through tor, and some do not.
     280
     281Privoxy uses the LAST match. So, the first line says "Use Tor by default". It can be turned off. The second line says "Always use Tor for .onion". After that are lines for "Never use Tor for these".
     282
     283Older, wrong information:
    237284Privoxy is also all or nothing in the sense that if a request has made it to Privoxy then either Privoxy is set up to go through Tor or it's not, there does not appear to be a way to program Privoxy so it will use Tor for some requests but not others.
    238285
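Review bot: the introduction "Here is an example" on new line 279 comes after the block it introduces (268-277); move it above the `{{{` so the reader knows what the listing is before seeing it. The "Older, wrong information:" label on 283 keeps the superseded statement on 284 in the answer; since the paragraph above contradicts it, the old text should be dropped rather than retained with a label. The explanation on 281 that Privoxy uses the last match is the key point and should also mention that every host listed with a plain `forward` line is contacted directly and therefore sees the client's real address, which is exactly the trade-off the "Do not torrify" comment on 271-272 is making.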
     
    287334'''How do you start and stop Tor and Privoxy in OS X (Panther) if you did not install the startup script? (needs to be added to installation instructions)'''
    288335
     336
     337On my system, the privoxy startup file ultimately runs
     338{{{sudo $INSTALLDIR/privoxy --pidfile $pidfile }}}
     339
     340with INSTALLDIR being where you installed it, and pidfile being a filename that will hold the process ID.
     341
     342Tor can be started as a normal user -- just run the tor program. On my system, it runs as
     343{{{/usr/bin/tor ControlPort 9051}}}
     344
     345Note that Vidalia is responsible for starting tor, normally.
     346
    289347'''How do you configure the proxy if you are using Tor and Privoxy in OS X (Panther) with a router's firewall and the built-in OS X firewall, e.g. when using Wi-fi to connect to wireless router?  (needs to be added to installation instructions)'''
    290348
     349I'm not sure that this is OS X specific. For any firewall, you need to add two incoming ports, 9001 and 9030 by default, to the list of approved ports.
     350
     351For Mac OS X, go to control panel, sharing, firewall, and then click "new" twice. The first one is port 9001, label "Tor Server", the second is port 9030, label "Tor Directory Mirror". Both of these are TCP ports, and the "port name" field should be "other".
     352
     353If you have BOTH the Os X firewall, and the router firewall, then you also need to open those ports on the router. Details are router specific.
     354
    291355'''What to do (troubleshooting) if browsing slows to a crawl with Tor and Privoxy running in OS X?'''
    292356
     357Somebody proposed the following solution, which ''should not be used'' as it will break Tor for everyone else.
     358
     359{{{CircuitBuildTimeout 6
     360NewCircuitPeriod 3
     361ExcludeNodes charlesbabbage,tutzing,TFTor,freetux4ever
     362LongLivedPorts 80,23,21,22,706,1863,5050,5190,5222,5223,6667,8300,8888}}}
     363
     364CircuitBuildTimeout causes the client to drop an uncompleted circuit after 6 seconds; it will cause your tor to build circuits more aggressively than other nodes.  The default value is 60.
     365
     366Finally, port 80 is added to the "long lived ports" list. This will overload long lived ports, making tor unusable for people who need to use ssh over tor.
     367
    293368
    294369'''I am running a Tor server on one computer on a network. Can I stop the other PCs on the same network from being k-lined on QuakeNet?'''
    295370
    296 '''Would it make sense to support binding to multiple ports in Tor server (e.g. to bind to ports 443, 22, 5190 etc.) for clients behind _really_ restrictive firewalls? If this was implemented one day, maybe you could also support binding to multiple IP addresses on multihomed servers?'''
     371'''Would it make sense to support binding to multiple ports in Tor server (e.g. to bind to ports 443, 22, 5190 etc.) for clients behind _really_ restrictive firewalls? If this was implemented one day, maybe you could also support binding to multiple specific IP addresses on multihomed servers?'''
    297372
    298373
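Review bot: the firewall answer on new lines 349-353 answers a different question than the one asked. Ports 9001 and 9030 are the default inbound relay ports, and the labels "Tor Server" and "Tor Directory Mirror" on line 351 confirm that; a machine that only runs Tor as a client with Privoxy makes outbound connections only and needs no inbound ports opened at all, so the answer should say that opening 9001/9030 is required only if you are running a relay, and that a client-only setup should leave the firewall closed. Two smaller points in the same hunk: the start/stop answer on 337-345 covers starting only, while the question also asks how to stop; the `$pidfile` mentioned on 340 is what you would use to stop Privoxy. And the explanation on 364-366 of the "should not be used" torrc block covers `CircuitBuildTimeout` and `LongLivedPorts` but not `NewCircuitPeriod 3` or the `ExcludeNodes` line, so the reader is not told why those two are harmful either.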