Date: Fri, 19 Jun 2015 02:56:47 +0200
From: Çağıl P. Şesto <secpost@abwesend.de>
To: tor-talk@lists.torproject.org
Message-ID: <20150619005646.GA12681@localhost.localdomain>
Subject: [tor-talk] Some observations running tor and privoxy

Greetings,

if you (still) use privoxy version 3.0.11 or higher, you may notice
that the actions (regexes) like img-reorder are not really white-space
friendly. If you run/use a web service that signs or checksums entities
or checks signatures on static content, you get a lot of false positives
like in "OMG!11!1, the government, the nsa, my isp, that exitnode
manipulates/injects data into every bit I receive via Tor". :)

An application we did for a printshop, which detects if images
were tampered with (proxies for mobile phones do that), made some people
really paranoid.

Anyway, since everybody is using TLS nowadays or very soon, I reduced
my actions to a few lines and my family and I are very happy with the
results:

# 1- Remove x-forwarded-for
{ +change-x-forwarded-for{block} }
/
# 2- Hide Tor exit notation in Host and Referer Headers
{ +client-header-filter{hide-tor-exit-notation} }
/
# 3- Remove expiry from cookies
{ +session-cookies-only }
/
# 4- Remove DNT Header
{ +crunch-client-header{DNT:} }
/

1) if you run more proxies like personal firewalls or whatever
antiviri, these headers may get added and they need to go away.
They leak information about your internal network, which may be very unique.
2) nobody wants to say, hey watch me, I am using tor and this
exit with your site. They have blacklists and CDNs for that. :)
3) is very helpful if you have clients that fetch data like weather
via http, or feedreaders and IOT-thingies. The embedded browsing-engines
usually don't care or don't manage cookies, so most cookies will
expire when you close the application (I am talking about you liferea
and any other tablet that uses webkit).
4) it is more effective to turn the geoapi off.

Another option is to rewrite all client headers like:
{ +hide-user-agent{ spoofed chrome or apple header work fine} }
/

Since privoxy can only rewrite non-TLS traffic, it's perfectly fine for
us.

Tor and CDNs: Someone told me a joke about tor devs/users waving signs
with captchas at cloudflare employees and denying them passage until
they solve them. I didn't get it at that time.
Since I use tor more often, I feel tempted to do the same.

Another complaint about Tor I hear very often is that tor is slow. A
great countermeasure against CDNs and tor being slow is a caching
proxy like squid. Within our family it is usually like:
Alice: look at that cute cat picture at ...
Bob, Mallory and Trent don't need to solve another captcha, since the
image comes directly from the proxy.

Squid runs fine with a little space in tmpfs chained behind
privoxy and logging to /dev/null. Btw., Grandma runs a client and a
hidden service so we can connect to her; the hidden service is much more
reliable than most of the Dyn-DNS services we tried.

I felt like sharing some insight into us using tor,
along with problems we encountered with the privoxy regexes.

If you have questions about our setup, feel free to ask.

Happy relaying.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
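
Added example (not part of the original post, and not privoxy code): a small
audit that checks one captured plain-HTTP request/response pair for the four
leaks the actions in the post are meant to remove. The sample messages, the
relay nickname "relaynick" and the function names are constructed for
illustration.

```python
import re

# Constructed samples (not from the post): a plain-HTTP request and response
# as seen on the upstream side of the proxy with none of the actions active.
SAMPLE_REQUEST = (
    "GET /weather HTTP/1.1\r\n"
    "Host: example.com.relaynick.exit\r\n"
    "Referer: http://example.com.relaynick.exit/start\r\n"
    "X-Forwarded-For: 192.168.1.23\r\n"
    "DNT: 1\r\n\r\n"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: sid=abc123; Expires=Wed, 01 Jan 2020 00:00:00 GMT; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n\r\n"
)

# ".exit" as the last host label (followed by port, path or end of value).
EXIT_RE = re.compile(r"\.exit(?=[:/]|$)", re.I)
# Either attribute makes a cookie outlive the browser session.
PERSIST_RE = re.compile(r";\s*(?:expires|max-age)\s*=", re.I)

def parse_headers(raw):
    """Return [(lowercased name, value)] for the header block of one message."""
    headers = []
    for line in raw.split("\r\n")[1:]:      # skip the request/status line
        if not line:                        # blank line ends the headers
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers

def audit(request, response):
    """Return sorted (item number from the post, finding) pairs."""
    findings = []
    for name, value in parse_headers(request):
        if name == "x-forwarded-for":
            findings.append((1, "X-Forwarded-For reveals " + value))
        elif name in ("host", "referer") and EXIT_RE.search(value):
            findings.append((2, name + " carries .exit notation"))
        elif name == "dnt":
            findings.append((4, "DNT header sent"))
    for name, value in parse_headers(response):
        if name == "set-cookie" and PERSIST_RE.search(value):
            cookie = value.split("=", 1)[0]
            findings.append((3, "cookie '" + cookie + "' is persistent"))
    return sorted(findings)

if __name__ == "__main__":
    for item, text in audit(SAMPLE_REQUEST, SAMPLE_RESPONSE):
        print(item, text)
```

An empty result for traffic captured behind the proxy chain means none of the
four leaks was seen in that request/response pair.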

