Delivery-Date: Tue, 23 Jun 2015 16:39:55 -0400
Return-Path: <tor-talk-bounces@lists.torproject.org>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on moria.seul.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED,
	T_RP_MATCHES_RCVD autolearn=ham version=3.3.1
X-Original-To: archiver@seul.org
Delivered-To: archiver@seul.org
Received: from eugeni.torproject.org (eugeni.torproject.org [38.229.72.13])
	(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by khazad-dum.seul.org (Postfix) with ESMTPS id AF38E1E065C;
	Tue, 23 Jun 2015 16:39:53 -0400 (EDT)
Received: from eugeni.torproject.org (localhost [127.0.0.1])
	by eugeni.torproject.org (Postfix) with ESMTP id 330DE365E9;
	Tue, 23 Jun 2015 20:39:48 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by eugeni.torproject.org (Postfix) with ESMTP id 3BFCC365DA
 for <tor-talk@lists.torproject.org>; Tue, 23 Jun 2015 20:39:45 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at 
Received: from eugeni.torproject.org ([127.0.0.1])
 by localhost (eugeni.torproject.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id UmsxgXCibdQf for <tor-talk@lists.torproject.org>;
 Tue, 23 Jun 2015 20:39:45 +0000 (UTC)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.21])
 (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by eugeni.torproject.org (Postfix) with ESMTPS id E4409365D0
 for <tor-talk@lists.torproject.org>; Tue, 23 Jun 2015 20:39:44 +0000 (UTC)
Received: from localhost ([95.130.11.147]) by mail.gmx.com (mrgmx103) with
 ESMTPSA (Nemesis) id 0MOOJl-1ZCjmK0Xu1-005nM7 for
 <tor-talk@lists.torproject.org>; Tue, 23 Jun 2015 22:39:41 +0200
Date: Tue, 23 Jun 2015 22:41:54 +0200
From: =?utf-8?B?w4dhxJ/EsWwgUC4gxZ5lc3Rv?= <secpost@abwesend.de>
To: tor-talk@lists.torproject.org
Message-ID: <20150623204153.GB752@localhost.localdomain>
References: <5584E032.6060001@gmx.com>
 <1434800149.26545.13.camel@larsluthman.net>
 <558621B3.7000403@gmx.com>
 <20150622143619.GA20787@localhost.localdomain>
 <5588A51C.30407@gmx.com>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <5588A51C.30407@gmx.com>
User-Agent: Mutt/1.5.23+89 (0255b37be491) (2014-03-12)
X-Provags-ID: V03:K0:QEpfrvzy//z/UJNTmzgb4qinfT3ruDOQ6GGsoUgr13fOjD95NvN
 O7+tnjX+iwkGwZtX5WuLdRE/dXNokE1HnV/lpgC25J+xdESiLFcucXYlmlT/Btejq+t+LIr
 I5RxPd7Ak8Na+ZNxnTAuo8vUzrcQcgqe/53rx4/wVEIdJehOzRgK0hnKLb+ZD9OupBq3hDR
 l/kWazwz/n91M9OnvecKQ==
X-UI-Out-Filterresults: notjunk:1;V01:K0:oKKeUHY+les=:8E/xL6YZ0csb7plYS+jx8z
 E53e8PKQ4u1sCb6eRtVa5VrG+v2PZAN1y7YKF5vyYdV725onM32lPF7xHPGoKr7/dWtRSD4q3
 RrRn0qlyw7XK7j95nldePTXKnNc8Cp4ZwElkEPIXwOaA0WNP8UEu5zT1PaQOgXZKYCNV4c6iE
 3lKbYCBuDw2U+7f3zOjwevwwjOgnb4o/bPMCH8QFnIBoaJazbOPPHFxkPzbPkiOwqoL/B6rM9
 +6YmhKr2bZJfnI+Jf67L0SIlH6tSCAcIaJ8W85CpRmEPdTwhbSJNhmDJrmE8YLDTEqUUJ2L9i
 eSKvpGJ5jGGys0pWBNXnB7xQBIEyGjxWFfZngz8DzUe7sXw206MkdocGjFCcRmcnu/vYHuWLd
 gC1qN+bVNLMGt+MuyZmTC8OpqgsQKfHVuo4qeo+W6Ywd/RqTYZXXVoqXnA8TZNgxtHB4nNmnO
 DHWqm2IfFy6srr4sPXWzYyRGnbBuMjvRDf+O3gvZOhe5o9uR0GnWGSgovTNuVQSo+p/Mb/uiM
 fLPjw1Gt6OoBvWyF+pqVCdBkU2WIioFeUujg3xFWi36oDMFl/A1Nb1Dt9mV54ANQzSw8Kdn9b
 9h7iHvsFEafy50nNmBiImHrBLZvuhDzgfbN84C1xNJ54Iq6dCOXPfsTqf1h3zkfKqjG3NFk1J
 DpVMaLvNzYKVEkkoW5T9RC3XxnFqnvVU/iKARjI1Lwz6L5fu2C0FJzm0iqEjALFJeJGI=
Subject: Re: [tor-talk] do Cloudfare captchas ever work?
X-BeenThere: tor-talk@lists.torproject.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tor-talk@lists.torproject.org
List-Id: "all discussion about theory, design,
 and development of Onion Routing" <tor-talk.lists.torproject.org>
List-Unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
List-Archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-Post: <mailto:tor-talk@lists.torproject.org>
List-Help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-Subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: tor-talk-bounces@lists.torproject.org
Sender: "tor-talk" <tor-talk-bounces@lists.torproject.org>

On Mon, Jun 22, 2015 at 07:15:24PM -0500, Joe Btfsplk wrote:
> Is that actually true?  (they can track you over various exits)
> Is that what the design document says?

Tor can't protect you, if your browser emits cookies or information
about cached content back to an entity that operates global scale cdn
or services:

Lets make it easy:
You are you (joe) and there is google (gog) and cloudflare (clo):
You are ordering pizza via tor-exit1 (tex1) and watch some cats while
eating that pizza on tor-exit2 (tex2).

In your first session, you request content, a picture of said pizza from a 
cdn (clo) and with that request comes caching information and cookies 
from (clo) along with that picture.

(clo) knows you now as an entity, you are emitting cookies back to (clo)
with every use of his cdn.

Lets assume the pizza service uses a website analytics service from
(gog) under the premise of customer statisfaction:

Your browser, requests 1x1pixel from that service, with that pixel comes
another cookie, you are now knowm to (gog) as an pizza eating entity too.
Every time you visit another site using (gog) analytics, you are the
same pizza eating entity.

Its time to go to the loo, and the pizza is delivered. The tor-client did
his awesome job and has build new circuits, (joe) is know using (tex2).

So, whats better than pizza? Pizza and cats:
(joe) requests a embedded catmovie from some catmovie site, bad for him
the catmovie is delivered via (clo) cdn, the browser adds the cookie
to the request and (clo) adds that information to the record they
startet about you earlier. Unfortunately catmovies uses the (gog) analytics
service too (because its free, so who would mind), and (gog) gets their
cookie back from earlier.

Sorry to say, I am under the impression, you have watched to much VPN
advertising, if it comes to your browser, your ip is no longer of
interest. You really should get rid of that misconception that you are
a ip address or somebody uses ip address to track people, since the
inception of tor and vpn networks thats plain stupid.

If you don't like to third parties from knowing that you are into the
cat thing, the right thing to do would to use your browser to order
pizza and using TBB to watch cats - that works.

> But, many Tor Browser users  seem to question allowing all scripts by
> default - including 3rd party.

That example works with plain http or https, were https is recommended
while using tor. There was no active content involved.

> On the _latter point_, I'm not as technically advanced as many on this
> list, to fully understand ALL subtleties in the design document.

It gets nasty and scary with active content involved, tor is only a
network, it can hide your ip, but thats not always the solution.

> On the _latter point_, I'm not as technically advanced as many on this
> list,
> to fully understand ALL subtleties in the design document.

If one only has one tool, lets say a hammer, one tends to see every
problem as nail, thats what you are doing.

Please consider which parts of your personal habits and needs you like
to expose in which way. So order pizza with your whatever browser and do
the lewd cats thing with TBB. I know, not very convenient, but privacy
or anonymity aren't avaliable in a convenient way anymore. Your ip has
nothing to do with that anymore.

That said, it isn't impossible. I still try to convice site owners to
respect visitors and not exclude, track or sell their anonymity or
privacy for some funky graphs.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

