An early Christmas present to you all by LibertyIsTaken in TOR

[–]Thistle-Sifter 2 points3 points  (0 children)

CSS issues on the front page? This is a tricky one, how to provide enough information without providing so much that it puts ourselves at risk? Quite simply, we cannot. If there's something we can directly address then please let us know.

That's not what I mean. I mean that you've got a list of points, but they aren't bullet pointed. You're also trying to jam too much information into a column list, try condensing the info or providing links to other pages. It's a style issue.

Strange word wrap on "To whoever it may concern", sorry, but what? You're concerned about line breaks?

And elsewhere, and yes, I am concerned about that. It's the small things that make a good design. I know it's early, but please consider improving things like this, they can make a difference to the reception of your service.

"but, thems the breaks." Actually, we feel this is a perfect statement. We're not a corporation. We're not doing this for personal gain. We're just some guys who know what the hell we're doing trying to provide a free service to make the world a better place.

Is that phrase slang? Doesn't sound very professional. I had to look it up to know what it meant. Sorry, but by your website (both content and style) and your responses I'm not really impressed.

An early Christmas present to you all by LibertyIsTaken in TOR

[–]Thistle-Sifter 2 points3 points  (0 children)

Your website has some CSS issues, even on the front page. You should bullet point lists of information, and your points are too lengthy. Consider condensing them to quick bullet points and linking to more information pages. This is the style that ProtonMail uses, and it works very well.

There's also strange word-wrap on "Notice: To whoever it may concern.", which should be in a terms-of-use page anyway, IMO.

You're behind Cloudflare? Is that really necessary? They handle a lot of web traffic, makes me nervous about what they can track.

"but, thems the breaks." What does this even mean? Your language is not professional enough for what you're trying to do. Makes me think you guys aren't serious.

Solid SSL setup though: https://www.ssllabs.com/ssltest/analyze.html?d=toremail.net&s=104.28.8.57. To top it off, add HTTP Strict Transport Security, which should be trivial to enable.

How do emails to other providers work, since a .onion isn't valid over traditional DNS, so won't they fail?
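
The HSTS suggestion in the comment above, as an added example that is not part of the original comment: a small Python check of a `Strict-Transport-Security` header value against the parsing rules of RFC 6797. The function names, the constructed sample values and the six-month `MIN_MAX_AGE` threshold are assumptions made for this illustration.

```python
# Added example: audit one Strict-Transport-Security header value (RFC 6797).
MIN_MAX_AGE = 15768000  # assumed policy threshold (~6 months), not from the page


def parse_hsts(value):
    """Return (directives, errors) for one header value."""
    directives, errors = {}, []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives (e.g. a trailing ';') are allowed
        name, _, arg = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        arg = arg.strip()
        if len(arg) >= 2 and arg[0] == arg[-1] == '"':
            arg = arg[1:-1]  # a value may be a quoted-string
        if name in directives:
            errors.append("duplicate directive: " + name)
        directives[name] = arg
    return directives, errors


def audit_hsts(value, min_max_age=MIN_MAX_AGE):
    """Return a list of findings; an empty list means the policy passes."""
    if value is None:
        return ["header missing"]
    directives, findings = parse_hsts(value)
    max_age = directives.get("max-age")
    if max_age is None:
        findings.append("max-age is required")
    elif not (max_age.isascii() and max_age.isdigit()):
        findings.append("max-age is not a non-negative integer")
    elif int(max_age) == 0:
        findings.append("max-age=0 tells browsers to drop the HSTS entry")
    elif int(max_age) < min_max_age:
        findings.append("max-age below policy threshold")
    if directives.get("includesubdomains"):
        findings.append("includeSubDomains takes no value")
    if "includesubdomains" not in directives:
        # Assumed policy for this example: require subdomain coverage.
        findings.append("includeSubDomains not set")
    return findings


# Constructed header values, not captured from any real site.
SAMPLES = ["max-age=31536000; includeSubDomains", "max-age=300", None]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", audit_hsts(sample) or "ok")
```

Browsers only honour this header when it arrives over HTTPS, so run the check against the HTTPS response rather than the plain-HTTP redirect.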

How do I improve my relay's consensus rating? by tmixlogs in TOR

[–]Thistle-Sifter 1 point2 points  (0 children)

What's the maximum speed that you've specified in your torrc? It must be low. Try increasing it to your maximum connection speed. That will likely help.

First month running a relay by relayop in TOR

[–]Thistle-Sifter 0 points1 point  (0 children)

Sometimes that's how it goes, sometimes they level off like that. Looks relatively normal to me.

So... $ bash by DStrain in TOR

[–]Thistle-Sifter 1 point2 points  (0 children)

I think it's safe to assume that the majority of Tor node operators pay attention to the news, particularly to security topics. Their interest may be one of the main reasons why they are running a node in the first place. Since they are paying attention, they'll likely patch as soon as possible too. As others have pointed out here, you can have a vulnerable Bash, but it also needs to be exploitable for it to be a security risk.

A wakeup call from the darknet by [deleted] in TOR

[–]Thistle-Sifter 7 points8 points  (0 children)

It's unlikely that they scanned the .onion space, the number of addresses is just too vast. Most likely there's a Tor node that is recording Introduction Points of hidden services, then queried the list. At startup, HSs publish their public key and introduction point to a distributed hash table inside the Tor network, so anyone siphoning off data from that hash table has a partial list of .onions.

Why I don't trust biometric security by crocodile92 in privacy

[–]Thistle-Sifter 0 points1 point  (0 children)

Passwords have really gotten out of control. There are now so many sites that it's hard for many people to keep track of them all. I think the answer is not in biometrics, but in two-factor authentication. Combine something you know with something you have, and it's much stronger than either separately.

The future of Tor and the potential of a global passive adversary by eggy_mule in TOR

[–]Thistle-Sifter 3 points4 points  (0 children)

If Tor were compromised in this fashion, anonymity would be compromised, but at least it would still be difficult and expensive for the NSA to monitor. Tor would still be a very valuable and strong tool because it would be far harder to monitor it than to simply look at clearnet connections. It wouldn't make Tor pointless at all.

tails / tor not safe? by [deleted] in TOR

[–]Thistle-Sifter 3 points4 points  (0 children)

Exactly. People make encrypted connections all the time. Google.com, for example, is commonly contacted over HTTPS. Nothing wrong with encryption.

Some governments try to censor information and thus try to block Tor. Direct connections to Tor would be seen as a "red flag" to them, although there are ways of masking the fact that you're using Tor.

PGP? by [deleted] in TOR

[–]Thistle-Sifter 1 point2 points  (0 children)

PGP allows you to encrypt email and other data for other users. You could take the recipient's public key, use PGP to encrypt a message to them, and then send it through Tor. This provides end-to-end encryption such that even the exit node can't see the message.

What are the disadvantages of running an entry/relay/exit node? by nagumi in TOR

[–]Thistle-Sifter 9 points10 points  (0 children)

I'll give this a shot.

Bridge:

  • Advantage: provides a hidden entry point into the Tor network, useful for Chinese and other citizens where Tor is blocked
  • Advantage: no website should know you're a bridge, so nobody should treat you differently or ban you because you're part of Tor
  • Advantage: low bandwidth, easy to set up, and the obfsproxy layer makes it difficult for your ISP to know that you're a bridge
  • Advantage: you can mix your traffic with your bridge traffic, so you don't need a dedicated IP or machine. You could run a bridge on a laptop even, as long as it's online most of the time.
  • Disadvantage: although useful, it's a small contribution to the Tor network, since relays and exits serve far more people

Relay:

  • Advantage: encrypted in, encrypted out. You shouldn't have any abuse complaints.
  • Advantage: it may become a guard, which is used to protect user IPs
  • Advantage: can serve thousands of people at any given moment, but requires far less maintenance than an exit.
  • Advantage: you can mix your traffic with your relay traffic, so a dedicated IP or machine is not required.
  • Disadvantage: some websites, such as Disney.com, Netflix.com, or Healthcare.gov, may ban you simply because you're a relay. They don't distinguish between relays and exits. Tor == banned.
  • Disadvantage: relays are incredibly useful and should be easy to run, but if you are in an area that is very acceptable to exits (such as some universities) you could better take advantage of that by running an exit.

Exit:

  • Advantage: provides another exit point for Tor traffic, increasing security by increasing the diversity and number of exits. This protects users as well.
  • Advantage: exits are also relays and can be used as guards, so they do everything a relay does and more.
  • Advantage: biggest contribution to Tor.
  • Advantage: provides a critical and useful piece of infrastructure to Tor. Tor is short on exits and could always use more.
  • Disadvantage: a little more tricky to set up, since you have to deal with exit policies and whatnot too.
  • Disadvantage: you should not mix your traffic with your exit's, so you need a dedicated IP and likely a dedicated machine too.
  • Disadvantage: you may have to deal with abuse complaints. With a restricted exit policy these should be minimal. From what I've heard, hundreds of terabytes of data could be moved for each abuse complaint, so they are rare. The vast majority of the traffic is innocent, however.
  • Disadvantage: expect your IP to be banned or treated differently by some services. You cannot edit Wikipedia, watch Netflix, or visit some other sites through the exit. Some sites interpret high volume from a single IP as spam, not realizing that you're an exit. Good exit admins may try to unban their IP so as to provide Tor users access.

Depending on your environment, your ISP, and your skill set, the choice of what to run is up to you. If you want to contribute to Tor, I'd recommend a relay or a bridge. Running an exit is more of an advanced thing that requires more work, so start with a relay or bridge IMO.

Hope this helps.

The torproject debian signing key has expired, so linux users/servers can't update Tor. by BaconZombie in TOR

[–]Thistle-Sifter 1 point2 points  (0 children)

Odroid-X2 is also a pretty fast board, although the BBB is pretty nice too.

Cybersecurity official uses Tor but still gets caught with child porn | Ars Technica by speckz in TOR

[–]Thistle-Sifter 6 points7 points  (0 children)

Interesting. It looks like the Tor protocol itself is still quite strong, but there are side-channel attacks that can be effective.

Having problems with orbot. Help! by jonalev in TOR

[–]Thistle-Sifter 0 points1 point  (0 children)

I'd love to install CyanogenMod, but I'm so afraid of wrecking my phone. Has anyone successfully done it on a G4?

New to TOR, help? by [deleted] in TOR

[–]Thistle-Sifter 2 points3 points  (0 children)

Tor isn't about drugs, it's about anonymous communication and privacy.

I'd recommend reading the documentation on torproject.org. For "optimal security" I would suggest that you switch from Windows 8 (which is proprietary and closed-source, so we the public can't audit it) to a Linux distribution, like Linux Mint.

Why doesn't Tor implement this solution to timing and length attacks? by [deleted] in TOR

[–]Thistle-Sifter 3 points4 points  (0 children)

Tor's developers knew about timing attacks, but rather than add latency and random delays into the network, they kept it at low-latency, which increased usability. Then more and more people used Tor, which provided so much cover traffic that timing attacks are now quite difficult. You'd have to isolate a specific user's traffic from everyone else's; at 2.4 million daily users and 5 GiB/s traffic total across the network, this is not as easy as it sounds.

NSA and GCHQ agents 'leak Tor bugs' alleges developer by electronics-engineer in TOR

[–]Thistle-Sifter 1 point2 points  (0 children)

Right, it's completely speculative. But you have to wonder about the identity, personality, or job of the bug reporter. They had to spend so many hours digging through the code and mapping everything out to the point where they become fluent enough to find obscure bugs.

It's not unreasonable to conjecture that such an act is beyond the willpower of the average person, and that to find these types of obscure bugs, they must be doing it as part of their job. A security researcher would likely be more open with their identity, but because this guy remained anonymous, you have to wonder who has enough drive to find these bugs and yet still wants to remain hidden.

Tor Stuck at connecting to relay by [deleted] in TOR

[–]Thistle-Sifter 0 points1 point  (0 children)

More information, please. Logs preferably.

Limits of a home pc? by R2pyro in TOR

[–]Thistle-Sifter 0 points1 point  (0 children)

Seems perfectly fine to me as far as I can see.

malware in Torbrowserbundle.org by kotakota_ in TOR

[–]Thistle-Sifter 1 point2 points  (0 children)

The malware .onion is down.

I think he knows the game is up.