Discussion:
Blocked by Websense
John Kimble
2006-11-26 09:10:22 UTC
A report from the field, plus questions:

Earlier today I was trying to use Tor from my local library's network,
which uses an HTTP proxy with Websense enabled. It seems Tor is
blocked by Websense with the reason: "proxy avoidance".

The blocking is done by redirecting all HTTP requests with
"/tor/server/" in the path to a local "blocked by Websense" page. I've
tested this by entering arbitrary URLs with "/tor/server/" in the
path, like these two below, which all lead to the "blocked" page:
http://www.google.com/tor/server/blahblah
http://www.arbitrary.net/more-arbirary-path/tor/server/meh.txt

The way Websense works, this "proxy avoidance" rule is likely to be
common across all organisations that choose to turn this rule on.

A couple of questions:

Is there a way I can somehow supply Tor with directory information
when Tor is unable to do a plaintext HTTP download (which is quite
easy to block based on fixed strings in the path) when it starts up?

Provided the first question is solved, once Tor has built its
circuits, can it be configured to download its directory updates
through the Tor circuits, so as to avoid leaving behind these telltale
footprints of periodical Tor directory downloads?

Thanks,
John
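The filter behaviour reported in the post above, as an added example that is not part of the original thread: it runs the observed substring rule over constructed request lines and compares it with a path-anchored rule, showing that the two test URLs are over-blocked. The anchored request forms are an assumption drawn from Tor's directory protocol specification, and the function names and sample lines are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed sample requests as a proxy might log them; not real traffic.
# 192.0.2.0/24 is a documentation address range.
SAMPLE_REQUESTS = [
    "GET http://192.0.2.10/tor/server/all.z",
    "GET http://192.0.2.11/tor/server/fp/" + "A" * 40 + ".z",
    "GET http://www.google.com/tor/server/blahblah",
    "GET http://www.arbitrary.net/more-arbirary-path/tor/server/meh.txt",
    "GET http://example.org/index.html",
]

HEX40 = r"[0-9A-Fa-f]{40}"
# Assumed request forms, taken from Tor's directory protocol spec:
# /tor/server/all, /tor/server/authority, /tor/server/fp/<F>, /tor/server/d/<D>,
# each optionally followed by ".z" for the compressed variant.
ANCHORED = re.compile(
    rf"^/tor/server/(?:all|authority|(?:fp|d)/{HEX40}(?:\+{HEX40})*)(?:\.z)?$"
)

def url_path(log_line):
    """Return the path component of the URL in a 'METHOD URL' log line."""
    _method, url = log_line.split(None, 1)
    return urlsplit(url.strip()).path

def substring_rule(log_line):
    """The rule as observed in the post: '/tor/server/' anywhere in the path."""
    return "/tor/server/" in url_path(log_line)

def anchored_rule(log_line):
    """Stricter rule: the whole path must be a directory-request form."""
    return ANCHORED.match(url_path(log_line)) is not None

def over_blocked(log_lines):
    """Requests the substring rule flags that the anchored rule would not."""
    return [l for l in log_lines if substring_rule(l) and not anchored_rule(l)]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(f"{substring_rule(line)!s:5} {anchored_rule(line)!s:5} {line}")
    print("over-blocked:", over_blocked(SAMPLE_REQUESTS))
```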
Roger Dingledine
2006-11-26 09:31:57 UTC
Post by John Kimble
The blocking is done by redirecting all HTTP requests with
"/tor/server/" in the path to a local "blocked by Websense" page. I've
tested this by entering arbitrary URLs with "/tor/server/" in the
http://www.google.com/tor/server/blahblah
http://www.arbitrary.net/more-arbirary-path/tor/server/meh.txt
Oh boy. Looks like they have started that particular arms race.
Do you know what version of Websense they were using?

We know what the next few steps of the arms race will be on our side,
and we have some guesses about what they'll be on the opposing sides,
but I'm not sure how quickly we want the arms race to proceed. I suppose
we should give that some thought now.
Post by John Kimble
Is there a way I can somehow supply Tor with directory information
when Tor is unable to do a plaintext HTTP download (which is quite
easy to block based on fixed strings in the path) when it starts up?
Get a cached-routers file and the cached-status/* files from
somewhere. Bring them from home on a USB stick if you like. I'm not
sure how recent they need to be -- if you're using 0.1.1.x it needs
to be from within 24 hours. I believe 0.1.2.3-alpha is more forgiving,
but not by much. Let me know if you get it working and what it takes.

Future versions of Tor will bootstrap better with whatever files it
starts with; and will avoid the particular fingerprinting vulnerability
you describe above.
Post by John Kimble
Provided the first question is solved, once Tor has built its
circuits, can it be configured to download its directory updates
through the Tor circuits, so as to avoid leaving behind these telltale
footprints of periodical Tor directory downloads?
Set "__AllDirActionsPrivate 1" in your torrc.
(This config option is intended for controllers that bootstrap your
initial circuits themselves, but it should work fine as a manual
workaround for now.)

Hope that helps,
--Roger
Watson Ladd
2006-11-26 13:06:24 UTC
Post by Roger Dingledine
Post by John Kimble
The blocking is done by redirecting all HTTP requests with
"/tor/server/" in the path to a local "blocked by Websense" page. I've
tested this by entering arbitrary URLs with "/tor/server/" in the
http://www.google.com/tor/server/blahblah
http://www.arbitrary.net/more-arbirary-path/tor/server/meh.txt
Oh boy. Looks like they have started that particular arms race.
Do you know what version of Websense they were using?
What about by getting tor to use tor to get the directory information?
I don't know how we would bootstrap though without the public key of the
server we use. If it was a signature-based key negotiation we could have
the client ignore the signature until it was able to verify it. Or we
could use the first server we connect to to give the client the
directory. Or we could use a DHT.
Post by Roger Dingledine
We know what the next few steps of the arms race will be on our side,
and we have some guesses about what they'll be on the opposing sides,
but I'm not sure how quickly we want the arms race to proceed. I suppose
we should give that some thought now.
Post by John Kimble
Is there a way I can somehow supply Tor with directory information
when Tor is unable to do a plaintext HTTP download (which is quite
easy to block based on fixed strings in the path) when it starts up?
Get a cached-routers file and the cached-status/* files from
somewhere. Bring them from home on a USB stick if you like. I'm not
sure how recent they need to be -- if you're using 0.1.1.x it needs
to be from within 24 hours. I believe 0.1.2.3-alpha is more forgiving,
but not by much. Let me know if you get it working and what it takes.
Future versions of Tor will bootstrap better with whatever files it
starts with; and will avoid the particular fingerprinting vulnerability
you describe above.
Post by John Kimble
Provided the first question is solved, once Tor has built its
circuits, can it be configured to download its directory updates
through the Tor circuits, so as to avoid leaving behind these telltale
footprints of periodical Tor directory downloads?
Set "__AllDirActionsPrivate 1" in your torrc.
(This config option is intended for controllers that bootstrap your
initial circuits themselves, but it should work fine as a manual
workaround for now.)
Hope that helps,
--Roger
--
They who would give up essential Liberty to purchase a little temporary
Safety, deserve neither Liberty or Safety
--Benjamin Franklin

John Kimble
2006-11-27 01:22:07 UTC
Post by Roger Dingledine
Oh boy. Looks like they have started that particular arms race.
Do you know what version of Websense they were using?
A friend working in a relevant government department says they're
using Websense Enterprise v5.5.
Post by Roger Dingledine
Get a cached-routers file and the cached-status/* files from
somewhere. Bring them from home on a USB stick if you like. I'm not
sure how recent they need to be -- if you're using 0.1.1.x it needs
to be from within 24 hours. I believe 0.1.2.3-alpha is more forgiving,
but not by much. Let me know if you get it working and what it takes.
I'm using 0.1.2.3-alpha. It appears that no matter how recent
cached-routers and cached-status/* are, Tor insists on requesting
directory info afresh on startup, and won't start building circuits
until the directory requests are completed successfully.
Post by Roger Dingledine
Set "__AllDirActionsPrivate 1" in your torrc.
(This config option is intended for controllers that bootstrap your
initial circuits themselves, but it should work fine as a manual
workaround for now.)
This one works like a charm; thank you. The only caveat is that you
cannot set this into torrc, but should only do a "SETCONF
__AllDirActionsPrivate=1" through the control port after Tor has had a
chance to build its circuits. Otherwise Tor goes into an infinite loop
complaining that no circuit is established yet. So the initial burst
of cleartext directory requests can't be avoided, but at least the
subsequent updates are tunneled through Tor.
Post by Roger Dingledine
As Roger implied, working around your network's restrictions is
counter-productive in the long term. The library's admins will see
tor users as a bunch of trouble-makers who try to hide from them.
I would like to suggest that you should go speak with the admins, and
explain what tor is about, that using tor is perfectly legitimate,
nothing personal against them, and doesn't create any new security
issues for their network.
Even if they refuse to un-block tor, they'll most likely be taking
a more friendly view of your further attempts to avoid their restrictions.
Thank you for the sage advice. It's a pretty daunting task though, as
the general attitude of administrators (in the generic sense, not just
network admins) towards privacy advocacy in this part of the world is
of the "what are you trying to hide?" kind. But I'll certainly avoid
using Tor from the library for the time being. (A free wi-fi spot is
just 15 minutes' walk away, anyway.)

Thanks and regards to all,
John
lester psigal
2006-11-27 14:15:49 UTC
snip
Post by Roger Dingledine
Post by John Kimble
Is there a way I can somehow supply Tor with directory information
when Tor is unable to do a plaintext HTTP download (which is quite
easy to block based on fixed strings in the path) when it starts up?
Get a cached-routers file and the cached-status/* files from
somewhere. Bring them from home on a USB stick if you like. I'm not
sure how recent they need to be -- if you're using 0.1.1.x it needs
to be from within 24 hours. I believe 0.1.2.3-alpha is more forgiving,
but not by much. Let me know if you get it working and what it takes.
Future versions of Tor will bootstrap better with whatever files it
starts with; and will avoid the particular fingerprinting vulnerability
you describe above.
Post by John Kimble
Provided the first question is solved, once Tor has built its
circuits, can it be configured to download its directory updates
through the Tor circuits, so as to avoid leaving behind these telltale
footprints of periodical Tor directory downloads?
Set "__AllDirActionsPrivate 1" in your torrc.
(This config option is intended for controllers that bootstrap your
initial circuits themselves, but it should work fine as a manual
workaround for now.)
Hope that helps,
--Roger
hi,
wouldn't it be good to have tor keep track of some routers in
'last-known-good-working' circuits plus a bunch of
'average-best-working' routers and keep those in a cache from
which tor starts up from to make the first connections to directory
servers through those or's.
for example from my dialup connection tor uses always the same few
entry servers to start building circuits (i guess those with the
lowest latency), so it would not make any difference (in regard of
predictability) to keep these routers locally cached and fetch the
directory information through circuits composed of those servers.
i know there are some problems with such functionality like
- initial startup (e.g. on a fresh installation)
- startup after a long period of inactivity (cache becomes outdated)

a solution to this could be the establishment of permanent tor servers
which are used to bootstrap from...


lester psigal





offset
2006-11-26 19:37:26 UTC
Post by John Kimble
Earlier today I was trying to use Tor from my local library's network,
which uses an HTTP proxy with Websense enabled. It seems Tor is
blocked by Websense with the reason: "proxy avoidance".
The blocking is done by redirecting all HTTP requests with
"/tor/server/" in the path to a local "blocked by Websense" page. I've
tested this by entering arbitrary URLs with "/tor/server/" in the
http://www.google.com/tor/server/blahblah
http://www.arbitrary.net/more-arbirary-path/tor/server/meh.txt
The way Websense works, this "proxy avoidance" rule is likely to be
common across all organisations that choose to turn this rule on.
Is there a way I can somehow supply Tor with directory information
when Tor is unable to do a plaintext HTTP download (which is quite
easy to block based on fixed strings in the path) when it starts up?
Provided the first question is solved, once Tor has built its
circuits, can it be configured to download its directory updates
through the Tor circuits, so as to avoid leaving behind these telltale
footprints of periodical Tor directory downloads?
Thanks,
John
I've looked at websense before while using tor and then looking through the logs. Some of the exit nodes are categorized as proxies, while others aren't. I'm not sure if Websense categorizes based on traffic or it's simply over time the websense makers identify exit nodes and categorize them as proxy ip addresses.
--
offset - ubersecurity org
--
Got Tor? Support anonymous Internet communication. http://tor.eff.org/
Juliusz Chroboczek
2006-11-27 00:40:27 UTC
Post by John Kimble
Earlier today I was trying to use Tor from my local library's network,
which uses an HTTP proxy with Websense enabled. It seems Tor is
blocked by Websense with the reason: "proxy avoidance".
John,

As Roger implied, working around your network's restrictions is
counter-productive in the long term. The library's admins will see
tor users as a bunch of trouble-makers who try to hide from them.

I would like to suggest that you should go speak with the admins, and
explain what tor is about, that using tor is perfectly legitimate,
nothing personal against them, and doesn't create any new security
issues for their network.

Even if they refuse to un-block tor, they'll most likely be taking
a more friendly view of your further attempts to avoid their restrictions.

Juliusz