Discussion:
[tor-talk] alt-svc supported by TBB
Dave Warren
2018-09-18 19:20:30 UTC
Can anyone confirm if the current release of TBB supports alt-svc?

I'm testing the Cloudflare alt-svc .onion beta project and I do see the
alt-svc header, but I'm trying to determine whether TBB is actually
using it or not. It seems like not, given that the website can see a tor
exit IP in the Cloudflare headers (I wouldn't expect this since
subsequent requests should be delivered over a .onion address).
--
tor-talk mailing list - tor-***@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinf
nusenu
2018-09-18 19:33:00 UTC
Post by Dave Warren
Can anyone confirm if the current release of TBB supports alt-svc?
I'm testing the Cloudflare alt-svc .onion beta project and I do see
the alt-svc header, but I'm trying to determine whether TBB is
actually using it or not. It seems like not, given that the website
can see a tor exit IP in the Cloudflare headers (I wouldn't expect
this since subsequent requests should be delivered over a .onion
address).
TorBrowser is supposed to support alt-svc since version 8 but
we have had mixed results when testing it
https://twitter.com/arthuredelstein/status/1037559553380966400
--
https://twitter.com/nusenu_
https://mastodon.social/@nusenu
Dave Warren
2018-09-18 20:33:31 UTC
Post by nusenu
Post by Dave Warren
Can anyone confirm if the current release of TBB supports alt-svc?
I'm testing the Cloudflare alt-svc .onion beta project and I do see
the alt-svc header, but I'm trying to determine whether TBB is
actually using it or not. It seems like not, given that the website
can see a tor exit IP in the Cloudflare headers (I wouldn't expect
this since subsequent requests should be delivered over a .onion
address).
TorBrowser is supposed to support alt-svc since version 8 but
we have had mixed results when testing it
https://twitter.com/arthuredelstein/status/1037559553380966400
Using the test page at https://perfectoid.space/test.php I get either
red or yellow exclusively, no amount of refreshing and/or changing
circuits seems to get green which confirms my own testing on a site I
operate that is participating in the beta.
Dave Warren
2018-09-20 18:38:56 UTC
Post by Dave Warren
Post by nusenu
Post by Dave Warren
Can anyone confirm if the current release of TBB supports alt-svc?
I'm testing the Cloudflare alt-svc .onion beta project and I do see
the alt-svc header, but I'm trying to determine whether TBB is
actually using it or not. It seems like not, given that the website
can see a tor exit IP in the Cloudflare headers (I wouldn't expect
this since subsequent requests should be delivered over a .onion
address).
TorBrowser is supposed to support alt-svc since version 8 but
we have had mixed results when testing it
https://twitter.com/arthuredelstein/status/1037559553380966400
Using the test page at https://perfectoid.space/test.php I get either
red or yellow exclusively, no amount of refreshing and/or changing
circuits seems to get green which confirms my own testing on a site I
operate that is participating in the beta.
I've been monkeying around a bit, and I can sometimes get this to work,
but very infrequently. It feels like if I open a tunnel to each of their
.onion addresses first then it increases the odds although I'm not sure
if this makes sense since a new hostname (the test site vs their .onion
addresses) should result in a new tunnel anyway.

And maybe this is just a limitation of the test site (although I don't
think so), but it seems that Cloudflare fails to notice many IPv6 exits,
whereas IPv4 exits usually get the country "T1" (meaning Cloudflare
knows this is a Tor exit and adds the Alt-Svc header).

Unfortunately the reliability doesn't seem to be here enough to try and
achieve Cloudflare's stated goals, but hopefully this is just an early
attempt and not the end of the road. On the flip side, maybe it is
working a little more than it appears since I'm not seeing CAPTCHAs when
using TBB 8, but I am from a second machine running TBB 7.

One final note: Are there any other Cloudflare users on the Free or Pro
plans? If so, could you go check if Onion Routing was enabled for you?
Their blog says it is enabled by default, but it is disabled on two of
my three sites -- Maybe this is due to being part of the beta though, I
did manually enable it on that third site and maybe that precluded it
from being enabled on my other two?
Andreas Krey
2018-09-21 13:06:57 UTC
On Thu, 20 Sep 2018 12:38:56 +0000, Dave Warren wrote:
...
Post by Dave Warren
Post by Dave Warren
Using the test page at https://perfectoid.space/test.php I get either
red or yellow exclusively, no amount of refreshing and/or changing
circuits seems to get green which confirms my own testing on a site I
operate that is participating in the beta.
I've been monkeying around a bit, and I can sometimes get this to work,
but very infrequently.
It works some of the time. One point: On first load the page
cannot be green - you need one round to fetch the alt-svc
header before you can actually go and use that.

But then it would be helpful if the site showed how it comes
to the conclusion of a color - it seems I'm getting a lot of
red in spite of obviously using tor. (Looks like it is relying
on cloudflare's judgement via IPCOUNTRY.)

Once yellow after a 'new circuit' the reload gives a green page.

Also bad: Firefox doesn't seem to show whether the alt-svc
was used for a request.

- Andreas
--
"Totally trivial. Famous last words."
From: Linus Torvalds <torvalds@*.org>
Date: Fri, 22 Jan 2010 07:29:21 -0800
Mike Tigas
2018-09-21 23:07:12 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Post by Andreas Krey
...
Post by Dave Warren
Post by Dave Warren
Using the test page at https://perfectoid.space/test.php I get either
red or yellow exclusively, no amount of refreshing and/or changing
circuits seems to get green which confirms my own testing on a site I
operate that is participating in the beta.
I've been monkeying around a bit, and I can sometimes get this to work,
but very infrequently.
It works some of the time. One point: On first load the page
cannot be green - you need one round to fetch the alt-svc
header before you can actually go and use that.
But then it would be helpful if the site showed how it comes
to the conclusion of a color - it seems I'm getting a lot of
red in spite of obviously using tor. (Looks like it is relying
on cloudflare's judgement via IPCOUNTRY.)
Once yellow after a 'new circuit' the reload gives a green page.
Right, it doesn't look like https://perfectoid.space/test.php is
consistently setting `alt-svc` for me.

Even when it does, it doesn't *seem* that TBB (8.5a1) isn't going over
.onion there for me? Never see that page turn green, even after a
yellow page. Maybe some issue with that site itself and/or the
particularly complex/long alt-svc that CF is generating? ("alt-svc:
h2="cflarexljc3rw355ysrkrzwapozws6nre6xsy3n4yrj7taye3uiby3ad.onion:443";
ma=86400; persist=1,h2="cflarenuttlfuyn7imozr4atzvfbiw3ezgbdjdldmdx7srterayaozid.onion:443";
ma=86400; persist=1,h2="cflares35lvdlczhy3r6qbza5jjxbcplzvdveabhf7bsp7y4nzmn67yd.onion:443";
ma=86400; persist=1,h2="cflareusni3s7vwhq2f7gc4opsik7aa4t2ajedhzr42ez6uajaywh3qd.onion:443";
ma=86400; persist=1,h2="cflareki4v3lh674hq55k3n7xd4ibkwx3pnw67rr3gkpsonjmxbktxyd.onion:443";
ma=86400; persist=1,h2="cflarejlah424meosswvaeqzb54rtdetr4xva6mq2bm2hfcx5isaglid.onion:443";
ma=86400; persist=1,h2="cflaresuje2rb7w2u3w43pn4luxdi6o7oatv6r2zrfb5xvsugj35d2qd.onion:443";
ma=86400; persist=1,h2="cflareer7qekzp3zeyqvcfktxfrmncse4ilc7trbf6bp6yzdabxuload.onion:443";
ma=86400; persist=1,h2="cflareub6dtu7nvs3kqmoigcjdwap2azrkx5zohb2yk7gqjkwoyotwqd.onion:443";
ma=86400; persist=1,h2="cflare2nge4h4yqr3574crrd7k66lil3torzbisz6uciyuzqc2h2ykyd.onion:443";
ma=86400; persist=1")
Post by Andreas Krey
Also bad: Firefox doesn't seem to show whether the alt-svc
was used for a request.
Yeah, that's already an open issue that's on the roadmap AFAIK: [1]

Also, I don't remember where I saw this, but I believe there's some
hope to get a UX like [2]
(i.e., rather than auto-switch, the user should have explicit input on
it. This is related to some discussion about possibly using alt-svc in
an evil way to get a TBB user to a uniquely-generated onion domain and
do other things with that?)

In any case, I did a quick test on propublica.org *not* using
cloudflare's built-in onion service feature (since we're running our
own with our own EV cert anyway), and wanted to mention it here:

Set `alt-svc: h2="www.propub3r6espa33w.onion:443"; ma=300`, and looks
like TBB (8.5a1) actually did silently switch over to using the onion
for the connection. As above, there'd generally be no outward
indication to the user that this has happened, except I'd actually
configured the onion proxying bits (right now running nginx) to throw
the browser a 302 redirect to the onion domain if the HTTP Host header
isn't the onion domain. So, I'd inadvertently set this up to work
where the user actually does get fully redirected over to the onion.

(I've since taken off the alt-svc header, since that was just a quick
test and I'll need to figure out if that's behavior we want in lieu of
the TBB UI getting an explicit user interaction before moving to the
alt-svc. But figured that's worth mentioning for folks who _do_ want
to easily make a clearnet domain redir TBB to an onion domain.)

[1]: https://trac.torproject.org/projects/tor/ticket/27590
[2]: Loading Image...

- --
Mike Tigas
https://mike.tig.as/
-----BEGIN PGP SIGNATURE-----
Comment: https://mike.tig.as/pgp/

-----END PGP SIGNATURE-----
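
Andreas's point that the first load cannot use the onion, and the `ma=300` in Mike's test, shown as an added example (not code from any poster, from Cloudflare or from Tor Browser): a parser for Alt-Svc field values (RFC 7838) and a toy client cache. `parse_alt_svc`, `AltSvcCache` and its methods are hypothetical names, and the cache is a simplification that assumes the client prefers the first .onion alternative it has learned.

```python
import re

# Added example: Alt-Svc (RFC 7838) parsing plus a toy client cache. Names are illustrative.
_ALT = re.compile(r'\s*([^\s=,;"]+)="([^"]*)"((?:\s*;\s*[^;,=\s]+=(?:"[^"]*"|[^;,\s]*))*)\s*')
_PARAM = re.compile(r';\s*([^;,=\s]+)=(?:"([^"]*)"|([^;,\s]*))')
_ONION_LABEL = re.compile(r'^(?:[a-z2-7]{16}|[a-z2-7]{56})$')  # v2 = 16 chars, v3 = 56


def parse_alt_svc(value):
    """Parse an Alt-Svc field value into a list of alternatives ('clear' -> [])."""
    if value.strip().lower() == "clear":
        return []
    entries, pos = [], 0
    while True:
        m = _ALT.match(value, pos)
        if not m:
            raise ValueError(f"malformed Alt-Svc at offset {pos}")
        proto, authority, raw = m.groups()
        params = {k.lower(): q or u for k, q, u in _PARAM.findall(raw)}
        host, sep, port = authority.rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError(f"bad alt-authority {authority!r}")
        labels = host.lower().split(".")
        entries.append({
            "proto": proto, "host": host.lower(), "port": int(port),
            "ma": int(params.get("ma", 86400)),      # RFC 7838 default: 24 hours
            "persist": params.get("persist") == "1",
            "onion": len(labels) >= 2 and labels[-1] == "onion"
                     and bool(_ONION_LABEL.match(labels[-2])),
        })
        pos = m.end()
        if pos == len(value):
            return entries
        if value[pos] != ",":
            raise ValueError(f"expected ',' at offset {pos}")
        pos += 1


class AltSvcCache:
    """Toy model of a client: an alternative is usable only after a response taught it."""

    def __init__(self):
        self._known = {}  # origin -> (expiry time in seconds, alternatives)

    def route(self, origin, now):
        expiry, alts = self._known.get(origin, (0, []))
        onions = [a for a in alts if a["onion"]]
        return onions[0]["host"] if onions and now < expiry else origin

    def learn(self, origin, header, now):
        alts = parse_alt_svc(header)
        if alts:  # simplification: one expiry per origin, the shortest ma seen
            self._known[origin] = (now + min(a["ma"] for a in alts), alts)
        else:     # "clear" drops everything learned for this origin
            self._known.pop(origin, None)


# Header values copied from the thread (first two Cloudflare entries, and the propublica test).
CF_HEADER = ('h2="cflarexljc3rw355ysrkrzwapozws6nre6xsy3n4yrj7taye3uiby3ad.onion:443"; ma=86400; persist=1,'
             'h2="cflarenuttlfuyn7imozr4atzvfbiw3ezgbdjdldmdx7srterayaozid.onion:443"; ma=86400; persist=1')
PP_HEADER = 'h2="www.propub3r6espa33w.onion:443"; ma=300'
```

In this model `route()` returns the clearnet origin until `learn()` has seen a response carrying the header, and again once `ma` seconds have passed, which matches the yellow-then-green sequence described in the thread.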
nusenu
2018-09-22 06:58:00 UTC
Post by Mike Tigas
Right, it doesn't look like https://perfectoid.space/test.php is
consistently setting `alt-svc` for me.
CF only inserts alt-svc when it detects the client coming from a
tor exit IP. CF's detection of what a tor exit IP is, isn't terribly good at the moment
and they are apparently working on it.

see this thread on twitter:
https://twitter.com/grittygrease/status/1042845076580257792
--
https://twitter.com/nusenu_
https://mastodon.social/@nusenu
TNT BOM BOM
2018-09-18 19:59:00 UTC
why the hell would anyone use anything from Cloudflare with Tor???
Post by Dave Warren
Can anyone confirm if the current release of TBB supports alt-svc?
I'm testing the Cloudflare alt-svc .onion beta project and I do see the
alt-svc header, but I'm trying to determine whether TBB is actually
using it or not. It seems like not, given that the website can see a tor
exit IP in the Cloudflare headers (I wouldn't expect this since
subsequent requests should be delivered over a .onion address).
Roman Mamedov
2018-09-18 20:05:31 UTC
On Tue, 18 Sep 2018 19:59:00 +0000
Post by TNT BOM BOM
why the hell would anyone use anything from Cloudflare with Tor???
Because people use Tor to browse the Internet, and half of the Internet is
nowadays CloudFlare. If you're looking to advance a point of view such as [1]
-- which may be valid or not -- your post is not the best way to do it.

[1] https://notabug.org/themusicgod1/cloudflare-tor
--
With respect,
Roman
Alec Muffett
2018-09-18 20:14:19 UTC
Post by TNT BOM BOM
why the hell would anyone use anything from Cloudflare with Tor???
Well — speaking as the former guy from Facebook who built facebookcorewwwi
and helped standardise ".onion" as an official TLD, in order that the
Facebook Onion SSL Certificate could continue to exist, I feel uniquely
qualified to answer this one.

The answer is: I understand that historically the Tor community has had a
lot of hatred for [various companies] for making use of [the related
websites] harder, over Tor; a lot of the actions of the companies came out
of (a) a place of fear and misunderstanding, plus (b) a sense that "civil
society / tor only ever criticise and hate-on us, so why should we bother
doing anything to help them?"; combined with bits and pieces of political &
protest rhetoric.

I personally believe that a lot of this attitude can be laid at the feet of
former members of the core Tor team who are thankfully no longer so.

As I fought (and won) the argument within Facebook, the important thing to
do is ignore the anger and vitriol, and instead to focus on the people
whose lives will be improved by making better access over Tor:

https://www.facebook.com/notes/alec-muffett/how-to-get-a-company-or-organisation-to-implement-an-onion-site-ie-a-tor-hidden-/10153762090530962/

...and I have been preaching this gospel, every single week, since I left
Facebook in 2016 due to burnout and other reasons.

So, in a nutshell, the reason for Tor to engage with Cloudflare and
Facebook is... because Cloudflare and Facebook want to engage with Tor.
Maybe some folk disagree on corporate value propositions, or the value of
services provided, but underneath it all: the more people who use Tor, the
better. And these corporations — in defiance of popular opinion — really
do care about the security and safety of people who access their services.
Tor helps with that.

That's why.

- alec

ps1: anyone who wants to argue this matter ("zomg evil corporations!!1!")
is invited to email me directly, I am not going to argue attempted
point-scoring within this thread.

ps2: my latest video may be of interest:

--
http://dropsafe.crypticide.com/aboutalecm
nusenu
2018-09-18 20:15:00 UTC
Post by TNT BOM BOM
why the hell would anyone use anything from Cloudflare with Tor???
to reduce the load on exits
to have to solve fewer captchas
Post by TNT BOM BOM
Post by Dave Warren
Can anyone confirm if the current release of TBB supports alt-svc?
I'm testing the Cloudflare alt-svc .onion beta project and I do see the
alt-svc header, but I'm trying to determine whether TBB is actually
using it or not. It seems like not, given that the website can see a tor
exit IP in the Cloudflare headers (I wouldn't expect this since
subsequent requests should be delivered over a .onion address).
--
https://twitter.com/nusenu_
https://mastodon.social/@nusenu
Dave Warren
2018-09-18 20:22:10 UTC
Post by TNT BOM BOM
why the hell would anyone use anything from Cloudflare with Tor???
Primarily to reduce the load on exits, but Cloudflare putting resources
into being more usable (and less annoying) for Tor users can only be a
good thing for those who use Tor to access the internet.
TNT BOM BOM
2018-09-19 03:17:00 UTC
That's nice, but doesn't it look awkward that the company who blocked Tor and
had those arguments (back then) went all of a sudden to help Tor? Do I
expect the holy ghost to democratize their brains and get the demon of
blocking free internet out of them? I dunno, but it's for sure
suspicious. But at the same time, if they really want to help Tor users
then that's a good sign. (Of course that doesn't mean Cloudflare DNS is safe,
nor am I supporting registering any website in their services. Just saying
it's a good step if they are as they are saying.)
Post by Dave Warren
Post by TNT BOM BOM
why the hell would anyone use anything from Cloudflare with Tor???
Primarily to reduce the load on exits, but Cloudflare putting resources
into being more usable (and less annoying) for Tor users can only be a
good thing for those who use Tor to access the internet.
Dave Warren
2018-09-20 18:55:21 UTC
Post by TNT BOM BOM
That's nice, but doesn't it look awkward that the company who blocked Tor and
had those arguments (back then) went all of a sudden to help Tor? Do I
expect the holy ghost to democratize their brains and get the demon of
blocking free internet out of them? I dunno, but it's for sure
suspicious. But at the same time, if they really want to help Tor users
then that's a good sign. (Of course that doesn't mean Cloudflare DNS is safe,
nor am I supporting registering any website in their services. Just saying
it's a good step if they are as they are saying.)
I don't really think Cloudflare was ever intentionally actively hostile
to Tor users, but rather it was an unintended consequence of how they
attempted to separate legitimate vs malicious traffic. The reality is
that Tor exits emit both legitimate and malicious traffic, and TBB users
are (by design) indistinguishable from each other by typical browser
fingerprinting techniques, so Cloudflare had no obvious way to separate
malicious vs legitimate requests.

For some time Cloudflare has made it easy for site operators to
whitelist Tor exits (noting that this means site operators absorb the
abuse rather than Cloudflare blocking it, and also noting that only a
tiny fraction of site operations actually do this), they also put effort
into Privacy Pass (a way to reduce the negative impact without giving up
privacy).

Could they have done more, better, or sooner? Maybe. But alt-svc wasn't
supported by TBB until 8.0, and Cloudflare was quick to take advantage
of it for the benefit of Tor users, that's worth noting.

More importantly though, even if your belief is that Cloudflare was
previously actively hostile toward Tor, isn't a corporation changing
their stance a good thing? Isn't a pivot toward being accepting of users
who want more privacy than usual a good thing for both regular users and
Tor users?