TOR browser

General philosophy message board for Discussion and debate on other philosophical issues not directly related to veganism. Metaphysics, religion, theist vs. atheist debates, politics, general science discussion, etc.
brimstoneSalad
neither stone nor salad
Posts: 9519
Joined: Wed May 28, 2014 9:20 am
Religion: None (Atheist)
Diet: Vegan

Re: TOR browser

Post by brimstoneSalad » Sun Jul 21, 2019 1:59 pm

teo123 wrote:
Sun Jul 21, 2019 4:39 am
brimstoneSalad wrote:I think the fundamental difference here is a company vs. more of a non-profit/public service.
What difference does that make? GitHub, for example, is owned by Microsoft now.
Didn't know Microsoft bought GitHub.
What happens if it stops being profitable?
teo123 wrote:
Sun Jul 21, 2019 4:39 am
Besides, wouldn't it be more useful for somebody wanting to decipher HTTPS to intercept the TLS handshake than to intercept some large piece of ciphered data that doesn't actually contain the keys?
My point is that if you know what data is ciphered then you can derive the key even if you don't have access to it.

Concerns over quantum computing may or may not be overblown, I don't know.

teo123
Master in Training
Posts: 519
Joined: Tue Oct 27, 2015 3:46 pm
Religion: None (Atheist)
Diet: Vegan

Post by teo123 » Mon Jul 22, 2019 5:31 am

brimstoneSalad wrote:What happens if it stops being profitable?
I don't know. How does Microsoft make money? I suppose most of the revenue comes from selling Nokia phones (since Nokia is a part of Microsoft), selling Azure servers and perhaps from the Visual Studio services you need to pay to use.
brimstoneSalad wrote:My point is that if you know what data is ciphered then you can derive the key even if you don't have access to it.
Well, that's another reason ESNIs and TOR are good: the hacker doesn't know which websites you visit to guess the content you download.


Post by teo123 » Tue Jul 23, 2019 7:52 am

@brimstoneSalad, what do you think is the reason it's considered bad to have just one part of your website served over HTTPS (passwords, for example), while having other parts served over HTTP? As far as I understand, it's primarily to prevent this form of attack:
First, the hacker intercepts all the HTTP pages (which is trivial) and modifies the "login" link to point to some page he has made. Or, he intercepts the GET requests referring to the log-in page and responds to them with the "redirect" command (also not hard to do). Second, the hacker's log-in page is an HTTPS page, modified to include some script from the hacker's server (to suppress the browser cross-scripting-attack-defense), and to do an AJAX to the hacker's server revealing the password, along with POST-ing the password to the original website.
So, indeed, serving only a part of the web-site with passwords in HTTPS is better than nothing (it prevents the hacker from merely intercepting all connections to a server and extrapolating the passwords with regular expressions), but it's much better to serve a whole website, which requires passwords, over HTTPS. It might be counter-productive since it's lulling people into a false sense of security.
I mean, to be honest, I am not really the biggest expert in this part of informatics. I wouldn't know how to implement, for example, the RSA algorithm or the elliptic-curve cryptography myself. My website requires a password to reset the back-end of the on-line compiler (to prevent the denial-of-service-attack by somebody resetting the back-end again and again). To protect my password from being intercepted, I implemented the following easy-to-implement algorithm (you can see the code here, it's from the 1507th to the 1548th line):
1) The browser sends a randomly-generated one-byte session-key to the server and requests (using AJAX) a two-byte one-time key.
2) The server sends that key plus 257 times the session-key to the browser.
3) The browser sends, using JSON, the password encrypted with the received one-time two-byte key using the XOR cypher.
4) The server, knowing the one-time two-byte key, deciphers the password, hashes it, and compares the hash to the hash stored on it. Then it informs the browser if the password is right and acts accordingly.
The obvious problem here is that the XOR cypher is symmetric, so the hacker that intercepts the connection three times (both when the session key is communicated, when the key is communicated, and when the password is communicated) has all the knowledge needed to decode the password. I just relied on the hacker not being willing to study my algorithm in order to get my password. An attempt to extrapolate my password by intercepting the connections and using the regular expressions will fail, and the hacker will probably give up.
One recommendation I've seen on-line is that the client shouldn't perhaps attempt to send the encrypted password, but only its hash, hashed using the one-time key given to it by the server. However, in order to implement that, I need to reveal the password to the web-hosting service I use, and they really aren't to be trusted.
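
The four-step exchange described in the post above, as an added example that is not teo123's code or part of the original thread: it simulates both sides in Node.js and records what crosses the network, showing that the recorded messages alone yield the password, as the post itself notes. The key byte order, the alternating XOR, SHA-256 as the stored hash and the message field names are assumptions.

```javascript
// Added illustration, not the site's code. Assumptions: key bytes alternate
// high byte first, SHA-256 is the stored hash, and the message field names.
const crypto = require("crypto");

const sha256hex = (buf) => crypto.createHash("sha256").update(buf).digest("hex");

// XOR each byte with the two key bytes in turn (the key repeats every 2 bytes).
function xorWithKey(bytes, key16) {
  const k = [key16 >> 8, key16 & 0xff];
  return Buffer.from(Array.from(bytes, (b, i) => b ^ k[i % 2]));
}

// Runs steps 1-4 and records every message that crosses the network in `wire`.
function runExchange(password, storedHash) {
  const wire = [];
  // 1) browser -> server: random one-byte session key
  const session = crypto.randomInt(0, 256);
  wire.push({ step: 1, session });
  // 2) server -> browser: two-byte one-time key plus 257 * session key
  const oneTime = crypto.randomInt(0, 65536);
  const masked = oneTime + 257 * session;
  wire.push({ step: 2, masked });
  // 3) browser -> server: password XORed with the unmasked one-time key
  const browserKey = masked - 257 * session;
  const cipher = xorWithKey(Buffer.from(password, "utf8"), browserKey);
  wire.push({ step: 3, cipher: cipher.toString("hex") });
  // 4) server deciphers, hashes, and compares with the stored hash
  const ok = sha256hex(xorWithKey(cipher, oneTime)) === storedHash;
  return { wire, ok };
}

// Audit view: uses only `wire`, i.e. what any observer of plain HTTP holds.
function readFromWire(wire) {
  const [m1, m2, m3] = wire;
  const key = m2.masked - 257 * m1.session;
  return xorWithKey(Buffer.from(m3.cipher, "hex"), key).toString("utf8");
}

// Constructed sample password, for the demo run only.
const demoPw = "constructed-demo-password";
const demo = runExchange(demoPw, sha256hex(demoPw));
console.log("server accepted:", demo.ok);
console.log("recoverable from wire:", readFromWire(demo.wire) === demoPw);
```

Both lines print `true`: nothing in the exchange is secret from an observer, so confidentiality has to come from the transport (TLS) rather than from the XOR step.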


Post by brimstoneSalad » Wed Jul 24, 2019 10:59 pm

Currently serving the whole site by https makes the most sense.


Post by teo123 » Fri Jul 26, 2019 3:57 am

brimstoneSalad wrote:
Wed Jul 24, 2019 10:59 pm
Currently serving the whole site by https makes the most sense.
And why wouldn't that be the case in the future, that serving the message boards completely ciphered makes the most sense? Serving only a part of a message board ciphered to fight against hypothetical attacks by quantum computers would make the falsified-login-page-attack possible again, with no need to use quantum computers at all.

I am still not sure if moving Wikipedia to HTTPS was a good thing. Is serving no information at all to the people of Turkey (since all the editions of Wikipedia are banned in Turkey) and the people of China who don't speak foreign languages (since Chinese Wikipedia is banned in China, but Wikipedia in other languages isn't) better than serving censored information? I don't really see why. In this case, using HTTPS (to make it impossible for censors to see which pages you read) but no ESNI (to make it impossible for censors to see you are visiting Wikipedia) is probably worse than serving it in HTTP. Why not just serve censored content to people using clearweb, and serve all the content to people using TOR or VPN? I mean, it's trivial to set up TOR to be able to use Wikipedia (Wikipedia loads very fast even on "meek-azure", no need to mess with the bridges to make it usable), but wouldn't serving some content to the non-tech-savvy users in those countries be better than serving no content at all to them?


Post by teo123 » Sun Jul 28, 2019 6:32 am

It's interesting to look at how people behave in response to Internet censorship. A few things that have intrigued me are:

1) Tor usage in Iran is among the highest in the world. Yet, the Internet censorship in China is a lot more pervasive than in Iran, but Tor usage there is much lower.

2) Banning Twitter caused only a moderate spike of Tor users in Turkey (It's hard to tell why, since Facebook and Twitter are so slow that they are barely usable in Tor, and they are not useful at all if people you communicate with can't access them.). Banning Wikipedia apparently didn't cause an increase in Tor users at all (Even though it's perfectly usable in Tor, except for editing, which is not what many people do on Wikipedia.). Yet, banning Tor caused the number of Tor users to increase more than 5 times... for a short period of time. Now it's around half as high as it was right after Tor was blocked.

It's hard to tell why Tor usage is so low in China, while it's so high in Iran. My guess is that it's a combination of factors:
a) The number of Internet users in China is greatly overestimated, due to a number of people using Internet only for WeChat and similar apps for VoIP and instant messaging greatly outnumbering the actual, informatically literate, Internet users.
b) China has an Internet culture of its own. Baidu Baike is certainly far more comprehensive than Croatian Wikipedia, probably even more so than Chinese Wikipedia, and perhaps even more so than Encyclopedia Britannica. Chinese Internet users perhaps suffer because of Internet censorship much less than Iranian Internet users do.
c) Perhaps what plays the biggest role here is the language barrier. Perhaps Iranian schools teach English a lot better than Chinese schools do.
d) People in China are more likely to pay for expensive VPNs than to simply use Tor. Obviously, both Tor and VPNs have their pros and cons: VPNs tend to be faster but provide fewer security features. It appears to me that plays a major role here, but it's hard to get reliable statistics about VPN usage in some country.


Post by teo123 » Sun Jul 28, 2019 7:51 am

I mean, a more complicated explanation might be that:
e) People in Iran realize they are not being told the truth by their media, and seek the information from western media (as if western media were telling the truth), people in China trust their media.
Now, what do you think, @brimstoneSalad, what makes people realize their media is not telling the truth to them? It should be obvious that American media is not telling the truth, it supports ridiculous conspiracy theories (global warming denial, creationism, anti-GMO...) all the time. And the same goes for, if not even more so, Turkish media. Now, you are saying it should also be obvious that Croatian media aren't telling the truth, since they rarely talk about corruption in Croatia, and often state that Germany (where a disproportionate number of Croatians considers moving to) is corrupt, right?


Post by brimstoneSalad » Sun Jul 28, 2019 8:59 pm

teo123 wrote:
Fri Jul 26, 2019 3:57 am
but wouldn't serving some content to the non-tech-savvy users in those countries be better than serving no content at all to them?
That makes sense. It probably comes down to some kind of idealism of the administration.

On media, only Fox is really bad in the U.S. in terms of political conspiracy theories, most other stations are only accidentally unreliable on science reporting for relatively new things and when something is prone to fear mongering (which boosts rating). You can get over the bad science reporting by visiting science journalism sources which do a better job. Pretty much all media is subject to ratings biases though, it's hard to overcome.

On China, most internet users use phones or net bars to access the net AFAIK, and aren't really aware of what they're missing due to, as you said, local web resources from inside China being so well developed. I think Iran ultimately has less choice, but I think you'll also find more personally owned (older) computers there. I suspect any country where people use mobile phones and public computers more would have less Tor usage due to technological barriers.


Post by teo123 » Mon Jul 29, 2019 12:10 pm

brimstoneSalad wrote:most other stations are only accidentally unreliable on science reporting for relatively new things and when something is prone to fear mongering (which boosts rating).
What do you mean? The mainstream US media is generally supportive of the pseudoscientific policies of Green New Deal, of anti-nuclear-power movement, and of the anti-GMO movement (Fox news isn't supportive of the Green New Deal, but it is of the other two and of much more pseudosciences).
brimstoneSalad wrote:I think you'll also find more personally owned (older) computers there. 
Well, I think it's generally much easier to install Tor on a new smartphone (there is a version of Tor for Android on GitHub, you just need to block some of the security features of Android to install it) than on an old personal computer. The last few tens of versions of Tor (all the versions hosted on GitHub) don't run on Windows versions older than Windows 7. Older versions of Tor are useless in countries with a lot of Internet censorship, since they don't support "meek" or "obfs4". And for Windows 7, you need at least 512 MB of RAM just to install them, and then they run very poorly. Laptops used to have around 512 MB of RAM around 2006 (that's when my Acer laptop with 512 MB of RAM was bought), so you can't run Tor on Windows on a computer much older than that. And I doubt Tor on Linux can actually be used on much less than 512 MB of RAM, it uses much more RAM than Firefox.
It's often said that meek-client and obfs4-client rely only on some parts of the Go runtime library and that they can therefore run even on Windows 98SE. As far as I understand, this information is useless for a few reasons. First, the Tor installer simply refuses to unpack anything even on Windows XP (I've tried it, there is no obvious way to get the "meek-client.exe" file unpacked there.). Second, getting any browser but Tor Browser to use Tor is either very hard or not possible at all, primarily because of the DNS working completely differently on Tor and on the clearweb. Now, I don't know how hard it is to get an archaic version of Tor Browser to use, for example, "meek-client.exe", my guess is that you'd need to modify the source code, which is then probably impossible to compile on Windows 98SE.
Either way, usefully installing Tor on a computer from the early 2000s is not easier than usefully installing it on a smartphone back from 2012 (since the latest version of Tor for Android runs on Android 4.1 or newer).


Post by brimstoneSalad » Thu Aug 01, 2019 7:18 pm

teo123 wrote:
Mon Jul 29, 2019 12:10 pm
brimstoneSalad wrote:most other stations are only accidentally unreliable on science reporting for relatively new things and when something is prone to fear mongering (which boosts rating).
What do you mean? The mainstream US media is generally supportive of the pseudoscientific policies of Green New Deal, of anti-nuclear-power movement, and of the anti-GMO movement (Fox news isn't supportive of the Green New Deal, but it is of the other two and of much more pseudosciences).
Media has been pretty critical of the impractical and overly-politicized nature of the Green New Deal.
On the science issues, like I said, fear mongering sells, so many media outlets have sensationalized spills. Usually the content of a piece is less dramatic than the headlines, though.

However:
Top 15 U.S. Newspapers by Circulation
The Wall Street Journal. wsj.com. ...
USA Today. usatoday.com. ...
Los Angeles Times. latimes.com. ...
The New York Times. nytimes.com. ...
Houston Chronicle. chron.com. ...
Chicago Tribune. chicagotribune.com. ...
Tampa Bay Times. tampabay.com. ...
Washington Post. washingtonpost.com.
top two:

https://www.wsj.com/articles/only-nucle ... 1547225861
https://www.usatoday.com/story/opinion/ ... 409096001/

Yeah, LA times is terrible, NYT isn't too bad:
https://www.nytimes.com/2019/04/06/opin ... power.html

I'm not going to search all of them, but it's a pretty mixed bag that at least *generally* leans in the direction of the science.
teo123 wrote:
Mon Jul 29, 2019 12:10 pm
Well, I think it's generally much easier to install Tor on a new smartphone (there is a version of Tor for Android on GitHub, you just need to block some of the security features of Android to install it)
That's a pretty big barrier when you have trouble accessing the how to. Kind of a catch-22. You need TOR to learn how to install TOR.
The phones in these countries may also be running special software courtesy of the government regulations there.

We may never know the true cause of the difference, but it's probably a combination of factors.
