
May 2008

May 29, 2008

Tor network status now available

Further to our last post on May 22, we have now made available an initial step to identify and advise people about the status of the overall Tor network.  This information is now displayed at the top of our pickaproxy.com web site, showing the "current Tor network status" as either Ok, Use With Caution, or Not Considered Safe.  These 3 conditions are initially defined as follows:

"Ok" means there are at least 525 exit nodes ("proxy servers" for the non-Tor-speaking set), 500 relays, 300 guards, 6 version 3 directories, 500 version 2 directories, 32 KB/s mean and average exit bandwidth, and 40 KB/s mean and average relay bandwidth. Any nodes hibernating, marked as "bad", not "valid", or not "running" are excluded from these numbers.

"Use With Caution" means one or more of the "Ok" thresholds is not met, but there are still at least 375 exit nodes ("proxy servers"), 350 relays, 150 guards, 5 version 3 directories, 250 version 2 directories, 22 KB/s mean and average exit bandwidth, and 30 KB/s mean and average relay bandwidth.

Anything less than any of these Use With Caution thresholds will result in a "Not Considered Safe" status.

Our next step will be to allow people to subscribe to this information, and to define these thresholds for themselves. Our checks to update this status are currently done every 1-2 hours.
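The status rule above, as an added example that is not pickaproxy.com's own code: it applies the exclusion rule and the two threshold tables to a list of relay records, and a constructed generator reproduces both a healthy network and the Monday drop described in the May 22 post. The flag names used for "version 3 directory" (Authority) and "version 2 directory" (V2Dir), and reading "relays" as usable non-exit nodes, are assumptions.

```python
"""Classify overall Tor network health the way the status indicator described
above does.  Added example, not pickaproxy.com's own code; relay records are
constructed sample data rather than a parsed network-status document."""
from statistics import mean

# Thresholds copied from the post; bandwidths are mean KB/s.
OK_THRESHOLDS = {"exits": 525, "relays": 500, "guards": 300, "v3dirs": 6,
                 "v2dirs": 500, "exit_bw": 32, "relay_bw": 40}
CAUTION_THRESHOLDS = {"exits": 375, "relays": 350, "guards": 150, "v3dirs": 5,
                      "v2dirs": 250, "exit_bw": 22, "relay_bw": 30}

def usable(node):
    """Exclusion rule from the post: hibernating, BadExit, non-Valid or
    non-Running nodes are not counted at all."""
    f = node["flags"]
    return ("Running" in f and "Valid" in f and "BadExit" not in f
            and not node.get("hibernating", False))

def summarize(nodes):
    """Count what the status rules look at.  Assumptions: 'relays' means usable
    non-exit nodes, a v3 directory is an Authority, a v2 directory has V2Dir."""
    live = [n for n in nodes if usable(n)]
    exits = [n for n in live if "Exit" in n["flags"]]
    relays = [n for n in live if "Exit" not in n["flags"]]
    return {"exits": len(exits), "relays": len(relays),
            "guards": sum("Guard" in n["flags"] for n in live),
            "v3dirs": sum("Authority" in n["flags"] for n in live),
            "v2dirs": sum("V2Dir" in n["flags"] for n in live),
            "exit_bw": mean(n["bw_kbs"] for n in exits) if exits else 0,
            "relay_bw": mean(n["bw_kbs"] for n in relays) if relays else 0}

def network_status(nodes):
    """Ok only if every Ok threshold is met; Use With Caution if every caution
    threshold is met; otherwise Not Considered Safe."""
    stats = summarize(nodes)
    for label, thresholds in (("Ok", OK_THRESHOLDS),
                              ("Use With Caution", CAUTION_THRESHOLDS)):
        if all(stats[k] >= v for k, v in thresholds.items()):
            return label
    return "Not Considered Safe"

def synthetic_network(n_exits, n_relays, exit_bw, relay_bw, running_fraction=1.0):
    """Constructed data: the first n_exits nodes are exits, every second node is
    a Guard and V2Dir, the first six are authorities.  running_fraction replays
    the Monday event where only about 20% of nodes kept the Running flag."""
    total, nodes = n_exits + n_relays, []
    for i in range(total):
        flags = {"Valid"} | ({"Running"} if i < total * running_fraction else set())
        flags |= {"Exit"} if i < n_exits else set()
        flags |= {"Guard", "V2Dir"} if i % 2 == 0 else set()
        flags |= {"Authority"} if i < 6 else set()
        nodes.append({"flags": flags, "bw_kbs": exit_bw if i < n_exits else relay_bw})
    return nodes
```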

May 22, 2008

Paranoia part 2

Last Monday, Memorial Day in the US, and Victoria Day in Canada, I discovered a potentially troubling anomaly in the Tor network. Between about 10am and 3pm EST the number of computers running the Tor software as a relay or exit dropped to about 400 from the usual range of about 2,000.

This could be nothing serious, but also could be very serious in terms of increased exposure of Tor network traffic to possible monitoring. It is generally acknowledged that the more computers running the Tor software as relays and exits the greater the anonymity of its users. With 80% of the usual Tor servers flagged as out-of-service for 5 hours, this would mean all the normal Tor network traffic would be forced to travel through just 20% of the available servers.  In other words, if an imaginary adversary controlled 4 Tor servers, then instead of having access to just 0.2% of the total Tor network traffic (4 of 2,000), they could have access to 10% of the total Tor network traffic (4 of 400), as long as their 4 were part of the ones that remained in service.

How could all these servers have been flagged as out of service?  Was it an accidental anomaly in the Tor software?  Was someone maliciously manipulating the Tor "running" status flag for this time period, hoping that no one would notice?

We have no answers at this time, although we are convinced that this anomaly was not simply a problem with our own software which monitors the composition and state of the Tor network.  In response to this, we have started development of an alert system to be added to our pickaproxy.com service, so that when (if?) these conditions come up again, our users will be told, so they can make their own choices as to whether to continue using our service (and the Tor network in general) or disconnect until we issue a "Code Green" when more normal conditions return ...

Paranoia part 1

There are 5 very fast proxy servers operated by Performance Systems Inc. (PSI) in Washington, DC that scare me.

They are all exit nodes on the Tor network, providing proxy support for DNS (port 53), POP3 email (port 110), IMAP email (port 143), MSN Messenger (port 1863), ICQ (port 5190), Jabber and/or Google Talk and/or possibly a Tor Hidden Service (port 5222), MMCC (port 5050), Virtual Places (port 1533), and IRC (ports 6660-6667).  One of the 5 also provides proxy support for telnet (port 23).  None of them provide proxy support for http (port 80) or https (port 443), but there is a good chance if you are using the Tor network your traffic will run through 1 of these servers as a relay or guard/entry node.

None of them have any records in the DNS domain name system that I can find, they all have IP Addresses starting with 149.9.0, these are the only proxy servers on the Tor network operated by PSI, and they all seem to be configured identically, even to the point of using the same out-of-date version of the Tor software.

I would say it is likely they are operated by, or on behalf of, some branch of the US government.

As a result, in order to limit your exposure to the potential of your internet activity being monitored by or through these servers, we have now configured our pickaproxy.com tryout services to always exclude these 5 proxy servers.  This will slow down our proxy service to some degree, but we consider the trade-off to be worth it.  Eventually we will allow our users to decide for themselves if they want to exclude these or any other proxy servers.

Comments are certainly welcome ...

May 13, 2008

Tuesday stuff

A few items to report today:

(1) The Tor Project announced a fix this morning to a major security vulnerability in Debian's OpenSSL packages. We have now upgraded all the Tor software on our pickaproxy.com servers so you do not have to do anything yourself.

(2) When I first checked the number of Tor proxy servers running the new version this morning I found only 3 of them.  (You can check this yourself anytime by going to http://www.pickaproxy.com/?speak=tor. Look for the "Recommended Version Summary" drop-down list on the left.) After upgrading our own servers I see there are now 8 running the new version as of 13:10 pm EDT, leaving about 160 others needing to be upgraded.  This is pretty cool information to have at your fingertips, eh?

(3) The stunnel settings for the non-China proxies are "accept = 8100" and "connect = nonCN.pickaproxy.com:17231". Your proxy settings would be "localhost port 8100" as it would be for any stunnel users, to indicate stunnel was running on your computer in the background waiting for connections to port 8100 from your browser or whatever other program you may be using. (Yes, you could configure your stunnel to run on a different port than 8100 - it is your choice. Check our May 1 blog for more details on stunnel.)

(4) The stunnel settings for the non-Germany proxies are "accept = 8100" and "connect = nonDE.pickaproxy.com:17233".

(5) The stunnel settings for the non-US proxies are "accept = 8100" and "connect = nonUS.pickaproxy.com:17225".

(6) I see that lots of people have been using our pickaproxy.com geospoofing service over the past 25 days since we launched it on a tryout basis. There have been over 15,000 different web sites accessed through it so far. We are still working on improving it, providing more control and more information to our users, and figuring out how best to define and distinguish our free services from subscription services. We are also currently working on a way to let iPhone and iPod Touch users connect to us, we are working on having proxy auto-configuration PAC files for you to simplify changing your proxy settings, and we are designing an Internet Explorer and Firefox toolbar/addon to let you easily control and monitor your pickaproxy.com settings.

May 10, 2008

News: non-US, non-China, and non-Germany proxies now available

Ever wanted (or needed) to appear to NOT be somewhere while using the Internet? Whatever your reasons, we can now help you if it's the USA, China, or Germany that you do not want to appear to be in.  Try setting your proxy to:

  • nonUS.pickaproxy.com port 18225 to avoid being in the USA
  • nonCN.pickaproxy.com port 18231 to avoid being in China
  • nonDE.pickaproxy.com port 18233 to avoid being in Germany

In "Tor" speak, we make sure in all 3 of these cases that you neither use Exit nodes nor Entry nodes that are in the specific countries.

That reminds me about something that we have not mentioned before, with respect to all the other country-specific proxy settings: we always use "strict" Entry nodes that are NOT in the same CONTINENT as the "strict" Exit nodes we select for you in that country, in order to increase your chances of staying anonymous. One of the acknowledged risks of using the Tor network is exposure to greater surveillance by entities that believe it is their right and responsibility to do so. By setting strict entry nodes that are geographically dispersed from the strict exit nodes you use, we give you greater protection from this potential threat to your privacy. There is more information on the Tor project web site about this.
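The selection rule described in the last two posts, as an added example that is not pickaproxy.com's own code: strict exits in the requested country with strict entries (guards) on a different continent, or, for the "non-X" case, both entries and exits simply kept out of the avoided country, with a fingerprint blacklist removed from both sets. The relay records, fingerprints and continent table are constructed; the torrc option names (ExitNodes, StrictExitNodes, EntryNodes, StrictEntryNodes, ExcludeNodes) are those of the 0.2.0-era Tor manual, which later releases replaced with a single StrictNodes option.

```python
"""Build strict entry/exit node lists with continent separation.  Added
example, not pickaproxy.com's code; all relay data below is constructed."""

# Assumed country -> continent table (enough for the countries on this page).
CONTINENT = {"us": "NA", "ca": "NA", "uk": "EU", "de": "EU", "fr": "EU",
             "ru": "EU", "cn": "AS", "jp": "AS", "br": "SA", "au": "OC"}

def select_nodes(relays, exit_country=None, avoid_country=None, exclude=()):
    """Return (exit_fingerprints, entry_fingerprints).
    exit_country: exits must be there and entries on another continent.
    avoid_country: neither exits nor entries may be there (the "non-X" case).
    exclude: fingerprints dropped from both sets before anything else."""
    excluded = set(exclude)
    live = [r for r in relays if r["fingerprint"] not in excluded
            and {"Running", "Valid"} <= r["flags"]]
    exits = [r for r in live if "Exit" in r["flags"] and "BadExit" not in r["flags"]
             and (r["country"] == exit_country if exit_country
                  else r["country"] != avoid_country)]
    if exit_country:
        banned = {CONTINENT[r["country"]] for r in exits}  # exit continents
        entries = [r for r in live if "Guard" in r["flags"]
                   and CONTINENT[r["country"]] not in banned]
    else:
        entries = [r for r in live if "Guard" in r["flags"]
                   and r["country"] != avoid_country]
    if not exits or not entries:
        raise ValueError("no relays satisfy the entry/exit constraints")
    return [r["fingerprint"] for r in exits], [r["fingerprint"] for r in entries]

def torrc_lines(exit_fps, entry_fps, exclude=()):
    """Render the selection as torrc directives (0.2.0-era option names)."""
    lines = ["ExitNodes " + ",".join(exit_fps), "StrictExitNodes 1",
             "EntryNodes " + ",".join(entry_fps), "StrictEntryNodes 1"]
    if exclude:
        lines.append("ExcludeNodes " + ",".join(exclude))
    return lines

def make_relay(i, country, flags):
    """Constructed relay record; the fingerprint is a padded index, not real."""
    return {"fingerprint": "$%040X" % i, "country": country, "flags": set(flags)}

SAMPLE = [  # constructed: country, flags
    make_relay(1, "us", ["Running", "Valid", "Exit", "Guard"]),
    make_relay(2, "us", ["Running", "Valid", "Exit"]),
    make_relay(3, "ca", ["Running", "Valid", "Guard"]),     # same continent as us
    make_relay(4, "de", ["Running", "Valid", "Guard", "Exit"]),
    make_relay(5, "cn", ["Running", "Valid", "Guard"]),
    make_relay(6, "us", ["Running", "Valid", "Exit", "BadExit"]),
    make_relay(7, "fr", ["Running", "Valid", "Guard"]),
    make_relay(8, "us", ["Valid", "Exit"]),                 # not Running
]
```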

May 06, 2008

"Tor speak"

We recently realized that there are 2 distinct groups of users of our pickaproxy.com site, and we needed to cater to each of these groups. In one corner are the existing Tor users and Tor developers, while in the other is everyone else.

We initially set up pickaproxy.com with a smattering of Tor-specific terminology such as "exit nodes", "relay nodes", "guard nodes", etc. but then changed tack and replaced "exit nodes" with the more generic term "proxy servers" and hid most of the rest because it was only meaningful to the Tor-ians.  Now we are offering a "Tor speak" version of the site to allow the Tor-ians to better understand what we are talking about. There is a new link on the site to use Tor terminology, or you can manually add the ?speak=tor parameter yourself.

The "Tor speak" version also includes some additional information that only a Tor-ian could appreciate, such as how many users of the Tor network are using each software version, how many of each different "platform" (i.e. operating system) are in use, how many guard nodes and relay nodes are in use, etc.

News: faster US proxy settings, and more stable streaming

The US has a fairly large number of faster proxies, so we have increased the minimum speed of the proxies we offer from the United States from 23 KB/s to 32 KB/s, so that you should see an increase in speed of about 35%. We have also now set up port 80 to be a "long lived" port on all our proxies, which means that in most cases when you are browsing the internet, we will not change your IP address while you are in the middle of using a particular web site. If you have been trying to stream video content and had problems, you might want to try again now.

If anyone is interested in trying out German proxies, please let us know. We have found that there are lots to pick from in Germany.

May 01, 2008

News: SSL secure access to pickaproxy.com now available

One of the concerns with using pickaproxy.com as your proxy server is that the information you see in your browser, and that you send to web sites, can be monitored more easily than if you did not use a proxy server. The connection between your computer and our server is a single point of access, and if we were so inclined we could watch the content coming and going. This is true for much of the internet, and for any proxy server, and especially true in some countries such as those singled out by Reporters Without Borders (Reporters sans frontières) in their November 2005 article The 15 Enemies of the Internet.

We are not doing any such monitoring, first off, and have no plans to do so. But we are now offering a way for you to secure this data flowing between you and our server. This can be done by installing and configuring the open source "stunnel" software on your computer. stunnel has been available for many years, and works by using OpenSSL to encrypt all communication between your computer and our server. You then configure your "proxy" settings and your "stunnel" settings as follows:

  • rather than "tryout.pickaproxy.com" and port "8123" you configure your proxy settings to be "localhost" and port "8100", and your stunnel settings to be "accept = 8100" and "connect = tryout.pickaproxy.com:7123"
  • rather than "us.pickaproxy.com" and port "8125" you configure your proxy settings to be "localhost" and port "8100", and your stunnel settings to be "accept = 8100" and "connect = us.pickaproxy.com:7125"
  • rather than "uk.pickaproxy.com" and port "8126" you configure your proxy as localhost port 8100, and your stunnel as accept = 8100 and connect = uk.pickaproxy.com:7126
  • rather than "fr.pickaproxy.com" and port "8129" you configure your proxy as localhost port 8100, and your stunnel as accept = 8100 and connect = fr.pickaproxy.com:7129
  • rather than "ru.pickaproxy.com" and port "8130" you configure your proxy as localhost port 8100, and your stunnel as accept = 8100 and connect = ru.pickaproxy.com:7130
  • rather than "cn.pickaproxy.com" and port "8131" you configure your proxy as localhost port 8100, and your stunnel as accept = 8100 and connect = cn.pickaproxy.com:7131
  • rather than "ca.pickaproxy.com" and port "8132" you configure your proxy as localhost port 8100, and your stunnel as accept = 8100 and connect = ca.pickaproxy.com:7132

stunnel is available for download from http://www.stunnel.org/download/binaries.html and at this time we are not providing support or assistance with installing or configuring stunnel, but we will eventually offer this service. I will say that stunnel configuration is not that difficult, and is done by making changes to the stunnel.conf file.
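The accept/connect pairs listed above (and the nonUS/nonCN/nonDE pairs in the May 13 post) are only the service section of an stunnel.conf. Here is a complete client-side file as an added example, not pickaproxy.com's own; `client = yes` is what tells stunnel to initiate TLS toward the server, and the `verify`/`CAfile` lines are an assumption that you have a CA certificate to check the server against, since without them stunnel will accept any certificate the far end presents.

```ini
; stunnel.conf for a pickaproxy.com tunnel (added example, not pickaproxy's file)
client = yes                    ; we initiate TLS; the pickaproxy port terminates it

; Assumed: only meaningful if you have the CA certificate that signs
; pickaproxy.com's server certificate. Without verify=2 any host that answers
; on the connect address is accepted, so a redirected connection is not detected.
verify = 2
CAfile = /path/to/ca-cert.pem   ; placeholder path

[tryout]
accept = 127.0.0.1:8100         ; browser proxy setting: localhost port 8100
                                ; bound to loopback so other hosts cannot use it
connect = tryout.pickaproxy.com:7123

; Only one service can listen on 8100 at a time. To use another proxy, change
; connect to one of the other pairs from the posts above, for example:
; connect = us.pickaproxy.com:7125
; connect = nonUS.pickaproxy.com:17225
```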