"Secure Connection Failed"

[VerdantGreen]

hi there

this has been happening for a while, and it makes an already slow process even slower. when trying to upload pics i always get this:

Secure Connection Failed

An error occurred during a connection to www.icmag.com.

SSL received a record with an incorrect Message Authentication Code.

(Error code: ssl_error_bad_mac_read)
* The page you are trying to view can not be shown because the authenticity of the received data could not be verified.

* Please contact the web site owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.

there is a 'try again' button underneath and when i hit that, and ok sending the info again, it nearly always works.
but it un-nerves me a little having to send it twice like double jeopardy or something
using mac, firefox with vidalia/torbutton


anything im doing wrong ??


thanks


VG

 

[Honkytonk]

using mac, firefox with vidalia/torbutton
anything im doing wrong ??

Nope, same here when using the vidalia/tor/proxy things.
Doesn't happen when TOR is not in use.

 

[KharmaGirl]

Using a proxy will sometimes give weird errors...I've been told so will macs

 

[mugenbao]

This problem is not specific to ICMag, it is a general error and not something to be overly concerned about. The previous link mentions Firefox, but it's also not exclusive to that browser. You might see it more when using a Tor proxy because there are multiple levels of SSL (hence the Onion metaphor), but even so it's merely annoying rather than a security concern in most cases.

 

[Brother Bear]

Ah i wondered why that happened sometimes lately. Thanks now i know

 

[VerdantGreen]

excellent, thanks.

i'll stop listening out for the cops outside the door now when i hit 'try again'

 

[mugenbao]

FWIW, if any of you use TOR, remote third-party anonymous proxies, or open-source proxies, this might be of interest :

Nov 16 2010 - There's a new buffer overflow vulnerability in versions of OpenSSL from 0.9.8f through 0.9.8o, and 1.0.0 through 1.0.0a. You can read the security advisory for the whole story.

So far as we can tell from our current analysis, Tor is not affected. Here's why:

The advisory says:

Any OpenSSL based TLS server is vulnerable if it is multi-threaded and uses OpenSSL's internal caching mechanism. Servers that are multi-process and/or disable internal session caching are NOT affected.

Tor qualifies for both of the safe cases: Tor does disable OpenSSL's internal session caching. This happens in the file src/common/tortls.c, when we call SSL_CTX_set_session_cache_mode(result->ctx,SSL_SESS_CACHE_OFF). Tor has done this since since version 0.0.2pre6 back in 2003.

Also, though Tor is multithreaded, Tor only calls SSL functionality from a single thread. Thus, no thread other than the main thread will examine or alter the TLS session cache, or any TLS session at all.

So it would appear that Tor itself is in the clear. Nonetheless, your other applications might not be. If you're running other SSL services that might be affected, be sure to apply patches from your OS and/or your application to stay safe.

 

[spurr]

hi there

this has been happening for a while, and it makes an already slow process even slower. when trying to upload pics i always get this:

there is a 'try again' button underneath and when i hit that, and ok sending the info again, it nearly always works.
but it un-nerves me a little having to send it twice like double jeopardy or something
using mac, firefox with vidalia/torbutton


anything im doing wrong ??


thanks


VG

hey bro,

The problem is Polipo, the HTTP/S proxy the sits between your browser and Tor. I have been testing Privoxy for a while now, it used to be the default HTTP/S proxy for Tor, but Tor switched to Polipo because Polipo is lighter and faster. However, Polipo is not under as active development as Privoxy. After using Privoxy and not Polipo for the last few weeks I have had zero errors you listed above. But, when I used Polipo again, I get the errors often.

If you or others are interested I can tell you how to setup Privoxy for use with Tor, and how to setup Vidalia so it auto-starts Privoxy and not Polipo.

 

[Honkytonk]

Confirmed.

 

[spurr]

Cool, thanks Honkytonk. Glad to see it worked for you too.

I get really frustrated when I get caught in the "secure connection failed" loop due to Polipo. I am going to open a bug report ticket at the Tor flyspray site. Hopefully phobos, or Chris, or whomever is handling Polipo now its original author, Juliusz Chroboczek, has stopped developing it, will be able to figure out a fix...

The problem with using Privoxy vs. Polipo is it makes those who use Privoxy stand out 'of the crowd' of other Tor users due to fingerprinting attacks (e.x. "Panopticlick" http://panopticlick.eff.org/ ). That means it opens us up to easier identification (ex. via. rouge exit nodes) vs. using using Polipo and 'blending in' with other Tor users.

As the true adage goes "anonymity loves company"...


Here is some good info on browser fingerprint:

It's important to use TorButton and Firefox and Polipo to 'blend into the crowd'...

1. "Browser Fingerprinting Can ID You Without Cookies"
http://www.networkworld.com/news/2010/012910-browser-fingerprinting-can-id-you.html


2. "Help EFF Research Web Browser Tracking"
https://www.eff.org/deeplinks/2010/01/help-eff-research-web-browser-tracking


3. "A Primer on Information Theory and Privacy"
https://www.eff.org/deeplinks/2010/01/help-eff-research-web-browser-tracking




FWIW, here are the Firefox add-ons I use to increase my security and anonymity:

Using un-common add-ons can also make your browser fingerprint stand out from the crowd of other Tor users:

1. BetterPrivacy (a must have)

2. RefControl (a must have, and needs to be properly configured)

3. HTTPS-Everywhere

4. Flashbock

5. NoScript

6. RequestPolicy (prevent cross-site scripting, etc)

7. TorButton (of course, the uber must have)



About "EverCookies"

These are very dangerous and can not be deleted by normal methods and can be used even through TorButton, to identify users.

1. "BleachBit" (that is a very good file shredding tool, it's the only way to remove EverCookies at this time)

2. Anonymizer is releasing a new add-on for Firefox soon that will prevent setting and will remove EverCookies.

 

[mugenbao]

If you or others are interested I can tell you how to setup Privoxy for use with Tor, and how to setup Vidalia so it auto-starts Privoxy and not Polipo.

That would be good info for everyone to have available. Yes, please

 

[spurr]

That would be good info for everyone to have available. Yes, please

Sure, here is quick and dirty info for windows, next post will be for Mac. Those on *nix should be able to build Privoxy on their own and use the Mac directions for the config files, etc.


1. Download Privoxy here


2. Install privoxy in SystemRoot (i.e. C:\): C:\Program Files\Privoxy


3. Download the zip folder I made with Privoxy config files here; password is "ilovecanna" (without quotes).


4. Put the three files "config", "default" and "match-all" into C:\Program Files\Privoxy; overwrite the three files with the same name already in C:\Program Files\Privoxy.


5. Configure Privoxy so it does not start with a window, as so: Start > Programs > Privoxy > [right click] Privoxy icon > [highlight] Properties > [click arrow next to] Run > [select] Minimized > Apply > OK.


6a. When Vidalia starts it also auto-starts Polipo. I could tell you all how to configure Vidalia to auto-start Privoxy instead, but I don't want to do that becuaser it best to use Polipo whenever possible.


6b. To use Privoxy, start Vialida and then open up Windows Task Manager via pressing the buttons "Ctrl", "Alt" and "Delete" at the same time. Then find the process "polipo.exe" and right click on it, then choose "end process", and choose "yes".


6c. Start Privoxy via the start menu, i.e., Start > Programs > Privoxy > Privoxy icon.


7. In Firefox toggle Torbutton in the lower right hand corner so the text goes from being red ("Tor Disabled") to green ("Tor Enabled"). Done, now you are using Privoxy instead of Polipo for Tor and Firefox.


Here is the "config" file for Windows, I setup Privoxy so it is only acting as a proxy and is not filtering any traffic. I also reduced the buffer-limit (which doesn't really matter because Privoxy isn't set up to filter traffic), I changed the keep-alive to 600 seconds (that makes few websites/webpages time-out). Using Privoxy only in proxy mode makes Privoxy break less sites and makes it faster and makes it better for use with Tor and Torbutton.

#+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+
# PRIOVXY SETTINGS FOR USE WITH TOR
#
# Configured for Windows operating sytem file path.
#
# If using non-Windows operating system uncomment the "confdir" path line
# for path to Privoxy installation on your system. To uncomment a line
# remove the hash tag (#) from in front of the line.
#+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+
#
#
#
#
# 2.1. confdir
# =============
#
# Specifies:
#
# The directory where the other configuration files are located.
#
# Type of value:
#
# Path name
#
# Default value:
#
# /etc/privoxy (Unix) or Privoxy installation dir (Windows)
#
# Effect if unset:
#
# Mandatory
#
# Notes:
#
# No trailing "/", please.
#
# UNCOMMENT FOLLOWING LINE FOR WINDOWS DIRECTORY HOLDING CONFIG FILES:
#
confdir C:\Program Files\Privoxy
#
# UNCOMMENT FOLLOWING LINE FOR MAC DIRECTORY HOLDING CONFIG FILES:
#
#confdir /usr/local/etc/privoxy/config
#
# UNCOMMENT FOLLOWING LINE FOR UNIX DIRECTORY HOLDING CONFIG FILES:
#
#confdir /etc/privoxy
#
#
#
#
# 2.3. logdir
# ============
#
# Specifies:
#
# The directory where all logging takes place (i.e. where the
# logfile is located).
#
# Type of value:
#
# Path name
#
# Default value:
#
# /var/log/privoxy (Unix) or Privoxy installation dir (Windows)
#
# Effect if unset:
#
# Mandatory
#
# Notes:
#
# No trailing "/", please.
#
logdir .
#
#
#
#
# 2.4. actionsfile
# =================
#
# Specifies:
#
# The actions file(s) to use
#
# Type of value:
#
# Complete file name, relative to confdir
#
# Default values:
#
# match-all.action # Actions that are applied to all sites and maybe overruled later on.
#
# default.action # Main actions file
#
# user.action # User customizations
#
# Effect if unset:
#
# No actions are taken at all. More or less neutral proxying.
#
# Notes:
#
# Multiple actionsfile lines are permitted, and are in fact
# recommended!
#
# The default values are default.action, which is the "main"
# actions file maintained by the developers, and user.action,
# where you can make your personal additions.
#
# Actions files contain all the per site and per URL configuration
# for ad blocking, cookie management, privacy considerations,
# etc. There is no point in using Privoxy without at least one
# actions file.
#
# Note that since Privoxy 3.0.7, the complete filename, including
# the ".action" extension has to be specified. The syntax change
# was necessary to be consistent with the other file options and
# to allow previously forbidden characters.
#
actionsfile match-all.action # Actions that are applied to all sites and maybe overruled later on.
#actionsfile default.action # Main actions file
#actionsfile user.action # User customizations
#
#
#
#
# 2.5. filterfile
# ================
#
# Specifies:
#
# The filter file(s) to use
#
# Type of value:
#
# File name, relative to confdir
#
# Default value:
#
# default.filter (Unix) or default.filter.txt (Windows)
#
# Effect if unset:
#
# No textual content filtering takes place, i.e. all +filter{name}
# actions in the actions files are turned neutral.
#
# Notes:
#
# Multiple filterfile lines are permitted.
#
# The filter files contain content modification rules that use
# regular expressions. These rules permit powerful changes on the
# content of Web pages, and optionally the headers as well, e.g.,
# you could try to disable your favorite JavaScript annoyances,
# re-write the actual displayed text, or just have some fun
# playing buzzword bingo with web pages.
#
# The +filter{name} actions rely on the relevant filter (name)
# to be defined in a filter file!
#
# A pre-defined filter file called default.filter that contains a
# number of useful filters for common problems is included in the
# distribution. See the section on the filter action for a list.
#
# It is recommended to place any locally adapted filters into a
# separate file, such as user.filter.
#
filterfile default.filter
#filterfile user.filter # User customizations
#
#
#
#
# 2.6. logfile
# =============
#
# Specifies:
#
# The log file to use
#
# Type of value:
#
# File name, relative to logdir
#
# Default value:
#
# Unset (commented out). When activated: logfile (Unix) or
# privoxy.log (Windows).
#
# Effect if unset:
#
# No logfile is written.
#
# Notes:
#
# The logfile is where all logging and error messages are
# written. The level of detail and number of messages are set with
# the debug option (see below). The logfile can be useful for
# tracking down a problem with Privoxy (e.g., it's not blocking
# an ad you think it should block) and it can help you to monitor
# what your browser is doing.
#
# Depending on the debug options below, the logfile may be a
# privacy risk if third parties can get access to it. As most
# users will never look at it, Privoxy 3.0.7 and later only log
# fatal errors by default.
#
# For most troubleshooting purposes, you will have to change that,
# please refer to the debugging section for details.
#
# Your logfile will grow indefinitely, and you will probably
# want to periodically remove it. On Unix systems, you can do
# this with a cron job (see "man cron"). For Red Hat based Linux
# distributions, a logrotate script has been included.
#
# Any log files must be writable by whatever user Privoxy is
# being run as (on Unix, default user id is "privoxy").
#
logfile privoxy.log
#
#
#
#
# 3.1. debug
# ===========
#
# Specifies:
#
# Key values that determine what information gets logged.
#
# Type of value:
#
# Integer values
#
# Default value:
#
# 0 (i.e.: only fatal errors (that cause Privoxy to exit) are logged)
#
# Effect if unset:
#
# Default value is used (see above).
#
# Notes:
#
# The available debug levels are:
#
# debug 1 # Log the destination for each request Privoxy let through. See also debug 1024.
# debug 2 # show each connection status
# debug 4 # show I/O status
# debug 8 # show header parsing
# debug 16 # log all data written to the network
# debug 32 # debug force feature
# debug 64 # debug regular expression filters
# debug 128 # debug redirects
# debug 256 # debug GIF de-animation
# debug 512 # Common Log Format
# debug 1024 # Log the destination for requests Privoxy didn't let through, and the reason why.
# debug 2048 # CGI user interface
# debug 4096 # Startup banner and warnings.
# debug 8192 # Non-fatal errors
# debug 32768 # log all data read from the network
#
#
# To select multiple debug levels, you can either add them or
# use multiple debug lines.
#
# A debug level of 1 is informative because it will show you each
# request as it happens. 1, 1024, 4096 and 8192 are recommended
# so that you will notice when things go wrong. The other levels
# are probably only of interest if you are hunting down a specific
# problem. They can produce a hell of an output (especially 16).
#
# Privoxy used to ship with the debug levels recommended above
# enabled by default, but due to privacy concerns 3.0.7 and later
# are configured to only log fatal errors.
#
# If you are used to the more verbose settings, simply enable
# the debug lines below again.
#
# If you want to use pure CLF (Common Log Format), you should set
# "debug 512" ONLY and not enable anything else.
#
# Privoxy has a hard-coded limit for the length of log messages. If
# it's reached, messages are logged truncated and marked with
# "... [too long, truncated]".
#
# Please don't file any support requests without trying to
# reproduce the problem with increased debug level first. Once
# you read the log messages, you may even be able to solve the
# problem on your own.
#
#debug 1 # Log the destination for each request Privoxy let through.
#debug 1024 # Log the destination for requests Privoxy didn't let through, and the reason why.
debug 4096 # Startup banner and warnings
debug 8192 # Non-fatal errors
#
#
#
#
# 4.1. listen-address
# ====================
#
# Specifies:
#
# The IP address and TCP port on which Privoxy will listen for
# client requests.
#
# Type of value:
#
# [IP-Address]ort
#
# Default value:
#
# 127.0.0.1:8118
#
# Effect if unset:
#
# Bind to 127.0.0.1 (IPv4 localhost), port 8118. This is suitable
# and recommended for home users who run Privoxy on the same
# machine as their browser.
#
# Notes:
#
# You will need to configure your browser(s) to this proxy address
# and port.
#
# If you already have another service running on port 8118, or
# if you want to serve requests from other machines (e.g. on your
# local network) as well, you will need to override the default.
#
# IPv6 addresses containing colons have to be quoted by brackets.
#
# If you leave out the IP address, Privoxy will bind to all IPv4
# interfaces (addresses) on your machine and may become reachable
# from the Internet. In that case, consider using access control
# lists (ACL's, see below), and/or a firewall.
#
# If you open Privoxy to untrusted users, you will also
# want to make sure that the following actions are disabled:
# enable-edit-actions and enable-remote-toggle
#
# Example:
#
# Suppose you are running Privoxy on a machine which has the
# address 192.168.0.1 on your local private network (192.168.0.0)
# and has another outside connection with a different address. You
# want it to serve requests from inside only:
#
# listen-address 192.168.0.1:8118
#
# Suppose you are running Privoxy on an IPv6-capable machine and
# you want it to listen on the IPv6 address of the loopback device:
#
# listen-address [::1]:8118
#
listen-address 127.0.0.1:8118
#
#
#
#
# 4.2. toggle
# ============
#
# Specifies:
#
# Initial state of "toggle" status
#
# Type of value:
#
# 1 or 0
#
# Default value:
#
# 1
#
# Effect if unset:
#
# Act as if toggled on
#
# Notes:
#
# If set to 0, Privoxy will start in "toggled off" mode,
# i.e. mostly behave like a normal, content-neutral proxy
# with both ad blocking and content filtering disabled. See
# enable-remote-toggle below.
#
# The windows version will only display the toggle icon in the
# system tray if this option is present.
#
toggle 0
#
#
#
#
# 4.3. enable-remote-toggle
# ==========================
#
# Specifies:
#
# Whether or not the web-based toggle feature may be used
#
# Type of value:
#
# 0 or 1
#
# Default value:
#
# 0
#
# Effect if unset:
#
# The web-based toggle feature is disabled.
#
# Notes:
#
# When toggled off, Privoxy mostly acts like a normal,
# content-neutral proxy, i.e. doesn't block ads or filter content.
#
# Access to the toggle feature can not be controlled separately by
# "ACLs" or HTTP authentication, so that everybody who can access
# Privoxy (see "ACLs" and listen-address above) can toggle it
# for all users. So this option is not recommended for multi-user
# environments with untrusted users.
#
# Note that malicious client side code (e.g Java) is also capable
# of using this option.
#
# As a lot of Privoxy users don't read documentation, this feature
# is disabled by default.
#
# Note that you must have compiled Privoxy with support for this
# feature, otherwise this option has no effect.
#
enable-remote-toggle 0
#
#
# 4.4. enable-remote-http-toggle
# ===============================
#
# Specifies:
#
# Whether or not Privoxy recognizes special HTTP headers to change
# its behaviour.
#
# Type of value:
#
# 0 or 1
#
# Default value:
#
# 0
#
# Effect if unset:
#
# Privoxy ignores special HTTP headers.
#
# Notes:
#
# When toggled on, the client can change Privoxy's behaviour by
# setting special HTTP headers. Currently the only supported
# special header is "X-Filter: No", to disable filtering for
# the ongoing request, even if it is enabled in one of the
# action files.
#
# This feature is disabled by default. If you are using Privoxy in
# a environment with trusted clients, you may enable this feature
# at your discretion. Note that malicious client side code (e.g
# Java) is also capable of using this feature.
#
# This option will be removed in future releases as it has been
# obsoleted by the more general header taggers.
#
enable-remote-http-toggle 0
#
#
# 4.5. enable-edit-actions
# =========================
#
# Specifies:
#
# Whether or not the web-based actions file editor may be used
#
# Type of value:
#
# 0 or 1
#
# Default value:
#
# 0
#
# Effect if unset:
#
# The web-based actions file editor is disabled.
#
# Notes:
#
# Access to the editor can not be controlled separately by
# "ACLs" or HTTP authentication, so that everybody who can access
# Privoxy (see "ACLs" and listen-address above) can modify its
# configuration for all users.
#
# This option is not recommended for environments with untrusted
# users and as a lot of Privoxy users don't read documentation,
# this feature is disabled by default.
#
# Note that malicious client side code (e.g Java) is also capable
# of using the actions editor and you shouldn't enable this
# options unless you understand the consequences and are sure
# your browser is configured correctly.
#
# Note that you must have compiled Privoxy with support for this
# feature, otherwise this option has no effect.
#
enable-edit-actions 0
#
#
#
#
# 4.8. buffer-limit
# ==================
#
# Specifies:
#
# Maximum size of the buffer for content filtering.
#
# Type of value:
#
# Size in Kbytes
#
# Default value:
#
# 4096
#
# Effect if unset:
#
# Use a 4MB (4096 KB) limit.
#
# Notes:
#
# For content filtering, i.e. the +filter and +deanimate-gif
# actions, it is necessary that Privoxy buffers the entire document
# body. This can be potentially dangerous, since a server could
# just keep sending data indefinitely and wait for your RAM to
# exhaust -- with nasty consequences. Hence this option.
#
# When a document buffer size reaches the buffer-limit, it is
# flushed to the client unfiltered and no further attempt to filter
# the rest of the document is made. Remember that there may be
# multiple threads running, which might require up to buffer-limit
# Kbytes each, unless you have enabled "single-threaded" above.
#
buffer-limit 265
#
#
#
#
# 5.2. forward-socks4, forward-socks4a and forward-socks5
# ========================================================
#
# Specifies:
#
# Through which SOCKS proxy (and optionally to which parent HTTP
# proxy) specific requests should be routed.
#
# Type of value:
#
# target_pattern socks_proxy[ort] http_parent[ort]
#
# where target_pattern is a URL pattern that specifies to which
# requests (i.e. URLs) this forward rule shall apply. Use / to
# denote "all URLs". http_parent and socks_proxy are IP addresses
# in dotted decimal notation or valid DNS names (http_parent may
# be "." to denote "no HTTP forwarding"), and the optional port
# parameters are TCP ports, i.e. integer values from 1 to 65535
#
# Default value:
#
# Unset
#
# Effect if unset:
#
# Don't use SOCKS proxies.
#
# Notes:
#
# Multiple lines are OK, they are checked in sequence, and the
# last match wins.
#
# The difference between forward-socks4 and forward-socks4a
# is that in the SOCKS 4A protocol, the DNS resolution of the
# target hostname happens on the SOCKS server, while in SOCKS 4
# it happens locally.
#
# With forward-socks5 the DNS resolution will happen on the remote
# server as well.
#
# socks_proxy and http_parent can be a numerical IPv6 address
# (if RFC 3493 is implemented). To prevent clashes with the port
# delimiter, the whole IP address has to be put into brackets. On
# the other hand a target_pattern containing an IPv6 address has
# to be put into angle brackets (normal brackets are reserved
# for regular expressions already).
#
# If http_parent is ".", then requests are not forwarded to another
# HTTP proxy but are made (HTTP-wise) directly to the web servers,
# albeit through a SOCKS proxy.
#
# Examples:
#
# From the company example.com, direct connections are made to all
# "internal" domains, but everything outbound goes through their
# ISP's proxy by way of example.com's corporate SOCKS 4A gateway
# to the Internet.
#
# forward-socks4a / socks-gw.example.com:1080 www-cache.isp.example.net:8080
# forward .example.com .
#
#
# A rule that uses a SOCKS 4 gateway for all destinations but no
# HTTP parent looks like this:
#
# forward-socks4 / socks-gw.example.com:1080 .
#
#
# To chain Privoxy and Tor, both running on the same system,
# you would use something like:
#
forward-socks5 / 127.0.0.1:9050 .
#
#
# The public Tor network can't be used to reach your local network,
# if you need to access local servers you therefore might want
# to make some exceptions:
#
# forward 192.168.*.*/ .
# forward 10.*.*.*/ .
# forward 127.*.*.*/ .
#
#
# Unencrypted connections to systems in these address ranges will
# be as (un) secure as the local network is, but the alternative
# is that you can't reach the local network through Privoxy at
# all. Of course this may actually be desired and there is no
# reason to make these exceptions if you aren't sure you need them.
#
# If you also want to be able to reach servers in your local
# network by using their names, you will need additional exceptions
# that look like this:
#
# forward localhost/ .
#
#
#
#
# 6.4. keep-alive-timeout
# ========================
#
# Specifies:
#
# Number of seconds after which an open connection will no longer
# be reused.
#
# Type of value:
#
# Time in seconds.
#
# Default value:
#
# None
#
# Effect if unset:
#
# Connections are not kept alive.
#
# Notes:
#
# This option allows clients to keep the connection to Privoxy
# alive. If the server supports it, Privoxy will keep the
# connection to the server alive as well. Under certain
# circumstances this may result in speed-ups.
#
# By default, Privoxy will close the connection to the server if
# the client connection gets closed, or if the specified timeout
# has been reached without a new request coming in. This behaviour
# can be changed with the connection-sharing option.
#
# This option has no effect if Privoxy has been compiled without
# keep-alive support.
#
# Note that a timeout of five seconds as used in the default
# configuration file significantly decreases the number of
# connections that will be reused. The value is used because some
# browsers limit the number of connections they open to a single
# host and apply the same limit to proxies. This can result in a
# single website "grabbing" all the connections the browser allows,
# which means connections to other websites can't be opened until
# the connections currently in use time out.
#
# Several users have reported this as a Privoxy bug, so the default
# value has been reduced. Consider increasing it to 300 seconds
# or even more if you think your browser can handle it. If your
# browser appears to be hanging it can't.
#
# Examples:
#
# keep-alive-timeout 300
#
keep-alive-timeout 600

 

[spurr]

Directions for Privoxy with Mac:


1a. Mac users need to build (i.e. compile) Privoxy for their systems. If using Snow Lepard see the directions for building Privoxy here.


1b. Make sure to build the most current version of Privoxy. In the directions above the author is using v3.0.16, but right now v3.0.17 is current, so use v3.0.17; get the source code here.


2. Download the zip folder I made with Privoxy config files for Mac here; password is "ilovecanna" (without quotes).


3. Put the three files "config", "default" and "match-all" into /usr/local/etc/privoxy/config; overwrite the three files with the same name already in /usr/local/etc/privoxy/config.


4a. When Vidalia starts it also auto-starts Polipo. I could tell you all how to configure Vidalia to auto-start Privoxy instead, but I don't want to do that because it best to use Polipo whenever possible.


4b. To use Privoxy, start Vidalia and kill the Polipo process by following the directions here.


4c. Start Privoxy by hand, or use the batch file from step one. If using the batch file see the direction from step 1 on starting the file via command line: $ sudo launchctl load /Library/LaunchDaemons/org.privoxy.plist


5. In Firefox toggle Torbutton in the lower right hand corner so the text goes from being red ("Tor Disabled") to green ("Tor Enabled"). Done, now you are using Privoxy instead of Polipo for Tor and Firefox.

 

[spurr]

Making Firefox work better with Tor:

(do not use pipelining because Privoxy doesn't support it and I find browsing is faster without pipelining even with Polipo)


1. Start Firefox.


2. Type the following into the URL bar: "about:config" (without quotes)


3. Then copy the bolded text below, one by one, into the text bar next to "filter" (see first image below for an example). For both settings below, right click on the text and choose "modify", then enter the approximate number (i.e., 600 and 16, respectively) and click OK after configuring each setting. Then re-start Firefox.


network.http.keep-alive.timeout:600
network.http.max-persistent-connections-per-proxy:16

 

[spurr]

How to configure Firefox add-ons for use with Tor and Icmag:

See the list of add-ons I made in a post above, install all of them either via the add-ons own website or via Mozilla add-ons website (the latter can have out of date add-ons). After all of them are installed re-start Firefox. Only NoScript and RefControl need to be configured, all others can be left in their default state.

Oh yea, don't install "NeverCookie", it is a add-on that protects from EverCookies by "sandboxing" the browser, but it's not a good solution. Instead just use the program "BleachBit", I will make a post about using BleachBit to remove EverCookies next.


NoScript:

1. In Firefox go to: Tools > Add-ons > [click on] NoScript > Options > Advanced > HTTPS > Behavior. Then click the arrow and choose "Always". Then enter the two main URLs for ICamg as in the screen shot below:

​

2. Now click the "Cookies" tab next to "Behavior", click the box (so a check mark appears) next to "Enable Automatic Secure Cookies Management". Then enter the two main URLs for ICamg as in the screen shot below:

​

RefControl:


1. In Firefox go to: Tools > RefControl Options. Click on the button "edit" and then click the empty circle next to "Forge - send the root of this site (http://SITE/)"; then click OK and OK. This setting will make RefControl forge the referrer for every site. See the screen shots below:

​

 

[spurr]

Problems you will encounter using using the add-ons I listed:

Of all the add-ons I listed, only "RequestPolicy" and "NoScript" will 'break' some sites.


Part 1: RequestPolicy:

In terms of ICmag, make sure to keep RequestPoilcy so it does not allow off-site destination requests from ICamg. The reason is some people like to post pics they uploaded to off-site image hosts like ImageShack, etc. When people post URLs to images on off-site hosts they are endangering your anonymity, and that is not good for various reasons.

Thus, we can use RequestPolicy to block all non-ICmag images and other junk (like YouTube videos) that people post, which can endanger our anonymity. But there is a trade-off: you cannot see the images in posts that are located on off-site hosts, instead you see an off-white vertical line, i.e. and image placeholder. I for one never allow Icmag to run off-site links (like YouTube) or images, etc., and I suggest others do the same...

By default RequestPolicy blocks all off-site destinations, so if a site doesn't look right, see if the RequstPolicy flag is red, if so, choose if you want to allow all, or just some off-site destinations to run on whatever site you are viewing.

When using Tor and Firefox to browse the Internet, many sites rely on cross-site scripting/images/etc, and thus ReqeustPolicy makes those sites unreadable for the most part. In that case, you need to choose if you want to allow cross-site scripting to run, and if you do, then right click on the flag icon in the Firefox system tray (see image below), and choose "Temporally allow all requests from FOO.com" ("FOO.com" is a generic term of any website, on ICmag, FOO.com would read "icmag.com")

When using RequestPolicy you can also choose what specific destinations are allowed to run on the site you are viewing, e.g., I could allow ImageShack to run on Icmag, but disallow any other site via sites listed under "Allowed Destinations" when I right click on the RequestPolicy flag in the lower right hand corner. It's a good idea to mess around with RequestPolicy so people understand how it's works.

Below are two examples of Huffingtonpost.com with ReqeustPolicy blocking all destinations, and then an example of Huffingtonpost.com with RequestPolicy allowing all destinations.

When the RequestPolicy flag in the lower right hand corner is gray that means it is not blocking any off-site destinations; and when the flag is red it means it is blocking some/all off-site destinations.


1. RequestPolicy blocking Huffingtonpost from running off-site destinations:

​

2. RequestPolicy allowing Huffingtonpost to run off-site destinations:

 

[spurr]

Problems you will encounter using using the add-ons I listed:

Of all the add-ons I listed, only "RequestPolicy" and "NoScript" will 'break' some sites.


Part 2: NoScript

NoScript blocks all scripts from running on most sites by default, and if it blocks scripts from running on Icmag we can not use BB code tags by clicking the buttons like [size ], [quote ], [bold ], etc., etc. Not allowing JavaScript to run on Icmag makes Icmag a pain in the ass to use.

The good news is TorButton disables Java, and runs 'sanitized' JavaScript so we can use JavaScript with minimal worry about attacks on our anonymity (ex., via a rouge Tor exit node) as long as we trust Icmag to not doing anything nefarious (ex., attacks against our browser fingerprint to identify us out of a crowd of Tor users, etc). I for one trust Gypsy enough to run JavaScript on Icamg as long as I am using TorButton...

That siad, disallowing JavaScript on every site you can, when it doesn't break usage of the site, is the safest route to take.

When using NoScript on icmag for the first time, right click on the "S" with a red line through it in the lower right hand corner of Firefox (that is the NoScript icon). Then highlight "Allow icamg.com" and the page should auto-reload with JavaScript allowed on icmag.com, and the "S" icon will not have a red line through it. That means ICmag is now allowed to run all local (i.e. on-site) JavaScript in your Firefox.

If you are using other sites that require JavaScript, like your web-based email, etc., you can enable JavaScript on a per-site basis the same way as above. Right click on the "S" with a red line through it in the lower right hand corner and choose "Temporarily allow FOO.com" or "Allow FOO.com". Sometimes if RequestPolicy is blocking a site you want to allow via NoScript you first need to allow the site via RequestPolicy, then via NoScript.

Example of Icmag disallowed via NoScipt:

Example of Icmag allowed via NoScript:

 

[spurr]

Note:

I believe in a current update to NoScript the code for forcing encryption of cookies sent over HTTPS is buggy. When I use NoScript whilst I have "Automatic Secure Cookies Management" enabled for ICmag, my login session dies. I assume this has something to due with how NoScript is encrypting the Icmag cookies. When that feature is not used my login sessions are not killed. I suggest others do not use the cookie encryption feature of NoScipt.

I will try to find out how icmag handles cookies over HTTPS; it might already properly secure them over HTTPS.

 

[mugenbao]

Wow spurr, that's much more detailed than I expected, thanks

I think that most of this thread should be extracted, turned into a separate thread, made into a sticky, then presented during the sign-up process as mandatory reading (like the TOS) before ICMag finalizes a member's registration, hehe.

 

[VerdantGreen]

agreed, spurr's rundown of tor, firefox and how to streamline it is the best and most detailed that ive ever read.

i for one am glad he's still here to share such valuable knowledge with the community

VG