Hacker News new | past | comments | ask | show | jobs | submit login
A Tor proxy that runs in your browser (stanford.edu)
152 points by mmastrac on Jan 3, 2013 | hide | past | favorite | 30 comments



> "Flash proxy" is a name that should make you think "quick" and "short-lived." Our implementation uses standard web technologies: JavaScript and WebSocket.

I get it, but there's another (widely reviled) in-browser technology that goes by the name Flash, and it's entirely plausible that this could be written with it. Sometimes you need to be able to let go of a name.


Actually, when the project started they used Flash to set up connections. I guess the name stuck on. :-)


gotta agree here, I had the same reaction as probably every one else and instantly assumed it was using Adobe Flash before I read more.


I like how to name implies (accidentally or not) that term "flash" is not anymore solely bound to doomed battery-eating technology from 00s but can be used as a generic word.


Does this not require Flash Player at all then?


From a cursory investigation of the source, this is WebSockets only.


Time for a stupid question: what prevents the censor from simply blocking the facilitator? It isn't ephemeral like the "flash proxy"... so it seems like you'd have the same problem as you have with the relays.


It's a good question, discussed a bit in the PETS paper: https://crypto.stanford.edu/flashproxy/flashproxy.pdf (section 6). The short answer is that communicating a small amount of information outside of the censored region to a blocked facilitator is an easier problem than full connectivity.


Yeah, it was a stupid question in that I should have read the paper ;-) Laziness on my part, sorry.

Right, their idea is to basically leverage some protocols that allow unblocked entities forward information from the client to the facilitator (which is assumed to be directly blocked always). That seems to make sense.

It seems to be that the flash proxy must be able to connect to the client directly (the client is not behind NAT), which seems like a pretty big assumption... though that might be fine in the real world use cases that they are targeting.


Doesn't the requirement that the client not be behind NAT render this somewhat useless?

Isn't the vast majority of the internet behind NAT?


Two words: port forwarding :) Yes, it makes using TOR a bit more difficult, but not by very much...


Plus IPv6 could drastically reduce the need for NAT (particularly in mobile where they're basically out of IPs and basically NAT the entire mobile network)


From how I understand it this is not a javascript Tor implementation at all. It's an entirely different piece of software that allows you to create a whole lot of volatile short lived proxy servers that can then be used to connect to actual tor relays. The idea being that it will be really hard for censors to block proxy servers that only exist for a short period of time.


How can I block this? For reals. I have no desire to run a Tor proxy and be shafted with CP charges.

Edit: my understanding is that this can be put into any web page and then make anyone visiting that page a Tor exit node.


It makes me extremely sad - and somewhat angry - that a lot of people just associate Tor with CP and criminals. Tor enabled and helped carry out fucking revolutions. Hundreds, if not thousands of (not only) chinese dissidents use it to communicate safely. It protects lives. Tor is a blessing upon humanity, and a big, fat, thorn in the side of every oppressive government on this planet.

The fact that some individuals use Tor for accessing child pornography is sad, but that constitutes a miniscule amount of its entire traffic. Stop looking at the few bad apples and look at the big picture.

Oh, and if you're at it, watch Jacob and Roger's talk at the 29c3 as soon as it is available. They explained this awesome piece of software a bit more in detail there, amongst all the other amazing projects related to the Tor Project.


> The fact that some individuals use Tor for accessing child pornography is sad, but that constitutes a miniscule amount of its entire traffic.

Do you have a citation for this? Specifically, that illegal activities in general are a minuscule amount of its traffic?


I agree with you about how awesome Jacob Appelbaum makes Tor sound, but you could still make a case about not wanting your computer to be used without your consent for stuff like that.

For example, as much as cancer research can benefit from extra computing power, I wouldn't want web sites to start including secret javascript code meant to "reap the spare cpu cycles" available when I visit their site.


It's equally debatable whether it's okay to put stupid advertisements or tracking technology on your website - which have infinitely less positive benefits for humanity than Tor.

Anyways, my answer wasn't about Flash-Proxy at all (which is, polemics aside, indeed debatable). I was pissed about the attitude that Tor == CP, which is a dishonest fallacy thrown around by supporters of surveillance and spying.


There are at least three actual possibilities there:

1. People afraid of being tracked down and prosecuted because someone used their exit node for criminal behavior

2. People concerned about limiting criminal behavior

3. People who want to stop free speech

Assuming #3 seems like a stretch even if it is easy to conclude that people pushing for constraints on free speech for the sake of limiting criminal behavior under-appreciate the vital importance of vigorous anonymous public discourse, even in countries without dictators.


>1. People afraid of being tracked down and prosecuted because someone used their exit node for criminal behavior

Again, Flash Proxy is not an exit node, it's a bridge. It merely helps people to access the Tor network, and does not relay traffic back out (which, as far as I know, is not even technically possible). There's zero risks involved. Also, why are you not running at least a relay, anyways?

>2. People concerned about limiting criminal behavior

Limiting criminal behavior is fine, but never at the cost of essential liberties and rights. This is inarguable. People rallying against Tor for "criminal behavior" are the very same people we need Tor to protect ourselves against.

>3. People who want to stop free speech

I you[1] are such a person, I hate you and you more than deserve to have your browser turned into a powerful weapon of the very thing you want to stop.

[1] This is the general you, I'm not talking to the parent poster specifically.


I agree about the debatable status of the stupid advertisements running without my permission. As you're pointing out, the worse aspect of them is that they're involved in a large-scale tracking scheme. It wouldn't be as bad if you got your ads and nothing else (no tracking on top of the ads).

The "Tor == CP" reasoning is as absurd as saying "Free Speech == Rampant Nazi Propaganda". =)


You are not an end node, so nothing but encrypted data is passed between a Tor user and another Tor node. These bridges help people in countries who block access to the tor network enter the Tor network. They don't use you to access any actual content.

That said. Don't go to websites that put the iframe in if you don't want to be one. It's not like it's going to be a common practice to throw that on your webpage.


the traffic does not exit the tor network via this method. You are simply fuctioning as another intermediate node.

websockets have no ability no function as an exit node.


While OP is wrong about this specific implementation, is there anything stopping someone from modifying it to make you an exit node?

While the authors clearly have good intentions, the basic idea of my browser relaying traffic transparently that I am not aware of is indeed disturbing.


No, I'm pretty sure that is not technically possible.


Same way you'd block downloading CP in general: only visit trusted sites.


Use NoScript.


Seconded


that's great!


I thought I saw a similar project somewhere else on HN... interesting non the less.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: