Discussion:
[tor-dev] Tor port restriction option was removed
Keifer Bly
2018-07-04 07:44:29 UTC
Permalink
Hello,

On the newer versions of tor browser, I have noticed that the “does this computer’s internet connection go through a firewall that only allows certain ports?” was removed. I think this should be put back in the tor browser configuration options for users who are trying from behind firewalls that only allow certain ports.

Thanks.
Jonathan Marquardt
2018-07-04 09:44:33 UTC
Permalink
Post by Keifer Bly
On the newer versions of tor browser, I have noticed that the “does this
computer’s internet connection go through a firewall that only allows
certain ports?” was removed. I think this should be put back in the tor
browser configuration options for users who are trying from behind firewalls
that only allow certain ports.
The option is still there. Attached to this email, you'll find a screenshot of
it that I just took from the most recent version of Tor Browser.
--
OpenPGP Key: 47BC7DE83D462E8BED18AA861224DBD299A4F5F3
https://www.parckwart.de/pgp_key
Keifer Bly
2018-07-04 10:52:10 UTC
Permalink
Yes, but for me the option only appears when the tor browser is already successfully connected and I can click on the “tor network settings”. It does not appear in the “configure” option when first starting tor browser. And for that matter the configure option only seems to appear the first time tor browser is run and impossible to access anytime after on newest tor browser.


In short the “tor network settings” option seems impossible to access as it only appears when the tor browser is successfully running which is problematic for users attempting to configure blocked ports or bridges right off the bat.
From: Jonathan Marquardt
Sent: Wednesday, July 4, 2018 2:53 AM
To: tor-***@lists.torproject.org
Subject: Re: [tor-dev] Tor port restriction option was removed
Post by Keifer Bly
On the newer versions of tor browser, I have noticed that the “does this
computer’s internet connection go through a firewall that only allows
certain ports?” was removed. I think this should be put back in the tor
browser configuration options for users who are trying from behind firewalls
that only allow certain ports.
The option is still there. Attached to this email, you'll find a screenshot of
it that I just took from the most recent version of Tor Browser.
--
OpenPGP Key: 47BC7DE83D462E8BED18AA861224DBD299A4F5F3
https://www.parckwart.de/pgp_key
Jonathan Marquardt
2018-07-04 12:01:30 UTC
Permalink
Post by Keifer Bly
Yes, but for me the option only appears when the tor browser is already
successfully connected and I can click on the “tor network settings”. It
does not appear in the “configure” option when first starting tor browser.
And for that matter the configure option only seems to appear the first time
tor browser is run and impossible to access anytime after on newest tor
browser.
In short the “tor network settings” option seems impossible to access as it
only appears when the tor browser is successfully running which is
problematic for users attempting to configure blocked ports or bridges right
off the bat.
That's not true. You can access these settings by clicking the "Cancel" button
when Tor is establishing the connection. Although, I admit, a seperate button
that says "Configure" there could really be benefitial to avoid confusion.
--
OpenPGP Key: 47BC7DE83D462E8BED18AA861224DBD299A4F5F3
https://www.parckwart.de/pgp_key
Keifer Bly
2018-07-04 12:46:48 UTC
Permalink
➢ I admit, a separate button that says “Configure” there could really be beneficial to void confusion.
I agree, I think that future tor browser s having a dedicated “configure” button is a good idea for this reason.

And, upon clicking the “configure “ button at start up, this is what I get (see the screenshot).

As you can see the options “tor is censored in my country” and “I use a proxy to connect to the internet” options are there, but the “this computer goes through a firewall that only allows connections on certain ports” option is not there, only appearing when I click the “tor network settings” button on the tor browser tab; I would suggest putting this option back in the configure button window as this current layout may be troublesome for people trying to connect from firewalls that only allow certain ports.

From: Jonathan Marquardt
Sent: Wednesday, July 4, 2018 5:01 AM
To: tor-***@lists.torproject.org
Subject: Re: [tor-dev] Tor port restriction option was removed
Post by Keifer Bly
Yes, but for me the option only appears when the tor browser is already
successfully connected and I can click on the “tor network settings”. It
does not appear in the “configure” option when first starting tor browser.
And for that matter the configure option only seems to appear the first time
tor browser is run and impossible to access anytime after on newest tor
browser.
In short the “tor network settings” option seems impossible to access as it
only appears when the tor browser is successfully running which is
problematic for users attempting to configure blocked ports or bridges right
off the bat.
That's not true. You can access these settings by clicking the "Cancel" button
when Tor is establishing the connection. Although, I admit, a seperate button
that says "Configure" there could really be benefitial to avoid confusion.
--
OpenPGP Key: 47BC7DE83D462E8BED18AA861224DBD299A4F5F3
https://www.parckwart.de/pgp_key
Jonathan Marquardt
2018-07-04 13:24:08 UTC
Permalink
Post by Keifer Bly
Post by Keifer Bly
I admit, a separate button that says “Configure” there could really be
beneficial to void confusion. I agree, I think that future tor browser s
having a dedicated “configure” button is a good idea for this reason.
And, upon clicking the “configure “ button at start up, this is what I get
(see the screenshot).
As you can see the options “tor is censored in my country” and “I use a
proxy to connect to the internet” options are there, but the “this computer
goes through a firewall that only allows connections on certain ports”
option is not there, only appearing when I click the “tor network settings”
button on the tor browser tab; I would suggest putting this option back in
the configure button window as this current layout may be troublesome for
people trying to connect from firewalls that only allow certain ports.
Oh, you're right! That's weird! Was this done on purpose or is it a bug?
--
OpenPGP Key: 47BC7DE83D462E8BED18AA861224DBD299A4F5F3
https://www.parckwart.de/pgp_key
Keifer Bly
2018-07-04 13:56:05 UTC
Permalink
For me it’s been like that for the last few versions of tor browser
.

From: Jonathan Marquardt
Sent: Wednesday, July 4, 2018 6:24 AM
To: tor-***@lists.torproject.org
Subject: Re: [tor-dev] Tor port restriction option was removed
Post by Keifer Bly
Post by Keifer Bly
I admit, a separate button that says “Configure” there could really be
beneficial to void confusion. I agree, I think that future tor browser s
having a dedicated “configure” button is a good idea for this reason.
And, upon clicking the “configure “ button at start up, this is what I get
(see the screenshot).
As you can see the options “tor is censored in my country” and “I use a
proxy to connect to the internet” options are there, but the “this computer
goes through a firewall that only allows connections on certain ports”
option is not there, only appearing when I click the “tor network settings”
button on the tor browser tab; I would suggest putting this option back in
the configure button window as this current layout may be troublesome for
people trying to connect from firewalls that only allow certain ports.
Oh, you're right! That's weird! Was this done on purpose or is it a bug?
--
OpenPGP Key: 47BC7DE83D462E8BED18AA861224DBD299A4F5F3
https://www.parckwart.de/pgp_key
Georg Koppen
2018-07-04 17:05:00 UTC
Permalink
Post by Jonathan Marquardt
Post by Keifer Bly
Post by Keifer Bly
I admit, a separate button that says “Configure” there could really be
beneficial to void confusion. I agree, I think that future tor browser s
having a dedicated “configure” button is a good idea for this reason.
And, upon clicking the “configure “ button at start up, this is what I get
(see the screenshot).
As you can see the options “tor is censored in my country” and “I use a
proxy to connect to the internet” options are there, but the “this computer
goes through a firewall that only allows connections on certain ports”
option is not there, only appearing when I click the “tor network settings”
button on the tor browser tab; I would suggest putting this option back in
the configure button window as this current layout may be troublesome for
people trying to connect from firewalls that only allow certain ports.
Oh, you're right! That's weird! Was this done on purpose or is it a bug?
There are some considerations on

https://trac.torproject.org/projects/tor/ticket/24452

why this is currently the case.

Georg
Keifer Bly
2018-07-04 17:17:21 UTC
Permalink
Ok I see the ticket. However if not a window, I think the option should be
available in done form for people who do need it.
Post by Keifer Bly
Post by Jonathan Marquardt
Post by Keifer Bly
Post by Keifer Bly
I admit, a separate button that says “Configure” there could really be
beneficial to void confusion. I agree, I think that future tor browser
s
Post by Jonathan Marquardt
Post by Keifer Bly
Post by Keifer Bly
having a dedicated “configure” button is a good idea for this reason.
And, upon clicking the “configure “ button at start up, this is what I
get
Post by Jonathan Marquardt
Post by Keifer Bly
(see the screenshot).
As you can see the options “tor is censored in my country” and “I use a
proxy to connect to the internet” options are there, but the “this
computer
Post by Jonathan Marquardt
Post by Keifer Bly
goes through a firewall that only allows connections on certain ports”
option is not there, only appearing when I click the “tor network
settings”
Post by Jonathan Marquardt
Post by Keifer Bly
button on the tor browser tab; I would suggest putting this option back
in
Post by Jonathan Marquardt
Post by Keifer Bly
the configure button window as this current layout may be troublesome
for
Post by Jonathan Marquardt
Post by Keifer Bly
people trying to connect from firewalls that only allow certain ports.
Oh, you're right! That's weird! Was this done on purpose or is it a bug?
There are some considerations on
https://trac.torproject.org/projects/tor/ticket/24452
why this is currently the case.
Georg
_______________________________________________
tor-dev mailing list
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Roger Dingledine
2018-07-05 03:31:29 UTC
Permalink
Post by Jonathan Marquardt
Oh, you're right! That's weird! Was this done on purpose or is it a bug?
It was an intentional simplification of the interface. You can read the
reasoning here:

https://trac.torproject.org/projects/tor/ticket/11405#comment:7

Our helpdesk (back when we had one) was interacting with many users who
were doing the wrong thing with the old interface.

The reasoning in short is that if 443 is one of your available ports
then your Tor will bootstrap pretty quickly anyway, and if 443 and 9001
aren't available you're probably going to need some bridge or proxy or
something in order to bootstrap.

--Roger
Keifer Bly
2018-07-05 06:20:31 UTC
Permalink
So tor will automatically use port 80 or 443 if Those are the only ones open?

Sent from my iPhone
Post by Roger Dingledine
Post by Jonathan Marquardt
Oh, you're right! That's weird! Was this done on purpose or is it a bug?
It was an intentional simplification of the interface. You can read the
https://trac.torproject.org/projects/tor/ticket/11405#comment:7
Our helpdesk (back when we had one) was interacting with many users who
were doing the wrong thing with the old interface.
The reasoning in short is that if 443 is one of your available ports
then your Tor will bootstrap pretty quickly anyway, and if 443 and 9001
aren't available you're probably going to need some bridge or proxy or
something in order to bootstrap.
--Roger
_______________________________________________
tor-dev mailing list
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Roger Dingledine
2018-07-05 07:14:00 UTC
Permalink
Post by Keifer Bly
So tor will automatically use port 80 or 443 if Those are the only ones open?
Tor will choose Guard relays at random until one of them works(*).

It looks like around 844 Guard relays are listening on port 443 right now,
out of the 1858 available Guard relays.

% grep -B1 Guard cached-consensus |grep "^r "|grep " 443 "|wc -l
844
% grep -B1 Guard cached-consensus |grep "^r "|wc -l
1858

So if 443 works for you, it won't be many tries until you try a relay
that works for you.

And once you reach a Guard that works, it will become one of your guards
that you keep using, so you'll only do the "flail around trying to find
one" step when you need to replace your guard.

Are you concerned that we have the wrong design for general users, or
are you having a specific problem?

--Roger

(*) Actually, before Tor starts attempting to reach Guards, it first
needs to bootstrap the consensus document from either the directory
authorities or the fallback directory servers -- but they have a pretty
similar distribution of ports they listen on.
Keifer Bly
2018-07-05 08:03:08 UTC
Permalink
No problems here, and if tor handles blocked ports and port blocking
firewalls without issue then it's not something to worry about. But it
might not hurt to have a text box explaining this for those who are
concerned about what ports they are using.
Post by Roger Dingledine
Post by Keifer Bly
So tor will automatically use port 80 or 443 if Those are the only ones
open?
Tor will choose Guard relays at random until one of them works(*).
It looks like around 844 Guard relays are listening on port 443 right now,
out of the 1858 available Guard relays.
% grep -B1 Guard cached-consensus |grep "^r "|grep " 443 "|wc -l
844
% grep -B1 Guard cached-consensus |grep "^r "|wc -l
1858
So if 443 works for you, it won't be many tries until you try a relay
that works for you.
And once you reach a Guard that works, it will become one of your guards
that you keep using, so you'll only do the "flail around trying to find
one" step when you need to replace your guard.
Are you concerned that we have the wrong design for general users, or
are you having a specific problem?
--Roger
(*) Actually, before Tor starts attempting to reach Guards, it first
needs to bootstrap the consensus document from either the directory
authorities or the fallback directory servers -- but they have a pretty
similar distribution of ports they listen on.
_______________________________________________
tor-dev mailing list
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
nusenu
2018-07-05 10:06:00 UTC
Permalink
Post by Roger Dingledine
It looks like around 844 Guard relays are listening on port 443 right now,
out of the 1858 available Guard relays.
guard probability for all guards having ORPort on 80 or 443:
45.99%


guard probability per ORPort:

+---------+-------------------+
| or_port | guard_probability |
+---------+-------------------+
| 443 | 44.4 |
| 9001 | 39.1 |
| 80 | 1.5 |
| 9002 | 1.3 |
| 8080 | 1.1 |
| 8443 | 0.9 |
+---------+-------------------+

(onionoo data as per 2018-07-05 07:00 UTC)
Post by Roger Dingledine
(*) Actually, before Tor starts attempting to reach Guards, it first
needs to bootstrap the consensus document from either the directory
authorities or the fallback directory servers -- but they have a pretty
similar distribution of ports they listen on.
unfortunately onionoo does not have fallbackdir data, so I can't
provide the same table as above for fallbacks without
creating it myself first
--
https://twitter.com/nusenu_
https://mastodon.social/@nusenu
teor
2018-07-05 10:39:49 UTC
Permalink
Post by nusenu
Post by Roger Dingledine
It looks like around 844 Guard relays are listening on port 443 right now,
out of the 1858 available Guard relays.
45.99%
+---------+-------------------+
| or_port | guard_probability |
+---------+-------------------+
| 443 | 44.4 |
| 9001 | 39.1 |
| 80 | 1.5 |
| 9002 | 1.3 |
| 8080 | 1.1 |
| 8443 | 0.9 |
+---------+-------------------+
(onionoo data as per 2018-07-05 07:00 UTC)
Post by Roger Dingledine
(*) Actually, before Tor starts attempting to reach Guards, it first
needs to bootstrap the consensus document from either the directory
authorities or the fallback directory servers -- but they have a pretty
similar distribution of ports they listen on.
unfortunately onionoo does not have fallbackdir data, so I can't
provide the same table as above for fallbacks without
creating it myself first
Here's the list of fallbacks, if you'd like to run a script on it:
https://gitweb.torproject.org/tor.git/tree/src/or/fallback_dirs.inc

The script that selects fallbacks also logs the ports that fallbacks are on.
For the current list, we ran the script twice, and merged the lists:
75/143 = 52% of fallbacks are on IPv4 ORPort 443
49/143 = 34% of fallbacks are on IPv4 ORPort 9001
19/143 = 13% of fallbacks are on other IPv4 ORPorts
18/48 = 38% of IPv6 fallbacks are on IPv6 ORPort 443
15/48 = 31% of IPv6 fallbacks are on IPv6 ORPort 9001
15/48 = 31% of IPv6 fallbacks are on other IPv6 ORPorts
https://trac.torproject.org/projects/tor/attachment/ticket/24801/fallback_dirs_2018_01_06_CA.log

73/139 = 53% of fallbacks are on IPv4 ORPort 443
49/139 = 35% of fallbacks are on IPv4 ORPort 9001
17/139 = 12% of fallbacks are on other IPv4 ORPorts
18/46 = 39% of IPv6 fallbacks are on IPv6 ORPort 443
13/46 = 28% of IPv6 fallbacks are on IPv6 ORPort 9001
15/46 = 33% of IPv6 fallbacks are on other IPv6 ORPorts
https://trac.torproject.org/projects/tor/attachment/ticket/24801/fallback_dirs_2018_01_06_2323_UTC_44aa1adf35_AU.log

T

Loading...