Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] repress wordpress plugin

Collin Anderson collin at averysmallbird.com
Thu Jan 19 10:11:27 PST 2012


Sacha,


> also if you use https the url is not sent in the clear, so it cannot be
> filtered.


My guess is that most Wordpress blogs do not run HTTPS services. For this
reason, I hope that the RePress project takes seriously the lessons learned
by similar projects such as Glype and Psiphon.

Proxified URLs need to be encoded when they are transmitted to the server.
Most sufficiently competent filtering equipment will pull not only the
'repress.php' keyword, but the blocked site from the POST/GET. Equally
important, the page content is currently transfered without obfuscation --
while this isn't perfect secrecy, I believe that it's a useful measure to
evading runtime content inspection. Lastly, think heavily about stripping
javascript.

Web proxies are a difficult balance in privacy/security and usability. My
hope is that you study the design and shortcomings of both Glype, which is
popular but insecure, and Psiphon, which is not heavily used but a little
better, well before Beta. I look forward to watching the progress of
RePress and wish you well.

Cordially,
Collin

On Thu, Jan 19, 2012 at 11:19 AM, Sacha van Geffen <sacha at greenhost.nl>wrote:

> On 01/19/12 16:32, Fabio Pietrosanti (naif) wrote:
>
> >
> > Your approach is very cool!
> >
> thanks
>
> > We should probably consider:
> > - how to allow people in censored countries to find free proxy?
> > How a chinese guy would find that proxy and start using it?
> >
> That is an interesting question, it should not be too easy to find
> (thaat would make blocking too easy to) but also not too hard. For now
> manual propagation is the tool to use ;) but i would appreciate any
> feedback on this.
>
> > - how to avoid to get the free-proxy get easily blacklisted by
> governments?
> > For example if the webapp get diffused (inshalla!), but it have a unique
> > name (ex: repress.php) with identifiable URL parameters, then repressive
> > government would censor it very easily.
> At this moment the proxy is limited to a list of sites you add to it (a
> default small list is included) on the settings page.
> A setting to extend this to all sites will be added in the future (after
> more code and security reviews)
>
> If you browse to yoursite.org/[repress permalink]/ a list will be shown
> of sites that are made available through the proxy.
>
> so this can be changed on a per install basis. also if you use https the
> url is not sent in the clear, so it cannot be filtered.
>
> >
> > There was a discussion about having Tor Bridge TCP Forwarder concept
> > available as a Wordpress plug-in for the same reason (a lot of
> > installations and almost zero maintenance):
> > https://lists.torproject.org/pipermail/tor-talk/2012-January/022797.html
> >
>
> that is also an interesting idea
>
> > -naif
> > _______________________________________________
> > liberationtech mailing list
> > liberationtech at lists.stanford.edu
> >
> > Should you need to change your subscription options, please go to:
> >
> > https://mailman.stanford.edu/mailman/listinfo/liberationtech
> >
> > If you would like to receive a daily digest, click "yes" (once you click
> above) next to "would you like to receive list mail batched in a daily
> digest?"
> >
> > You will need the user name and password you receive from the list
> moderator in monthly reminders.
> >
> > Should you need immediate assistance, please contact the list moderator.
> >
> > Please don't forget to follow us on http://twitter.com/#!/Liberationtech
>
> _______________________________________________
> liberationtech mailing list
> liberationtech at lists.stanford.edu
>
> Should you need to change your subscription options, please go to:
>
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
> If you would like to receive a daily digest, click "yes" (once you click
> above) next to "would you like to receive list mail batched in a daily
> digest?"
>
> You will need the user name and password you receive from the list
> moderator in monthly reminders.
>
> Should you need immediate assistance, please contact the list moderator.
>
> Please don't forget to follow us on http://twitter.com/#!/Liberationtech
>



-- 
*Collin David Anderson*
averysmallbird.com | @cda | Washington, D.C.



More information about the liberationtech mailing list