[tor-talk] Implement JSONP interface for check.torproject.org

Fabio Pietrosanti (naif) lists at infosecurity.ch
Sun Nov 6 16:00:08 UTC 2011


On 11/6/11 1:46 PM, tor at lists.grepular.com wrote:
> Clearly a lot of people don't even consider these problems though. The
> number of people using Google Analytics is proof enough of that.

We should also consider that a lot of activism organizations promoting
freedom of expression are not technical and are mostly oriented toward
advocacy, marketing and communication skills, maintaining multimedia
production tools and rich websites.

A lot of such initiatives run their "IT infrastructure" as a PHP web
hosting system + cloud tools (YouTube for videos, Twitter, etc.), so
they cannot run a "Tor client" on their servers.

Let's suppose that AccessNow https://www.accessnow.org/ would like to
implement the privacybadge web widget; they have several options:

a) Check IP with locally installed cached-descriptors of a running Tor
instance. While that's possible, it requires you to be able to run Tor on
your hosting server, using a local web application to make the check.

b) Check IP with remotely installed cached-descriptors, thus "checking
in-the-cloud" for Anonymous/NotAnonymous feedback:

b-1) You have a local web application that makes a DNS query to a TorDNS BL

b-2) You can call a remote web service as a web "widget" embedded into
your website like Google Analytics, Twitter Widgets, YouTube Widgets

I expect that, because this kind of privacybadge would be useful to
create awareness among the web visitors of Tor supporter websites, it would
be a very cool way to spread and promote Tor and awareness of anonymity.

In such a case, having something that can be used like a "web widget" "in
the cloud" (so just including some code into your webpage) provides very
usable features.

So a standard "web widget" would be very effective for awareness
campaigns spread across tons of websites.

Additionally, if you think web, webmasters could be able (knowing from the
DOM of a webpage if the user is anonymous or not) to even further
customize their web user experience.
They may provide specific tips and advice on using Tor, providing direct
download links, putting up RED or GREEN web elements (backgrounds,
div, etc.) to inform the user even better about his status and conditions
(not being anonymous or being anonymous).

In theory something like that could also be done by not using JSONP but
by just downloading an image that represents Tor-OK, Tor-NOT-OK, so that
the webmaster can download it via "<img src=".

If the images representing Anonymous/NotAnonymous are different in size
or pixels, the webmaster can always detect with that data the information
"anonymous/not-anonymous" (e.g.: width 55px anonymous, width 56px
not-anonymous) from JavaScript and act accordingly by tweaking their
web page to further inform the user about his status.

However I think that the JSONP approach would be cool :-)


> I'm available for website pen-testing by the way ;)

Man, that's no more than a concept prototype, but for sure production
code would require some careful coding, even if very simple :-)

-naif
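
Added example, not part of the original message and not code from check.torproject.org: a sketch of the server side of the JSONP widget discussed above, showing the callback validation such an endpoint needs because the caller-chosen name is echoed into script that runs in the embedding page. The names `jsonpTorCheck`, `isSafeCallback` and `EXIT_IPS` and the response shape are assumptions; the exit addresses are constructed sample data.

```javascript
// Hypothetical JSONP responder for a Tor-check widget (illustration only).
// EXIT_IPS is constructed sample data (RFC 5737 documentation addresses)
// standing in for a lookup against a real exit list.
const EXIT_IPS = new Set(["192.0.2.10", "198.51.100.7"]);

// Accept only plain dotted identifiers, e.g. "cb" or "widget.onTorCheck".
// Any other character would let the caller place arbitrary script in the
// response that the embedding page executes.
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$/;
const MAX_CALLBACK_LEN = 64;

function isSafeCallback(name) {
  return typeof name === "string" &&
    name.length <= MAX_CALLBACK_LEN &&
    CALLBACK_RE.test(name);
}

// Build the HTTP response for GET /check?callback=<name>.
// clientIp is the address the server saw the request come from.
function jsonpTorCheck(callback, clientIp) {
  if (!isSafeCallback(callback)) {
    return {
      status: 400,
      headers: { "Content-Type": "text/plain; charset=utf-8" },
      body: "invalid callback",
    };
  }
  // The payload is a fixed-shape object, never a string taken from the request.
  const payload = JSON.stringify({ tor: EXIT_IPS.has(clientIp) });
  return {
    status: 200,
    headers: {
      "Content-Type": "application/javascript; charset=utf-8",
      "X-Content-Type-Options": "nosniff", // no MIME sniffing of the script
      "Cache-Control": "no-store",         // the answer depends on the caller's IP
    },
    // Leading /**/ keeps the caller-chosen name off the first bytes of the body.
    body: `/**/${callback}(${payload});`,
  };
}
```

Even with a strict callback check, a site that embeds the widget runs whatever script the widget host returns, so the embedding page trusts that host completely.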

