Mike Tigas mtigas
@mtigas
mtigas / 0 ProPublica Tor hidden service config.md
Last active Dec 2, 2020
Configuration for ProPublica’s Tor hidden service proxy.

These files contain the base configuration for ProPublica’s Tor hidden service mirror.

Of note:

  • We're using the nginx "subs_filter" and "headers more" modules to allow us to rewrite content and update headers, so that we can convert clearnet links into onion links, where possible.

  • Based on feedback we've received, we're using Unix sockets (instead of a 127.0.0.1:___ TCP port) where nginx listens internally for the inbound connection from Tor. This ensures that a firewall misconfiguration can't expose the site running in nginx, which is likely overkill for an already-public (clearnet) website; this may also slightly improve performance and reduce socket overhead, however.

    If you try doing this and have issues using sudo service nginx restart due to leftover connections using the socket, you may have to nuke the previous sockets before starting a new nginx process:

@mtigas
mtigas / gist:952344
Last active Dec 2, 2020
Mini tutorial for configuring client-side SSL certificates.

Client-side SSL

For excessively paranoid client authentication.


Updated Apr 5 2019:

Because this is a gist from 2011 that people stumble into, and maybe you should use AES instead of 3DES in the year of our lord 2019.

some other notes:

@mtigas
mtigas / onion-svc-v3-client-auth.sh
Last active Nov 13, 2020
experiments with using v3 onions with client auth (as of tor 0.3.5.X)
#!/bin/bash
# needs openssl 1.1+
# needs `basez` https://manpages.debian.org/testing/basez/base32hex.1.en.html
# (but something else that decodes the base64 and re-encodes the raw key bytes
# to base32 is probably fine too)
##### generate a key
openssl genpkey -algorithm x25519 -out /tmp/k1.prv.pem
@mtigas
mtigas / nginx.conf
Last active Nov 4, 2020
Nginx configuration for securedrop.propublica.org. (Based on Ubuntu 13.10 / Nginx 1.4.1 default config.)
# This configuration file is provided on an "as is" basis,
# with no warranties or representations, and any use of it
# is at the user's own risk.
#
# You will need to edit domain name information, IP addresses for
# redirection (at the bottom), SSL certificate and key paths, and
# the "Public-Key-Pins" header. Search for any instance of "TODO".
user www-data;
worker_processes 4;
@mtigas
mtigas / 01.md
Last active Sep 25, 2020
HTTPS / SSL certificate config stuff

Normal SSL cert

export DATE=`date +"%Y%m"`
export SITENAME="mike_tig_as"
export KEYNAME="$DATE-$SITENAME"

# Generate private key, make it have no password.
# change to 2048 if you want compatibility with CDNs / aws cloudfront / load balancers, etc
openssl genrsa -aes256 -passout pass:xxxx -out "${KEYNAME}.pass.key" 4096
openssl rsa -passin pass:xxxx -in ${KEYNAME}.pass.key -out ${KEYNAME}.key
@mtigas
mtigas / 0-hidden-service-subdomains.md
Last active Aug 25, 2020
Example code for running a (HTTP/HTTPS) Tor hidden service supporting subdomains.

The following files show an example of how to create subdomains for onion site hidden services. (This hasn't been tested for hidden services for anything other than HTTP/HTTPS.)

(You might also want to read our blog post about ProPublica’s Tor hidden service, including a tutorial and notes on running a hidden service: https://www.propublica.org/nerds/item/a-more-secure-and-anonymous-propublica-using-tor-hidden-services )

In general, this works (maybe just in recent Tor clients) because Tor will handle the connection to www.xxxxxxxxxxxxxxxx.onion as a connection to xxxxxxxxxxxxxxxx.onion. The encapsulated HTTP/HTTPS connection contains the subdomain in the Host: header (and in the case of HTTPS, the SNI

@mtigas
mtigas / LICENSE.txt
Created Feb 9, 2011
Script that allows batch-downloading a person's full Facebook photo collection.
Copyright 2011 Mike Tigas. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are
permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of
conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list
of conditions and the following disclaimer in the documentation and/or other materials
View 0.md

Moved to http://www.propublica.org/nerds/item/is-the-u.s.-government-behind-torsploit

A new version of this report is located at ProPublica. It includes more detail and a comment from Susan Prosser, Vice President of Industry Relations at DomainTools, about how the DomainTools "IP Explorer" tool gathers the "C block owner" value.


The new version mostly just adds information, but previous versions of this gist can still be seen at the "Revisions" button to the left. Earlier versions should be considered draft quality.


@mtigas
mtigas / sunrise.html
Created Jun 7, 2010
Messing with HTML5 canvas to create a daylight clock visualization.
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<title>Sunlight</title>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js" type="text/javascript"></script>
<script type="text/javascript">/*<![CDATA[*/
// TODO automate getting this data somehow
// http://aa.usno.navy.mil/data/docs/RS_OneDay.php
View 1-ssldump.md

Patches for ssldump

Patches for [ssldump][ssldump] (the last ssldump-0.9b3.tar.gz version).

You can install a Mac OS X version of ssldump with these patches included, using [Homebrew][brew]. Check https://github.com/mtigas/homebrew-ssldump for instructions.


Patch 2-ssldump-tls12.diff adds information about new TLSv1.2 cipher suites
