
"Secure Connection Failed"

VerdantGreen

Genetics Facilitator
Boutique Breeder
Mentor
ICMag Donor
Veteran
hi there

this has been happening for a while, and it makes an already slow process even slower. when trying to upload pics i always get this:

Secure Connection Failed

An error occurred during a connection to www.icmag.com.

SSL received a record with an incorrect Message Authentication Code.

(Error code: ssl_error_bad_mac_read)
* The page you are trying to view can not be shown because the authenticity of the received data could not be verified.

* Please contact the web site owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.
there is a 'try again' button underneath and when i hit that, and ok sending the info again, it nearly always works.
but it unnerves me a little having to send it twice like double jeopardy or something :)
using mac, firefox with vidalia/torbutton


anything I'm doing wrong?


thanks:tiphat:


VG
 

mugenbao

This problem is not specific to ICMag, it is a general error and not something to be overly concerned about. The previous link mentions Firefox, but it's also not exclusive to that browser. You might see it more when using a Tor proxy because there are multiple levels of SSL (hence the Onion metaphor), but even so it's merely annoying rather than a security concern in most cases.
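To make the error message above concrete, here is an added example (not from the thread and not from Firefox or OpenSSL) that models the record-integrity check a TLS receiver performs. A keyed MAC is computed over each record; if even one bit is altered in transit, or the record arrives out of sequence, verification fails and the receiver discards the record instead of handing corrupted data to the browser. That is exactly what Firefox reports as ssl_error_bad_mac_read, and it is also why a clean resend goes through. The key and HTTP payload are constructed values; real TLS derives the key from the handshake and also covers the record type, version and length in the MAC.

```python
import hashlib
import hmac

MAC_LEN = 32  # HMAC-SHA256 tag length in bytes


def record_mac(key: bytes, seq: int, payload: bytes) -> bytes:
    """Keyed MAC over the sequence number and payload (simplified TLS record MAC)."""
    return hmac.new(key, seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()


def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: append the MAC to the payload (encryption omitted for clarity)."""
    return payload + record_mac(key, seq, payload)


def receive(key: bytes, seq: int, record: bytes):
    """Receiver side: verify the MAC before releasing any data to the application.

    Returns (accepted, payload). A failed check yields (False, None): nothing is
    shown to the user, which is the situation the browser reports as a bad MAC.
    """
    if len(record) < MAC_LEN:
        return False, None
    payload, tag = record[:-MAC_LEN], record[-MAC_LEN:]
    if not hmac.compare_digest(tag, record_mac(key, seq, payload)):
        return False, None
    return True, payload


def flip_bit(record: bytes, index: int) -> bytes:
    """Simulate in-transit corruption of a single bit of the record."""
    damaged = bytearray(record)
    damaged[index] ^= 0x01
    return bytes(damaged)


def demo() -> dict:
    # Constructed key and payload; a real session key comes from the TLS handshake.
    key = b"constructed-session-key-not-from-a-real-handshake"
    upload = b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n\r\n<image bytes>"
    record = seal(key, 1, upload)

    ok_clean, data = receive(key, 1, record)               # intact record: accepted
    ok_damaged, _ = receive(key, 1, flip_bit(record, 10))  # one flipped bit: rejected
    ok_desync, _ = receive(key, 2, record)                 # wrong sequence number: rejected
    ok_retry, _ = receive(key, 1, seal(key, 1, upload))    # resent intact: accepted

    return {
        "intact": ok_clean and data == upload,
        "corrupted": ok_damaged,
        "desynced": ok_desync,
        "retry": ok_retry,
    }


if __name__ == "__main__":
    print(demo())
```

The point for a defender is that the MAC failure is the protocol working as designed: a proxy or link that mangles bytes cannot turn that into silently corrupted page data, only into a rejected record and a visible error.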
 

VerdantGreen

Genetics Facilitator
Boutique Breeder
Mentor
ICMag Donor
Veteran
excellent, thanks.

i'll stop listening out for the cops outside the door now when i hit 'try again' :D
 

mugenbao

FWIW, if any of you use TOR, remote third-party anonymous proxies, or open-source proxies, this might be of interest:
Nov 16 2010 - There's a new buffer overflow vulnerability in versions of OpenSSL from 0.9.8f through 0.9.8o, and 1.0.0 through 1.0.0a. You can read the security advisory for the whole story.

So far as we can tell from our current analysis, Tor is not affected. Here's why:

The advisory says:

Any OpenSSL based TLS server is vulnerable if it is multi-threaded and uses OpenSSL's internal caching mechanism. Servers that are multi-process and/or disable internal session caching are NOT affected.

Tor qualifies for both of the safe cases: Tor does disable OpenSSL's internal session caching. This happens in the file src/common/tortls.c, when we call SSL_CTX_set_session_cache_mode(result->ctx,SSL_SESS_CACHE_OFF). Tor has done this since version 0.0.2pre6 back in 2003.

Also, though Tor is multithreaded, Tor only calls SSL functionality from a single thread. Thus, no thread other than the main thread will examine or alter the TLS session cache, or any TLS session at all.

So it would appear that Tor itself is in the clear. Nonetheless, your other applications might not be. If you're running other SSL services that might be affected, be sure to apply patches from your OS and/or your application to stay safe.
 

spurr

Active member
Veteran
hi there

this has been happening for a while, and it makes an already slow process even slower. when trying to upload pics i always get this:

there is a 'try again' button underneath and when i hit that, and ok sending the info again, it nearly always works.
but it unnerves me a little having to send it twice like double jeopardy or something :)
using mac, firefox with vidalia/torbutton


anything I'm doing wrong?


thanks:tiphat:


VG

hey bro,

The problem is Polipo, the HTTP/S proxy that sits between your browser and Tor. I have been testing Privoxy for a while now, it used to be the default HTTP/S proxy for Tor, but Tor switched to Polipo because Polipo is lighter and faster. However, Polipo is not under as active development as Privoxy. After using Privoxy and not Polipo for the last few weeks I have had zero of the errors you listed above. But, when I used Polipo again, I get the errors often.

If you or others are interested I can tell you how to setup Privoxy for use with Tor, and how to setup Vidalia so it auto-starts Privoxy and not Polipo.

:tiphat:
 

spurr

Active member
Veteran
Cool, thanks Honkytonk. Glad to see it worked for you too.

I get really frustrated when I get caught in the "secure connection failed" loop due to Polipo. I am going to open a bug report ticket at the Tor flyspray site. Hopefully phobos, or Chris, or whoever is handling Polipo now that its original author, Juliusz Chroboczek, has stopped developing it, will be able to figure out a fix...

The problem with using Privoxy vs. Polipo is it makes those who use Privoxy stand out 'of the crowd' of other Tor users due to fingerprinting attacks (e.g. "Panopticlick" http://panopticlick.eff.org/ ). That means it opens us up to easier identification (e.g. via rogue exit nodes) vs. using Polipo and 'blending in' with other Tor users.

As the true adage goes "anonymity loves company"...


Here is some good info on browser fingerprinting:

It's important to use TorButton and Firefox and Polipo to 'blend into the crowd'...

1. "Browser Fingerprinting Can ID You Without Cookies"
http://www.networkworld.com/news/2010/012910-browser-fingerprinting-can-id-you.html


2. "Help EFF Research Web Browser Tracking"
https://www.eff.org/deeplinks/2010/01/help-eff-research-web-browser-tracking


3. "A Primer on Information Theory and Privacy"
https://www.eff.org/deeplinks/2010/01/help-eff-research-web-browser-tracking




FWIW, here are the Firefox add-ons I use to increase my security and anonymity:

Using un-common add-ons can also make your browser fingerprint stand out from the crowd of other Tor users:

1. BetterPrivacy (a must have)

2. RefControl (a must have, and needs to be properly configured)

3. HTTPS-Everywhere

4. Flashblock

5. NoScript

6. RequestPolicy (prevent cross-site scripting, etc)

7. TorButton (of course, the uber must have)



About "EverCookies"

These are very dangerous and can not be deleted by normal methods and can be used even through TorButton, to identify users.

1. "BleachBit" (that is a very good file shredding tool, it's the only way to remove EverCookies at this time)

2. Anonymizer is releasing a new add-on for Firefox soon that will prevent setting and will remove EverCookies.
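The "anonymity loves company" point above can be put in numbers using the information-theory view the EFF primer linked in the post takes: a fingerprint that a fraction p of users share reveals -log2(p) bits about you, and log2(N) bits are enough to single one person out of N. The following is an added example (not part of the thread, and not EFF's or Panopticlick's code) with a constructed, invented population of Tor users keyed by the observable parts of their setup; the counts are illustrative only.

```python
import math
from collections import Counter

# Constructed population of Tor users, keyed by (browser, HTTP proxy in front of
# Tor, add-on set). Counts are invented for illustration, not measured anywhere.
POPULATION = Counter({
    ("Firefox+Torbutton", "Polipo", "default add-ons"): 9000,
    ("Firefox+Torbutton", "Polipo", "default add-ons + NoScript"): 800,
    ("Firefox+Torbutton", "Privoxy", "default add-ons"): 150,
    ("Firefox+Torbutton", "Privoxy", "RefControl + RequestPolicy"): 3,
})


def anonymity_set(fingerprint, population=POPULATION) -> int:
    """How many users share this exact fingerprint (the 'company' you blend into)."""
    return population[fingerprint]


def surprisal_bits(fingerprint, population=POPULATION) -> float:
    """Bits of identifying information revealed by presenting this fingerprint:
    -log2(p), where p is the fraction of the population with the same fingerprint."""
    total = sum(population.values())
    count = population[fingerprint]
    if count == 0:
        raise ValueError("fingerprint not present in population")
    return -math.log2(count / total)


def bits_to_single_out(population=POPULATION) -> float:
    """Bits needed to uniquely identify one person in the whole population: log2(N)."""
    return math.log2(sum(population.values()))


def report(population=POPULATION) -> list:
    """Rows of (fingerprint, anonymity set size, bits revealed), most revealing first."""
    rows = [(fp, anonymity_set(fp, population), surprisal_bits(fp, population))
            for fp in population]
    return sorted(rows, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    print(f"bits needed to single out one user: {bits_to_single_out():.2f}")
    for fp, size, bits in report():
        print(f"{bits:6.2f} bits  anonymity set {size:5d}  {fp}")
```

With these made-up counts the common Polipo setup gives away about 0.15 bits, while the rare Privoxy plus uncommon add-ons setup gives away about 11.7 bits against the roughly 13.3 bits needed to identify one user outright; any further distinguishing detail (screen size, fonts, time zone) closes that gap quickly.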
 

mugenbao

If you or others are interested I can tell you how to setup Privoxy for use with Tor, and how to setup Vidalia so it auto-starts Privoxy and not Polipo.
That would be good info for everyone to have available. Yes, please :)
 

spurr

Active member
Veteran
That would be good info for everyone to have available. Yes, please :)

Sure, here is some quick and dirty info for Windows, the next post will be for Mac. Those on *nix should be able to build Privoxy on their own and use the Mac directions for the config files, etc.


1. Download Privoxy here


2. Install privoxy in SystemRoot (i.e. C:\): C:\Program Files\Privoxy


3. Download the zip folder I made with Privoxy config files here; password is "ilovecanna" (without quotes).


4. Put the three files "config", "default" and "match-all" into C:\Program Files\Privoxy; overwrite the three files with the same name already in C:\Program Files\Privoxy.


5. Configure Privoxy so it does not start with a window, as so: Start > Programs > Privoxy > [right click] Privoxy icon > [highlight] Properties > [click arrow next to] Run > [select] Minimized > Apply > OK.


6a. When Vidalia starts it also auto-starts Polipo. I could tell you all how to configure Vidalia to auto-start Privoxy instead, but I don't want to do that because it is best to use Polipo whenever possible.


6b. To use Privoxy, start Vidalia and then open up Windows Task Manager via pressing the buttons "Ctrl", "Alt" and "Delete" at the same time. Then find the process "polipo.exe" and right click on it, then choose "end process", and choose "yes".


6c. Start Privoxy via the start menu, i.e., Start > Programs > Privoxy > Privoxy icon.


7. In Firefox toggle Torbutton in the lower right hand corner so the text goes from being red ("Tor Disabled") to green ("Tor Enabled"). Done, now you are using Privoxy instead of Polipo for Tor and Firefox.


Here is the "config" file for Windows. I set up Privoxy so it is only acting as a proxy and is not filtering any traffic. I also reduced the buffer-limit (which doesn't really matter because Privoxy isn't set up to filter traffic), and I changed the keep-alive to 600 seconds (that makes fewer websites/webpages time out). Using Privoxy only in proxy mode makes Privoxy break fewer sites, makes it faster and makes it better for use with Tor and Torbutton.

#+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+
# PRIVOXY SETTINGS FOR USE WITH TOR
#
# Configured for Windows operating system file path.
#
# If using non-Windows operating system uncomment the "confdir" path line
# for path to Privoxy installation on your system. To uncomment a line
# remove the hash tag (#) from in front of the line.
#+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+
#
#
#
#
# 2.1. confdir
# =============
#
# Specifies:
#
# The directory where the other configuration files are located.
#
# Type of value:
#
# Path name
#
# Default value:
#
# /etc/privoxy (Unix) or Privoxy installation dir (Windows)
#
# Effect if unset:
#
# Mandatory
#
# Notes:
#
# No trailing "/", please.
#
# UNCOMMENT FOLLOWING LINE FOR WINDOWS DIRECTORY HOLDING CONFIG FILES:
#
confdir C:\Program Files\Privoxy
#
# UNCOMMENT FOLLOWING LINE FOR MAC DIRECTORY HOLDING CONFIG FILES:
#
#confdir /usr/local/etc/privoxy/config
#
# UNCOMMENT FOLLOWING LINE FOR UNIX DIRECTORY HOLDING CONFIG FILES:
#
#confdir /etc/privoxy
#
#
#
#
# 2.3. logdir
# ============
#
# Specifies:
#
# The directory where all logging takes place (i.e. where the
# logfile is located).
#
# Type of value:
#
# Path name
#
# Default value:
#
# /var/log/privoxy (Unix) or Privoxy installation dir (Windows)
#
# Effect if unset:
#
# Mandatory
#
# Notes:
#
# No trailing "/", please.
#
logdir .
#
#
#
#
# 2.4. actionsfile
# =================
#
# Specifies:
#
# The actions file(s) to use
#
# Type of value:
#
# Complete file name, relative to confdir
#
# Default values:
#
# match-all.action # Actions that are applied to all sites and maybe overruled later on.
#
# default.action # Main actions file
#
# user.action # User customizations
#
# Effect if unset:
#
# No actions are taken at all. More or less neutral proxying.
#
# Notes:
#
# Multiple actionsfile lines are permitted, and are in fact
# recommended!
#
# The default values are default.action, which is the "main"
# actions file maintained by the developers, and user.action,
# where you can make your personal additions.
#
# Actions files contain all the per site and per URL configuration
# for ad blocking, cookie management, privacy considerations,
# etc. There is no point in using Privoxy without at least one
# actions file.
#
# Note that since Privoxy 3.0.7, the complete filename, including
# the ".action" extension has to be specified. The syntax change
# was necessary to be consistent with the other file options and
# to allow previously forbidden characters.
#
actionsfile match-all.action # Actions that are applied to all sites and maybe overruled later on.
#actionsfile default.action # Main actions file
#actionsfile user.action # User customizations
#
#
#
#
# 2.5. filterfile
# ================
#
# Specifies:
#
# The filter file(s) to use
#
# Type of value:
#
# File name, relative to confdir
#
# Default value:
#
# default.filter (Unix) or default.filter.txt (Windows)
#
# Effect if unset:
#
# No textual content filtering takes place, i.e. all +filter{name}
# actions in the actions files are turned neutral.
#
# Notes:
#
# Multiple filterfile lines are permitted.
#
# The filter files contain content modification rules that use
# regular expressions. These rules permit powerful changes on the
# content of Web pages, and optionally the headers as well, e.g.,
# you could try to disable your favorite JavaScript annoyances,
# re-write the actual displayed text, or just have some fun
# playing buzzword bingo with web pages.
#
# The +filter{name} actions rely on the relevant filter (name)
# to be defined in a filter file!
#
# A pre-defined filter file called default.filter that contains a
# number of useful filters for common problems is included in the
# distribution. See the section on the filter action for a list.
#
# It is recommended to place any locally adapted filters into a
# separate file, such as user.filter.
#
filterfile default.filter
#filterfile user.filter # User customizations
#
#
#
#
# 2.6. logfile
# =============
#
# Specifies:
#
# The log file to use
#
# Type of value:
#
# File name, relative to logdir
#
# Default value:
#
# Unset (commented out). When activated: logfile (Unix) or
# privoxy.log (Windows).
#
# Effect if unset:
#
# No logfile is written.
#
# Notes:
#
# The logfile is where all logging and error messages are
# written. The level of detail and number of messages are set with
# the debug option (see below). The logfile can be useful for
# tracking down a problem with Privoxy (e.g., it's not blocking
# an ad you think it should block) and it can help you to monitor
# what your browser is doing.
#
# Depending on the debug options below, the logfile may be a
# privacy risk if third parties can get access to it. As most
# users will never look at it, Privoxy 3.0.7 and later only log
# fatal errors by default.
#
# For most troubleshooting purposes, you will have to change that,
# please refer to the debugging section for details.
#
# Your logfile will grow indefinitely, and you will probably
# want to periodically remove it. On Unix systems, you can do
# this with a cron job (see "man cron"). For Red Hat based Linux
# distributions, a logrotate script has been included.
#
# Any log files must be writable by whatever user Privoxy is
# being run as (on Unix, default user id is "privoxy").
#
logfile privoxy.log
#
#
#
#
# 3.1. debug
# ===========
#
# Specifies:
#
# Key values that determine what information gets logged.
#
# Type of value:
#
# Integer values
#
# Default value:
#
# 0 (i.e.: only fatal errors (that cause Privoxy to exit) are logged)
#
# Effect if unset:
#
# Default value is used (see above).
#
# Notes:
#
# The available debug levels are:
#
# debug 1 # Log the destination for each request Privoxy let through. See also debug 1024.
# debug 2 # show each connection status
# debug 4 # show I/O status
# debug 8 # show header parsing
# debug 16 # log all data written to the network
# debug 32 # debug force feature
# debug 64 # debug regular expression filters
# debug 128 # debug redirects
# debug 256 # debug GIF de-animation
# debug 512 # Common Log Format
# debug 1024 # Log the destination for requests Privoxy didn't let through, and the reason why.
# debug 2048 # CGI user interface
# debug 4096 # Startup banner and warnings.
# debug 8192 # Non-fatal errors
# debug 32768 # log all data read from the network
#
#
# To select multiple debug levels, you can either add them or
# use multiple debug lines.
#
# A debug level of 1 is informative because it will show you each
# request as it happens. 1, 1024, 4096 and 8192 are recommended
# so that you will notice when things go wrong. The other levels
# are probably only of interest if you are hunting down a specific
# problem. They can produce a hell of an output (especially 16).
#
# Privoxy used to ship with the debug levels recommended above
# enabled by default, but due to privacy concerns 3.0.7 and later
# are configured to only log fatal errors.
#
# If you are used to the more verbose settings, simply enable
# the debug lines below again.
#
# If you want to use pure CLF (Common Log Format), you should set
# "debug 512" ONLY and not enable anything else.
#
# Privoxy has a hard-coded limit for the length of log messages. If
# it's reached, messages are logged truncated and marked with
# "... [too long, truncated]".
#
# Please don't file any support requests without trying to
# reproduce the problem with increased debug level first. Once
# you read the log messages, you may even be able to solve the
# problem on your own.
#
#debug 1 # Log the destination for each request Privoxy let through.
#debug 1024 # Log the destination for requests Privoxy didn't let through, and the reason why.
debug 4096 # Startup banner and warnings
debug 8192 # Non-fatal errors
#
#
#
#
# 4.1. listen-address
# ====================
#
# Specifies:
#
# The IP address and TCP port on which Privoxy will listen for
# client requests.
#
# Type of value:
#
# [IP-Address]:port
#
# Default value:
#
# 127.0.0.1:8118
#
# Effect if unset:
#
# Bind to 127.0.0.1 (IPv4 localhost), port 8118. This is suitable
# and recommended for home users who run Privoxy on the same
# machine as their browser.
#
# Notes:
#
# You will need to configure your browser(s) to this proxy address
# and port.
#
# If you already have another service running on port 8118, or
# if you want to serve requests from other machines (e.g. on your
# local network) as well, you will need to override the default.
#
# IPv6 addresses containing colons have to be quoted by brackets.
#
# If you leave out the IP address, Privoxy will bind to all IPv4
# interfaces (addresses) on your machine and may become reachable
# from the Internet. In that case, consider using access control
# lists (ACL's, see below), and/or a firewall.
#
# If you open Privoxy to untrusted users, you will also
# want to make sure that the following actions are disabled:
# enable-edit-actions and enable-remote-toggle
#
# Example:
#
# Suppose you are running Privoxy on a machine which has the
# address 192.168.0.1 on your local private network (192.168.0.0)
# and has another outside connection with a different address. You
# want it to serve requests from inside only:
#
# listen-address 192.168.0.1:8118
#
# Suppose you are running Privoxy on an IPv6-capable machine and
# you want it to listen on the IPv6 address of the loopback device:
#
# listen-address [::1]:8118
#
listen-address 127.0.0.1:8118
#
#
#
#
# 4.2. toggle
# ============
#
# Specifies:
#
# Initial state of "toggle" status
#
# Type of value:
#
# 1 or 0
#
# Default value:
#
# 1
#
# Effect if unset:
#
# Act as if toggled on
#
# Notes:
#
# If set to 0, Privoxy will start in "toggled off" mode,
# i.e. mostly behave like a normal, content-neutral proxy
# with both ad blocking and content filtering disabled. See
# enable-remote-toggle below.
#
# The windows version will only display the toggle icon in the
# system tray if this option is present.
#
toggle 0
#
#
#
#
# 4.3. enable-remote-toggle
# ==========================
#
# Specifies:
#
# Whether or not the web-based toggle feature may be used
#
# Type of value:
#
# 0 or 1
#
# Default value:
#
# 0
#
# Effect if unset:
#
# The web-based toggle feature is disabled.
#
# Notes:
#
# When toggled off, Privoxy mostly acts like a normal,
# content-neutral proxy, i.e. doesn't block ads or filter content.
#
# Access to the toggle feature can not be controlled separately by
# "ACLs" or HTTP authentication, so that everybody who can access
# Privoxy (see "ACLs" and listen-address above) can toggle it
# for all users. So this option is not recommended for multi-user
# environments with untrusted users.
#
# Note that malicious client side code (e.g Java) is also capable
# of using this option.
#
# As a lot of Privoxy users don't read documentation, this feature
# is disabled by default.
#
# Note that you must have compiled Privoxy with support for this
# feature, otherwise this option has no effect.
#
enable-remote-toggle 0
#
#
# 4.4. enable-remote-http-toggle
# ===============================
#
# Specifies:
#
# Whether or not Privoxy recognizes special HTTP headers to change
# its behaviour.
#
# Type of value:
#
# 0 or 1
#
# Default value:
#
# 0
#
# Effect if unset:
#
# Privoxy ignores special HTTP headers.
#
# Notes:
#
# When toggled on, the client can change Privoxy's behaviour by
# setting special HTTP headers. Currently the only supported
# special header is "X-Filter: No", to disable filtering for
# the ongoing request, even if it is enabled in one of the
# action files.
#
# This feature is disabled by default. If you are using Privoxy in
# a environment with trusted clients, you may enable this feature
# at your discretion. Note that malicious client side code (e.g
# Java) is also capable of using this feature.
#
# This option will be removed in future releases as it has been
# obsoleted by the more general header taggers.
#
enable-remote-http-toggle 0
#
#
# 4.5. enable-edit-actions
# =========================
#
# Specifies:
#
# Whether or not the web-based actions file editor may be used
#
# Type of value:
#
# 0 or 1
#
# Default value:
#
# 0
#
# Effect if unset:
#
# The web-based actions file editor is disabled.
#
# Notes:
#
# Access to the editor can not be controlled separately by
# "ACLs" or HTTP authentication, so that everybody who can access
# Privoxy (see "ACLs" and listen-address above) can modify its
# configuration for all users.
#
# This option is not recommended for environments with untrusted
# users and as a lot of Privoxy users don't read documentation,
# this feature is disabled by default.
#
# Note that malicious client side code (e.g Java) is also capable
# of using the actions editor and you shouldn't enable this
# options unless you understand the consequences and are sure
# your browser is configured correctly.
#
# Note that you must have compiled Privoxy with support for this
# feature, otherwise this option has no effect.
#
enable-edit-actions 0
#
#
#
#
# 4.8. buffer-limit
# ==================
#
# Specifies:
#
# Maximum size of the buffer for content filtering.
#
# Type of value:
#
# Size in Kbytes
#
# Default value:
#
# 4096
#
# Effect if unset:
#
# Use a 4MB (4096 KB) limit.
#
# Notes:
#
# For content filtering, i.e. the +filter and +deanimate-gif
# actions, it is necessary that Privoxy buffers the entire document
# body. This can be potentially dangerous, since a server could
# just keep sending data indefinitely and wait for your RAM to
# exhaust -- with nasty consequences. Hence this option.
#
# When a document buffer size reaches the buffer-limit, it is
# flushed to the client unfiltered and no further attempt to filter
# the rest of the document is made. Remember that there may be
# multiple threads running, which might require up to buffer-limit
# Kbytes each, unless you have enabled "single-threaded" above.
#
buffer-limit 265
#
#
#
#
# 5.2. forward-socks4, forward-socks4a and forward-socks5
# ========================================================
#
# Specifies:
#
# Through which SOCKS proxy (and optionally to which parent HTTP
# proxy) specific requests should be routed.
#
# Type of value:
#
# target_pattern socks_proxy[:port] http_parent[:port]
#
# where target_pattern is a URL pattern that specifies to which
# requests (i.e. URLs) this forward rule shall apply. Use / to
# denote "all URLs". http_parent and socks_proxy are IP addresses
# in dotted decimal notation or valid DNS names (http_parent may
# be "." to denote "no HTTP forwarding"), and the optional port
# parameters are TCP ports, i.e. integer values from 1 to 65535
#
# Default value:
#
# Unset
#
# Effect if unset:
#
# Don't use SOCKS proxies.
#
# Notes:
#
# Multiple lines are OK, they are checked in sequence, and the
# last match wins.
#
# The difference between forward-socks4 and forward-socks4a
# is that in the SOCKS 4A protocol, the DNS resolution of the
# target hostname happens on the SOCKS server, while in SOCKS 4
# it happens locally.
#
# With forward-socks5 the DNS resolution will happen on the remote
# server as well.
#
# socks_proxy and http_parent can be a numerical IPv6 address
# (if RFC 3493 is implemented). To prevent clashes with the port
# delimiter, the whole IP address has to be put into brackets. On
# the other hand a target_pattern containing an IPv6 address has
# to be put into angle brackets (normal brackets are reserved
# for regular expressions already).
#
# If http_parent is ".", then requests are not forwarded to another
# HTTP proxy but are made (HTTP-wise) directly to the web servers,
# albeit through a SOCKS proxy.
#
# Examples:
#
# From the company example.com, direct connections are made to all
# "internal" domains, but everything outbound goes through their
# ISP's proxy by way of example.com's corporate SOCKS 4A gateway
# to the Internet.
#
# forward-socks4a / socks-gw.example.com:1080 www-cache.isp.example.net:8080
# forward .example.com .
#
#
# A rule that uses a SOCKS 4 gateway for all destinations but no
# HTTP parent looks like this:
#
# forward-socks4 / socks-gw.example.com:1080 .
#
#
# To chain Privoxy and Tor, both running on the same system,
# you would use something like:
#
forward-socks5 / 127.0.0.1:9050 .
#
#
# The public Tor network can't be used to reach your local network,
# if you need to access local servers you therefore might want
# to make some exceptions:
#
# forward 192.168.*.*/ .
# forward 10.*.*.*/ .
# forward 127.*.*.*/ .
#
#
# Unencrypted connections to systems in these address ranges will
# be as (un) secure as the local network is, but the alternative
# is that you can't reach the local network through Privoxy at
# all. Of course this may actually be desired and there is no
# reason to make these exceptions if you aren't sure you need them.
#
# If you also want to be able to reach servers in your local
# network by using their names, you will need additional exceptions
# that look like this:
#
# forward localhost/ .
#
#
#
#
# 6.4. keep-alive-timeout
# ========================
#
# Specifies:
#
# Number of seconds after which an open connection will no longer
# be reused.
#
# Type of value:
#
# Time in seconds.
#
# Default value:
#
# None
#
# Effect if unset:
#
# Connections are not kept alive.
#
# Notes:
#
# This option allows clients to keep the connection to Privoxy
# alive. If the server supports it, Privoxy will keep the
# connection to the server alive as well. Under certain
# circumstances this may result in speed-ups.
#
# By default, Privoxy will close the connection to the server if
# the client connection gets closed, or if the specified timeout
# has been reached without a new request coming in. This behaviour
# can be changed with the connection-sharing option.
#
# This option has no effect if Privoxy has been compiled without
# keep-alive support.
#
# Note that a timeout of five seconds as used in the default
# configuration file significantly decreases the number of
# connections that will be reused. The value is used because some
# browsers limit the number of connections they open to a single
# host and apply the same limit to proxies. This can result in a
# single website "grabbing" all the connections the browser allows,
# which means connections to other websites can't be opened until
# the connections currently in use time out.
#
# Several users have reported this as a Privoxy bug, so the default
# value has been reduced. Consider increasing it to 300 seconds
# or even more if you think your browser can handle it. If your
# browser appears to be hanging it can't.
#
# Examples:
#
# keep-alive-timeout 300
#
keep-alive-timeout 600
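Since the settings that matter for Tor use are buried in that long config, here is an added example (not from the thread and not Privoxy's own tooling) of a small audit script that parses a Privoxy config and checks the properties the comments above warn about: the listener is bound to loopback only, every request is forwarded through a SOCKS proxy that resolves DNS remotely (socks4a or socks5, not socks4), and the web-based remote toggle, HTTP toggle and actions editor are off. The two embedded config fragments are constructed: the first reproduces the directive values from the posted config, the second is a deliberately weak variant for comparison.

```python
import ipaddress

# Constructed sample with the same directive values as the posted Windows config
# (documentation comments omitted). Used only as input for the audit below.
TOR_CONFIG = """\
confdir C:\\Program Files\\Privoxy
logdir .
actionsfile match-all.action  # Actions that are applied to all sites
filterfile default.filter
logfile privoxy.log
debug 4096
debug 8192
listen-address 127.0.0.1:8118
toggle 0
enable-remote-toggle 0
enable-remote-http-toggle 0
enable-edit-actions 0
buffer-limit 265
forward-socks5 / 127.0.0.1:9050 .
keep-alive-timeout 600
"""

# Constructed counter-example: binds every interface, resolves DNS locally via
# SOCKS 4, and lets anyone who can reach the port toggle and edit the proxy.
WEAK_CONFIG = """\
listen-address :8118
enable-remote-toggle 1
enable-edit-actions 1
forward-socks4 / 127.0.0.1:9050 .
"""


def parse(text: str) -> list:
    """Privoxy config syntax: one 'name value' directive per line, '#' starts a comment."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, _, value = line.partition(" ")
            directives.append((name, value.strip()))
    return directives


def listen_host(value: str) -> str:
    """'[::1]:8118' -> '::1', '127.0.0.1:8118' -> '127.0.0.1', ':8118' -> ''."""
    return value.rsplit(":", 1)[0].strip("[]")


def is_loopback(host: str) -> bool:
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a hostname rather than an address
        return host == "localhost"


def audit(text: str) -> list:
    """Return a list of findings; an empty list means the config passed every check."""
    d = parse(text)
    findings = []

    # Unset listen-address means Privoxy's documented default of 127.0.0.1:8118.
    listens = [v for n, v in d if n == "listen-address"] or ["127.0.0.1:8118"]
    for v in listens:
        host = listen_host(v)
        if host == "":
            findings.append(f"listen-address {v}: no IP given, binds all interfaces")
        elif not is_loopback(host):
            findings.append(f"listen-address {v}: not loopback, reachable from the network")

    socks = [(n, v) for n, v in d if n.startswith("forward-socks")]
    if not socks:
        findings.append("no forward-socks rule: requests leave Privoxy without Tor")
    for n, v in socks:
        if n == "forward-socks4":
            findings.append(f"{n} {v}: SOCKS 4 resolves DNS locally, leaking hostnames")

    for name in ("enable-remote-toggle", "enable-remote-http-toggle", "enable-edit-actions"):
        vals = [v for n, v in d if n == name]  # last occurrence wins
        if vals and vals[-1] != "0":
            findings.append(f"{name} {vals[-1]}: remote control of the proxy enabled")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted config", TOR_CONFIG), ("weak config", WEAK_CONFIG)):
        print(f"{label}: {audit(cfg) or 'no findings'}")
```

Running it against a real install is a matter of `audit(open(path).read())`; the check is deliberately limited to the directives shown in the thread and does not try to validate the actions or filter files.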
 

spurr

Active member
Veteran
Directions for Privoxy with Mac:


1a. Mac users need to build (i.e. compile) Privoxy for their systems. If using Snow Leopard see the directions for building Privoxy here.


1b. Make sure to build the most current version of Privoxy. In the directions above the author is using v3.0.16, but right now v3.0.17 is current, so use v3.0.17; get the source code here.


2. Download the zip folder I made with Privoxy config files for Mac here; password is "ilovecanna" (without quotes).


3. Put the three files "config", "default" and "match-all" into /usr/local/etc/privoxy/config; overwrite the three files with the same name already in /usr/local/etc/privoxy/config.


4a. When Vidalia starts it also auto-starts Polipo. I could tell you all how to configure Vidalia to auto-start Privoxy instead, but I don't want to do that because it is best to use Polipo whenever possible.


4b. To use Privoxy, start Vidalia and kill the Polipo process by following the directions here.


4c. Start Privoxy by hand, or use the batch file from step one. If using the batch file see the direction from step 1 on starting the file via command line: $ sudo launchctl load /Library/LaunchDaemons/org.privoxy.plist


5. In Firefox toggle Torbutton in the lower right hand corner so the text goes from being red ("Tor Disabled") to green ("Tor Enabled"). Done, now you are using Privoxy instead of Polipo for Tor and Firefox.
 

spurr

Active member
Veteran
Making Firefox work better with Tor:

(do not use pipelining because Privoxy doesn't support it and I find browsing is faster without pipelining even with Polipo)


1. Start Firefox.


2. Type the following into the URL bar: "about:config" (without quotes)


3. Then copy the bolded text below, one by one, into the text bar next to "filter" (see first image below for an example). For both settings below, right click on the text and choose "modify", then enter the appropriate number (i.e., 600 and 16, respectively) and click OK after configuring each setting. Then re-start Firefox.


network.http.keep-alive.timeout:600
network.http.max-persistent-connections-per-proxy:16

[screenshot]


[screenshot]
 

spurr

Active member
Veteran
How to configure Firefox add-ons for use with Tor and ICMag:

See the list of add-ons I made in a post above, install all of them either via the add-on's own website or via the Mozilla add-ons website (the latter can have out of date add-ons). After all of them are installed re-start Firefox. Only NoScript and RefControl need to be configured, all others can be left in their default state.

Oh yeah, don't install "NeverCookie", it is an add-on that protects from EverCookies by "sandboxing" the browser, but it's not a good solution. Instead just use the program "BleachBit", I will make a post about using BleachBit to remove EverCookies next.


NoScript:


1. In Firefox go to: Tools > Add-ons > [click on] NoScript > Options > Advanced > HTTPS > Behavior. Then click the arrow and choose "Always". Then enter the two main URLs for ICMag as in the screen shot below:
[screenshot]

2. Now click the "Cookies" tab next to "Behavior", click the box (so a check mark appears) next to "Enable Automatic Secure Cookies Management". Then enter the two main URLs for ICMag as in the screen shot below:
[screenshot]


RefControl:


1. In Firefox go to: Tools > RefControl Options. Click on the button "edit" and then click the empty circle next to "Forge - send the root of this site (http://SITE/)"; then click OK and OK. This setting will make RefControl forge the referrer for every site. See the screen shots below:

[screenshot]

[screenshot]

 

spurr

Active member
Veteran
Problems you will encounter using the add-ons I listed:

Of all the add-ons I listed, only "RequestPolicy" and "NoScript" will 'break' some sites.


Part 1: RequestPolicy:

In terms of ICMag, make sure to keep RequestPolicy so it does not allow off-site destination requests from ICMag. The reason is some people like to post pics they uploaded to off-site image hosts like ImageShack, etc. When people post URLs to images on off-site hosts they are endangering your anonymity, and that is not good for various reasons.

Thus, we can use RequestPolicy to block all non-ICMag images and other junk (like YouTube videos) that people post, which can endanger our anonymity. But there is a trade-off: you cannot see the images in posts that are located on off-site hosts, instead you see an off-white vertical line, i.e. an image placeholder. I for one never allow ICMag to run off-site links (like YouTube) or images, etc., and I suggest others do the same...

By default RequestPolicy blocks all off-site destinations, so if a site doesn't look right, see if the RequestPolicy flag is red; if so, choose whether you want to allow all, or just some, off-site destinations to run on whatever site you are viewing.

When using Tor and Firefox to browse the Internet, many sites rely on cross-site scripting/images/etc., and thus RequestPolicy makes those sites unreadable for the most part. In that case, you need to choose if you want to allow cross-site scripting to run, and if you do, then right click on the flag icon in the Firefox system tray (see image below), and choose "Temporarily allow all requests from FOO.com" ("FOO.com" is a generic term for any website; on ICmag, FOO.com would read "icmag.com").

When using RequestPolicy you can also choose which specific destinations are allowed to run on the site you are viewing, e.g., I could allow ImageShack to run on ICmag but disallow any other site, via the sites listed under "Allowed Destinations" when I right click on the RequestPolicy flag in the lower right hand corner. It's a good idea to mess around with RequestPolicy so people understand how it works.

Below are two examples of Huffingtonpost.com with RequestPolicy blocking all destinations, and then an example of Huffingtonpost.com with RequestPolicy allowing all destinations.

When the RequestPolicy flag in the lower right hand corner is gray that means it is not blocking any off-site destinations; and when the flag is red it means it is blocking some/all off-site destinations.


1. RequestPolicy blocking Huffingtonpost from running off-site destinations:

[screenshot]

2. RequestPolicy allowing Huffingtonpost to run off-site destinations:

[screenshot]
 
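As an added example (my own code, not RequestPolicy's), the decision the post above describes, applied to the resources a forum post would load: everything on a different site than the page is blocked unless the origin site has "Temporarily allow all requests" or that destination is on its "Allowed Destinations" list. The sample post HTML and host names are constructed, and the "site" of a host is taken as its last two labels, which is a simplification I am making (the add-on uses a proper public-suffix notion, so co.uk-style domains would need more care).

```javascript
// Added example, not RequestPolicy's own code.

// Registrable domain ("site") of a host: last two labels. Simplification
// (assumption); a real implementation consults the public suffix list.
function siteOf(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

class RequestPolicy {
  constructor() {
    this.temporaryAllowAll = new Set();   // sites given "Temporarily allow all requests"
    this.allowedDestinations = new Map(); // origin site -> Set of allowed destination sites
  }
  allowAllFrom(originSite) { this.temporaryAllowAll.add(originSite); }
  allowDestination(originSite, destSite) {
    if (!this.allowedDestinations.has(originSite)) this.allowedDestinations.set(originSite, new Set());
    this.allowedDestinations.get(originSite).add(destSite);
  }
  // 'same-site' loads always; 'allowed' by one of the two lists; else 'blocked'.
  decide(pageUrl, resourceUrl) {
    const origin = siteOf(new URL(pageUrl).hostname);
    const dest = siteOf(new URL(resourceUrl, pageUrl).hostname); // relative URLs resolve to the page's site
    if (origin === dest) return 'same-site';
    if (this.temporaryAllowAll.has(origin)) return 'allowed';
    const allowed = this.allowedDestinations.get(origin);
    if (allowed && allowed.has(dest)) return 'allowed';
    return 'blocked';
  }
}

// Pull src attributes of embedding tags out of a post. A simple regex,
// adequate for the constructed sample below, not an HTML parser.
function resourceUrls(html) {
  const re = /<(?:img|iframe|script|embed)\b[^>]*\bsrc=["']([^"']+)["']/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Which resources load and which become the off-white placeholder.
function audit(policy, pageUrl, html) {
  const result = { loaded: [], blocked: [] };
  for (const u of resourceUrls(html)) {
    (policy.decide(pageUrl, u) === 'blocked' ? result.blocked : result.loaded).push(u);
  }
  return result;
}

// Constructed sample post (not a real ICmag post): one on-site image,
// one ImageShack image, one embedded YouTube video.
const SAMPLE_POST = `
<img src="https://www.icmag.com/gallery/picture.php?id=1" alt="on-site">
<img src="http://img123.imageshack.us/img123/abc.jpg" alt="off-site">
<iframe src="http://www.youtube.com/embed/xyz"></iframe>`;

const page = 'https://www.icmag.com/forum/showthread.php?t=1';
const policy = new RequestPolicy();
console.log('default (flag red):', audit(policy, page, SAMPLE_POST));
policy.allowDestination('icmag.com', 'imageshack.us');
console.log('ImageShack on Allowed Destinations:', audit(policy, page, SAMPLE_POST));
```

Every URL in the blocked list is a host that would otherwise have received a request carrying your IP address (or your Tor exit node's) and, without RefControl, the thread URL as Referer; that is the anonymity cost the post is talking about.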

spurr

Active member
Veteran
Problems you will encounter using the add-ons I listed:

Of all the add-ons I listed, only "RequestPolicy" and "NoScript" will 'break' some sites.


Part 2: NoScript

NoScript blocks all scripts from running on most sites by default, and if it blocks scripts from running on ICmag we cannot use BB code tags by clicking the buttons like [size ], [quote ], [bold ], etc., etc. Not allowing JavaScript to run on ICmag makes ICmag a pain in the ass to use.

The good news is TorButton disables Java, and runs 'sanitized' JavaScript so we can use JavaScript with minimal worry about attacks on our anonymity (ex., via a rogue Tor exit node) as long as we trust ICmag not to do anything nefarious (ex., attacks against our browser fingerprint to identify us out of a crowd of Tor users, etc.). I for one trust Gypsy enough to run JavaScript on ICmag as long as I am using TorButton...

That said, disallowing JavaScript on every site you can, when it doesn't break usage of the site, is the safest route to take.

When using NoScript on ICmag for the first time, right click on the "S" with a red line through it in the lower right hand corner of Firefox (that is the NoScript icon). Then highlight "Allow icmag.com" and the page should auto-reload with JavaScript allowed on icmag.com, and the "S" icon will no longer have a red line through it. That means ICmag is now allowed to run all local (i.e. on-site) JavaScript in your Firefox.

If you are using other sites that require JavaScript, like your web-based email, etc., you can enable JavaScript on a per-site basis the same way as above. Right click on the "S" with a red line through it in the lower right hand corner and choose "Temporarily allow FOO.com" or "Allow FOO.com". Sometimes if RequestPolicy is blocking a site you want to allow via NoScript you first need to allow the site via RequestPolicy, then via NoScript.

Example of ICmag disallowed via NoScript:

[screenshot]

Example of ICmag allowed via NoScript:

[screenshot]
 

spurr

Active member
Veteran
Note:

I believe that in a current update to NoScript the code for forcing encryption of cookies sent over HTTPS is buggy. When I use NoScript whilst I have "Automatic Secure Cookies Management" enabled for ICmag, my login session dies. I assume this has something to do with how NoScript is encrypting the ICmag cookies. When that feature is not used, my login sessions are not killed. I suggest others do not use the cookie encryption feature of NoScript.

I will try to find out how icmag handles cookies over HTTPS; it might already properly secure them over HTTPS.
 
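An added example (my own code, not NoScript's) of what "Automatic Secure Cookies Management" does as I understand the feature: a cookie that a listed site sets over HTTPS gets the Secure attribute added, and a browser then refuses to send a Secure cookie on any plain-http request. One mechanism consistent with the dead login sessions described in the note above, offered as my assumption rather than something the thread establishes, is that some ICmag page loads after login still go over http://, so the now-Secure session cookie is simply not sent and the server sees no session. The host names and cookie name are constructed, and the jar below matches on exact host only (no Domain or Path handling).

```javascript
// Added example, not NoScript's own code. Host names and cookie name are
// assumptions, not taken from the thread.
const SECURE_COOKIE_HOSTS = new Set(['icmag.com', 'www.icmag.com']);

// Parse one Set-Cookie header into name, value, the Secure flag and the
// remaining attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), secure: false, attrs: {} };
  for (const a of attrs) {
    const [k, v] = a.split('=');
    if (k.toLowerCase() === 'secure') cookie.secure = true;
    else cookie.attrs[k.toLowerCase()] = v;
  }
  return cookie;
}

// The NoScript-style rewrite: for a listed host, a cookie set over HTTPS is
// flagged Secure even if the server omitted the attribute.
function autoSecure(responseUrl, header) {
  const u = new URL(responseUrl);
  if (u.protocol === 'https:' && SECURE_COOKIE_HOSTS.has(u.hostname) && !/;\s*secure\b/i.test(header)) {
    return header + '; Secure';
  }
  return header;
}

// Minimal cookie jar: exact-host matching only (simplification).
class CookieJar {
  constructor() { this.cookies = new Map(); } // host -> (name -> cookie)
  store(responseUrl, header) {
    const host = new URL(responseUrl).hostname;
    if (!this.cookies.has(host)) this.cookies.set(host, new Map());
    const c = parseSetCookie(header);
    this.cookies.get(host).set(c.name, c);
  }
  // Cookie header for a request. The rule that matters here: a Secure
  // cookie is only ever sent over https.
  cookieHeader(requestUrl) {
    const u = new URL(requestUrl);
    const jar = this.cookies.get(u.hostname) || new Map();
    return [...jar.values()]
      .filter(c => !c.secure || u.protocol === 'https:')
      .map(c => `${c.name}=${c.value}`)
      .join('; ');
  }
}

// A constructed login response sets a session cookie without Secure; then
// one page is requested over https and one over plain http.
function simulate(withAutoSecure) {
  const jar = new CookieJar();
  let header = 'sessionid=abc123; path=/; HttpOnly';
  if (withAutoSecure) header = autoSecure('https://www.icmag.com/login.php', header);
  jar.store('https://www.icmag.com/login.php', header);
  return {
    httpsPage: jar.cookieHeader('https://www.icmag.com/forum/'),
    httpPage: jar.cookieHeader('http://www.icmag.com/forum/'),
  };
}

console.log('feature off:', simulate(false));
console.log('feature on: ', simulate(true));
```

With the feature on, the http:// request carries no session cookie at all, which from the server's side is indistinguishable from being logged out. The practical check is to watch whether any icmag.com request after login goes over http:// (the NoScript "HTTPS Always" setting from earlier in the thread is meant to prevent exactly that), since the two settings only work together if every request to the site really is upgraded.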
M

mugenbao

Wow spurr, that's much more detailed than I expected, thanks :)

I think that most of this thread should be extracted, turned into a separate thread, made into a sticky, then presented during the sign-up process as mandatory reading (like the TOS) before ICMag finalizes a member's registration, hehe.
 

VerdantGreen

Genetics Facilitator
Boutique Breeder
Mentor
ICMag Donor
Veteran
Agreed, spurr's rundown of Tor, Firefox and how to streamline it is the best and most detailed that I've ever read.

I for one am glad he's still here to share such valuable knowledge with the community.

VG
 
