How can I speed up CGI mode?
Generally, CGI connection mode is the slowest of all possible connection modes. This is due to the way it works: it needs to accumulate data before it sends it off to the other side. But you can adjust a few knobs and try to make it faster. You need to locate the ".ems.cfg" config file first. Have a look at the user guide if you need help with this step. This file can be edited with any text editor, for example Notepad. Ensure the YF client is NOT running when you edit the file or your changes may be lost. It is difficult to break this file so don't hesitate to try... There are four values that control the timing of CGI connections and you can change every one of them, but I would not recommend changing any other timing but "cgi_uplink_maxdelay". Here are the parameters with their default values and their meaning:
- cgi_uplink_maxdelay. Defaults to 500 milliseconds. The YF client will accumulate data for at most this time until it initiates a new uplink connection, no matter how much data has been accumulated. You might want to set this to a lower value, maybe 200 milliseconds.
- cgi_uplink_urgentdelay. Defaults to 20 milliseconds. The YF client will use this value instead of the previous value when it has frames to deliver that are considered urgent, for example acknowledgements.
- cgi_uplink_threshold. Defaults to 3. If this many frames (YF data units) are to be delivered, a new uplink connection will be made right away. Setting this to 1 will effectively disable data accumulation and make your connection much more responsive, but it will also create much more overhead. If you don't care about how many connections are made and how much overhead it generates, set this to 1 and don't worry about the rest.
- cgi_uplink_mindelay. Defaults to 1 millisecond. This is the minimum amount of time between two uplink connections. You should not set it to 0 and most people should not have to increase it, but if your network connection drops connection attempts that appear in bursts, try setting it to a higher value!
All these values normally do not appear in the config file and are not configurable through the front end. Just add lines to the file (it does not matter where) that contain the name of the value, a space, and the numeric value to which you would like to set it (no unit). Optimum performance is probably achieved by setting cgi_uplink_threshold to 1 and cgi_uplink_mindelay to maybe 20. Try it, you can't break anything, if it doesn't work just remove the lines again.
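As an added illustration (this is not code from the Your Freedom client), the following reads the four CGI knobs out of a ".ems.cfg"-style file using the line format described above (name, a space, numeric value, no unit), applies the defaults for anything not present, and flags the two settings the answer warns about. The file contents and the extra "proxy_host" line are constructed samples.

```python
# Added example (not part of the Your Freedom client): parse the CGI timing
# knobs out of a ".ems.cfg"-style file. The file format assumed here is the
# one the FAQ describes: one "<name> <value>" pair per line, no units.
import re

# Defaults as stated in the FAQ (milliseconds, except threshold = frame count).
CGI_DEFAULTS = {
    "cgi_uplink_maxdelay": 500,
    "cgi_uplink_urgentdelay": 20,
    "cgi_uplink_threshold": 3,
    "cgi_uplink_mindelay": 1,
}

_LINE = re.compile(r"^\s*(\S+)\s+(\S+)\s*$")


def parse_cgi_settings(text):
    """Return the four CGI knobs with file values applied over the defaults.

    Lines that are not 'name value' pairs, or that name other keys, are
    ignored so the rest of the config file can contain anything.
    Raises ValueError on a non-numeric value for one of the CGI keys.
    """
    settings = dict(CGI_DEFAULTS)
    for lineno, line in enumerate(text.splitlines(), 1):
        m = _LINE.match(line)
        if not m or m.group(1) not in CGI_DEFAULTS:
            continue
        key, raw = m.groups()
        if not raw.isdigit():
            raise ValueError(f"line {lineno}: {key} needs a plain integer, got {raw!r}")
        settings[key] = int(raw)
    return settings


def check_cgi_settings(settings):
    """Return warnings for values the FAQ advises against (plus one derived
    from its description: an urgent delay longer than the normal one would
    make urgent frames wait longer, not shorter)."""
    warnings = []
    if settings["cgi_uplink_mindelay"] == 0:
        warnings.append("cgi_uplink_mindelay should not be 0")
    if settings["cgi_uplink_threshold"] < 1:
        warnings.append("cgi_uplink_threshold below 1 makes no sense; 1 already disables accumulation")
    if settings["cgi_uplink_urgentdelay"] > settings["cgi_uplink_maxdelay"]:
        warnings.append("cgi_uplink_urgentdelay is larger than cgi_uplink_maxdelay")
    return warnings


# Constructed sample: the "optimum" setting from the FAQ plus unrelated lines.
SAMPLE_CFG = """\
# unrelated entries stay untouched
proxy_host 10.0.0.1
cgi_uplink_threshold 1
cgi_uplink_mindelay 20
"""

if __name__ == "__main__":
    s = parse_cgi_settings(SAMPLE_CFG)
    print(s)
    print(check_cgi_settings(s) or "no warnings")
```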
What are these strange "U2" addresses?
YF server "names" starting with U2 are encrypted IP addresses. If you ever see them it means that the YF client believes that you are pretty much filtered. It will then try some addresses reserved for desperate people, and these addresses are only distributed in encrypted form. Don't worry about the strange look of them, they work nevertheless. And if they don't, they got filtered as well.
What are "tweaks"? How can I make use of them?
This is a feature added in version 20100204-01. Basically it's a set of rules for how a connection between the YF client and the YF server can be made in some special networking situations. Most people don't need these and can safely leave it disabled; in fact if you are able to connect, do not enable tweaks. However if you are unable to connect, check whether one of the tweaks seems to match your networking situation. Their names are very explicit. Will we add more of these? Probably. We add them when needed, and we can only add them if we learn about such tweaks. If you've got a clever way to configure the YF client to connect to its servers in some unusual networking situation, please tell us about it. Why are there no such tweaks for Iran, China, and whatnot? Basically because you don't need them there. :-)
What does "use true SSL" do?
It does what the name suggests. 8)
The "HTTPS" communications scheme uses a codec that relies on a transparent TCP connection, as it is normally used to provide HTTP with SSL protection (commonly known as "HTTPS"). Now, while the channel that web proxies and firewalls normally provide to web browsers for HTTPS is typically (but not always) transparent, they sometimes check that the protocol spoken is actually SSLv2 or SSLv3 (TLS) and not something else -- this is to prevent e.g. SSH tunneling through this port. Of course, they detect that our protocol isn't SSL either and disrupt the connection after they have determined this. The symptoms are that the YF client can initially connect to the server, maybe even authenticate, but then the connection freezes and gets re-established after a while, ad nauseam.
A simple and most of the time effective solution to this is to enable the "true SSL" feature. It takes our binary data stream and wraps it in SSLv3 (TLS), making suspicious proxies and firewalls believe that it is really a browser speaking HTTPS.
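To make the protocol check described above concrete, here is an added example (not code from Your Freedom or from any particular firewall product) of the test a proxy or firewall can apply to the first bytes a client sends on port 443: is this a TLS record carrying a ClientHello, or an SSLv2-style hello, or something else? A raw binary stream fails this test, which is what produces the freeze-and-reconnect symptom; a stream wrapped in a real TLS handshake passes it. The ClientHello and the other inputs are constructed samples; record and handshake offsets follow RFC 5246.

```python
# Added example (not part of the Your Freedom code base): the check a
# protocol-aware proxy or firewall can apply to the first bytes a client sends
# on port 443 to decide whether it is really SSL/TLS. Offsets follow RFC 5246
# section 6.2.1 (record layer) and 7.4 (handshake); the SSLv2-compatible hello
# is the format described in RFC 5246 appendix E.2.
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
TLS_MAX_RECORD = 16384


def classify_client_hello(data):
    """Return "tls", "sslv2" or None for the first bytes sent by a client.

    None means "not an SSL/TLS ClientHello", which is what makes a
    protocol-checking middlebox drop or reset the connection.
    """
    if len(data) >= 9 and data[0] == TLS_HANDSHAKE:
        major, minor = data[1], data[2]
        (rec_len,) = struct.unpack("!H", data[3:5])
        hs_type = data[5]
        hs_len = int.from_bytes(data[6:9], "big")
        if (major == 3 and minor <= 3 and 0 < rec_len <= TLS_MAX_RECORD
                and hs_type == CLIENT_HELLO and hs_len == rec_len - 4):
            return "tls"
    # SSLv2-style hello: 2-byte length with the high bit set, then type 0x01,
    # then the version (0x0002 for SSL 2.0, or the TLS version being offered).
    if len(data) >= 5 and data[0] & 0x80 and data[2] == CLIENT_HELLO:
        (version,) = struct.unpack("!H", data[3:5])
        if version == 0x0002 or 0x0300 <= version <= 0x0303:
            return "sslv2"
    return None


def build_sample_client_hello():
    """Constructed minimal TLS 1.0 ClientHello offering one cipher suite."""
    body = (b"\x03\x01"            # client_version TLS 1.0
            + bytes(32)            # random (all zero: this is a constructed sample)
            + b"\x00"              # session_id length 0
            + b"\x00\x02\x00\x05"  # cipher_suites: one entry, TLS_RSA_WITH_RC4_128_SHA
            + b"\x01\x00")         # compression_methods: null only
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 3, 1]) + struct.pack("!H", len(handshake)) + handshake


# Constructed SSLv2-compatible hello header offering TLS 1.0, padded to length.
SAMPLE_SSLV2_HELLO = b"\x80\x2e\x01\x03\x01" + bytes(44)
# Constructed non-TLS stream, standing in for an unwrapped binary tunnel protocol.
SAMPLE_RAW_STREAM = bytes([0x01, 0x7f, 0x00, 0x10]) + b"YF" + bytes(10)

if __name__ == "__main__":
    for name, sample in [("tls hello", build_sample_client_hello()),
                         ("sslv2 hello", SAMPLE_SSLV2_HELLO),
                         ("raw stream", SAMPLE_RAW_STREAM),
                         ("plain http", b"GET / HTTP/1.1\r\nHost: example\r\n\r\n")]:
        print(f"{name:12s} -> {classify_client_hello(sample)}")
```

A middlebox that does this, and only this, is satisfied by the "true SSL" wrapper because the wrapper presents a genuine ClientHello; it says nothing about what is inside the resulting TLS session, which is the point of the next paragraphs.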
Two questions remain: a) is it more secure, and b) will it always help? The answer to both is: no. Well, not exactly. Let me explain why.
Using an SSLv3 wrapper does indeed employ additional encryption (in this case it's RC4 with a 128-bit key, as is commonly used for HTTPS). But remember that each encryption is only as good as the key used. The key is negotiated under protection of the public/secret keypair (in this case: an RSA pair). But this only helps if the client side can rely on the public key really belonging to the server and not some man in the middle -- to ensure this, public keys are usually signed with a certificate, the certificate is provided to the requester as well in the negotiation phase, and this certificate carries a signature by a trustworthy party. This last step is something we cannot provide -- our certificate is self-signed (as is the case with many web sites), which does not protect in any way against man-in-the-middle attacks. We cannot have it signed by a trustworthy party because then we could not replace the certificate frequently, and this would mean that it's too simple to detect our protocol -- you would just need to detect the use of a particular certificate.
This has two consequences. The additional encryption does not protect against man-in-the-middle attacks (but our own encryption does), but it protects against record-and-decrypt-later types of attacks. In this way, using the "true SSL" feature actually makes the connection more secure. If you are expecting someone to eavesdrop on your connection and invest several PC-days to decrypt your traffic, enable "true SSL" to make their life absolutely miserable. Contrary to HTTPS, a known-plaintext dictionary attack against RC4 is much more complicated with our protocol because it uses some random seed bytes of random length.
The other consequence is that proxies and firewalls who completely decrypt and re-encrypt all HTTPS traffic, verifying the site certificate and refusing self-signed certificates, will still block our connection. (I hate to promote this technology but if a company is really serious about stopping tunneling, this is a must.) Will this block our service? No. There is still HTTP. :-)
I hope this has clarified what the "true SSL" feature is and what you can use it for. It's for those paranoid about an attack against recorded traffic, and for those who need it because otherwise the connection doesn't work. We haven't enabled it by default because it uses resources on the server and may slightly increase latency. If you are a registered, logged-in user have a look at the "Internals" section in the documentation part of the web site.
Should I tick "use true SSL"?
Only if you have to. It does not make your connection any more secure, it only makes it work at all if your proxy or firewall is picky and notices that without this option, it's not really SSL we are talking. Ticking this box makes your YF client use slightly more CPU and it might make the connection fail every 30 seconds for a fraction of a second.
The reason why "true SSL" is not more secure even though it adds strong additional encryption is very simple: we cannot verify the server certificate, because if we can, "they" can as well and block the connection based on it. The server changes the certificate frequently. But without a verified certificate there is no way we can tell whether the encryption credentials really come from the YF server and not a "man in the middle".
If you are concerned about your privacy, make sure you enable encryption and re-keying, and use a strong password. Checking "use true SSL" will add another layer of obfuscation (which might be beneficial!), but it doesn't make it more secure.
Can I run YF through the Tor network?
Yes you can.
There are three reasons why you would want to do this:
1. You can't reach any YF servers but Tor works.
2. You would like the combined anonymity.
3. You would like to do things through Tor that Tor does not allow/support.
Tor is a mesh of many user supplied servers, with a lot of fluctuation in IP addresses. This makes it virtually unblockable. You install a client application on your local PC that provides a SOCKS proxy (typically on port 9050). This SOCKS proxy can be used as the proxy through which YF builds its tunnel connection (just configure it on the Proxy panel of the Configuration window, and choose SOCKSv5 as the proxy type -- this works with client 20070824-03 and above). Choose HTTPS as the connection mode and port 443, both on the Connection panel of the configuration window.
Don't expect high performance -- this is a very complicated way of connecting to the YF servers, but it is also very effective at hiding what you are doing, and it may work in places where all else fails.
Please note however that you cannot use OpenVPN mode unless the Tor client is set up to connect through a proxy and you have manually excluded the proxy's IP address from OpenVPN routing.
More about Tor can be found on http://tor.eff.org/
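The SOCKSv5 step of the setup above, shown as an added example (not the Your Freedom client's code): a client greets the local Tor SOCKS port, is granted the no-authentication method, and asks for a CONNECT to a server name on port 443. The hostname is sent as a domain-name address so that Tor, not the local resolver, does the lookup. Because Tor itself is not available offline, a small constructed responder plays the SOCKS server's part over a socketpair; the YF server name used is the one that appears elsewhere in this FAQ.

```python
# Added example (not the Your Freedom client's code): the SOCKS5 exchange a
# client performs against a local Tor SOCKS port (127.0.0.1:9050 by default)
# to open a TCP connection to a remote host on port 443, as in the FAQ's
# HTTPS-over-Tor setup. Message layout follows RFC 1928. A small in-process
# responder stands in for Tor so the exchange can be run offline.
import socket
import struct
import threading

SOCKS_VERSION = 5
NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
              3: "network unreachable", 4: "host unreachable", 5: "connection refused",
              6: "TTL expired", 7: "command not supported", 8: "address type not supported"}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("SOCKS peer closed the connection")
        buf += chunk
    return buf


def socks5_connect(sock, host, port):
    """Negotiate no-auth SOCKS5 on an open socket and request CONNECT host:port.

    The hostname is sent as a domain name (ATYP 0x03), so the proxy (Tor)
    resolves it and no DNS query leaves this machine. Returns the reply
    code; 0 means the tunnel is up and `sock` now carries the payload.
    """
    # Greeting: version, number of methods, method list (no authentication only).
    sock.sendall(bytes([SOCKS_VERSION, 1, NO_AUTH]))
    ver, method = _recv_exact(sock, 2)
    if ver != SOCKS_VERSION or method != NO_AUTH:
        raise ConnectionError(f"proxy rejected method negotiation: {ver:#x} {method:#x}")
    # Request: version, CONNECT, reserved, ATYP domain, name length, name, port.
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname too long for SOCKS5")
    sock.sendall(bytes([SOCKS_VERSION, CMD_CONNECT, 0, ATYP_DOMAIN, len(name)])
                 + name + struct.pack("!H", port))
    ver, rep, _rsv, atyp = _recv_exact(sock, 4)
    if ver != SOCKS_VERSION:
        raise ConnectionError("bad SOCKS version in reply")
    # Drain the bound address so the socket is positioned at the payload.
    if atyp == ATYP_IPV4:
        _recv_exact(sock, 4 + 2)
    elif atyp == ATYP_IPV6:
        _recv_exact(sock, 16 + 2)
    elif atyp == ATYP_DOMAIN:
        (n,) = _recv_exact(sock, 1)
        _recv_exact(sock, n + 2)
    else:
        raise ConnectionError(f"unknown address type {atyp:#x} in reply")
    return rep


def fake_tor_socks(sock, allowed_port=443):
    """Constructed stand-in for Tor's SOCKS listener: accepts CONNECT to
    allowed_port, answers 'not allowed by ruleset' (0x02) for anything else."""
    _ver, nmethods = _recv_exact(sock, 2)
    _recv_exact(sock, nmethods)
    sock.sendall(bytes([SOCKS_VERSION, NO_AUTH]))
    _ver, cmd, _rsv, _atyp, n = _recv_exact(sock, 5)   # client always sends ATYP domain
    _host = _recv_exact(sock, n)
    (port,) = struct.unpack("!H", _recv_exact(sock, 2))
    rep = 0x00 if (cmd == CMD_CONNECT and port == allowed_port) else 0x02
    # Reply with a constructed bound address of 0.0.0.0:0 in IPv4 form.
    sock.sendall(bytes([SOCKS_VERSION, rep, 0, ATYP_IPV4]) + bytes(4) + struct.pack("!H", 0))
    sock.close()


def demo(host, port):
    """Run one client/fake-Tor exchange over a socketpair; return the reply text."""
    client, server = socket.socketpair()
    t = threading.Thread(target=fake_tor_socks, args=(server,))
    t.start()
    try:
        rep = socks5_connect(client, host, port)
    finally:
        client.close()
        t.join()
    return REPLY_TEXT.get(rep, f"unknown reply {rep}")


if __name__ == "__main__":
    # Against a real Tor client: s = socket.create_connection(("127.0.0.1", 9050))
    # followed by socks5_connect(s, "ems02.your-freedom.de", 443).
    print(demo("ems02.your-freedom.de", 443))  # succeeded
    print(demo("ems02.your-freedom.de", 80))   # not allowed by ruleset
```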
Where does YF store my preferences for the YF client?
Everything is stored in a file called ".ems.cfg" in your home directory. On Unix-like boxes the concept of a home directory should be known to everyone; under Windows, this is one level up from your desktop. Unfortunately, Windows shows the Desktop as the root of the file system tree in the Explorer -- this is a blatant lie! You'll find your home directory somewhere under "Documents and settings" or "Users" (depending on the localization of your Windows version, this may well be translated to your language).
If you need to be sure, open a command window, then type these two commands:
%HOMEDRIVE%
cd %HOMEPATH%
Or open an Explorer, make sure you've got the editable address line enabled, and type "%HOMEPATH%" in there.
I can't get server port forwarding to work in my P2P application, what am I doing wrong?
Most likely you or your applications are confusing local ports and server ports.
Your application is listening on Port X on your PC for connections.
The Your Freedom server listens on Port Y for you. But do the others know about port Y? Probably not, because your P2P application reports to the trackers that it is listening on port X! The trackers learn about the YF server's IP address from the registration request, but the proper port needs to be within the message, and if your application has no place where you can configure your external port different from the port the app is listening on, then the tracker does not know it and the others will never learn about it. The easiest way around this is to make X = Y. Let your P2P application use the same port number as the YF server! This way your application will still not report info about the YF server port, but that doesn't matter because the number is the same. So if you have the YF port 23456 assigned to your profile, let your P2P application listen on port 23456 and configure a server port forward of 23456 -> localhost 23456.
Another thing that can easily go wrong is that some applications only listen on one IP address instead of all IP addresses. For example, BitSpirit will never listen on the loopback interface IP address 127.0.0.1, so it's no good to forward a server port to this address! Use the Ethernet IP address instead. To check if your application is listening on all IPs, open a command shell and type "netstat -an" (works on Windows, Unix, MacOS, ...). Look out for a TCP LISTEN line having the right port in it on the left hand side -- what's the IP? 0.0.0.0 means "all IPs"; if you don't see 0.0.0.0 you probably cannot use 127.0.0.1 but only the one shown instead.
The Windows firewall can also play tricks on you. Be sure you open the port your application is listening on, or allow the connection when prompted.
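The "netstat -an" check from the answer above, automated as an added example (not code from Your Freedom): it picks the TCP LISTEN lines out of netstat output in the Windows, Linux and BSD/macOS layouts, collects the local addresses bound to a given port, and says whether a server port forward to localhost will reach the application. The netstat output below is constructed; the port is the one used as the example above.

```python
# Added example (not from the Your Freedom client): read "netstat -an" output
# and report on which local addresses a TCP port is listening, which is the
# check the FAQ describes for server port forwards. Sample output below is
# constructed in the Windows and Linux layouts netstat prints.

# Addresses that mean "every interface" in the various netstat flavours.
WILDCARDS = {"0.0.0.0", "*", "::", "[::]"}


def listening_addresses(netstat_output, port):
    """Return the set of local addresses on which `port` is in TCP LISTEN state.

    Works on the whitespace-separated columns rather than a fixed layout:
    in every flavour the local address is the third token from the end of a
    LISTEN line (Windows: TCP local foreign LISTENING; Linux: tcp rq sq local
    foreign LISTEN; BSD/macOS uses '.' instead of ':' before the port).
    """
    found = set()
    for line in netstat_output.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or not tokens[0].lower().startswith("tcp"):
            continue
        if not tokens[-1].upper().startswith("LISTEN"):
            continue
        local = tokens[-3]
        sep = ":" if ":" in local else "."
        addr, _, p = local.rpartition(sep)
        if p.isdigit() and int(p) == port:
            found.add(addr)
    return found


def forward_target_advice(netstat_output, port):
    """Say which address a server port forward for `port` should point at."""
    addrs = listening_addresses(netstat_output, port)
    if not addrs:
        return f"nothing is listening on TCP port {port}; start the application first"
    if addrs & WILDCARDS:
        return f"port {port} listens on all IPs; forwarding to localhost {port} will work"
    if "127.0.0.1" in addrs or "::1" in addrs:
        return f"port {port} listens on loopback; forwarding to localhost {port} will work"
    return (f"port {port} listens only on {', '.join(sorted(addrs))}; "
            f"forward to that address, not 127.0.0.1")


# Constructed sample in Windows layout: the P2P app bound to the LAN address only.
SAMPLE_WINDOWS = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:23456     0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49321     203.0.113.5:443        ESTABLISHED
"""

# Constructed sample in Linux layout: the same port bound to all interfaces.
SAMPLE_LINUX = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:23456           0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
"""

if __name__ == "__main__":
    print(forward_target_advice(SAMPLE_WINDOWS, 23456))
    print(forward_target_advice(SAMPLE_LINUX, 23456))
    print(forward_target_advice(SAMPLE_LINUX, 9999))
```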
Which is my web proxy cache?
You can find out whether your web connection is being proxy cached, and, if so, the address of the web proxy cache, by visiting either of these sites:
Because the ISP might be load-balancing across more than one web proxy cache, your web connections might use different proxy caches for different web destinations. So you might get different answers from the two sites above. And the actual cache used for your other web accesses might be different yet again. When load-balancing is in operation, the above sites will identify an individual cache in a cluster of caches, and the DNS names of the caches will usually have an obvious structure enabling you to deduce the names of other members of the cluster.
For instance, with NTL web proxy cache clusters, the DNS names of the individual caches are of the form: inktomiN-XXX.server.ntl.com, where XXX is a 3 character code for the regional centre; or cacheN-YYYY.server.ntl.com, where YYYY is a 4 character code for the regional centre; and N is the number of the cache within the cluster.
What is FTP connection mode, and can I use it?
We have found that many people in firewalled environments cannot use their web proxy to connect to our servers because of some zealous admin blocking their access to our servers, but can use FTP to connect to our servers. If you are one of them, read on!
Can you use FTP to download (and possibly upload) files from (and to) FTP servers? If you cannot answer this question, there's a simple way to try it out. Start an FTP utility (not the web browser, not an Explorer, use something down-to-earth, command-line driven). With Windows, click on "Start", "Run", and type "cmd". This will bring up a shell window, where you can type "ftp ftp.kernel.org" or something similar. Hit Enter. Does this prompt you for a login? Then log in as "anonymous" and use your email address as "password". Now type "dir" - do you see a directory listing? That's ideal (it means that your firewall supports the classic FTP data connection style, not only passive mode), but don't worry if not - if you see an error message, it probably just means that your firewall only supports passive mode (Your Freedom can cope with this, in fact this is the only mode currently supported but this can quickly change if required - tell us!).
If this does not work for you there might be an FTP proxy somewhere in your network that you can use. Ask your administrator or local guru about it, you can likely come up with a good excuse why you would like to use FTP, it's really nothing obscene. Ask her how exactly to use it with a command line FTP tool. The most likely answer is that you use "ftp ftp-proxy.company.com" and log in as " anonymous@ftp.kernel.org", to use the above example. In this case, configure the proxy's IP or address in Your Freedom and you should be fine.
P.S.: The relevant port is "21", nothing else.
Note that setting up an FTP style connection to our servers takes a bit longer than other connection types take, 5-10 seconds is normal. If it doesn't work after 20 seconds, then it doesn't, simple as that. Note also that the HTTP/HTTPS/CGI proxy setting is completely irrelevant to FTP.
Please note: The FTP connection method is senseless if you enter an FTP proxy that only embeds FTP requests in HTTP requests (RFC 2616 proxies). RFC 2616 proxies are used by browsers and quite often listen on ports 3128, 8080 or 80. Please use an FTP proxy that is reachable from your command prompt instead.
Does someone know the step-by-step instructions to install the YF client on Linux? / I get a gcc-java error when trying to start YF on my Linux machine.
I've been asked these questions a couple of times by mail. So, I'll put this how-to also in the FAQs:
For starting a java archive (e.g. freedom.jar) it's always the same procedure:
java -jar name-of-the-archive.jar
DRAWBACK:
Please note that some distributions like Fedora Core or Ubuntu don't come with Sun's JRE because it's not open source software. Instead, they use gcc-java by default.
You need to have an up-to-date version of Sun's JRE installed to run YF (get it as RPM or tar file from http://java.sun.com/j2se/). If you try to start the YF client using gcc-java, you will most likely get errors like this one:
java.lang.ClassNotFoundException: com.sun.java.swing.plaf.windows.WindowsLookAndFeel not found in gnu.gcj.runtime.SystemClassLoader{urls=[file:freedom.jar,file:./],
I'm not sure about FC4 or Ubuntu, but on FC3 the files in Sun's JRE RPM should be extracted to /usr/java/(your-jre-version). If you choose to install the tar version, just place the files somewhere in your /opt directory.
AFAIK Fedora (maybe also Ubuntu) has some placeholders for gcc's java, jar and javac binaries in /bin or /usr/bin. Replace them by symbolic links to the respective programs in the /usr/java/(your-jre-version)/bin folder (symbolic links can be created by executing the following command in a terminal: ln -s source_file [target_file]).
You can also create some shell script for starting a java application more conveniently, chmod it to make it executable and put it in your PATH (e.g. /usr/bin).
The installation and configuration steps themselves are basically the same for all the supported OS's. They're treated in our FAQ section: https://ftp.your-freedom.net/26/.
What is local port forward?
From the Forums, by Sandy: ---
In local port forward, you assign a local port to a remote address and port. So when you connect to the port on your localhost, the connection will be automatically forwarded to the remote host.
This is particularly useful in bypassing proxies that don't allow IRC, FTP etc.
For e.g., let's say that your proxy does not allow any IRC connections, and you want to chat with your friend in some channel in the Efnet IRC network. So you make a local port forward in Your-Freedom, say 2222, to any IRC host, say,
Local Port : 2222
Remote Host : irc.efnet.net
Remote Port : 6667
Now connect to localhost:2222 in your IRC client and you'll be connected to the Efnet IRC network.
I hope that'll clear up the doubt a little bit, and as you can see local port forwarding is of no use in P2P applications.
For more info: you may "google" for "ssh port forwarding", which is somewhat similar to this; the basic idea is the same for both.
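As an added example (written for this page, not Sandy's code and not the Your Freedom client's), here is the mechanism the post describes in working form: a listener on a local port accepts connections and relays bytes in both directions to one fixed remote host and port. Where the post uses local port 2222 and irc.efnet.net:6667, the demo uses a free local port and a constructed in-process echo server so that it runs offline.

```python
# Added example, not Sandy's code and not the Your Freedom client's: a minimal
# local port forward of the kind the post describes. A listener on a local port
# accepts connections and relays bytes both ways to one fixed remote host:port.
# The demo points it at an in-process echo server (constructed) instead of
# irc.efnet.net:6667 so it runs offline.
import socket
import threading


def _pump(src, dst):
    """Copy bytes src -> dst until src closes, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class LocalPortForward:
    """Forward bind_host:local_port to remote_host:remote_port.

    bind_host defaults to 127.0.0.1, so only programs on this machine can use
    the forward; binding 0.0.0.0 would hand it to everyone on the LAN.
    """

    def __init__(self, local_port, remote_host, remote_port, bind_host="127.0.0.1"):
        self.remote = (remote_host, remote_port)
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind((bind_host, local_port))
        self.listener.listen(16)
        self.local_port = self.listener.getsockname()[1]  # actual port if 0 was given
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                client, _ = self.listener.accept()
            except OSError:
                return  # listener was closed
            threading.Thread(target=self._handle, args=(client,), daemon=True).start()

    def _handle(self, client):
        try:
            remote = socket.create_connection(self.remote, timeout=10)
        except OSError:
            client.close()  # remote unreachable: drop the local connection
            return
        remote.settimeout(None)
        threading.Thread(target=_pump, args=(remote, client), daemon=True).start()
        _pump(client, remote)

    def close(self):
        self.listener.close()


def _echo_server():
    """Constructed stand-in for the remote IRC server; echoes one connection."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def demo(payload=b"NICK sandy\r\n"):
    """Push payload through a forward to the echo server; return what comes back."""
    fwd = LocalPortForward(0, "127.0.0.1", _echo_server())  # local port 0: any free port
    try:
        with socket.create_connection(("127.0.0.1", fwd.local_port), timeout=5) as s:
            s.sendall(payload)
            s.shutdown(socket.SHUT_WR)
            chunks = []
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        return b"".join(chunks)
    finally:
        fwd.close()


if __name__ == "__main__":
    # The post's setup would be: LocalPortForward(2222, "irc.efnet.net", 6667)
    print(demo())
```

Binding the listener to 127.0.0.1 is what keeps the forward private to the machine; the relaying feature described in the next answer is the deliberate opposite, where the local proxy ports are made reachable from other hosts on the network.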
What is relaying?
As you know, the YF client provides a local SOCKS and HTTP/HTTPS proxy on your machine. Now if your profile supports relaying and you have turned on the feature in the YF client (YF Client -> Ports -> Relay connections), then not only can you use these proxies on your local machine, but so can the other people connected to the same network. They can use the YF client on your computer by specifying your machine's IP address as the proxy address.
Typical use is for roommates in a dorm, colleagues in the same office...
How do Server Port Forwards work?
Well, a Server Port Forward is the opposite of a local Port Forward. An SPF will "permanently" (i.e. as long as the YF client is connected) forward a port from our server to your machine.
For example, if we have allocated you port 10000 (YF client -> Profile Tab -> Forwarded Server Ports) and you are connected to ems02.your-freedom.de, then anybody connecting to ems02.your-freedom.de port 10000 initiates a connection to your PC. Don't worry, these connections are only allowed if you have set your client up to do so. You don't need this feature unless you know what it is good for. People use it for remote desktop connections and the like. Please be aware that we block HTTP, so you won't be able to make your local web server available on the Internet this way. We just cannot risk having to take responsibility for what you host. NOTE: Server Port Forwards are only included in the TOTAL account type.
Does "Your Freedom" support Proxy Authentication?
Well, yes and no. There are multiple authentication methods. Your Freedom currently supports "basic" authentication. There is another method called "NTLM", which authorizes against a Windows domain. Support for this method is currently in alpha stage, so it's included in the client but not completely tested yet. Contact us if it doesn't work.
My most beloved application is not working with Your Freedom, what can I do?
First of all, check that your application is using the SOCKS or Proxy feature of Your Freedom, or that your port forwards are properly set up. If this does not solve your problem, your best option is probably to create a "dump" and send it to us. Start the Your Freedom client from the command line. For both Windows and Unix (and probably Mac OSX too) this means that you have to open a command window and change directory to the path where the freedom.exe file or freedom.jar file resides. Then run the client using this syntax:
freedom --dump=dump.log
or
java -jar freedom.jar --dump=dump.log
Please make sure that your application is the only one running, in order to keep the dump as compact as possible. Let your application run for a while, then terminate it and also close the Your Freedom client. Send the dumped file via email together with a problem description to info@your-freedom.net and we'll see what we can do for you. (Oh, and btw. compressing the dump file with ZIP or GZip is not the worst of ideas.)
Does FTP with client XXXX work via YF?
Yes -
Either use a client which already supports Socks straight away (like CuteFTP, WS-FTP, ...) or use Sockscap to "socksify" the client.
By the way we support both passive and active FTP, so you don't need to worry about settings.
Can I set-up my own Your Freedom Server?
The answer at this moment in time is no.
(Unless you want to pay us a good chunk of money to get the sources:-))
Can't I just use a public proxy server?
This again is a Yes and No answer.
First of all for most people using YF, their firewalls do not allow them to use a public proxy, so they don't have a choice.
For all the others: yes, you fundamentally can use a public proxy, which gives you less functionality than YF (e.g. port forwards, session persistence), but that might be good enough for you. However, with public proxy servers you don't know who is monitoring the traffic and what log files are being collected. At least we tell you what we collect and especially what we do NOT collect.
Also, the fact that our base of operation is Germany, with its strong privacy laws, is quite a benefit.
Should I use the HTTPS or the HTTP connection method?
Neither method works for every user - that's why we have implemented both in the first place.
However if both work for you, we strongly suggest that you use the HTTPS method. It's better tested, has less protocol overhead and supports encryption.
What is SocksCAP32 for?
Your Freedom provides three methods to connect to a remote server:
- local port forward,
- Socks4/5,
- Http Proxy.
By far the easiest way is to configure your application to use a Socks Server or a HTTP Proxy – if your application supports that.
Whenever your application does not support a SOCKS/HTTP proxy, you can try running it via SocksCAP32 – SocksCAP replaces the standard network routines of the application it starts with ones that support SOCKS. In other words, SocksCAP32 enables you to use SOCKS servers with applications that do not natively support them.
However, there are limitations to that concept, so not every application works via SocksCAP, but it's always worth a try.
You get SocksCAP32 here
How can I change my password for the Website?
You can change your password - and actually see more things - by looking into your user profile.
When you have logged in you will be redirected to your user profile, where you can change your password by typing the new password in the password/repeat fields. After that, push the Update button.
Two more things:
- Changing the website password also changes the password on your Your Freedom account.
- For the changes to be distributed from the website to all Your Freedom servers takes about two minutes...
CC