Help and Support
Ask a question, report a problem, request a feature...
<<  Back To Forum

How to convince trackers to whitelist Tixati?

by Guest on 2021/04/11 11:23:25 AM    
As the topic states, how to convince trackers to whitelist tixati if they don't trust it because it's closed source,
so they can't "confirm" it's security or trustworthiness compared to open source clients?

some comments:

Its not about the client having issues, its about the security and trustworthiness of it.
Because it is proprietary, you cant be sure of the security of it.

Compared to open source clients like Deluge,Transmission,qBittorent and rTorrent which all use the already trusted and established libtorrent library.

Just from my brief reading about it, it exposes a lot of user info. Every review I've read said only use it with a VPN (which I recommend in most cases anyway) Since it is not open source there is no way to verify what security measures are built into it (if any) or an easy way to tell if there is any kind of telemetry going on. Totally free, with no ads AND closed source, makes me wonder how they can afford to maintain it. I dont imagine donations cover the cost.  Lots of reports of it crashing often. Not something I would even look at even if it was whitelisted.

Far to many good, well established open source clients for me to bother with a closed source alternative.

So what's the best way to persuade them to see the light that is tixati?
by Guest on 2021/04/12 09:08:34 AM    
Hi, original thread poster Guest,

Some interesting questions you've raised there.

You seem overly worried about it. You are not obliged to use Tixati, or anything else? You don't even have to use anything Torrent in its entirety if you feel this worried perhaps?
Yes Tixati is free and "doesn't install ads or mine crypto" on your machine illicitly like some other client programs do to line the pockets of their author.

I guess, ask yourself, "why do people volunteer" to work for no money or personal reward in charity shops (etc). Why do people participate on Forums like Reddit, Facebook (and here) for free?

The answer is people enjoy it. You don't have to be paid to do something. What about the teams who write Linux operating system. They give it away totally free without ever expecting payment.

For me, Tixati does not crash and I run mine on a Celeron old machine. Yes if you mess with some settings. Like scrollback logs from 100 lines to 10,000 it used a lot more memory and will glitch "Not Responding" every so often, but many settings are for DEBUG purposes only or super experienced users who didn't want to use uTorrent in the first place!


Think about the "other" software you mentioned. The source code is available for all to "see". How many members of society can read code, "verify" nothing bad is present, and then compile their own binary?
So, immediately people download a pre-compiled binary for Deluge, Transmission, qBittorent and rTorrent which, erm, Is THAT trustworthy? Who actually knows!!! Probably OK from the genuine site, but still has exactly the same "risk" as ANY other software downloaded from the net. How can you trust anything? VLC player. SSH tools. sFTP tools. Web Browsers etc. They're all written for free too remember!


Also I've found instances online where I'm seeing weird behavior from Torrent clients and they ALL stem from Open Source software. Stuff that can be "modded" to mess up P2P by bad actors.
If Tixati released their code online it would definitely be abused and malicious versions would appear stuffed with Adware. That would be so ironic. Keeping it closed source may not be so bad afterall?


I believe the author of Tixati is an exceptional master skilled programmer who has significant and extensive understanding P2P protocols ie using UDP for a long time.
Tixati P2P software is much more proactive than other clients. The message boards use encryption which no other client offers. Tixati is certainly NOT the work of a noob.
I have been using Tixati on/off since it was called WinMX around the 2003 era, I suppose.

By the way: Some older clients like Deluge only use TCP which is pretty limiting. I mean Deluge client is so basic, there is no "search" bar to search titles in your download list.


If you want to see telemetry, you can use WireShark and capture what's going on.


If you're this worried you should be running your P2P (whatever it is) perhaps on an old standalone machine or if you're technical, try running it in a Virtual Machine with a VPN connection? ​



About your tracker issue:

How do you know the Tracker dislikes Tixati ?
You could run some tests and report back:

TIXATI > TRANSFERS  button > OPTIONS tab > PEERS button > right side of screen, UNTICK "Local Peer ID"

This should look like:


-TIX281-abcdefghijkl


Change the TIX281 part only to UT355W


-UT355W-abcdefghijkl


For THAT particular single Torrent you should now "trick" your private tracker to thinking you are using "uTorrent 3.5.5"

See if your tracker now accepts that ?


Add your torrents as "stopped", then edit the tag, then start them and see what happens?

Anyway hope you enjoy P2P whatever client you decide is right for you.


Just A Tixati User
by Guest on 2021/04/12 11:34:34 AM    
The best way to persuade is add a global useragent setting.
by Raging_Flames on 2021/04/12 01:04:57 PM    
They've already told you why they won't green light it. I don't think there is much else for you to do here. They do have a point though, they have absolutely no reason to trust tixati because it is closed source. I was only able to convince my PT to allow tixati because their concern was transfer misreporting, and after explaining the difference between MiB and MB, they allowed it.
by notaLamer on 2021/04/13 05:57:26 AM    
some comments:

   (1)Its not about the client having issues, its about the security and trustworthiness of it.
   (1)Because it is proprietary, you cant be sure of the security of it.

   (2)Compared to open source clients like Deluge,Transmission,qBittorent and rTorrent which all use the already trusted and established libtorrent library.


   (3)Just from my brief reading about it, it exposes a lot of user info. Every review I've read said only use it with a VPN (which I recommend in most cases anyway) Since it is not open source there is no way to verify what security measures are built into it (if any) or an easy way to tell if there is any kind of telemetry going on. Totally free, with no ads AND closed source, makes me wonder how they can afford to maintain it. I dont imagine donations cover the cost.  Lots of reports of it crashing often. Not something I would even look at even if it was whitelisted.

   Far to many good, well established open source clients for me to bother with a closed source alternative.


So what's the best way to persuade them to see the light that is tixati?
I would like to know what kinda people you argue about in this thread and whether admins read at all. Both responses seem uninformed, especially the second one. In most points I agree with the first response here.

(1) This is completely true. In theory. However I doubt the user holds himself to the same standards. If the tracker allows BitTorrent/uTorrent clients his argument is automatically moot. If the user uses Windows, Google Chrome, Netflix, Steam, Discord, Zoom, Whatsapp, iOS, Android etc. then his own argument is moot. This is just an example of most used proprietary software (Netflix requires darkbox DRM binaries. iOS is completely closed source, 'Android' in almost all cases is not the free AOSP but just a flavor of Android with proprietary components).
(2) The guy doesn't know the intricacy by which rTorrent uses libTorrent and all else use libtorrent (sic)

(3) This one is an absolute fool, there is no connection between Tixati and a recommendation to use a VPN. What builtin 'security measures' is s/he talking about? Telemetry? I believe not but its a good question for later. S/he can stick the superficial googling about crashes. Tixati got problems but this aint one of them. Reputation? The Tixati dev has got reputation dating back 20 years. It does not replace the ability to view the source and compile on your own but sounds good enough for me.

The point on telemetry is great. It would be funny if you could checkmate them:
a) does their website use Cloudflare or any similar service? (you can see this easily by checking the website's HTTPS certificate. If it's does not say 'Cloudflare', it's not easy to determine, you'd have to dig for yourself)
b) do their tracker URLs use the udp: protocol or http:?  Both are unencrypted
c) is their tracker URL on https? If so, is it behind Cloudflare? (again this gives Cloudflare ability to unlimited surveillance on the traffic)
d) do the tracker admins keep registration date & IP, login history for the user? I find it way more concerning than possible technical telemetry by the client.

That said, I did not notice any traffic activity to Tixati webservers (Wireshark) except for the manually triggered update check. Though Tixati does use its own DHT bootstrapping nodes, I do not know whether those are disabled if you set your own.
Again, if the guy uses iOS/regular Android/Windows 10/Chromium etc. this makes him a hypocrite. I bet s/he does.

I wonder how many implementations went this deep:
// Tixati socket parameters
// Name:  Strict
// Aug 8, 2011

// These parameters should be used when connecting exclusively to
// clients with a correct UDP Peer Connection implementation.

// At this time Tixati has the only implementation that observes std
// TCP-friendly congestion control rules, and the only client that
// does not contain at least one of many performance-killing bugs that
// have been observed on the open internet.

// Use the "Compatible" default parameters instead unless you are
// testing with other Tixati users.  

// This set of parameters turns off key workarounds and will result in
// worse loss characteristics in connections to defective clients, and
// better potential performance in connections to properly functioning
// clients.
Anyway. Let's get technical again and help you get Tixati whitelisted.
Since so much emphasis was put on 'battle tested clients', would these guys allow you to use your own client if you were to build it on top of libtorrent? Honest question. libtorrent is trusted, no? OK and what if you wanted to use your own fork of Transmission? Why would they forbid you to do this? Based on what arguments?

If they are afraid of Tixati because it is proprietary (possibility of spying) how do they know the user does not have keyloggers, viruses on their computers? Is the VPN client the users are using free and open source software, not proprietary? Do they restrict proprietary browsers (e.g. ban Chrome, Opera users) the same way they try to control what torrent client people use?
If not, they should please provide their questions and uncertainties regarding Tixati and whether there're any technical issues with it. I will try to answer these to the best of my knowledge.
After this sentence ask for a controlled trial where you will provide feedback if there'll be any issues.

Finally, please really try the four 'checkmate' options from above. This would give you the upper hand in this whole argument if any of it applies (you can come back to me with your findings; sensitive data removed; you can contact me over the Tixati User Group channel too)

PS: I would not change the peerID in Tixati. You need to constantly fake it, including tracker AND RSS. Just don't. Oh and if any of them reads this (don't ask this): Will they ban users who use the official transmission but a changed peerID? Hm.
by Guest on 2021/04/13 11:29:18 AM    
To the long ass post, I(OP) think you misunderstood, I am not worried, I too am a long time(+10years) Tixati user. It's the guys running a tracker I'm on that is worried about tixati being a security issue. and quote boxes contained posts from their forums regarding Tixati in a thread asking about the possibility to whitelist it.

How do you know the Tracker dislikes Tixati ?
The quote boxes in first post, and the fact that Tixati isn't whitelisted.

You could run some tests and report back:
I tried changing the "Local Peer ID" as you described, it didn't work.
"HTTP responded with code 400" is the response the tracker gives.
but thanks for the try.
by ali3nwar3 on 2021/04/13 06:27:54 PM    
I decided to make an account, to just make it easier to track who's saying what.

I would like to know what kinda people you argue about in this thread and whether admins read at all.
Both responses seem uninformed, especially the second one. In most points I agree with the first response here.

One was the site owner, few moderators, and some people with site rankings, etc.
The owner was the one who said

Sorry, Tixati is not trustworthy in my opinion, please feel free to try qBittorrent, Deluge, Transmission or rTorrent.
Those are my top 4 ( not in that order particularly).

If the tracker allows BitTorrent/uTorrent clients his argument is automatically moot

Yes, this post was just from a moderator, that said he didn't have a say in what is approved or not, but the tracker allows uTorrent and BitTorrent.

The official site whitelist is as follows:
qBittorrent 2.9.x
qBittorrent 3.0.x
qBittorrent 3.1.x
qBittorrent 3.2.x
qBittorrent 3.3.x
qBittorrent 4.0.x
qBittorrent 4.1.x
qBittorrent 4.2.x
qBittorrent 4.3.x
Deluge 1.3.x
Deluge 2.x.x
uTorrent 2.0.4
uTorrent 2.1.x
uTorrent 2.2.x
uTorrent 3.5.x
Transmission 1.5.4
Transmission 1.6.x
Transmission 1.7.x
Transmission 1.8.x
Transmission 1.92
Transmission 1.93
Transmission 2.xx
Transmission 3.xx
rtorrent 0.9.x
uTorrent Mac 1.0x
uTorrent Mac 1.1x
uTorrent Mac 1.5x
uTorrent Mac 1.6x
uTorrent Mac 1.7x
uTorrent Mac 1.8x
BitTorrent 7.10.x
BitTorrent 7.5.x
BitTorrent 7.6.x
BitTorrent 7.9.x


a) snip

Checking the padlock next to the URL, it seems the site's HTTPS certificate is from cloudflare.

b) snip

Tracker URL seems to be on HTTPS as well, it's at least what shows up with the torrents i got running in qBittorrent.
I don't know how to check if that is on cloudflare though.

d) snip
Registration date seems to be logged, says joined "x ago" on forum posts.
on the site under the "my active connections tab" it shows my client and IP used for each torrent.
I do not know if these are stored "long term"

Since so much emphasis was put on 'battle tested clients', would these guys allow you to use your own client if you were to build it on top of libtorrent?

No idea, I could ask.

If not, they should please provide their questions and uncertainties regarding Tixati and whether there're any technical issues with it.

I can make a post, asking them to clarrify / go in depth as to why they don't think Tixati is "trustworthy" to get more details about their opinion,
And then bring those questions back here.
by Guest on 2021/04/16 12:44:57 PM    
1 - utorrent, bittorrent is opensource? How I can be sure about security of this softwares? So I think both need be blacklisted, and one thing is the old utorrent other is the actual code of utorrent, is completely different products. Anyway to me old and new is bullshit.

2 - The Tixati's marketshare is below than 1%, how many is Tixati users with use private trackers? Something like 0,0000001? Because most users NEVER use private trackes. I'm personaly against DONATE to download, I prefer donate to Tixati team.

3 - Tixati developer don't want open the source, is his option, so you are free to use any other open clients, like the limited shit of qbitorrent or deluge, made for kids, this is your option

4 - If I'm the developer I would add a global useragent setting, so the user can use a utorrent useragent and all problems is solved. Because Tixati never can be open source and you can't persuade all admins to whitelist Tixati.

SOLUTION: Global Default Spoof Setting, with it you can whitelist Tixati in all private trackers forever with just one move and is the end of the trackers admins game.
by notaLamer on 2021/04/26 07:42:18 PM    
While I empathize with last Guest's reply, we need to forego emotions to get Tixati whitelisted.

@alienware thanks for posting the client list. This will actually be instrumental because it shows how uneducated the pickings are.

Checking the padlock next to the URL, it seems the site's HTTPS certificate is from cloudflare.
-
Tracker URL seems to be on HTTPS as well
It is safe to guess the tracker is also behind Cloudflare. Good job.
The argument goes that Cloudflare is essentially a MITM. It must be. It must be in the middle and read all your traffic unencrypted to function as the proxy they are. There're two problems with it:
1) You can be certain they're collaborating with three-letter agencies at some level and have been for a long time now. Shocker: all major US ISPs do too. The smaller ones abide by the law and have equipment in place in case the receive a warrant/request.
2) There can be awful configuration mistakes. For example your traffic to CF servers is encrypted, but CF to their website server IS NOT or it is not verified properly. Described in detail here: https://www.troyhunt.com/cloudflare-ssl-and-unhealthy-security-absolutism/

No, #1 is not a conspiracy theory, but it is a real conspiracy. PRISM was a 'dumb conspiracy theory' right until Snowden revelations. As someone who's absolutely serious about security and privacy, I'd not use Cloudflare for anything but static CDN (deliver static files) on a website's subdomain.

Registration date seems to be logged, says joined "x ago" on forum posts.
on the site under the "my active connections tab" it shows my client and IP used for each torrent.
I do not know if these are stored "long term"
Well first of all this goes right against the idea of restricting all but few 'trusted clients'. If they care about security and privacy of users, they should have made the forum software not save last visits (certainly time and IP). The classic too: registration date and IP, separately. Ideally you'd want to allow users to erase the e-mail after registration too. You know, think about what's gonna happen when 'someone' gets access to the server and their hands on the database. The hunt for users will begin.
Sure all of this sounds hypothetical right until it happens. You can only act ahead of time, so far I see no positive surprises.

The fun part: lets examine their allowed clients list! It took me some time to research, I've long wanted to do that but didn't quite have the time or motivation.
-----
Not applicable, 2008: BitTorrent 6.0 / uTorrent 1.6/1.7 - Peers Window Remote Code Execution. Just for the sake of completeness.

https://www.exploit-db.com/exploits/31032
-----
Transmission ver ?-2.92:
Remote Code Execution with a DNS rebinding JS attack against the web interface.

TF article: https://torrentfreak.com/bittorrent-client-transmission-suffers-remote-takeover-vulnerability-180116
Original Project Zero bug report: https://bugs.chromium.org/p/project-zero/issues/detail?id=1447  (funny how he notes that the devs didn't take it seriously and dragged on for 1.5 months)
Pull request: https://github.com/transmission/transmission/pull/468
-----
qBittorrent EVERY VERSION <=4.1.6, according to report:
Remote Code Execution via a malicious RSS Feed if one used automation (run commands on transfer).

CVE-2019-13640: https://www.cvedetails.com/vulnerability-list/vendor_id-16171/product_id-36121/Qbittorrent-Qbittorrent.html
-----
uTorrent 3.5 (build <= 44351), uTorrent Web (ver?), 2018
Remote Code Execution.

TorrentFreak article: https://torrentfreak.com/bittorrent-client-utorrent-suffers-security-vulnerability-180220/
Threatpost article: https://threatpost.com/utorrent-users-warned-of-remote-code-execution-vulnerability/130030/
Comment 10: https://bugs.chromium.org/p/project-zero/issues/detail?id=1524#c10
Comment 13 (c13): https://bugs.chromium.org/p/project-zero/issues/detail?id=1524#c13
Reddit claims of old versions: https://www.reddit.com/r/torrents/comments/7yyyzy/utorrent_various_jsonrpc_issues_resulting_in/

Apparently BiTorrent borked their first attempt to fix this exploit properly as explained in comment 10. I'm not sure what version has the final fix (maybe 44352, maybe not). Yet funnier is the 'workaround' misleadingly thought to fix the problem (c13):
Some websites tried to persuade people that setting Preferences → Advanced → net.discoverable = false resolves the problem. But it isn't true. This setting just disables port 10000. But you can execute the same actions using port which uTorrent uses for all incoming connections. For example, I use port 45705 for incoming connections, and a simple GET request to http://127.0.0.1:45705/fileserve/?callback=error crashes the program.
There's no definite consensus whether uTorrent 2.x is vulnerable too. Comments 30, 24 say, as far as I can tell, these are not vulnerable. Normal users from reddit claim otherwise.
A gem from the vulnerability description:
While not a particularly strong secret (8 bytes of std::random_device), it at least would make remote attacks non-trivial. Unfortunately however, the authentication secret is stored inside the webroot (wtf!?!?!?!), so you can just fetch the secret and gain complete control of the service.
Basically the password was accessible in plaintext to anyone via HTTP. This is a client family to be trusted for sure!
-----
uTorrent 3.5.5 build <= 45505 (fix in 45574)
Remote Denial of Service (crashes client). Any remote peer can crash the client.

https://blog.utorrent.com/release-notes/utorrent-3-5-5-for-windows-build-45574/
Original write up: https://blog.whtaguy.com/2020/09/utorrent-cve-2020-8437-vulnerability.html
Proof of Concept video by the author: https://www.youtube.com/watch?v=wIXZvz_Y4Ag
https://cve.circl.lu/cve/CVE-2020-8437
-----
I'm done proving my point here that the allowed client list is totally arbitrary. Not just that, but in case of the latter they effectively CANNOT filter out the 'bad vulnerable' client version because they all carry 3.5.5, simply differing in build numbers that afaik are not communicated in any way.
Further isn't BitTorrent client essentially the same codebase as uTorrent (and has been for a few years)? I cannot find the bencode fix in their changelogs: BitTorrent 7.10.5 For Windows (build 45665), June 30th, 2020 and 7.10.5 (build 45496), January 17, 2020.
https://blog.bittorrent.com/release-notes/bittorrent-7-10-5-for-windows-build-45665/
https://blog.bittorrent.com/release-notes/bittorrent-7-10-5-for-windows-build-45496/

I did not investigate BitTorrent, uTorrent Mac, rtorrent or Deluge in particular. I just wanted to show that even the most 'trusted' clients have had their loopholes and STILL are on the 'safe' list. And with uTorrent 3.5.5 DoS the whitelist is useless.

I hope this has been enough research into the past to conclude that the admins didn't do their due diligence (my personal opinion and I object such restrictive whitelists without a reason). You can copy my response verbatim to them (maybe without the parentheses part :P)

This should've been enough convincing done to allow Tixati <3 There be(en) worse things.

Finally: Open source or not, both Transmission and qBittorrent just had been waiting for someone for years to find the vulnerabilities.

In fact they can't be sure the outdated uTorrent (3.5), Transmission and qBittorrent users (still allowed) hadn't been already breached. Although not even whitelists can prevent users from installing/getting malware elsewhere. What needs to be done is general education for computer literacy and threat mitigation (as well as detecting malware and repairing your PC). I have reasons to believe that Tixati users are on average more literate than those jesters running uTorrent and downloading "funnyclip.mp4.exe" off of TPB.




This web site is powered by Super Simple Server