[CC-ing the Polipo-users list] > Speaking of which, it occurred to me a little while ago that > persistent connections between the http proxy and the website, > through Tor, can have an impact on anonymity.
> If the user is figuring they're rotating their connections over > different Tor circuits over time (after all, they're clicking at > different times, right?), but polipo is holding open the same > persistent connection [...] It will certainly facilitate grouping requests into sessions. I'm not sure it counts as an anonymity threat, since the session itself is still anonymous; furthermore, there are easier ways to track requests into sessions (cookies, ``Referer'' headers, unique tokens embedded into URLs, If-Modified-Since requests, etc.). But I agree that it should at the very least be documented somewhere. > Is it documented anywhere how Polipo does its keepalives and timeouts > for persistent connections? Polipo will keep a persistent connection open as long as possible, but it will shut an idle connection down after its normal timeout (120s by default). Additionally, the server's idle timeout will usually come into play; in my experience, it's usually between 4 and 15 seconds. But that's irrelevant, since a malicious server could choose a much larger timeout. For people who do believe this is a serious threat, I can think of the following mitigations: (1) use a smaller timeout for idle connections; (2) shut down a connection after some number of serviced requets; (3) shut down a connection after it's been used for some time. Trouble is, either of these will harm performance in some cases; the obvious example being two polipi on the two ends of an ssh or ssl tunnel, where avoiding the intial handshake helps a lot. So I guess I'd have to implement different behaviour for parent proxies and direct connections. Roger, I'd like to know whether you think this is worth implementing for the next version of Polipo (and of course whether you have any better ideas). As I've stated, I don't believe this threat is real, but I'm quite willing to do the work if you disagree. Juliusz