Re: [tor-dev] Proposal: HTTP header distinguish TBB users
On Sun, Oct 4, 2015 at 12:06 AM, Virgil Griffith wrote: >> That'll be half a BTC please, lol: 161JvwnowBsojF4rRcdjMRcztoLb7R1qkN > > My pleasure. You saved me half a BTC! Holy shit, somebody tipped me, on a LOL no less, this Bitcoin thing works! You, kind benevolent and most gracious Sir, are getting some kind of thanks back to that address someday. ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Re: [tor-dev] Proposal: HTTP header distinguish TBB users
> That'll be half a BTC please, lol: 161JvwnowBsojF4rRcdjMRcztoLb7R1qkN My pleasure. You saved me half a BTC! -V On Sun, Oct 4, 2015 at 3:59 AM grarpamp wrote: > On Sat, Oct 3, 2015 at 6:59 PM, Virgil Griffith wrote: > > You are correct my good sir! This is indeed the better way. Thank you! > > That'll be half a BTC please, lol: 161JvwnowBsojF4rRcdjMRcztoLb7R1qkN > > > It's unclear to me how to make these rules only apply to the TBB version, > > but judging by the version history of HTTPS-E they have a way of doing > that. > > A plugin may have a way of determining if it is plugged into TBB (tor) > and acting accordingly. Else a separate T2W-OE plugin that takes > precedence over HTTPS-E for t2w's. Or coordinate with HTTPS-E > in that space. > ___ > tor-dev mailing list > tor-dev@lists.torproject.org > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev > ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Re: [tor-dev] Proposal: HTTP header distinguish TBB users
On Sat, Oct 3, 2015 at 6:59 PM, Virgil Griffith wrote: > You are correct my good sir! This is indeed the better way. Thank you! That'll be half a BTC please, lol: 161JvwnowBsojF4rRcdjMRcztoLb7R1qkN > It's unclear to me how to make these rules only apply to the TBB version, > but judging by the version history of HTTPS-E they have a way of doing that. A plugin may have a way of determining if it is plugged into TBB (tor) and acting accordingly. Else a separate T2W-OE plugin that takes precedence over HTTPS-E for t2w's. Or coordinate with HTTPS-E in that space. ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Re: [tor-dev] Proposal: HTTP header distinguish TBB users
> TBB plugin: T2W-OE - tor2web onion everywhere.
> Fork HTTPS-E.
> Maintain list of known t2w's.
> Plugin update from tpo.
> Matching engine rewrites t2w URL's to onions in TBB before the fetch.
You are correct my good sir! This is indeed the better way. Thank you! I
made a pull request to HTTPS-E for the requisite tor2web rules.
https://github.com/EFForg/https-everywhere/pull/3033
It's unclear to me how to make these rules only apply to the TBB version,
but judging by the version history of HTTPS-E they have a way of doing that.
Unless there's another specific issue, I consider the matter of Tor users
accidentally clicking links to Tor2web nodes solved.
-V
On Sat, Oct 3, 2015 at 8:29 PM grarpamp wrote:
> > various wrote:
> > Yesterday Lief compellingly argued that if a TBB user accidentally
> clicks on
> > a link to my tor2web proxy (onion.link), that they should be redirected
> to
> > the .onion address. It hadn't occurred before that a Tor user might
> > accidentally click a onion.link URL
>
> TBB plugin: T2W-OE - tor2web onion everywhere.
> Fork HTTPS-E.
> Maintain list of known t2w's.
> Plugin update from tpo.
> Matching engine rewrites t2w URL's to onions in TBB before the fetch.
>
> > { "countrycode": "A1", "location": "Tor", "domain": "torproject.org" }
> > or some such. This seems a reasonable request. Do we know someone at
>
> They may not wish to if they want to return a single result per IP, and an
> IP could be running more than one proxy (tor, i2p/cjdns exit, vpngate,
> plain old vpn service, whatever), it's not generally possible to tell which
> proxy emitted traffic from said IP, nor is it reasonable to require tor
> exits
> operators to not participate in other networks.
>
> > Tor-Browser-Bundle: true
>
> Great for advertising statistical demand for anonymous access to
> clearnet web operators, bad for blocking.
>
> > Are we still trying to hide TBB users in the Mozilla browser crowd?
>
> TBB should conform to Mozilla. Though it's a unique header, currently
> unused by web operators, that's only for a while. If any such thing, it
> should
> be a toggle, default off. You don't want to be unique unless you have to,
> and it's unlikely even 1/3 of clearnet operators are programmatically
> exit-aware, with fewer programmed to block.
>
> > the "x-tor2web" request header. We eventually decided to add it.
>
> Which is fine because it doesn't disclose any bits about the user to
> clearnet, the disclosure to the onion is still anon and moot, and the
> user can go direct to the onion if the onion blocks t2w.
>
> > The CDN should forward the client IP address as X-Forwarded-For or
> > something?
>
> Other proxies, vpn's, chains, whatever between t2w and the exit may not do
> this.
>
> > If any sites do start blocking users based on the header (and not also
> based on IP)
> > it will push people into using a non-TBB browser to access Tor.
>
> Yep.
> ___
> tor-dev mailing list
> tor-dev@lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
>
___
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Re: [tor-dev] Proposal: HTTP header distinguish TBB users
> various wrote:
> Yesterday Lief compellingly argued that if a TBB user accidentally clicks on
> a link to my tor2web proxy (onion.link), that they should be redirected to
> the .onion address. It hadn't occurred before that a Tor user might
> accidentally click a onion.link URL
TBB plugin: T2W-OE - tor2web onion everywhere.
Fork HTTPS-E.
Maintain list of known t2w's.
Plugin update from tpo.
Matching engine rewrites t2w URL's to onions in TBB before the fetch.
> { "countrycode": "A1", "location": "Tor", "domain": "torproject.org" }
> or some such. This seems a reasonable request. Do we know someone at
They may not wish to if they want to return a single result per IP, and an
IP could be running more than one proxy (tor, i2p/cjdns exit, vpngate,
plain old vpn service, whatever), it's not generally possible to tell which
proxy emitted traffic from said IP, nor is it reasonable to require tor exits
operators to not participate in other networks.
> Tor-Browser-Bundle: true
Great for advertising statistical demand for anonymous access to
clearnet web operators, bad for blocking.
> Are we still trying to hide TBB users in the Mozilla browser crowd?
TBB should conform to Mozilla. Though it's a unique header, currently
unused by web operators, that's only for a while. If any such thing, it should
be a toggle, default off. You don't want to be unique unless you have to,
and it's unlikely even 1/3 of clearnet operators are programmatically
exit-aware, with fewer programmed to block.
> the "x-tor2web" request header. We eventually decided to add it.
Which is fine because it doesn't disclose any bits about the user to
clearnet, the disclosure to the onion is still anon and moot, and the
user can go direct to the onion if the onion blocks t2w.
> The CDN should forward the client IP address as X-Forwarded-For or
> something?
Other proxies, vpn's, chains, whatever between t2w and the exit may not do this.
> If any sites do start blocking users based on the header (and not also based
> on IP)
> it will push people into using a non-TBB browser to access Tor.
Yep.
___
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Re: [tor-dev] Proposal: HTTP header distinguish TBB users
On Sun, 4 Oct 2015, at 01:13 AM, Tim Wilson-Brown - teor wrote: > >> On 3 Oct 2015, at 14:10, Virgil Griffith wrote: >> >> (2) If we (Tor Project) is going to ask MaxMind to do something special to >> distinguish TBB users, it seems reasonable we should make the same effort. >> I know in the past it's been proposed for TBB to include a special HTTP >> header, e.g., >> >> Tor-Browser-Bundle: true >> >> to distinguish TBB users. If this header existed, I could detect it at the >> CDN-level and do the appropriate redirect. Alternatively, We could do >> something equivalent with the "Via": HTTP header, but that seems overkill. >> >> Between these two options, I personally opt for (2) because it seems >> inappropriate to request MaxMind to help us do X when we have not done what >> we can do to achieve X. >> >> Q: Does anyone (especially Mike Perry) have any objections to (2)? If not, >> I will write the proposal. > > I think this kind of tagging has security implications, but I’m not sure what > the tradeoffs are. > > Are we still trying to hide TBB users in the Mozilla browser crowd? > Are we making it even easier to identify and block TBB users? If any sites do start blocking users based on the header (and not also based on IP) it will push people into using a non-TBB browser to access Tor. -- Carlin ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Re: [tor-dev] Proposal: HTTP header distinguish TBB users
On 10/03/2015 02:10 PM, Virgil Griffith wrote: > Now the trouble starts. If the TBB user gets to the tor2web backend I > check if they're coming from an Exit relay and redirect them---all > good. But a CDN (Fastly.com) sits in front of my backends and right now > it's unclear how to detect TBB at the CDN level. The CDN should forward the client IP address as X-Forwarded-For or something? -- Moritz Bartl https://www.torservers.net/ ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Re: [tor-dev] Proposal: HTTP header distinguish TBB users
On Sat, 3 Oct 2015, Virgil Griffith wrote: > Now the trouble starts. If the TBB user gets to the tor2web backend I check > if they're coming from an Exit relay and redirect them---all good. But a > CDN (Fastly.com) sits in front of my backends and right now it's unclear > how to detect TBB at the CDN level. I don't think this shoud be fixed by detecting TBB, which somehow counters the very purpose of TBB. What about having a scriptlet/extension/whatever in The Tor Browser that sends the request directly via the Tor network instead of using the gateway? Client-side solution is the only way to recover your Bitcoin to me. ~saper ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Re: [tor-dev] Proposal: HTTP header distinguish TBB users
> Are we still trying to hide TBB users in the Mozilla browser crowd? My understanding of this, because we make the exit relays public, that the answer is "no". Correct me if I'm wrong. > Are we making it even easier to identify and block TBB users? Mildly so. But if an operator wants to block TBB users they don't need to have much trouble using ExitRelay list or the MaxMind anonymous proxy list. For what it's worth we had a similar discussion in tor2web over whether to add the "x-tor2web" request header. We eventually decided to add it. -V On Sat, Oct 3, 2015 at 2:13 PM Tim Wilson-Brown - teor wrote: > > On 3 Oct 2015, at 14:10, Virgil Griffith wrote: > > (2) If we (Tor Project) is going to ask MaxMind to do something special to > distinguish TBB users, it seems reasonable we should make the same effort. > I know in the past it's been proposed for TBB to include a special HTTP > header, e.g., > > Tor-Browser-Bundle: true > > to distinguish TBB users. If this header existed, I could detect it at > the CDN-level and do the appropriate redirect. Alternatively, We could do > something equivalent with the "Via": HTTP header, but that seems overkill. > > Between these two options, I personally opt for (2) because it seems > inappropriate to request MaxMind to help us do X when we have not done what > we can do to achieve X. > > Q: Does anyone (especially Mike Perry) have any objections to (2)? If > not, I will write the proposal. > > > I think this kind of tagging has security implications, but I’m not sure > what the tradeoffs are. > > Are we still trying to hide TBB users in the Mozilla browser crowd? > Are we making it even easier to identify and block TBB users? > > Tim > > Tim Wilson-Brown (teor) > > teor2345 at gmail dot com > PGP 968F094B > > teor at blah dot im > OTR CAD08081 9755866D 89E2A06F E3558B7F B5A9D14F > > ___ > tor-dev mailing list > tor-dev@lists.torproject.org > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev > ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Re: [tor-dev] Proposal: HTTP header distinguish TBB users
> On 3 Oct 2015, at 14:10, Virgil Griffith wrote: > > (2) If we (Tor Project) is going to ask MaxMind to do something special to > distinguish TBB users, it seems reasonable we should make the same effort. I > know in the past it's been proposed for TBB to include a special HTTP header, > e.g., > > Tor-Browser-Bundle: true > > to distinguish TBB users. If this header existed, I could detect it at the > CDN-level and do the appropriate redirect. Alternatively, We could do > something equivalent with the "Via": HTTP header, but that seems overkill. > > Between these two options, I personally opt for (2) because it seems > inappropriate to request MaxMind to help us do X when we have not done what > we can do to achieve X. > > Q: Does anyone (especially Mike Perry) have any objections to (2)? If not, I > will write the proposal. I think this kind of tagging has security implications, but I’m not sure what the tradeoffs are. Are we still trying to hide TBB users in the Mozilla browser crowd? Are we making it even easier to identify and block TBB users? Tim Tim Wilson-Brown (teor) teor2345 at gmail dot com PGP 968F094B teor at blah dot im OTR CAD08081 9755866D 89E2A06F E3558B7F B5A9D14F signature.asc Description: Message signed with OpenPGP using GPGMail ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
[tor-dev] Proposal: HTTP header distinguish TBB users
Yesterday Lief compellingly argued that if a TBB user accidentally clicks
on a link to my tor2web proxy (onion.link), that they should be redirected
to the .onion address. It hadn't occurred before that a Tor user might
accidentally click a onion.link URL, but yes I completely concur and I told
Lief I would prioritize this and would owe him a Bitcoin if I didn't get
this implemented within a week.
Now the trouble starts. If the TBB user gets to the tor2web backend I check
if they're coming from an Exit relay and redirect them---all good. But a
CDN (Fastly.com) sits in front of my backends and right now it's unclear
how to detect TBB at the CDN level.
Going over my CDN's documentation. They do have the standard MaxMind
database for geo-IP. So that's good. But plugging in an exit-node IP#
merely reports as an "A1" for "Anonymous Proxy". Unfortunately there are
many anonymous proxies other than Tor so that won't do.
There are two ways to solve this.
(1) For an given IP#, MaxMind reports numerous entries aside from the "A1"
for country code. We could ask MaxMind to specify whatever else it knows
about the Anonymous Proxy in the other fields such as the "Location" or
"Organization" field. So when plugging in a Tor exit relay it would return
something like:
{ "countrycode": "A1", "location": "Tor", "domain": "torproject.org" }
or some such. This seems a reasonable request. Do we know someone at
MaxMind to forward this request to?
(2) If we (Tor Project) is going to ask MaxMind to do something special to
distinguish TBB users, it seems reasonable we should make the same effort.
I know in the past it's been proposed for TBB to include a special HTTP
header, e.g.,
Tor-Browser-Bundle: true
to distinguish TBB users. If this header existed, I could detect it at the
CDN-level and do the appropriate redirect. Alternatively, We could do
something equivalent with the "Via": HTTP header, but that seems overkill.
Between these two options, I personally opt for (2) because it seems
inappropriate to request MaxMind to help us do X when we have not done what
we can do to achieve X.
Q: Does anyone (especially Mike Perry) have any objections to (2)? If not,
I will write the proposal.
-V
P.S. Lief... even if we go at maximum speed, it looks like I'm going to owe
you that Bitcoin. Email me your BTC address? How embarrassing.
___
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
