Re: [tor-relays] Reminder: don't run transparent proxies at exits

2015-01-11 Thread teor
> Date: Mon, 12 Jan 2015 01:04:58 -0500
> From: grarpamp
> To: tor-relays@lists.torproject.org
>
>>> On Fri, Jan 9, 2015 at 10:26 PM, Drake Wilson wrote:
>>> eric gisse wrote:
>>> Plus the logic starts to get warped when you wonder "So do you BadExit
>>> every node that runs on an ISP that cach

Re: [tor-relays] Reminder: don't run transparent proxies at exits

2015-01-11 Thread grarpamp
On Fri, Jan 9, 2015 at 10:26 PM, Drake Wilson wrote:
> eric gisse wrote:
>> Plus the logic starts to get warped when you wonder "So do you BadExit
>> every node that runs on an ISP that caches traffic?"
>>
>> What about ISPs (and openDNS) that NXDOMAIN trap to insert advertising?
>
> These, I thi

Re: [tor-relays] Reminder: don't run transparent proxies at exits

2015-01-10 Thread eric gisse
Yes :(

1) Blanket caching on port 80 is mostly fine, but not completely due to squid dropping/erroring on non-HTTP traffic. Not acceptable.
2) I've been unable to find a way to pass non-HTTP traffic in a reliable way.
3) netfilter inspection to determine protocol ends with the layer7 filter projec

Re: [tor-relays] Reminder: don't run transparent proxies at exits

2015-01-10 Thread Nusenu
> On Fri, Jan 9, 2015 at 6:29 PM, Nusenu
>> Are you saying you are routing exit traffic through a transparent
>> squid http proxy?
>>
>> If that is the case, please do not interfere with exit traffic in
>> any way.

eric gisse:
> Why? Is your exit breaking non-HTTP protocols on destination por

Re: [tor-relays] Reminder: don't run transparent proxies at exits

2015-01-09 Thread Drake Wilson
Drake Wilson wrote:
> But the TCP specification doesn't. Nor is the Tor client signaling
> to you that they want an HTTP connection and not a raw TCP connection.
> Whether they happen to be passing octets over it that correspond to an
> HTTP stream is irrelevant.

Or alternatively, let me put the

Re: [tor-relays] Reminder: don't run transparent proxies at exits

2015-01-09 Thread Dave Warren
On 2015-01-09 19:21, eric gisse wrote:
> What about ISPs (and openDNS) that NXDOMAIN trap to insert advertising?

Just a quick point, OpenDNS doesn't do that anymore.

https://www.opendns.com/no-more-ads/

(Others do, and it's still a terrible idea there, but OpenDNS has seen the light and/or fo

Re: [tor-relays] Reminder: don't run transparent proxies at exits

2015-01-09 Thread Drake Wilson
eric gisse wrote:
> Plus the logic starts to get warped when you wonder "So do you BadExit
> every node that runs on an ISP that caches traffic?"
>
> What about ISPs (and openDNS) that NXDOMAIN trap to insert advertising?

These, I think, are more general points that have not adequately been reso

Re: [tor-relays] Reminder: don't run transparent proxies at exits

2015-01-09 Thread eric gisse
That's my point. The logic applies to either both or none.

Plus the logic starts to get warped when you wonder "So do you BadExit every node that runs on an ISP that caches traffic?"

What about ISPs (and openDNS) that NXDOMAIN trap to insert advertising?

Regarding 'cached evidence', logs are sh

Re: [tor-relays] Reminder: don't run transparent proxies at exits

2015-01-09 Thread Drake Wilson
eric gisse wrote:
> This isn't exactly a convincing argument.
>
> The HTTP specification explicitly supports caching.

But the TCP specification doesn't. Nor is the Tor client signaling to you that they want an HTTP connection and not a raw TCP connection. Whether they happen to be passing octets

Re: [tor-relays] Reminder: don't run transparent proxies at exits

2015-01-09 Thread eric gisse
This isn't exactly a convincing argument.

The HTTP specification explicitly supports caching. On a protocol level, this is quite acceptable and standard. The method I am using is precisely what ISPs do in scenarios where they want to maximize their bandwidth.

On Fri, Jan 9, 2015 at 8:12 PM, Drak

Re: [tor-relays] Reminder: don't run transparent proxies at exits

2015-01-09 Thread Zack Weinberg
On Fri, Jan 9, 2015 at 9:18 PM, cacahuatl wrote:
> If you're caching exit traffic and a very naughty person uses your exit,
> you've potentially cached "evidence" (to be seized).

That logic applies equally to DNS; indeed, it is why the CMU Tor exit *doesn't* run a DNS cache. (It talks to CMU's D

Re: [tor-relays] Reminder: don't run transparent proxies at exits

2015-01-09 Thread Drake Wilson
eric gisse wrote:
> Why? People say 'DO NOT MESS WITH TRAFFIC' but in the same breath they
> say 'BUT USE A CACHING DNS RESOLVER'.

Because the interface level at which exit traffic proper occurs is TCP, and the interface contract for the client is that the TCP stream will be direct to the intended
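
An added example, not code from this thread or from the Tor project, that turns two points above into a check an exit operator can run: Drake Wilson's point that the exit contract is a raw TCP stream to the destination, and eric gisse's observation that squid drops or errors on non-HTTP traffic sent to port 80. The probe opens a plain TCP connection to port 80, sends bytes that are deliberately not HTTP (an SSH banner), and verifies the same octets come back. Both "destinations" here are constructed local stand-ins (an echo server for a direct path, and a responder that imitates an intercepting proxy); the squid-style error headers are an assumption about what such a proxy returns, not a capture from any real exit. In practice the same probe would be aimed through the exit under test at an echo service you control.

```python
"""Probe whether a TCP path to port 80 carries non-HTTP bytes unmodified.

Added example for the tor-relays transparent-proxy discussion; not code
from the thread or from Tor. A direct TCP path returns the probe octets
byte-for-byte. A transparent HTTP proxy in front of the destination
either drops the connection or answers with its own HTTP error page.
The servers below are constructed local stand-ins, so this runs offline.
"""
import socket
import threading

# Non-HTTP probe. People run SSH, TLS and other protocols on port 80 to
# get past egress filters; that is exactly the traffic a blanket port-80
# HTTP proxy breaks.
PROBE = b"SSH-2.0-OpenSSH_6.7p1 Debian-5\r\n"

# Headers that commonly betray an intercepting cache (assumed set).
PROXY_MARKERS = (b"X-Squid-Error", b"Via:", b"X-Cache", b"Server: squid")


def _serve_once(handler):
    """Start a one-shot TCP server on 127.0.0.1 in a thread.

    `handler` maps the received bytes to the bytes to send back.
    Returns the (host, port) tuple the client should connect to.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            data = conn.recv(4096)
            conn.sendall(handler(data))
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()


def echo_server():
    """Direct path: the far end receives and returns the raw octets."""
    return _serve_once(lambda data: data)


def squid_like_server():
    """Constructed stand-in for an intercepting HTTP proxy: the non-HTTP
    request line is rejected with a squid-style error response (assumed
    format, for illustration only)."""
    def handler(data):
        return (b"HTTP/1.1 400 Bad Request\r\n"
                b"Server: squid/3.4.8\r\n"
                b"X-Squid-Error: ERR_INVALID_REQ 0\r\n"
                b"Via: 1.1 exit.example (squid/3.4.8)\r\n"
                b"Content-Length: 0\r\n\r\n")
    return _serve_once(handler)


def classify(reply):
    """'clean'   : probe came back byte-for-byte (raw TCP contract held)
       'proxy'   : reply is HTTP carrying proxy/cache markers
       'unknown' : connection dropped or reply otherwise mangled"""
    if reply == PROBE:
        return "clean"
    if reply.startswith(b"HTTP/") and any(m in reply for m in PROXY_MARKERS):
        return "proxy"
    return "unknown"


def probe(host, port, timeout=2.0):
    """Send PROBE over a plain TCP connection and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(PROBE)
        chunks = []
        try:
            while True:
                c = s.recv(4096)
                if not c:          # peer closed: we have the whole reply
                    break
                chunks.append(c)
        except socket.timeout:     # peer stayed silent: treat as mangled
            pass
    return classify(b"".join(chunks))


if __name__ == "__main__":
    print("direct path :", probe(*echo_server()))        # clean
    print("proxied path:", probe(*squid_like_server()))  # proxy
```

The probe is deliberately not an HTTP request: a transparent proxy that only ever sees well-formed HTTP looks harmless, and it is the non-HTTP streams on port 80 that surface the interference the thread is about. A result of "unknown" (silent drop or a reply with no recognisable markers) is still a failed check, since the raw bytes did not arrive.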

Re: [tor-relays] Reminder: don't run transparent proxies at exits

2015-01-09 Thread cacahuatl
If you're caching exit traffic and a very naughty person uses your exit, you've potentially cached "evidence" (to be seized).

Also likely has interesting legal questions, e.g. 'if you're actually storing the content, then do you "possess" it?' ymmv with jurisdiction and ianal.

eric gisse:
> Why? Pe

Re: [tor-relays] Reminder: don't run transparent proxies at exits

2015-01-09 Thread eric gisse
Why? People say 'DO NOT MESS WITH TRAFFIC' but in the same breath they say 'BUT USE A CACHING DNS RESOLVER'.

This is an internally inconsistent attitude, and is not consistent with how large-scale operations function either. Tools like varnish, CDNs, memcache, dns caching, etc. are all common - an

Re: [tor-relays] Reminder: don't run transparent proxies at exits

2015-01-09 Thread Nusenu
hi,

eric gisse:
> I even threw on a squid proxy on regular http and that's caching
> something like 5-10% of all requests and overall http bandwidth.

Are you saying you are routing exit traffic through a transparent squid http proxy?

If that is the case, please do not interfere with exit traffic