#17605: Tell caches to remove X-Your-IP-Address-Is from Tor Directory documents ----------------------------------+------------------------------ Reporter: teor | Owner: Type: defect | Status: new Priority: High | Milestone: Tor: 0.3.??? Component: Core Tor/Tor | Version: Severity: Normal | Resolution: Keywords: tor-auth, isaremoved | Actual Points: Parent ID: | Points: 2 Reviewer: | Sponsor: ----------------------------------+------------------------------
Comment (by teor): Replying to [comment:5 teor]: > Replying to [comment:4 arma]: > > What if we went a step further and didn't include the header at all in unencrypted connections? That is, we include it in the begin_dir response but not in the naked dirport responses. > > I think this is an excellent idea. As the HTTP headers of a naked dirport response are unauthenticated, they can be modified in transit, and we can't know either way. > > > The main effect would be that relays, who use the naked dirport, would no longer be able to learn their IP address from their directory authority interactions. > > A relay believes any directory mirror, not just the authorities. But if it doesn't know its IP address, it will only connect to authorities. > > > We could work around that by finally moving all dir traffic to begin_dir (which still makes me uncomfortable because of the extra scaling and load, but maybe this is a good additional kick for why we should do it anyway), or by having relays who don't know their address launch a begin_dir connection just for finding it out. > > With the introduction of fallback directory mirrors in 0.2.8 (#15775), the extra load for bootstrap begindirs will be shared among 100-250 high- uptime directory mirrors, rather than just the ~9 authorities. > > After bootstrap, with the introduction of "dir servers for all" (#12538) in 0.2.8, it will be shared among almost all relays. > > So I think we can do begindirs for all directory fetches. We made clients always use begindir in 0.2.8 in #18483. > We might want to fix #17848 at the same time, otherwise clients and relays won't know if they have an existing connection to a directory server, and load balancing will suffer. > > > Actually, wait a minute, don't netinfo cells have your address in them now too? Does that mean x-your-address-is on naked dirport answers is redundant? And thus we should try to phase it out in favor of the encrypted, authenticated mechanism that we built? > > It has the relay's IPv4 address. > > (Although it's somewhat orthogonal, we'd like to have some way for relays to learn their IPv6 addresses, too. This would be somewhat easier to do by adding a HTTP header, rather than changing the format of a NETINFO cell. See #5940.) Actually, the NETINFO format supports IPv6. If it doesn't work when you connect to a relay's IPv6 ORPort, that's a bug. > > > The reason I want to get rid of the caching situation is because this is an information leak, from one user to another. Now, it's mostly just relays who suffer, since they're the ones who use naked dirport requests. But this is still an uncomfortable state of affairs to leave in place. > > Let's fix it then! -- Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17605#comment:11> Tor Bug Tracker & Wiki <https://trac.torproject.org/> The Tor Project: anonymity online _______________________________________________ tor-bugs mailing list tor-bugs@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs