[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Importance of HTTP connection keep-alive



[CC-ing the Polipo-users list]

> Speaking of which, it occurred to me a little while ago that
> persistent connections between the http proxy and the website,
> through Tor, can have an impact on anonymity.

> If the user is figuring they're rotating their connections over
> different Tor circuits over time (after all, they're clicking at
> different times, right?), but polipo is holding open the same
> persistent connection [...]

It will certainly facilitate grouping requests into sessions.

I'm not sure it counts as an anonymity threat, since the session
itself is still anonymous; furthermore, there are easier ways to track
requests into sessions (cookies, ``Referer'' headers, unique tokens
embedded into URLs, If-Modified-Since requests, etc.).  But I agree
that it should at the very least be documented somewhere.

> Is it documented anywhere how Polipo does its keepalives and timeouts
> for persistent connections?

Polipo will keep a persistent connection open as long as possible, but
it will shut an idle connection down after its normal timeout (120s by
default).

Additionally, the server's idle timeout will usually come into play;
in my experience, it's usually between 4 and 15 seconds.  But that's
irrelevant, since a malicious server could choose a much larger
timeout.

For people who do believe this is a serious threat, I can think of the
following mitigations:

  (1) use a smaller timeout for idle connections;
  (2) shut down a connection after some number of serviced requets;
  (3) shut down a connection after it's been used for some time.

Trouble is, either of these will harm performance in some cases; the
obvious example being two polipi on the two ends of an ssh or ssl
tunnel, where avoiding the intial handshake helps a lot.  So I guess
I'd have to implement different behaviour for parent proxies and
direct connections.

Roger, I'd like to know whether you think this is worth implementing
for the next version of Polipo (and of course whether you have any
better ideas).  As I've stated, I don't believe this threat is real,
but I'm quite willing to do the work if you disagree.

                                        Juliusz