[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Hiden service and session integrity

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Hiden service and session integrity
From: grarpamp <grarpamp@xxxxxxxxx>
Date: Mon, 17 Nov 2014 13:09:02 -0500
Delivered-to: archiver@xxxxxxxx
Delivery-date: Mon, 17 Nov 2014 13:09:16 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=ryPd69CR0UVY1UGb6zHj3EqBBNueQlxpPpS4MOlnwPg=; b=UAsUbtm/hi1qZif+t1Npiid/wP+dZdhrQ6SOMnBQvfeQQeNa0GxDaYO4+I35Fi1YHO rqLrT2KLdviarQAXYsCeYD+l6TisT50rpV9e6wp+8J9jZZuzfymtG7lGmhDlmFGM/Zfy Cx2mMZgPoAiBBTCiDX+vt4AYqGuIBkPWVBXQJNESZIsDC+W1M59AGa0xC4yY2vEvZMBe h40vrLZUk9kxkny+aw5+UtrsIS/JmSW1BjDXFkuef+q3ZRMOuJA2lpPgOjrBQ/cZwmd6 vQxntcFvMXag93mj7Zglkp4E1SYBioGZDA1wskL2C8SFpsqtxSibmOfdjptPPMpdC3o1 5ZwA==
In-reply-to: <L8D.DP3D.gRavit6TQI.1KQYwu@xxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <L8D.DP3D.gRavit6TQI.1KQYwu@xxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>

You should never trust ip for auth (even dhcp changes), or ever
use ip for anything hard against the user. That's what your
authcookie or urlsessionid is for. Do not use ip for auth, it
pisses roaming/traveling/vpn/tor/dhcp/proxy/wifi users off, and
similarly gives you the siteop no useful data. Do not use ip's.

You should always use https, unless you want your cookies
stolen off the wire, your users to get mitm'd, your bits to get
rotted, etc. It's possible, just use it, everywhere, always.
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

References:
- [tor-talk] Hiden service and session integrity
  - From: NTPT

Prev by Author: Re: [tor-talk] Netflow analysis breaks Tor
Next by Author: Re: [tor-talk] What should our 31c3 talk be?
Previous by thread: [tor-talk] Hiden service and session integrity
Next by thread: Re: [tor-talk] Hiden service and session integrity
Index(es):
- Author
- Thread