
Re: Importance of HTTP connection keep-alive

Hi Juliusz,

--- Juliusz Chroboczek
<Juliusz.Chroboczek@xxxxxxxxxxxxxx> wrote:

> For people who do believe this is a serious threat,
> I can think of the following mitigations:
> (1) use a smaller timeout for idle connections;
> (2) shut down a connection after some number of
> serviced requests;
> (3) shut down a connection after it's been used
> for some time.

> Roger, I'd like to know whether you think this is
> worth implementing for the next version of Polipo
> (and of course whether you have any better ideas). 
> As I've stated, I don't believe this threat is
> real, but I'm quite willing to do the work if you
> disagree.

Has there been any further off-list discussion on this?

I for one would like to see (1) and (3) implemented, as
I tend to agree with Roger.  While the threat may or
may not be serious, it does at least add extra data
which may be used in nefarious ways (like the cookies,
etc., you mentioned).

Another possible anonymity threat is when a Tor user
routing through Polipo passes the NEWNYM signal to
Tor.  This signal makes Tor use a new (clean) circuit
for new connections.

For example: a Tor user routing through Polipo passes
the NEWNYM command to Tor while staying on the same
website.  The user's IP is now different for new
connections to the website, but the new IP is still
using the Polipo connection created/used by the
previous IP (circuit).  This seems like a possible
anonymity threat in regards to an adversary
correlating pseudonyms and their activity.

Could Polipo be made to listen for the NEWNYM signal
passed to Tor?  It seems to me a good option/solution
would be to have Polipo shut down its connection(s) when
a NEWNYM signal is passed to Tor.  This way Tor and
Polipo will be acting in unison.  They won't
contradict each other in terms of Tor changing circuits
(IPs) to the host but Polipo keeping the same
connections to the host.  Maybe offer this in the
Polipo config file, so Tor users can turn it on and other
users can keep it off?

Best regards,
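[Added example, not from this thread and not Polipo's own code: the sketch
below shows what the three mitigations quoted above and the NEWNYM proposal
look like as a keep-alive pool policy. KeepAlivePool, stale_reason,
on_newnym and run_scenario are hypothetical names chosen here; the fake
clock and the request sequence are constructed so the script runs offline.
The only piece taken from a real protocol is the "650 SIGNAL NEWNYM" event
line, which Tor's control port emits to a controller that has subscribed
with "SETEVENTS SIGNAL"; the example parses one such constructed line and
does not open a control-port socket.]

```python
# Added example: keep-alive lifetime rules (1)-(3) plus flushing the pool
# when Tor reports NEWNYM. Names and the scenario are hypothetical/constructed.
import re
import time
from dataclasses import dataclass
from typing import Optional

# Tor control port asynchronous event after "SETEVENTS SIGNAL":
#   650 SIGNAL NEWNYM
_SIGNAL_EVENT = re.compile(r"^650 SIGNAL ([A-Z]+)\s*$")


def parse_signal_event(line: str) -> Optional[str]:
    """Return the signal name from a control-port event line, else None."""
    m = _SIGNAL_EVENT.match(line.strip())
    return m.group(1) if m else None


@dataclass
class PooledConnection:
    host: str         # origin server the idle socket is connected to
    opened_at: float  # when the TCP connection was established
    last_used: float  # when the last request on it finished
    requests: int     # requests already serviced on this connection
    generation: int   # KeepAlivePool.generation when it was opened


class KeepAlivePool:
    """Idle keep-alive connections, the three shutdown rules, and NEWNYM."""

    def __init__(self, idle_timeout, max_requests, max_lifetime, clock=time.monotonic):
        self.idle_timeout = idle_timeout  # (1) smaller timeout for idle connections
        self.max_requests = max_requests  # (2) shut down after N serviced requests
        self.max_lifetime = max_lifetime  # (3) shut down after it has been used this long
        self.clock = clock
        self.generation = 0               # bumped on every NEWNYM
        self.idle = []                    # reusable connections
        self.closed = []                  # (host, reason) log for inspection

    def stale_reason(self, conn) -> Optional[str]:
        """Why conn must not carry another request, or None if it may."""
        now = self.clock()
        if conn.generation != self.generation:
            return "newnym"               # opened on a circuit Tor has abandoned
        if now - conn.opened_at > self.max_lifetime:
            return "lifetime"
        if now - conn.last_used > self.idle_timeout:
            return "idle"
        if conn.requests >= self.max_requests:
            return "requests"
        return None

    def reap(self) -> None:
        """Drop idle connections failing a rule (a real proxy closes the socket)."""
        keep = []
        for conn in self.idle:
            reason = self.stale_reason(conn)
            (self.closed.append((conn.host, reason)) if reason else keep.append(conn))
        self.idle = keep

    def acquire(self, host):
        """Return (connection, reused) for the next request to host."""
        self.reap()
        for conn in self.idle:
            if conn.host == host:
                self.idle.remove(conn)
                return conn, True
        now = self.clock()
        return PooledConnection(host, now, now, 0, self.generation), False

    def release(self, conn) -> None:
        """Request on conn finished: keep it for reuse or drop it."""
        conn.requests += 1
        conn.last_used = self.clock()
        reason = self.stale_reason(conn)
        (self.closed.append((conn.host, reason)) if reason else self.idle.append(conn))

    def on_newnym(self) -> None:
        """Tor switched circuits: nothing opened before now may be reused."""
        self.generation += 1
        self.reap()


class FakeClock:
    """Constructed clock so the scenario is deterministic and offline."""
    def __init__(self, start=1000.0): self.now = start
    def advance(self, seconds): self.now += seconds
    def __call__(self): return self.now


def run_scenario():
    """Constructed request sequence; returns (per-request log, close reasons)."""
    clock = FakeClock()
    pool = KeepAlivePool(idle_timeout=30, max_requests=8, max_lifetime=100, clock=clock)
    log = []

    def request(host):
        conn, reused = pool.acquire(host)
        pool.release(conn)
        log.append("reused" if reused else "new")

    request("example.com")                 # fresh connection
    clock.advance(5)
    request("example.com")                 # reused: still warm, same circuit
    if parse_signal_event("650 SIGNAL NEWNYM") == "NEWNYM":
        pool.on_newnym()                   # control port reported NEWNYM
    request("example.com")                 # new: old one closed, reason "newnym"
    clock.advance(40)
    request("example.com")                 # new: idle 40 s > 30 s
    for _ in range(5):
        clock.advance(25)                  # busy but old: trips max_lifetime
        request("example.com")
    for _ in range(7):
        request("example.com")             # burst: trips max_requests
    return log, [reason for _, reason in pool.closed]


if __name__ == "__main__":
    print(run_scenario())
```

Note the order of checks in stale_reason: the generation test comes first, so
after NEWNYM an otherwise healthy connection is still refused. That is the
behaviour the proposal asks for; rules (1)-(3) only bound how long a
pre-NEWNYM connection could survive if the proxy were not told about the
signal at all.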
