
Experimenting with Tor and Pagekite



Hiya!

I've met a couple of you (hi Linus, hi Erinn), and as promised, I finally got around to looking into what it would take to use Pagekite as a remote front-end for a Tor relay.

Executive summary: it does not work, but making it work would be very easy.

First, for those of you who don't know me or PageKite: PageKite (http://pagekite.net/) is a free software project whose goal is to enable the average Joe to run servers on personal computers, laptops, mobiles, such things. We're focusing on the web first, so we currently have support for HTTP and HTTPS. The system is basically a "remote front-end service", where a front-end reverse proxy accepts incoming connections and then uses name-based virtual hosting techniques to forward requests over tunnels to remote back-ends. A bit like a load-balancer, or HTTP accelerator - except PageKite can proxy SSL connections as well, by looking at the TLS/SNI data.

(subliminal message: it's totally cool, please play with it and tell everyone how much you like it and give me all your money)

I met Linus and Erinn at FSCONS, and Linus thought Pagekite might be helpful for people who want to run relays but have trouble poking holes in their routers/firewalls.  So, having been told that an incoming Tor connection "looks just like SSL", I finally got around to testing it this evening to see if it would "just work".

It almost did! :-)

In fact, the only reason it doesn't work, is you guys are putting random domain names in the SNI section, instead of just using the name of the host you are connecting to. If I had a way of telling Tor what name to request, Pagekite could "route" incoming Tor connections without any modifications at all.

Now, I could still get it to work by hacking Pagekite to just blindly forward all connections on a specific port to the right back-end, but that would pretty much make it useless in a shared environment (where multiple users are sharing the same Pagekite front-end) which would largely defeat the purpose.

So, my questions:

 1. Would it be possible to add a feature to Tor which lets a relay specify what name to put in the SNI?

And finally:

 2. Is this all a bad idea anyway?

The reason I wonder if this is a bad idea, is it kinda messes with some of the fundamental assumptions of Tor. For one, you could end up with multiple relays having the same (incoming) visible IP addresses, but the traffic would pop out somewhere else on the network, on some other IP address entirely, which could be quite far away. So instead of one address, each Pagekite/Tor node actually has two, one or even both of which might be shared with different relay nodes (say if I have a Pagekite/Tor on both my laptop and my closet server).  Does this do bad things to your route selection algorithms? Are there structures in Tor which assume IP addresses are unique?

Thoughts?

--
Bjarni R. Einarsson
The Beanstalks Project ehf.

Making personal web-pages fly: http://pagekite.net/