[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: exit notation stripping



On Sat, Jul 11, 2009 at 03:14:19AM -0400, grarpamp wrote:
> >  This is why Privoxy includes a filter to strip the exit notation from
> >  the Host header when passing the request through, and why this filter
> >  should be enabled when using Privoxy for Tor purposes.
> 
> Note that this will not work for https obviously.

Yep. The smarter place to put this logic would be inside Torbutton
(or inside something else in Firefox-land).

But alas, the real answer is that the whole .exit notation needs to go
away. There are too many subtle security and anonymity problems with it.

If somebody wants to make a patch for 0.2.2.x that adds a new config
option for allowing .exit, disabled by default, this change would happen
faster. That seems to be the best compromise I can see -- keep users
safe by default, and let people screw themselves if they really want
the feature. Any takers? :)

Thanks,
--Roger