[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: exit notation stripping
On Tue, 14 Jul 2009 02:24:30 -0400 Roger Dingledine <arma@xxxxxxx>
wrote:
>On Sat, Jul 11, 2009 at 03:14:19AM -0400, grarpamp wrote:
>> > This is why Privoxy includes a filter to strip the exit notation from
>> > the Host header when passing the request through, and why this filter
>> > should be enabled when using Privoxy for Tor purposes.
>>
>> Note that this will not work for https obviously.
>
>Yep. The smarter place to put this logic would be inside Torbutton
>(or inside something else in Firefox-land).
>
>But alas, the real answer is that the whole .exit notation needs to go
>away. There are too many subtle security and anonymity problems with it.
>
>If somebody wants to make a patch for 0.2.2.x that adds a new config
>option for allowing .exit, disabled by default, this change would happen
>faster. That seems to be the best compromise I can see -- keep users
>safe by default, and let people screw themselves if they really want
>the feature. Any takers? :)
>
It is important to keep in mind that, for the time being at least,
the .exit notation is the best tool we (non-developers) have for zooming
in on and identifying bad exits.
Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet: bennett at cs.niu.edu *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good *
* objection to the introduction of that bane of all free governments *
* -- a standing army." *
* -- Gov. John Hancock, New York Journal, 28 January 1790 *
**********************************************************************