[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: exit notation stripping

     On Tue, 14 Jul 2009 02:24:30 -0400 Roger Dingledine <arma@xxxxxxx>
>On Sat, Jul 11, 2009 at 03:14:19AM -0400, grarpamp wrote:
>> >  This is why Privoxy includes a filter to strip the exit notation from
>> >  the Host header when passing the request through, and why this filter
>> >  should be enabled when using Privoxy for Tor purposes.
>> Note that this will not work for https obviously.
>Yep. The smarter place to put this logic would be inside Torbutton
>(or inside something else in Firefox-land).
>But alas, the real answer is that the whole .exit notation needs to go
>away. There are too many subtle security and anonymity problems with it.
>If somebody wants to make a patch for 0.2.2.x that adds a new config
>option for allowing .exit, disabled by default, this change would happen
>faster. That seems to be the best compromise I can see -- keep users
>safe by default, and let people screw themselves if they really want
>the feature. Any takers? :)
     It is important to keep in mind that, for the time being at least,
the .exit notation is the best tool we (non-developers) have for zooming
in on and identifying bad exits.

                                  Scott Bennett, Comm. ASMELG, CFIAG
* Internet:       bennett at cs.niu.edu                              *
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *