Re: Filtering out attacks?
On 5/17/05, alexyz@xxxxxxxxxx <alexyz@xxxxxxxxxx> wrote:
> If I can make an additional suggestion, why not have Tor implement some kind of packet
> inspection?
It's important to remember that the circuit route is decided at
connection time - before any higher level information is available.
Since this is the case, one cannot use information like "I won't
connect to google.com" from the directory.
Thus any application level filtering has to be network wide. The
alternative is a non-deterministic "sometimes Google works, sometimes
it doesn't" and that's a very bad user experience.
(yes, a node could wait until after getting the first header before
making the connection. That might work for some protocols. For HTTP it
would have to be site level filtering only because many requests can
be sent down the same connection. But we can do site level filtering
already with exit rules. Don't underestimate how nice it is that Tor
has so far avoided touching the traffic at all.)
Do you have specific examples of where this would be a good idea?
AGL
--
Adam Langley agl@xxxxxxxxxxxxxxxxxx
http://www.imperialviolet.org (+44) (0)7906 332512
PGP: 9113 256A CC0F 71A6 4C84 5087 CDA5 52DF 2CB6 3D60
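The exit-rule filtering Adam refers to above, as an added illustration that is not part of the original message and is not Tor's own code: a small Python re-implementation of exit-policy evaluation over a constructed ExitPolicy list. It assumes the torrc `accept|reject ADDR[/MASK]:PORT` line syntax with `*` wildcards and `N-M` port ranges, and first-match-wins semantics; the policy lines and the RFC 5737 documentation addresses are constructed for the example. The point it makes is the one in the message: an exit rule can only match the destination address and port of the connection, so filtering at this layer is per site (netblock), not per request.

```python
import ipaddress

# Constructed exit policy in torrc ExitPolicy syntax (example data, not a real
# relay's configuration). Addresses are RFC 5737 documentation ranges.
SAMPLE_POLICY = [
    "reject 192.0.2.0/24:*",   # drop one site's whole netblock, every port
    "reject *:25",             # no outbound SMTP from this exit
    "accept *:80",
    "accept *:443",
    "reject *:*",              # everything else
]


def parse_rule(rule):
    """Parse 'accept|reject ADDR[/MASK]:PORT' into (verdict, network, (lo, hi)).

    ADDR may be '*' (any address; network is None) or an IPv4/IPv6 address or
    CIDR block. PORT may be '*', a single port, or 'N-M'. Bracketed IPv6
    literals ('[::1]:80') are not handled here.
    """
    verdict, target = rule.split(None, 1)
    if verdict not in ("accept", "reject"):
        raise ValueError("bad verdict in rule: %r" % rule)
    addr, _, port = target.rpartition(":")
    net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
    if port == "*":
        ports = (1, 65535)
    elif "-" in port:
        lo, hi = port.split("-", 1)
        ports = (int(lo), int(hi))
    else:
        ports = (int(port), int(port))
    return verdict, net, ports


def exit_allows(policy, ip, port):
    """First matching rule decides; returns True for accept, False for reject.

    Only the destination address and port take part in the decision: the rule
    set has no access to anything above the TCP connect target, which is why
    this is site-level filtering and cannot look at individual HTTP requests.
    If no rule matches, treat as reject (a real relay appends a default policy).
    """
    addr = ipaddress.ip_address(ip)
    for rule in policy:
        verdict, net, (lo, hi) = parse_rule(rule)
        if net is not None and addr not in net:
            continue
        if not lo <= port <= hi:
            continue
        return verdict == "accept"
    return False


if __name__ == "__main__":
    for dest in [("192.0.2.10", 80), ("198.51.100.7", 80),
                 ("198.51.100.7", 25), ("198.51.100.7", 8080)]:
        print(dest, "accept" if exit_allows(SAMPLE_POLICY, *dest) else "reject")
```

Note that several connections to the same address and port are indistinguishable to this check; once the first rule accepts 198.51.100.7:80, every request multiplexed over that TCP connection goes through, which is the limitation the message points out for HTTP.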