Re: Exit-node keeps .$mynode.exit in dns name

On 5/15/07, M <maillist@xxxxxxxxxxxx> wrote:
My problem is the following: I typed http://whitehouse.gov.$mynode.exit (where
$mynode was my exit node's name) in the address bar, waited a moment and got
the following error message from the server running a transparent Squid proxy:

What's happening is that your Tor client strips the .$mynode.exit suffix before initiating a stream through an exit node. At the exit node, Tor resolves whitehouse.gov and tries to connect to it, but your packet filter redirects the connection to Squid. Squid then looks up the original destination address and ignores it, preferring to use the HTTP host header specifying whitehouse.gov.$mynode.exit.

If I understand correctly, Privoxy has an option to strip the
.$mynode.exit suffix from host headers. This is something you'd want to
do next to your Tor client.

This does raise the issue of exit nodes redirecting HTTP streams
(and even non-HTTP port 80 traffic) through transparent caching proxies.
If people know exit nodes are logging not only "connection" data, but also
actual content of traffic they relay, exit nodes become a more valuable
target for attackers.

Also, since HTTP proxies won't pass non-HTTP traffic (setting aside
CONNECT, which is part of HTTP), it seems these exit nodes are lying in
their exit policies. They claim to allow port 80, but non-HTTP streams on
port 80 will fail unexpectedly.
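
The client-side suffix stripping discussed in the message above, as an added example that is not part of the original post and is not Privoxy's code. The function names and the sample node name are hypothetical, and the selector pattern (a 1-19 character alphanumeric nickname or `$` plus a 40-hex-digit fingerprint) is an assumption stated in the code.

```python
import re

# Assumption: an exit selector is a 1-19 character alphanumeric nickname or
# "$" followed by a 40-hex-digit fingerprint, then ".exit" (optional final dot).
_EXIT_SUFFIX = re.compile(
    r"\.(?:\$[0-9A-Fa-f]{40}|[A-Za-z0-9]{1,19})\.exit\.?$", re.IGNORECASE
)


def strip_exit_suffix(hostport):
    """Return host[:port] with a trailing .<node>.exit selector removed."""
    if hostport.startswith("["):  # IPv6 literal, cannot carry a .exit suffix
        return hostport
    host, sep, port = hostport.partition(":")
    stripped = _EXIT_SUFFIX.sub("", host)
    # Never return an empty host (input such as ".mynode.exit" is left alone).
    return (stripped or host) + sep + port


def sanitize_request(raw):
    """Rewrite the request line and Host header of a raw HTTP/1.x request."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    m = re.match(r"(?i)(http://)([^/]+)(.*)", target)
    if m:  # absolute-form target, as a browser sends it to a proxy
        target = m.group(1) + strip_exit_suffix(m.group(2)) + m.group(3)
    lines[0] = " ".join((method, target, version))
    for i, line in enumerate(lines[1:], start=1):
        name, colon, value = line.partition(":")
        if colon and name.strip().lower() == "host":
            lines[i] = "Host: " + strip_exit_suffix(value.strip())
    return "\r\n".join(lines).encode("iso-8859-1") + sep + body


# Constructed sample: the request from the thread, with a made-up node name.
SAMPLE = (
    b"GET http://whitehouse.gov.mynode.exit/ HTTP/1.1\r\n"
    b"Host: whitehouse.gov.mynode.exit\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(sanitize_request(SAMPLE).decode("iso-8859-1"))
```

The rewrite has to happen between the browser and the Tor client's SOCKS port: the SOCKS request still carries the .exit name so Tor can pick the exit, while the HTTP bytes sent through the stream no longer mention it.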