[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Making a Site Available as both a Hidden Service and on the www - thoughts?



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

carlo von lynX wrote:
> On Sun, May 17, 2015 at 11:26:41AM -0000, Ben wrote:
>> Anti-abuse scripts --------------------------
>> 
>> There are some off-the-shelf protections built into the site.
>> Given they were designed for the www, they can (and do) ban any
>> IP that's seen as a repeat offender.
>> 
>> Either an exclusion needs to be made, or the HS will sometimes
>> show 'nice' visitors a potentially rude message :)
> 
> When running a HS you don't get *any* clue where the circuit is
> coming from so the off-the-shelf protections may fail. It would be
> cool if Tor was to introduce bidirectionally authenticated circuits
> - that would allow for proper P2P apps over Tor - and in your case
> allow for users to consciously choose pseudonimity instead of
> anonymity (by storing the public key they used to access your site
> last time). This allows you as the site owner to apply behavioral
> ranking logic to pseudonymous users without annoying them with a
> registration.
> 

If the patch to give each inbound circuit its own temporary "IP
address" [0] were ever to be committed, then you could potentially use
off-the-shelf protections to protect HSs. However, the local addresses
are only ever temporarily unique, because they are derived from the
circuit ID; the protection application would need to be carefully
configured so that its timeouts matched the expected durations for
which a circuit ID is expected to be unique.

Bidirectionally-authenticated circuits (like I2P's tunnels) are
certainly a better way to enable protections like these, but
off-the-shelf applications won't work with them. I2P "solves" this by
implementing the protection itself, including some general rate
limiting features in server tunnels that drop connections before the
webserver ever sees them. It also includes a unique local address per
client feature like [0] for use with off-the-shelf applications, but
this is open to collisions (because the client hash space does not fit
into the IPv4 or IPv6 localhost address space).

str4d

[0] https://lists.torproject.org/pipermail/tor-dev/2014-March/006576.htm
l
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJVWnnxAAoJEBO17ljAn7PgtqMP/1+GpwdGKcLbyBgEA4diwXlp
KwY1QyB4NgV+swO6LPrfvmKeWIOr5V1Rbw9qrcFqDmcrRNbV2hCioC7pQ5YHLD6W
7ZnnbStJh5AG5B0PBK0d9hMaYuW4D0LzDOvCkHogT32JVitfRW2rEZfIm4XC2TEh
acVIWREUJvqrArykSxUCvMbyZGf2BEvrDQFZ2yuIgRB1FvVnFSOnbv1IXM1WvVI4
kUIb5ORQ+2KXTmKmH/KT2k52c8ofkgeJsTYr209VzHxLHaH2o72PBYS4Seh56JVl
OZb3J/ezDbIYrEupCKZR1ibc5vAWL0dIfA65BsyJ2naJuYu/lAgR6VN6J5/H81+4
zAjb7Jx66S9J6jmzK3uOD/ztS1xJ4gU8VcT4wplQgVdEzXqPXHo3RqczhXN+fG/Y
PDpw4CHfrmcTTmd+C+sHYdpIEGcc2fmUYy1dWLPQ1AwAGLZhstZcgHWhwz7PUvAJ
O5tJFsv3rXka34drXWTfA9/3diLrOlwDMz1HOnRpPhnqFmE6z64Eob4xVOuUmb3D
iu9gcO5hmBc9+S3Imnk8kwUjdKvlVpXi2EvMHEcuhxcajcifRQQtgLHzjwhEh5Lc
CzA0PlrQJf8qKsjWVYeZivkYd8RQN8ape/yWmUDohOQqsepsBxn+1jSVbRd3K7nE
X3UCPecTdFHVFUIeEViX
=6H/8
-----END PGP SIGNATURE-----
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk