Re: [tor-talk] Making a Site Available as both a Hidden Service and on the www - thoughts?
carlo von lynX wrote:
> On Sun, May 17, 2015 at 11:26:41AM -0000, Ben wrote:
>> Anti-abuse scripts --------------------------
>> There are some off-the-shelf protections built into the site.
>> Given they were designed for the www, they can (and do) ban any
>> IP that's seen as a repeat offender.
>> Either an exclusion needs to be made, or the HS will sometimes
>> show 'nice' visitors a potentially rude message :)
> When running a HS you don't get *any* clue where the circuit is
> coming from so the off-the-shelf protections may fail. It would be
> cool if Tor was to introduce bidirectionally authenticated circuits
> - that would allow for proper P2P apps over Tor - and in your case
> allow for users to consciously choose pseudonymity instead of
> anonymity (by storing the public key they used to access your site
> last time). This allows you as the site owner to apply behavioral
> ranking logic to pseudonymous users without annoying them with a
If the patch to give each inbound circuit its own temporary "IP
address" were ever to be committed, then you could potentially use
off-the-shelf protections to protect HSs. However, the local addresses
are only ever temporarily unique, because they are derived from the
circuit ID; the protection application would need to be carefully
configured so that its timeouts matched the expected durations for
which a circuit ID is expected to be unique.
Bidirectionally-authenticated circuits (like I2P's tunnels) are
certainly a better way to enable protections like these, but
off-the-shelf applications won't work with them. I2P "solves" this by
implementing the protection itself, including some general rate
limiting features in server tunnels that drop connections before the
webserver ever sees them. It also includes a unique local address per
client feature like  for use with off-the-shelf applications, but
this is open to collisions (because the client hash space does not fit
into the IPv4 or IPv6 localhost address space).
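Two of the caveats in the reply above (a ban timeout that must not outlive the identifier it is keyed on, and a client hash space that cannot be squeezed into the loopback address space without collisions) are easy to see in code. The following is an added illustration, not code from this thread, from Tor or from I2P: the 24-bit "first three bytes of the hash into 127.0.0.0/8" mapping is a hypothetical scheme chosen only to make the collision point concrete, and the `BanTracker` class, its `id_lifetime` parameter and the constructed client hashes are all assumptions of the example.

```python
import math
import ipaddress
from collections import defaultdict

# Hypothetical mapping for this example: 127.0.0.0/8 leaves 24 host bits,
# so any client hash longer than 3 bytes is being folded into 2**24 slots.
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
HOST_BITS = 32 - LOOPBACK.prefixlen  # 24


def loopback_for_client(client_hash: bytes) -> ipaddress.IPv4Address:
    """Fold a client hash onto a loopback address (assumed scheme, not I2P's)."""
    host_part = int.from_bytes(client_hash[:HOST_BITS // 8], "big")
    return LOOPBACK.network_address + host_part


def find_collision(hashes):
    """Return the first pair of distinct hashes that share a loopback address, else None."""
    seen = {}
    for h in hashes:
        addr = loopback_for_client(h)
        if addr in seen and seen[addr] != h:
            return seen[addr], h, addr
        seen[addr] = h
    return None


def birthday_bound(address_space: int) -> float:
    """Number of clients at which a collision in `address_space` slots is ~50% likely."""
    return math.sqrt(2 * math.log(2) * address_space)


class BanTracker:
    """Ban list keyed by an ephemeral local address.

    `id_lifetime` is how long one address can be trusted to mean one client
    (for a circuit-derived address, the circuit's lifetime). Offence counts
    older than that are discarded, and no ban may last longer than it,
    because after that point the same address may belong to someone else.
    """

    def __init__(self, threshold: int, ban_ttl: float, id_lifetime: float):
        self.threshold = threshold
        self.id_lifetime = id_lifetime
        self.ban_ttl = min(ban_ttl, id_lifetime)  # cap the ban at the identifier's life
        self.offences = defaultdict(list)          # addr -> offence timestamps
        self.bans = {}                             # addr -> expiry timestamp

    def is_banned(self, addr, now: float) -> bool:
        expiry = self.bans.get(addr)
        if expiry is None:
            return False
        if now >= expiry:
            del self.bans[addr]
            return False
        return True

    def record_offence(self, addr, now: float) -> bool:
        """Log one offence; return True if this pushes the address over the threshold."""
        recent = [t for t in self.offences[addr] if now - t < self.id_lifetime]
        recent.append(now)
        self.offences[addr] = recent
        if len(recent) >= self.threshold:
            self.bans[addr] = now + self.ban_ttl
            return True
        return False


if __name__ == "__main__":
    # Constructed hashes: same first three bytes, different remainder.
    a = bytes.fromhex("0a0b0c" + "00" * 29)
    b = bytes.fromhex("0a0b0c" + "ff" * 29)
    print("collision:", find_collision([a, b]))
    print("clients for ~50% collision odds in /8 loopback:",
          round(birthday_bound(2 ** HOST_BITS)))
    tracker = BanTracker(threshold=3, ban_ttl=3600, id_lifetime=600)
    addr = loopback_for_client(a)
    for t in (0, 1, 2):
        print("offence at", t, "-> banned:", tracker.record_offence(addr, t))
    print("still banned at 700s:", tracker.is_banned(addr, 700))
```

The point of `find_collision` is that two entirely unrelated 32-byte client hashes land on the same 127.x.y.z address as soon as their first three bytes agree, and `birthday_bound` shows that with a 24-bit slot space this becomes a coin flip at a few thousand concurrent clients, so a ban on that address is a ban on whoever else folds onto it. The point of `BanTracker` is the timeout caveat from the reply: a fail2ban-style tool with an hour-long ban keyed on a ten-minute circuit identifier is silently capped to ten minutes, and offence history older than the identifier's lifetime is discarded rather than attributed to the next client that inherits the address.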
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx