>
>> As observed elsewhere, we tell our infrastructure that any traffic inbound
>> from the Facebook onion site is sourced from the DHCP broadcast
>> network (169.254/whatever).
>
> [â]
> I'm assuming you're pushing an IP in that range into the X-Forwarded-For
> header?
Approximately yes; we use a different header (extant, internal) so we can mostly not mess with the existing headers.
> Without wanting to start a thread-in-a-thread, I've definitely got mixed
> feelings on that one. I think most sites should be using HTTPS, but I
> think there are also cases where HTTPS genuinely may not be
> needed/desirable.
I agree that sometimes itâs overkill. Iâm okay with an occasional bit of overkill in this area.
One extra aside: if you go with SSL and get the EV Onion cert (which supports wildcards, yay!) - then if you were to lose your onion key for some reason the move to a new address would be less traumatic. Of course this is a mechanism of trust placed in CAs (etc, etc) and of course there are other ways to achieve the same thing (e.g.: TOFU?) - but this one is extant and works.
I like the mutual reinforcement of Tor and SSL, each addresses issues in the other. :-)
-a
â
Alec Muffett
Security Infrastructure
Facebook Engineering
London
Attachment:
signature.asc
Description: Message signed with OpenPGP using GPGMail
-- tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk