> Are you doing anything to maximise the effect that (say) a ban based on
> IP can have?

Ah, I see - I mistook your intent, please let me clarify:

From a threat perspective we basically treat our onion site like a large web proxy with a mix of (by far the majority) normal and (remainder) malicious activity emanating from it. There are a bunch of such proxies "out there" on the net anyhow - e.g.: any Tor exit node - so having one more is not a big deal.

The "rewrite the onion to a 169.254/*" is a book-keeping measure so that we don't have to special-case either RFC-1918 or publicly routable IP addresses in our stack. We don't use the onion's virtual IP for any sense of "session" management.

> Have you made any changes lower down (similar to the patch str4d posted,
> I guess) so that you can do it on a per-circuit basis (making things a
> little harder)

We are currently running a vanilla tor daemon binary. No mods, no magic, basic config.

>> I agree that sometimes it's overkill. I'm okay with an occasional bit
>> of overkill in this area.
>
> It depends, here's a massively oversimplified example
> [...]
> Switch to HTTPS.
>
> Every 300 requests, the connection is still torn-down by the origin but
> now you have to redo your SSL handshake etc. With VoD that's once every
> 600 seconds (as you only need to retrieve the manifest once).

[deletia]

That's a really interesting example, thank you! Food for thought...

> the point I'm trying to make is that people tend to assume that the
> traditional overhead of SSL is largely negated by the power of the
> systems we use now, but there are definitely areas where that assumption
> might be incorrect.

Yep. Our approach so far has been to "just try it and see what works" - and then measure and fix the issues later, in-situ. There have been far fewer issues than we expected. :-)

- alec
-- tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk