[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Hacker strikes through student's router



On Tue, Nov 08, 2005 at 10:14:31PM -0500, Anthony DiPierro wrote:
> How hard would it be to run a Tor exit node which accepts GET requests but
> not POST requests? Or, possibly, POST requests could simply be passed on to
> another Tor exit node? Would it be ethical to do this? You'd have to examine
> the traffic to see if it was a GET or a POST, but you wouldn't have to store
> anything.

You could make one tomorrow, but it would be useless, since clients
wouldn't know how to handle its restrictions automatically.

Moreover, if you were doing this in order to try to keep people from
doing bad stuff over your server, you'd be sorely disappointed: the
world has GET-based exploits as well as POST-based exploits.

Finally, you'd set a pretty awful precedent if you did this without
careful planning: suppose you decide to handle only GET from HTTP, and
somebody else decides to also handle POST to a limited number of
sites, and somebody else decides to normalize requests, all without
giving clients an idea of what to expect, we'll be in a world of
trouble.

(I hate to think what would happen to protocols more finicky than
HTTP.)

yrs,
-- 
Nick Mathewson

Attachment: pgpvGGfIxph4O.pgp
Description: PGP signature