On Tue, Nov 08, 2005 at 10:14:31PM -0500, Anthony DiPierro wrote:
> How hard would it be to run a Tor exit node which accepts GET requests but
> not POST requests? Or, possibly, POST requests could simply be passed on to
> another Tor exit node? Would it be ethical to do this? You'd have to examine
> the traffic to see if it was a GET or a POST, but you wouldn't have to store
> anything.

You could make one tomorrow, but it would be useless, since clients wouldn't know how to handle its restrictions automatically.

Moreover, if you were doing this in order to try to keep people from doing bad stuff over your server, you'd be sorely disappointed: the world has GET-based exploits as well as POST-based exploits.

Finally, you'd set a pretty awful precedent if you did this without careful planning: suppose you decide to handle only GET from HTTP, and somebody else decides to also handle POST to a limited number of sites, and somebody else decides to normalize requests, all without giving clients an idea of what to expect, we'll be in a world of trouble. (I hate to think what would happen to protocols more finicky than HTTP.)

yrs,
--
Nick Mathewson