Re: [tor-dev] Proposal: HTTP header distinguish TBB users

Subject: Re: [tor-dev] Proposal: HTTP header distinguish TBB users

From: Tim Wilson-Brown - teor <teor2345@xxxxxxxxx>

Date: Sat, 3 Oct 2015 14:13:12 +0200

Delivery-date: Sat, 03 Oct 2015 08:13:28 -0400

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:message-id :references:to; bh=yKH6+K9xq5/oN7uIAczerb2nx45+iz+dFfBJmi6GP9Y=; b=VKqxFFtH1gG8qt3+JwZ+3SDqFcIb5fhqMLmF0zVqJ94vYzSWaCU+kSft/NDglu7R5w eVwtO/dusVbtd4MB7573ofwav/awBugq4cNjQYboc4EoEuRZQFVexp2PEJysUW/zPF0D 1ISsd3KMPPUSiik9Zmm06803CbOFzI/csUfOMqgytDbwm/osIknhSQV+qFdjUGm2FKDk aNt4Uhy6QKG/oentrQfni+6I2istnp8nCghP4xYDQrGN/JXW/qOU2a7edlz4/LApXuxu v0M0MhBUqKn56N4IXAwfWz8cffQs0upWhr6UDuSZd3NvZ4ZQ8W3706VME2fOyM0+4mKG 52vg==

In-reply-to: <CADop2NE-hd0cq7PJA-YpvFJR7iugstD8Fmo=2hT93GBsNTm_9w@xxxxxxxxxxxxxx>

List-archive: <http://lists.torproject.org/pipermail/tor-dev/>

List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>

List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>

List-post: <mailto:tor-dev@lists.torproject.org>

List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>

List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>

References: <CADop2NE-hd0cq7PJA-YpvFJR7iugstD8Fmo=2hT93GBsNTm_9w@xxxxxxxxxxxxxx>

Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx

Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>

On 3 Oct 2015, at 14:10, Virgil Griffith <i@xxxxxxxxx> wrote:

(2) If we (Tor Project) is going to ask MaxMind to do something special to distinguish TBB users, it seems reasonable we should make the same effort. I know in the past it's been proposed for TBB to include a special HTTP header, e.g.,

Tor-Browser-Bundle: true

to distinguish TBB users. If this header existed, I could detect it at the CDN-level and do the appropriate redirect. Alternatively, We could do something equivalent with the "Via": HTTP header, but that seems overkill.

Between these two options, I personally opt for (2) because it seems inappropriate to request MaxMind to help us do X when we have not done what we can do to achieve X.

Q: Does anyone (especially Mike Perry) have any objections to (2)? If not, I will write the proposal.

I think this kind of tagging has security implications, but Iâm not sure what the tradeoffs are.

Are we still trying to hide TBB users in the Mozilla browser crowd?

Are we making it even easier to identify and block TBB users?

Tim

Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP 968F094B

teor at blah dot im
OTR CAD08081 9755866D 89E2A06F E3558B7F B5A9D14F

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

_______________________________________________ tor-dev mailing list tor-dev@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev