
Re: TorButton and information disclosure on last OR



I think that you misunderstand what the Host header is for. It is a
required header for HTTP/1.1, and it gives a host *name* that the
server can then use to differentiate which resource you wanted. For
example, www.example.com and news.example.com could be run off the
same server. In order for the server to determine which resource you
want when you connect to it, it inspects the Host header.

Regardless, unless you are using an encrypted end-to-end connection,
you should always assume that the last OR has the ability to read what
you are sending. TorButton does several tasks that help to prevent the
end server (and eavesdropping last OR) from being able to build a
pseudonym for you, including modifying your HTTP headers to reduce the
chance of disclosure.

Are you attempting to connect to your own server by IP? That's about
the only way that I know of that your IP would end up in the Host
header.

--
Marcus Griep



On Sun, Jan 31, 2010 at 10:46 AM, Mansur Marvanov <nanorobocop@xxxxxxxxx> wrote:
> Hello!
>
> I have a Client machine with TorButton (Tor client + Firefox + Privoxy
> + TorButton) and a Server machine with Apache.
> But when I'm trying to connect from Client to Server through TOR
> network I see that there's my information on HTTP-headers on Server
> side that last OR gives to my Apache.
> So, AFAIU last OR has all information about me? Isn't it disclosure of
> information?
> I think that it would be better if TorButton changes or deletes
> HTTP-headers that could disclose me.
> For example, at least TorButton could hide my Host header, but it
> doesn't.. Is it a bug or what?
>
> GET / HTTP/1.1
> Host: ***MY***REAL***IP***
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
> rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: windows-1251,utf-8;q=0.7,*;q=0.7
> If-Modified-Since: Sat, 26 Sep 2009 15:50:51 GMT
> If-None-Match: "883d5-2d-4747d076a8cc0"-gzip
> Cache-Control: max-age=0
> Connection: close
>
> HTTP/1.1 200 OK
> Date: Sun, 31 Jan 2010 14:08:29 GMT
> Server: Apache/2.2.9 (Ubuntu)
> Last-Modified: Sat, 26 Sep 2009 15:50:51 GMT
> ETag: "883d5-2d-4747d076a8cc0"-gzip
> Accept-Ranges: bytes
> Vary: Accept-Encoding
> Content-Encoding: gzip
> Content-Length: 56
> Connection: close
> Content-Type: text/html
>
> ............(....I.O....0..,Q(./..V....l.!..`U\.QU.f-...
> ***********************************************************************
> To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxxx with
> unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/
>
>
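The Host header behaviour described in the reply above, as an added example that is not part of the original thread: the client copies the Host value from the URL it was asked to fetch, and the server uses it to pick a site. The function names, the site table and the 192.0.2.10 address are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: two sites served from one machine (name-based virtual hosts).
VHOSTS = {"www.example.com": "/srv/www", "news.example.com": "/srv/news"}
DEFAULT_SITE = "/srv/default"

def build_request(url):
    """Build the request a browser sends; Host is taken from the URL's authority."""
    parts = urlsplit(url)
    path = parts.path or "/"
    return f"GET {path} HTTP/1.1\r\nHost: {parts.netloc}\r\nConnection: close\r\n\r\n"

def parse_host(raw_request):
    """Return the Host header value without its port, or None if it is absent."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            value = value.strip()
            if value.startswith("["):            # bracketed IPv6 literal
                return value[1:].partition("]")[0]
            return value.rsplit(":", 1)[0] if ":" in value else value
    return None

def host_is_ip_literal(host):
    """True when Host holds an address rather than a name (the URL used an IP)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def select_vhost(raw_request, vhosts=VHOSTS, default=DEFAULT_SITE):
    """Pick the document root the way a name-based virtual host server does."""
    host = parse_host(raw_request)
    if host is None:
        return None                              # HTTP/1.1 requires Host
    return vhosts.get(host.lower(), default)

if __name__ == "__main__":
    for url in ("http://www.example.com/", "http://news.example.com/a",
                "http://192.0.2.10/"):
        req = build_request(url)
        host = parse_host(req)
        print(url, "-> Host:", host, "| ip literal:", host_is_ip_literal(host),
              "| site:", select_vhost(req))
```

An address in the Host header is the server's address as written in the URL, not the client's; the two only coincide when client and server share that address.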