Yesterday Lief compellingly argued that if a TBB user accidentally clicks on a link to my tor2web proxy (onion.link), they should be redirected to the .onion address. It hadn't occurred to me before that a Tor user might accidentally click an onion.link URL, but yes, I completely concur, and I told Lief I would prioritize this and would owe him a Bitcoin if I didn't get this implemented within a week.
Now the trouble starts. If the TBB user gets to the tor2web backend I check if they're coming from an Exit relay and redirect them---all good. But a CDN (Fastly.com) sits in front of my backends and right now it's unclear how to detect TBB at the CDN level.
Going over my CDN's documentation. They do have the standard MaxMind database for geo-IP. So that's good. But plugging in an exit-node IP# merely reports as an "A1" for "Anonymous Proxy". Unfortunately there are many anonymous proxies other than Tor so that won't do.
There are two ways to solve this.
(1) For a given IP#, MaxMind reports numerous entries aside from the "A1" for country code. We could ask MaxMind to specify whatever else it knows about the Anonymous Proxy in the other fields such as the "Location" or "Organization" field. So when plugging in a Tor exit relay it would return something like:
{ "countrycode": "A1", "location": "Tor", "domain": "torproject.org" }
or some such. This seems a reasonable request. Do we know someone at MaxMind to forward this request to?
(2) If we (Tor Project) are going to ask MaxMind to do something special to distinguish TBB users, it seems reasonable we should make the same effort. I know in the past it's been proposed for TBB to include a special HTTP header, e.g.,
Tor-Browser-Bundle: true
to distinguish TBB users. If this header existed, I could detect it at the CDN-level and do the appropriate redirect. Alternatively, we could do something equivalent with the "Via": HTTP header, but that seems overkill.
Between these two options, I personally opt for (2) because it seems inappropriate to request MaxMind to help us do X when we have not done what we can do to achieve X.
Q: Does anyone (especially Mike Perry) have any objections to (2)? If not, I will write the proposal.
-V
P.S. Lief... even if we go at maximum speed, it looks like I'm going to owe you that Bitcoin. Email me your BTC address? How embarrassing.
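The backend check described above (is the client coming from an exit relay, and if so redirect) becomes harder once a CDN sits in front, because the backend only sees the CDN's address. The following is an added example, not code from the thread, from tor2web or from Fastly: it shows how a backend can recover the client address from the CDN and make the redirect decision. The exit-relay addresses, the CDN egress ranges and the sample requests are all constructed for the example, and the rule of trusting only the rightmost X-Forwarded-For entry, and only when the connecting peer is the CDN, is this example's own design choice.

```python
import ipaddress

# Constructed sample data: these exit-relay addresses and CDN egress ranges
# are made up for the example. A real deployment would load the published
# Tor exit list and the CDN vendor's address ranges and refresh both often.
EXIT_RELAYS = {
    ipaddress.ip_address("198.51.100.7"),
    ipaddress.ip_address("203.0.113.42"),
    ipaddress.ip_address("2001:db8:1::7"),
}
CDN_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8:ffff::/48"),
]


def is_cdn_peer(peer_ip):
    """True when the TCP peer is one of our CDN's egress addresses."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in CDN_RANGES)


def client_ip(peer_ip, x_forwarded_for):
    """Return the address that should be checked against the exit list.

    X-Forwarded-For is a comma-separated chain; each proxy appends the address
    it received the connection from. Only the rightmost entry was written by
    the proxy that connected to us, and it is only meaningful when that proxy
    is our CDN. Anything further left may have been supplied by the client
    itself (or by other proxies or VPNs between the exit and the gateway),
    so it is ignored.
    """
    if not is_cdn_peer(peer_ip) or not x_forwarded_for:
        return ipaddress.ip_address(peer_ip)
    last_hop = x_forwarded_for.split(",")[-1].strip()
    try:
        return ipaddress.ip_address(last_hop)
    except ValueError:
        # Malformed header: do not guess, treat the peer as the client.
        return ipaddress.ip_address(peer_ip)


def is_tor_exit(addr):
    """True when addr is in the (constructed) exit-relay set."""
    return ipaddress.ip_address(addr) in EXIT_RELAYS


def decide(peer_ip, headers):
    """Return "redirect" when the request arrived via a Tor exit, else "serve".

    headers is a dict of request headers; the lookup is case-insensitive.
    """
    xff = next((v for k, v in headers.items() if k.lower() == "x-forwarded-for"), None)
    return "redirect" if is_tor_exit(client_ip(peer_ip, xff)) else "serve"


if __name__ == "__main__":
    # Constructed requests: via the CDN from an exit; a direct hit carrying a
    # forged header; via the CDN with an exit address in the untrusted part.
    print(decide("192.0.2.10", {"X-Forwarded-For": "198.51.100.7"}))                # redirect
    print(decide("203.0.113.9", {"X-Forwarded-For": "198.51.100.7"}))               # serve
    print(decide("192.0.2.10", {"X-Forwarded-For": "203.0.113.42, 203.0.113.99"}))  # serve
```

The third sample request is the one that matters for the CDN case: the exit address appears in the header, but in a position the client could have written, so it is not acted on. Only the CDN-appended entry decides.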
On 3 Oct 2015, at 14:10, Virgil Griffith i@virgil.gr wrote:
> (2) If we (Tor Project) are going to ask MaxMind to do something special to distinguish TBB users, it seems reasonable we should make the same effort. I know in the past it's been proposed for TBB to include a special HTTP header, e.g.,
> Tor-Browser-Bundle: true
> to distinguish TBB users. If this header existed, I could detect it at the CDN-level and do the appropriate redirect. Alternatively, we could do something equivalent with the "Via": HTTP header, but that seems overkill.
> Between these two options, I personally opt for (2) because it seems inappropriate to request MaxMind to help us do X when we have not done what we can do to achieve X.
> Q: Does anyone (especially Mike Perry) have any objections to (2)? If not, I will write the proposal.
I think this kind of tagging has security implications, but I’m not sure what the tradeoffs are.
Are we still trying to hide TBB users in the Mozilla browser crowd? Are we making it even easier to identify and block TBB users?
Tim
Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP 968F094B
teor at blah dot im OTR CAD08081 9755866D 89E2A06F E3558B7F B5A9D14F
> Are we still trying to hide TBB users in the Mozilla browser crowd?
My understanding of this, because we make the exit relays public, is that the answer is "no". Correct me if I'm wrong.
> Are we making it even easier to identify and block TBB users?
Mildly so. But if an operator wants to block TBB users they don't need to have much trouble using the ExitRelay list or the MaxMind anonymous proxy list.
For what it's worth we had a similar discussion in tor2web over whether to add the "x-tor2web" request header. We eventually decided to add it.
-V
On Sat, Oct 3, 2015 at 2:13 PM Tim Wilson-Brown - teor teor2345@gmail.com wrote:
> On 3 Oct 2015, at 14:10, Virgil Griffith i@virgil.gr wrote:
> > (2) If we (Tor Project) are going to ask MaxMind to do something special to distinguish TBB users, it seems reasonable we should make the same effort. I know in the past it's been proposed for TBB to include a special HTTP header, e.g.,
> > Tor-Browser-Bundle: true
> > to distinguish TBB users. If this header existed, I could detect it at the CDN-level and do the appropriate redirect. Alternatively, we could do something equivalent with the "Via": HTTP header, but that seems overkill.
> > Between these two options, I personally opt for (2) because it seems inappropriate to request MaxMind to help us do X when we have not done what we can do to achieve X.
> > Q: Does anyone (especially Mike Perry) have any objections to (2)? If not, I will write the proposal.
> I think this kind of tagging has security implications, but I’m not sure what the tradeoffs are.
> Are we still trying to hide TBB users in the Mozilla browser crowd? Are we making it even easier to identify and block TBB users?
> Tim
> Tim Wilson-Brown (teor)
> teor2345 at gmail dot com PGP 968F094B
> teor at blah dot im OTR CAD08081 9755866D 89E2A06F E3558B7F B5A9D14F
> tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
On Sun, 4 Oct 2015, at 01:13 AM, Tim Wilson-Brown - teor wrote:
> On 3 Oct 2015, at 14:10, Virgil Griffith i@virgil.gr wrote:
> > (2) If we (Tor Project) are going to ask MaxMind to do something special to distinguish TBB users, it seems reasonable we should make the same effort. I know in the past it's been proposed for TBB to include a special HTTP header, e.g.,
> > Tor-Browser-Bundle: true
> > to distinguish TBB users. If this header existed, I could detect it at the CDN-level and do the appropriate redirect. Alternatively, we could do something equivalent with the "Via": HTTP header, but that seems overkill.
> > Between these two options, I personally opt for (2) because it seems inappropriate to request MaxMind to help us do X when we have not done what we can do to achieve X.
> > Q: Does anyone (especially Mike Perry) have any objections to (2)? If not, I will write the proposal.
> I think this kind of tagging has security implications, but I’m not sure what the tradeoffs are.
> Are we still trying to hide TBB users in the Mozilla browser crowd? Are we making it even easier to identify and block TBB users?
If any sites do start blocking users based on the header (and not also based on IP) it will push people into using a non-TBB browser to access Tor.
-- Carlin
On Sat, 3 Oct 2015, Virgil Griffith wrote:
> Now the trouble starts. If the TBB user gets to the tor2web backend I check if they're coming from an Exit relay and redirect them---all good. But a CDN (Fastly.com) sits in front of my backends and right now it's unclear how to detect TBB at the CDN level.
I don't think this should be fixed by detecting TBB, which somehow counters the very purpose of TBB. What about having a scriptlet/extension/whatever in The Tor Browser that sends the request directly via the Tor network instead of using the gateway? A client-side solution is the only way to recover your Bitcoin, to me.
~saper
On 10/03/2015 02:10 PM, Virgil Griffith wrote:
> Now the trouble starts. If the TBB user gets to the tor2web backend I check if they're coming from an Exit relay and redirect them---all good. But a CDN (Fastly.com) sits in front of my backends and right now it's unclear how to detect TBB at the CDN level.
The CDN should forward the client IP address as X-Forwarded-For or something?
various wrote:
> Yesterday Lief compellingly argued that if a TBB user accidentally clicks on a link to my tor2web proxy (onion.link), they should be redirected to the .onion address. It hadn't occurred to me before that a Tor user might accidentally click an onion.link URL
TBB plugin: T2W-OE - tor2web onion everywhere. Fork HTTPS-E. Maintain list of known t2w's. Plugin update from tpo. Matching engine rewrites t2w URL's to onions in TBB before the fetch.
> { "countrycode": "A1", "location": "Tor", "domain": "torproject.org" } or some such. This seems a reasonable request. Do we know someone at
They may not wish to if they want to return a single result per IP, and an IP could be running more than one proxy (tor, i2p/cjdns exit, vpngate, plain old vpn service, whatever). It's not generally possible to tell which proxy emitted traffic from said IP, nor is it reasonable to require tor exit operators to not participate in other networks.
> Tor-Browser-Bundle: true
Great for advertising statistical demand for anonymous access to clearnet web operators, bad for blocking.
> Are we still trying to hide TBB users in the Mozilla browser crowd?
TBB should conform to Mozilla. Though it's a unique header, currently unused by web operators, that's only for a while. If any such thing, it should be a toggle, default off. You don't want to be unique unless you have to, and it's unlikely even 1/3 of clearnet operators are programmatically exit-aware, with fewer programmed to block.
> the "x-tor2web" request header. We eventually decided to add it.
Which is fine because it doesn't disclose any bits about the user to clearnet, the disclosure to the onion is still anon and moot, and the user can go direct to the onion if the onion blocks t2w.
> The CDN should forward the client IP address as X-Forwarded-For or something?
Other proxies, vpn's, chains, whatever between t2w and the exit may not do this.
> If any sites do start blocking users based on the header (and not also based on IP) it will push people into using a non-TBB browser to access Tor.
Yep.
> TBB plugin: T2W-OE - tor2web onion everywhere. Fork HTTPS-E. Maintain list of known t2w's. Plugin update from tpo. Matching engine rewrites t2w URL's to onions in TBB before the fetch.
You are correct my good sir! This is indeed the better way. Thank you! I made a pull request to HTTPS-E for the requisite tor2web rules.
https://github.com/EFForg/https-everywhere/pull/3033
It's unclear to me how to make these rules only apply to the TBB version, but judging by the version history of HTTPS-E they have a way of doing that.
Unless there's another specific issue, I consider the matter of Tor users accidentally clicking links to Tor2web nodes solved.
-V
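The matching engine grarpamp proposes (keep a list of known tor2web gateways and rewrite a gateway URL to its .onion before the fetch) is what the HTTPS Everywhere rules in the pull request above express as XML. The following is an added example in Python and is not code from the thread, from HTTPS Everywhere or from that pull request. The gateway list is constructed: onion.link is the one gateway the thread names, the other entries are placeholders. It goes a little beyond the thread in that it accepts both the 16-character v2 onion names of 2015 and the 56-character v3 names in use today, keeps subdomains of the onion (Tor passes those through to the service) and preserves a non-default port.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed list of gateway suffixes. onion.link is the gateway named in the
# thread; the other two are placeholders standing in for "known t2w's".
GATEWAYS = ("onion.link", "t2w-example.test", "gateway.example")

# Onion names are base32 labels: 16 characters for the v2 services of 2015,
# 56 for v3 services. Anything else is left alone rather than rewritten.
ONION_NAME = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})$")


def rewrite(url, gateways=GATEWAYS):
    """Return the .onion URL behind a tor2web URL, or None if url is not one.

    https://[sub.]<name>.<gateway>[:port]/path?query#frag
        -> http://[sub.]<name>.onion[:port]/path?query#frag
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname.lower()
    for gw in gateways:
        suffix = "." + gw.lower()
        if not host.endswith(suffix):
            continue
        labels = host[: -len(suffix)].split(".")
        name = labels[-1]
        if not ONION_NAME.match(name):
            # The gateway's own pages (e.g. its landing page), not a proxied
            # onion: leave the request alone.
            return None
        # Tor passes subdomains of an onion through to the service, so keep them.
        netloc = ".".join(labels[:-1] + [name + ".onion"])
        try:
            port = parts.port
        except ValueError:
            return None  # unparsable port: do not rewrite
        if port and port not in (80, 443):
            netloc += ":%d" % port
        return urlunsplit(("http", netloc, parts.path or "/", parts.query, parts.fragment))
    return None


if __name__ == "__main__":
    # Constructed onion name (16 base32 characters); not a real service.
    name = "abcdefghijk2345z"
    print(rewrite("https://%s.onion.link/search?q=tor" % name))
    print(rewrite("https://onion.link/"))  # None: the gateway's own site
```

The rewritten URL uses plain http because onion services of the time generally did not serve TLS; the Tor circuit already authenticates and encrypts the hop to the service, which is the point of sending the user there instead of through the gateway. Rejecting names that are not valid onion labels is what keeps the gateway's own pages, and anything else hosted under its domain, from being turned into bogus .onion addresses.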
On Sat, Oct 3, 2015 at 8:29 PM grarpamp grarpamp@gmail.com wrote:
> various wrote:
> > Yesterday Lief compellingly argued that if a TBB user accidentally clicks on a link to my tor2web proxy (onion.link), they should be redirected to the .onion address. It hadn't occurred to me before that a Tor user might accidentally click an onion.link URL
> TBB plugin: T2W-OE - tor2web onion everywhere. Fork HTTPS-E. Maintain list of known t2w's. Plugin update from tpo. Matching engine rewrites t2w URL's to onions in TBB before the fetch.
> > { "countrycode": "A1", "location": "Tor", "domain": "torproject.org" } or some such. This seems a reasonable request. Do we know someone at
> They may not wish to if they want to return a single result per IP, and an IP could be running more than one proxy (tor, i2p/cjdns exit, vpngate, plain old vpn service, whatever). It's not generally possible to tell which proxy emitted traffic from said IP, nor is it reasonable to require tor exit operators to not participate in other networks.
> > Tor-Browser-Bundle: true
> Great for advertising statistical demand for anonymous access to clearnet web operators, bad for blocking.
> > Are we still trying to hide TBB users in the Mozilla browser crowd?
> TBB should conform to Mozilla. Though it's a unique header, currently unused by web operators, that's only for a while. If any such thing, it should be a toggle, default off. You don't want to be unique unless you have to, and it's unlikely even 1/3 of clearnet operators are programmatically exit-aware, with fewer programmed to block.
> > the "x-tor2web" request header. We eventually decided to add it.
> Which is fine because it doesn't disclose any bits about the user to clearnet, the disclosure to the onion is still anon and moot, and the user can go direct to the onion if the onion blocks t2w.
> > The CDN should forward the client IP address as X-Forwarded-For or something?
> Other proxies, vpn's, chains, whatever between t2w and the exit may not do this.
> > If any sites do start blocking users based on the header (and not also based on IP) it will push people into using a non-TBB browser to access Tor.
> Yep.
On Sat, Oct 3, 2015 at 6:59 PM, Virgil Griffith i@virgil.gr wrote:
> You are correct my good sir! This is indeed the better way. Thank you!
That'll be half a BTC please, lol: 161JvwnowBsojF4rRcdjMRcztoLb7R1qkN
> It's unclear to me how to make these rules only apply to the TBB version, but judging by the version history of HTTPS-E they have a way of doing that.
A plugin may have a way of determining if it is plugged into TBB (tor) and acting accordingly. Else a separate T2W-OE plugin that takes precedence over HTTPS-E for t2w's. Or coordinate with HTTPS-E in that space.
> That'll be half a BTC please, lol: 161JvwnowBsojF4rRcdjMRcztoLb7R1qkN
My pleasure. You saved me half a BTC!
-V
On Sun, Oct 4, 2015 at 3:59 AM grarpamp grarpamp@gmail.com wrote:
> On Sat, Oct 3, 2015 at 6:59 PM, Virgil Griffith i@virgil.gr wrote:
> > You are correct my good sir! This is indeed the better way. Thank you!
> That'll be half a BTC please, lol: 161JvwnowBsojF4rRcdjMRcztoLb7R1qkN
> > It's unclear to me how to make these rules only apply to the TBB version, but judging by the version history of HTTPS-E they have a way of doing that.
> A plugin may have a way of determining if it is plugged into TBB (tor) and acting accordingly. Else a separate T2W-OE plugin that takes precedence over HTTPS-E for t2w's. Or coordinate with HTTPS-E in that space.
On Sun, Oct 4, 2015 at 12:06 AM, Virgil Griffith i@virgil.gr wrote:
> > That'll be half a BTC please, lol: 161JvwnowBsojF4rRcdjMRcztoLb7R1qkN
> My pleasure. You saved me half a BTC!
Holy shit, somebody tipped me, on a LOL no less, this Bitcoin thing works! You, kind benevolent and most gracious Sir, are getting some kind of thanks back to that address someday.