Tor and network security/administration
Kevin Day
toasty at dragondata.com
Wed Jun 21 17:58:09 UTC 2006
On Jun 21, 2006, at 12:43 PM, Lionel Elie Mamane wrote:
>
> If the proxy is not at the Tor exit node, how can the tor network
> enforce the addition of the "this connection went through tor" HTTP
> header that Kevin Day was asking for? Fundamentally, if you rely on a
> program sitting on the user's computer adding that header, then
> malevolent users can not add this header, so Kevin Day's purpose is
> not served. And that is what is being discussed here.
>
Just to chime in before this gets any further off what I meant:
I know any intermediary nodes can't inject headers into HTTPS
connections, that kinda defeats the purpose of SSL. :)
When doing any financial transaction, before any user enters anything
sensitive, we bounce them to an HTTP page first, then look for common
proxy headers on that request. If none are found, they're given a
cookie that allows them to continue on that IP only for HTTPS
transactions for the next 15 minutes.
Failing that, having an exit node look at HTTP headers back from the
server that contained a "X-No-Anonymous" header to say that the host
at that IP shouldn't allow Tor to use it would work.
*Anything* would be better for Tor users if we could keep Tor abuse
off our financial services without having to just ban all Tor IPs at
the border. On a credit card transaction page, you have no anonymity
anyway, since you're having to give us your credit card number, home
address, etc. Yet, until we banned as many known Tor IPs as we could
find from our network, Tor IPs accounted for a pretty high percentage
of our credit card fraud, and nearly zero non-fraudulent use. Tor IPs
had some significant (legitimate) use on some of our other sites, but
that's gone because they're all null routed at the border now.
Tor may have some legit uses, but when it's costing us $BIGNUM in
credit card fraud, I'm not going to spend too much time trying to
only selectively ban it from our network.
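The HTTP-bounce check described in the message, as an added example that is not part of Kevin Day's post: it looks for common proxy-indicating request headers (the header list, the placeholder secret and the 15-minute TTL are assumptions) and, when none are present, issues an HMAC-signed cookie value bound to the client IP so that a forged or replayed-from-another-IP cookie is rejected on the HTTPS side.

```python
import hmac
import hashlib
import time

# Assumed list of request headers that commonly reveal an intermediary proxy.
PROXY_HEADERS = ("via", "x-forwarded-for", "forwarded",
                 "proxy-connection", "x-proxy-id", "x-real-ip")
SECRET = b"placeholder-secret-load-from-config"  # placeholder, not a real key
TTL = 15 * 60  # cookie lifetime in seconds (15 minutes, as in the post)


def proxy_headers_present(headers):
    """Return the proxy-indicating header names found (case-insensitive)."""
    lower = {name.lower() for name in headers}
    return [h for h in PROXY_HEADERS if h in lower]


def issue_token(client_ip, now=None):
    """Build 'ip|expiry|hmac' so the cookie is tied to one IP and one window."""
    now = int(time.time()) if now is None else now
    expiry = now + TTL
    msg = f"{client_ip}|{expiry}".encode()
    sig = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return f"{client_ip}|{expiry}|{sig}"


def validate_token(token, client_ip, now=None):
    """Accept only an untampered token for this IP that has not expired."""
    now = int(time.time()) if now is None else now
    try:
        ip, expiry, sig = token.split("|")
        expiry = int(expiry)
    except ValueError:
        return False
    expected = hmac.new(SECRET, f"{ip}|{expiry}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False
    return ip == client_ip and now < expiry


def gate_http_request(headers, client_ip, now=None):
    """Plain-HTTP bounce: refuse if proxy headers are seen, else issue a cookie.

    Returns (token_or_None, list_of_offending_headers).
    """
    found = proxy_headers_present(headers)
    if found:
        return None, found
    return issue_token(client_ip, now), []
```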