[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [tor-talk] Making a Site Available as both a Hidden Service and on the www - thoughts?



> 
>> As observed elsewhere, we tell our infrastructure that any traffic inbound
>> from the Facebook onion site is sourced from the DHCP broadcast
>> network (169.254/whatever).
> 
> […]
> I'm assuming you're pushing an IP in that range into the X-Forwarded-For
> header?

Approximately yes; we use a different header (extant, internal) so we can mostly not mess with the existing headers.

> Without wanting to start a thread-in-a-thread, I've definitely got mixed
> feelings on that one. I think most sites should be using HTTPS, but I
> think there are also cases where HTTPS genuinely may not be
> needed/desirable.

I agree that sometimes it’s overkill.  I’m okay with an occasional bit of overkill in this area.

One extra aside: if you go with SSL and get the EV Onion cert (which supports wildcards, yay!) - then if you were to lose your onion key for some reason the move to a new address would be less traumatic.  Of course this is a mechanism of trust placed in CAs (etc, etc) and of course there are other ways to achieve the same thing (e.g.: TOFU?) - but this one is extant and works.

I like the mutual reinforcement of Tor and SSL, each addresses issues in the other.  :-)

    -a

—
Alec Muffett
Security Infrastructure
Facebook Engineering
London


Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk