[tor-talk] Making a Site Available as both a Hidden Service and on the www - thoughts?

Alec Muffett alecm at fb.com
Tue May 19 11:50:43 UTC 2015


> Are you doing anything to maximise the effect that (say) a ban based on
> IP can have?

Ah, I see - I mistook your intent, please let me clarify:

From a threat perspective we basically treat our onion site like a large web proxy with a mix of (by far the majority) normal and (remainder) malicious activity emanating from it.

There are a bunch of such proxies "out there" on the net anyhow - e.g.: any Tor exit node - so having one more is not a big deal.

The "rewrite the onion to a 169.254/*" is a book-keeping measure so that we don't have to special case either RFC-1918 or publicly routable IP addresses in our stack.

We don't use the onion's virtual IP for any sense of "session" management.

> Have you made any changes lower down (similar to the patch str4d posted,
> I guess) so that you can do it on a per-circuit basis (making things a
> little harder)

We are currently running a vanilla tor daemon binary.  No mods, no magic, basic config.

>> 
>> I agree that sometimes it’s overkill.  I’m okay with an occasional bit
>> of overkill in this area.
> 
> It depends, here's a massively oversimplified example
> [...]
> Switch to HTTPS.
> 
> Every 300 requests, the connection is still torn-down by the origin but
> now you have to redo your SSL handshake etc. With VoD that's once every
> 600 seconds (as you only need to retrieve the manifest once).

[deletia]

That's a really interesting example, thank you! Food for thought...

> the point I'm trying to make is that people tend to assume that the
> traditional overhead of SSL is largely negated by the power of the
> systems we use now, but there are definitely areas where that assumption
> might be incorrect.

Yep.

Our approach so far has been to "just try it and see what works" - and then measure and fix the issues later, in-situ.

There have been far fewer issues than we expected. :-)

    - alec
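The "treat the onion like one large proxy" design above, as an added example that is not Alec's or Facebook's code: it assumes the onion-side rewrite lands every .onion connection in 169.254.0.0/16 (the post only says "169.254/*"), classifies a source address as onion, RFC-1918 or public, and keys abuse counters on a request fingerprint rather than the IP for onion traffic, since a per-IP ban there would hit every onion user at once.

```python
import ipaddress
from collections import Counter

# Assumed prefix for the onion-side virtual addresses (the post says "169.254/*").
ONION_VIRTUAL_NET = ipaddress.ip_network("169.254.0.0/16")
RFC1918_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_source(addr: str) -> str:
    """Return 'onion', 'private' or 'public' for a client source address."""
    ip = ipaddress.ip_address(addr)
    if ip in ONION_VIRTUAL_NET:
        return "onion"
    if any(ip in net for net in RFC1918_NETS):
        return "private"
    return "public"


def ban_key(addr: str, request_fingerprint: str) -> str:
    """Abuse counters are keyed on the IP for direct clients, but on a
    request fingerprint (hypothetical, e.g. a hash of headers/behaviour)
    for onion clients: one virtual IP carries many unrelated users."""
    if classify_source(addr) == "onion":
        return "onion:" + request_fingerprint
    return "ip:" + addr


def count_abuse(events):
    """events: iterable of (source_addr, fingerprint, is_malicious).
    Returns a Counter of malicious hits per ban key."""
    hits = Counter()
    for addr, fingerprint, malicious in events:
        if malicious:
            hits[ban_key(addr, fingerprint)] += 1
    return hits


# Constructed sample traffic: two onion users share the virtual range, one
# of them scraping; one public client misbehaves directly.
SAMPLE_EVENTS = [
    ("169.254.7.1", "fp-browser", False),
    ("169.254.7.2", "fp-scraper", True),
    ("169.254.7.3", "fp-scraper", True),
    ("203.0.113.5", "fp-browser", True),
    ("10.0.0.4", "fp-browser", False),
]

if __name__ == "__main__":
    print(count_abuse(SAMPLE_EVENTS))
```

The onion scraper accumulates two hits under `onion:fp-scraper` while the well-behaved onion browser on the same range stays unbanned.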

