[tor-talk] Making a Site Available as both a Hidden Service and on the www - thoughts?
Alec Muffett
alecm at fb.com
Tue May 19 11:50:43 UTC 2015
> Are you doing anything to maximise the effect that (say) a ban based on
> IP can have?
Ah, I see - I mistook your intent, please let me clarify:
From a threat perspective we basically treat our onion site like a large web proxy with a mix of (by far the majority) normal and (remainder) malicious activity emanating from it.
There are a bunch of such proxies "out there" on the net anyhow - e.g.: any Tor exit node - so having one more is not a big deal.
The "rewrite the onion to a 169.254/*" is a book-keeping measure so that we don't have to special case either RFC-1918 or publicly routable IP addresses in our stack.
We don't use the onion's virtual IP for any sense of "session" management.
> Have you made any changes lower down (similar to the patch str4d posted,
> I guess) so that you can do it on a per-circuit basis (making things a
> little harder)
We are currently running a vanilla tor daemon binary. No mods, no magic, basic config.
>>
>> I agree that sometimes it’s overkill. I’m okay with an occasional bit
>> of overkill in this area.
>
> It depends, here's a massively oversimplified example
> [...]
> Switch to HTTPS.
>
> Every 300 requests, the connection is still torn-down by the origin but
> now you have to redo your SSL handshake etc. With VoD that's once every
> 600 seconds (as you only need to retrieve the manifest once).
[deletia]
That's a really interesting example, thank you! Food for thought...
> the point I'm trying to make is that people tend to assume that the
> traditional overhead of SSL is largely negated by the power of the
> systems we use now, but there are definitely areas where that assumption
> might be incorrect.
Yep.
Our approach so far has been to "just try it and see what works" - and then measure and fix the issues later, in-situ.
There have been far fewer issues than we expected. :-)
- alec