Hi,
On 23/10/18 18:15, Alec Muffett wrote:
> But any website that takes an interest (e.g. tracks Cloudflare's "xx-tor" country geolocation, or whatever it is called) - regarding the reputation of the source IP address will KNOW that the user is coming from Tor.
> We live in a weird world where the Tor community still believes that systems administrators don't have trivial access to IP reputation databases.
IP reputation databases do not reflect the current state of the Tor network exactly. They may be pretty close, even 99%, but they're not exact. You will get false positives, and a lot of false negatives too.
Improving exit detection is on the list of tasks for Tor Metrics but it is not our top priority.
> - if sites wish to follow Privacy International's example and redirect from a DNS TLD to ".onion" then that is something they should implement at layer 7, by dint of identifying whether the user has arrived over Tor.
Given that false positives are possible, doing this conditionally is going to give some people a terrible user experience by redirecting them to an onion they cannot possibly reach in their browser.
This is why I like the Onion-Location header. You don't have to have this conditional. You don't need to have any infrastructure to provide lookups from databases (which ideally would need to be refreshed constantly). You just always serve the header. This also gives you the opportunity to advertise that a service is available via an Onion service to all users, some of whom might have a browser add-on that lets them know about these things.
Thanks, Iain.
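
The contrast discussed in this message, as an added example (not from the original message or from Tor Project code): Python WSGI middleware that redirects based on an exit-list snapshot, beside middleware that always serves the Onion-Location header. The onion hostname, the IP addresses and all function names are constructed placeholders.

```python
from urllib.parse import quote

# Constructed placeholders: not a real onion service, documentation-range IPs.
ONION_BASE = "http://placeholderonionaddress.onion"
STALE_EXIT_SNAPSHOT = {"192.0.2.10", "198.51.100.7"}


def onion_url(environ):
    """Map the requested path and query onto the onion service."""
    url = ONION_BASE + quote(environ.get("PATH_INFO", "/"))
    if environ.get("QUERY_STRING"):
        url += "?" + environ["QUERY_STRING"]
    return url


def site(environ, start_response):
    """Stand-in for the real application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]


def conditional_redirect(app, exits):
    """Redirect when the client IP is in the exit list; wrong whenever the list is."""
    def wrapped(environ, start_response):
        if environ.get("REMOTE_ADDR") in exits:
            start_response("302 Found", [("Location", onion_url(environ))])
            return [b""]
        return app(environ, start_response)
    return wrapped


def always_advertise(app):
    """Attach Onion-Location to every response: no lookup, no condition."""
    def wrapped(environ, start_response):
        def add_header(status, headers, exc_info=None):
            headers = list(headers) + [("Onion-Location", onion_url(environ))]
            return start_response(status, headers, exc_info)
        return app(environ, add_header)
    return wrapped


def call(app, addr, path="/docs", query="page=2"):
    """Drive a WSGI app with a minimal constructed request."""
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    environ = {"REMOTE_ADDR": addr, "PATH_INFO": path, "QUERY_STRING": query}
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body
```

Calling `call(conditional_redirect(site, STALE_EXIT_SNAPSHOT), "192.0.2.10")` models a false positive (an address still in the snapshot gets a 302 to the onion), while any address missing from the snapshot is served normally with no hint that the onion exists; `always_advertise(site)` returns the same 200 response plus the header to both.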