On 9/2/13 5:59 PM, Steve Snyder wrote:
> On 09/02/2013 10:02 AM, Kostas Jakeliunas wrote:
> [snip]
>> Perhaps you're using it yourself, but one of the ways to probe Onionoo in a user-friendly way is the new Globe tool [1]. It includes bridges as well as relays.
>
> Having this tool on an unencrypted HTTP site doesn't seem safe to me. Anybody can sniff the bridge IP addresses that users submit for reporting.
In general, I agree that Globe should be provided on HTTPS.
But regardless, you don't have to be concerned about IP addresses being sent over an unencrypted link. Globe is just the JavaScript thing that you load in your browser and that then makes all its data requests to Onionoo over HTTPS. Here's Firefox's console output of searching for gabelmoo by IP address:
[10:14:41.726] GET https://onionoo.torproject.org/details?limit=50&search=212.112.245.170&a... [HTTP/1.1 200 OK 569ms]
[10:14:46.040] GET https://onionoo.torproject.org/details?lookup=16EF359C2FBF50FC08CF9A95717BE3... [HTTP/1.1 200 OK 141ms]
[10:14:46.041] GET http://globe.rndm.de/img/ajax-loader.gif [HTTP/1.1 200 OK 284ms]
[10:14:46.283] GET https://onionoo.torproject.org/weights?lookup=16EF359C2FBF50FC08CF9A95717BE3... [HTTP/1.1 200 OK 284ms]
[10:14:46.285] GET https://onionoo.torproject.org/bandwidth?lookup=16EF359C2FBF50FC08CF9A95717B... [HTTP/1.1 200 OK 399ms]
Best,
Karsten
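
The check made by eye on the console output above, written as a script: it sorts each logged request into encrypted or cleartext and flags any cleartext URL that carries the searched IP address or fingerprint. This is an added example, not part of the original message and not Globe or Onionoo code; the function names and the list of sensitive values are assumptions chosen here.

```javascript
// Console lines as quoted in the message above (URLs truncated as posted).
const consoleLog = [
  "[10:14:41.726] GET https://onionoo.torproject.org/details?limit=50&search=212.112.245.170&a... [HTTP/1.1 200 OK 569ms]",
  "[10:14:46.040] GET https://onionoo.torproject.org/details?lookup=16EF359C2FBF50FC08CF9A95717BE3... [HTTP/1.1 200 OK 141ms]",
  "[10:14:46.041] GET http://globe.rndm.de/img/ajax-loader.gif [HTTP/1.1 200 OK 284ms]",
  "[10:14:46.283] GET https://onionoo.torproject.org/weights?lookup=16EF359C2FBF50FC08CF9A95717BE3... [HTTP/1.1 200 OK 284ms]",
  "[10:14:46.285] GET https://onionoo.torproject.org/bandwidth?lookup=16EF359C2FBF50FC08CF9A95717B... [HTTP/1.1 200 OK 399ms]",
];
// Assumption: the values the user searched for, which must not show up in a cleartext URL.
const sensitive = ["212.112.245.170", "16EF359C2FBF50FC08CF9A95717B"];

const LINE_RE = /^\[(\d{2}:\d{2}:\d{2}\.\d{3})\]\s+(\S+)\s+(\S+)\s+\[HTTP\/[\d.]+\s+(\d{3})\b/;

// Truncation can cut a percent-escape in half, so decoding must not throw.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Parse one console line into { time, method, url, status, truncated }, or null.
function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;
  const truncated = m[3].endsWith("...");
  try {
    const url = new URL(truncated ? m[3].slice(0, -3) : m[3]);
    return { time: m[1], method: m[2], url, status: Number(m[4]), truncated };
  } catch (e) {
    return null; // not an absolute URL
  }
}

// Sort requests into encrypted / cleartext; flag cleartext ones carrying a sensitive value.
function auditCleartext(lines, sensitiveValues) {
  const report = { encrypted: [], cleartext: [], leaks: [], unparsed: [] };
  for (const line of lines) {
    const req = parseLine(line);
    if (!req) { report.unparsed.push(line); continue; }
    if (req.url.protocol === "https:") { report.encrypted.push(req); continue; }
    report.cleartext.push(req);
    const visible = safeDecode(req.url.host + req.url.pathname + req.url.search).toLowerCase();
    const hits = sensitiveValues.filter((v) => visible.includes(v.toLowerCase()));
    if (hits.length > 0) report.leaks.push({ time: req.time, host: req.url.host, hits });
  }
  return report;
}

const report = auditCleartext(consoleLog, sensitive);
console.log("cleartext:", report.cleartext.map((r) => r.url.href));
console.log("leaks:", report.leaks);
```

The console output lists request URLs only, so this check covers query strings and paths, not request headers; a cleartext entry marked `truncated` cannot be cleared, because the cut-off part is not inspected.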