[tor-bugs] #17605 [Tor]: Tell caches to remove X-Your-IP-Address-Is from Tor Directory documents
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sun Nov 15 10:02:44 UTC 2015
#17605: Tell caches to remove X-Your-IP-Address-Is from Tor Directory documents
------------------------+--------------------------------
Reporter: teor | Owner:
Type: defect | Status: new
Priority: Medium | Milestone: Tor: 0.2.8.x-final
Component: Tor | Version:
Severity: Normal | Keywords: tor-auth
Actual Points: | Parent ID:
Points: | Sponsor:
------------------------+--------------------------------
Some web caches (such as Farahavar's previous cache) pass on the
X-Your-IP-Address-Is header from one directory document to multiple clients.
This causes the clients to guess the wrong IP address as their address.

I think we should add one or more of the following headers to every
directory response:

* `Pragma: no-cache` tells HTTP 1.0 compliant caches to disable caching
  entirely. (This will also disable caching for HTTP 1.1 caches unless we
  provide a more generous Cache-Control header, like the one below.)
* `Connection: close X-Your-IP-Address-Is` tells HTTP 1.1 caches to never
  send out the X-Your-IP-Address-Is header, even to the first client
  requesting the document.
* `Cache-Control: no-cache="X-Your-IP-Address-Is"` tells HTTP 1.1 caches to
  not cache the header at all. Alternately, if the cache doesn't support the
  no-cache="<header-name>" feature, it tells the cache not to cache the
  entire document. (This also causes the cache to attempt to revalidate the
  header, which might not be what we want, as Tor doesn't support cache
  revalidation.)

I don't know enough about how caches typically behave to recommend which
ones.

See:
* #16205 - bogus IP address / clock change from authority server
* https://lists.torproject.org/pipermail/tor-relays/2015-November/008137.html
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17605>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
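
The three options compared in the ticket, as an added example that is not part of the original message or of Tor's code: a toy shared cache showing what two successive clients receive in X-Your-IP-Address-Is under each header. The `SharedCache` class, the `origin` function and both client addresses are constructed for illustration; the model assumes a cache that honours each directive as the ticket describes and a directory that sees the address of the client that triggered the cache miss, and it writes the Connection value as the comma-separated list HTTP/1.1 uses.

```python
import re

HDR = "X-Your-IP-Address-Is"

def origin(peer_ip, extra):
    """Constructed directory response: echoes the peer address it saw."""
    return {"Content-Type": "text/plain", HDR: peer_ip, **extra}

def listed(value):
    """Lowercased names from a comma-separated header value."""
    return {t.strip().lower() for t in value.split(",") if t.strip()}

class SharedCache:
    """Toy HTTP/1.1 shared cache holding one response (assumed behaviour)."""
    def __init__(self, extra):
        self.extra, self.stored = extra, None

    def fetch(self, client_ip):
        if self.stored is not None:
            return dict(self.stored)              # hit: replay stored headers
        resp = origin(client_ip, self.extra)      # miss: ask the directory
        # Connection is a comma-separated list of hop-by-hop header names;
        # a proxy removes them, and Connection itself, before forwarding.
        hop = listed(resp.get("Connection", "")) | {"connection"}
        fwd = {k: v for k, v in resp.items() if k.lower() not in hop}
        if fwd.get("Pragma", "").lower() == "no-cache":
            return fwd                            # forwarded, never stored
        # no-cache="field": listed fields may not be reused without
        # revalidation, so this cache stores the response without them.
        m = re.search(r'no-cache="([^"]*)"', fwd.get("Cache-Control", ""), re.I)
        private = listed(m.group(1)) if m else set()
        self.stored = {k: v for k, v in fwd.items() if k.lower() not in private}
        return fwd

def addresses_seen(extra):
    """Header value delivered to two successive clients behind one cache."""
    cache = SharedCache(extra)
    return tuple(cache.fetch(ip).get(HDR) for ip in ("198.51.100.7", "203.0.113.9"))

if __name__ == "__main__":
    for extra in ({}, {"Pragma": "no-cache"},
                  {"Connection": "close, " + HDR},
                  {"Cache-Control": 'no-cache="%s"' % HDR}):
        print(extra, "->", addresses_seen(extra))
```

With no extra header the second client is handed the first client's address; with the Connection option neither client receives the header, and with the field-qualified Cache-Control only the client that triggered the fetch does.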