[tor-bugs] #28741 [Core Tor/sbws]: sbws should send scanner metadata as part of every HTTP request

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Dec 10 02:11:06 UTC 2018 

#28741: sbws should send scanner metadata as part of every HTTP request
---------------------------+-----------------------------------
 Reporter:  teor           |          Owner:  (none)
     Type:  defect         |         Status:  new
 Priority:  Medium         |      Milestone:  sbws: 1.0.x-final
Component:  Core Tor/sbws  |        Version:
 Severity:  Normal         |     Resolution:
 Keywords:                 |  Actual Points:
Parent ID:                 |         Points:
 Reviewer:                 |        Sponsor:
---------------------------+-----------------------------------

Comment (by teor):

 Replying to [comment:3 juga]:
 >
 > > Replying to [ticket:28741 teor]:
 > > > Here's some things we might want:
 > > > * software-name: sbws
 > > > * software-version
 > >
 > > These might be user-agent, unless requests sets its own user agent.
 >
 > Python Requests allows to setup custom User-Agent (http://docs.python-
 requests.org/en/master/community/faq/#custom-user-agents)
 >
 > So, this would be: `User-Agent: sbws/x.y.z`

 Ok.

 > >
 > > > * scanner-nickname
 > >
 > > I'm not sure if there is a generic HTTP header for a nickname or other
 client identifier.
 >
 > Can't find any in
 https://en.wikipedia.org/wiki/List_of_HTTP_header_fields#Standard_request_fields
 >
 > Following https://tools.ietf.org/html/rfc6648#appendix-B ("incorporate
 the organization's name"), this could be: `Tor-bwauth-Nickname:`

 Some tweaks:

 Words are capitalised; Abbreviations are rarely used; It's a bandwidth
 scanner:

 `Tor-Bandwidth-Scanner-Nickname: IDidntEditTheConfig`

 > > > * scanner-IP-address? (pro: discover users who haven't set nickname,
 con: discover users)
 > >
 > > We should look for a generic HTTP header for the client IP address.
 > > sbws doesn't guarantee any anonymity, and discovering rogue scanners
 is more important than the risk of malicious servers using the IP address.
 >
 > I also can't find any. It could be: `Tor-bwauth-Address:`

 The standard proxy client address header is:
 `Forwarded: for=192.0.2.1`

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28741#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list