[tor-dev] Proposal: HTTP header distinguish TBB users

Virgil Griffith i at virgil.gr
Sat Oct 3 12:10:06 UTC 2015

Yesterday Lief compellingly argued that if a TBB user accidentally clicks
on a link to my tor2web proxy (onion.link), that they should be redirected
to the .onion address. It hadn't occurred before that a Tor user might
accidentally click a onion.link URL, but yes I completely concur and I told
Lief I would prioritize this and would owe him a Bitcoin if I didn't get
this implemented within a week.

Now the trouble starts. If the TBB user gets to the tor2web backend I check
if they're coming from an Exit relay and redirect them---all good.  But a
CDN (Fastly.com) sits in front of my backends and right now it's unclear
how to detect TBB at the CDN level.

Going over my CDN's documentation.  They do have the standard MaxMind
database for geo-IP.  So that's good.  But plugging in an exit-node IP#
merely reports as an "A1" for "Anonymous Proxy".  Unfortunately there are
many anonymous proxies other than Tor so that won't do.

There are two ways to solve this.

(1) For an given IP#, MaxMind reports numerous entries aside from the "A1"
for country code.  We could ask MaxMind to specify whatever else it knows
about the Anonymous Proxy in the other fields such as the "Location" or
"Organization" field.  So when plugging in a Tor exit relay it would return
something like:

{ "countrycode": "A1", "location": "Tor", "domain": "torproject.org" }

or some such.  This seems a reasonable request.  Do we know someone at
MaxMind to forward this request to?

(2) If we (Tor Project) is going to ask MaxMind to do something special to
distinguish TBB users, it seems reasonable we should make the same effort.
I know in the past it's been proposed for TBB to include a special HTTP
header, e.g.,

Tor-Browser-Bundle: true

to distinguish TBB users.  If this header existed, I could detect it at the
CDN-level and do the appropriate redirect.  Alternatively, We could do
something equivalent with the "Via": HTTP header, but that seems overkill.

Between these two options, I personally opt for (2) because it seems
inappropriate to request MaxMind to help us do X when we have not done what
we can do to achieve X.

Q: Does anyone (especially Mike Perry) have any objections to (2)?  If not,
I will write the proposal.


P.S. Lief... even if we go at maximum speed, it looks like I'm going to owe
you that Bitcoin.  Email me your BTC address?  How embarrassing.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20151003/adecbae1/attachment.html>

More information about the tor-dev mailing list