[tor-dev] Proposal: HTTP header distinguish TBB users

grarpamp grarpamp at gmail.com
Sat Oct 3 18:28:31 UTC 2015

> various wrote:
> Yesterday Lief compellingly argued that if a TBB user accidentally clicks on
> a link to my tor2web proxy (onion.link), that they should be redirected to
> the .onion address. It hadn't occurred before that a Tor user might
> accidentally click a onion.link URL

TBB plugin: T2W-OE - tor2web onion everywhere.
Maintain list of known t2w's.
Plugin update from tpo.
Matching engine rewrites t2w URL's to onions in TBB before the fetch.

> { "countrycode": "A1", "location": "Tor", "domain": "torproject.org" }
> or some such.  This seems a reasonable request.  Do we know someone at

They may not wish to if they want to return a single result per IP, and an
IP could be running more than one proxy (tor, i2p/cjdns exit, vpngate,
plain old vpn service, whatever), it's not generally possible to tell which
proxy emitted traffic from said IP, nor is it reasonable to require tor exits
operators to not participate in other networks.

> Tor-Browser-Bundle: true

Great for advertising statistical demand for anonymous access to
clearnet web operators, bad for blocking.

> Are we still trying to hide TBB users in the Mozilla browser crowd?

TBB should conform to Mozilla. Though it's a unique header, currently
unused by web operators, that's only for a while. If any such thing, it should
be a toggle, default off. You don't want to be unique unless you have to,
and it's unlikely even 1/3 of clearnet operators are programmatically
exit-aware, with fewer programmed to block.

> the "x-tor2web" request header. We eventually decided to add it.

Which is fine because it doesn't disclose any bits about the user to
clearnet, the disclosure to the onion is still anon and moot, and the
user can go direct to the onion if the onion blocks t2w.

> The CDN should forward the client IP address as X-Forwarded-For or
> something?

Other proxies, vpn's, chains, whatever between t2w and the exit may not do this.

> If any sites do start blocking users based on the header (and not also based on IP)
> it will push people into using a non-TBB browser to access Tor.


More information about the tor-dev mailing list