[tor-dev] Proposal: HTTP header distinguish TBB users

Virgil Griffith i at virgil.gr
Sat Oct 3 22:59:06 UTC 2015


> TBB plugin: T2W-OE - tor2web onion everywhere.
> Fork HTTPS-E.
> Maintain list of known t2w's.
> Plugin update from tpo.
> Matching engine rewrites t2w URL's to onions in TBB before the fetch.

You are correct my good sir!  This is indeed the better way.  Thank you!  I
made a pull request to HTTPS-E for the requisite tor2web rules.

https://github.com/EFForg/https-everywhere/pull/3033

It's unclear to me how to make these rules only apply to the TBB version,
but judging by the version history of HTTPS-E they have a way of doing that.

Unless there's another specific issue, I consider the matter of Tor users
accidentally clicking links to Tor2web nodes solved.

-V

On Sat, Oct 3, 2015 at 8:29 PM grarpamp <grarpamp at gmail.com> wrote:

> > various wrote:
> > Yesterday Lief compellingly argued that if a TBB user accidentally clicks on
> > a link to my tor2web proxy (onion.link), that they should be redirected to
> > the .onion address. It hadn't occurred before that a Tor user might
> > accidentally click an onion.link URL
>
> TBB plugin: T2W-OE - tor2web onion everywhere.
> Fork HTTPS-E.
> Maintain list of known t2w's.
> Plugin update from tpo.
> Matching engine rewrites t2w URL's to onions in TBB before the fetch.
>
> > { "countrycode": "A1", "location": "Tor", "domain": "torproject.org" }
> > or some such.  This seems a reasonable request.  Do we know someone at
>
> They may not wish to if they want to return a single result per IP, and an
> IP could be running more than one proxy (tor, i2p/cjdns exit, vpngate,
> plain old vpn service, whatever), it's not generally possible to tell which
> proxy emitted traffic from said IP, nor is it reasonable to require tor exits
> operators to not participate in other networks.
>
> > Tor-Browser-Bundle: true
>
> Great for advertising statistical demand for anonymous access to
> clearnet web operators, bad for blocking.
>
> > Are we still trying to hide TBB users in the Mozilla browser crowd?
>
> TBB should conform to Mozilla. Though it's a unique header, currently
> unused by web operators, that's only for a while. If any such thing, it should
> be a toggle, default off. You don't want to be unique unless you have to,
> and it's unlikely even 1/3 of clearnet operators are programmatically
> exit-aware, with fewer programmed to block.
>
> > the "x-tor2web" request header. We eventually decided to add it.
>
> Which is fine because it doesn't disclose any bits about the user to
> clearnet, the disclosure to the onion is still anon and moot, and the
> user can go direct to the onion if the onion blocks t2w.
>
> > The CDN should forward the client IP address as X-Forwarded-For or
> > something?
>
> Other proxies, vpn's, chains, whatever between t2w and the exit may not do
> this.
>
> > If any sites do start blocking users based on the header (and not also based on IP)
> > it will push people into using a non-TBB browser to access Tor.
>
> Yep.
>
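
The "matching engine rewrites t2w URLs to onions before the fetch" step from the quoted list, sketched as an added example; it is not code from HTTPS Everywhere, from the pull request above, or from anyone in this thread. Assumptions: the function name `rewriteTor2web`, the placeholder suffix `t2w.example`, the constructed onion label in the usage, and the choice to rewrite to plain `http://` on the default port.

```javascript
// Constructed list: onion.link is the proxy named in the thread;
// t2w.example is a placeholder standing in for further entries.
const KNOWN_T2W_SUFFIXES = ["onion.link", "t2w.example"];

// v2 onion labels are 16 base32 characters, v3 labels are 56.
const ONION_LABEL = /^(?:[a-z2-7]{16}|[a-z2-7]{56})$/;

// Returns the equivalent .onion URL, or null when the URL is not a
// recognised tor2web link and must be fetched unchanged.
function rewriteTor2web(urlString, suffixes = KNOWN_T2W_SUFFIXES) {
  let u;
  try {
    u = new URL(urlString);
  } catch (e) {
    return null; // unparseable input: never guess
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;

  const host = u.hostname.toLowerCase().replace(/\.$/, "");
  for (const suffix of suffixes) {
    // Require a label boundary so "evilonion.link" does not match, and
    // a true suffix so "x.onion.link.evil.example" does not match.
    if (!host.endsWith("." + suffix)) continue;
    const labels = host.slice(0, -(suffix.length + 1)).split(".");
    // The onion address is the label directly left of the proxy suffix;
    // labels further left are subdomains of the onion service.
    const onionLabel = labels[labels.length - 1];
    if (!ONION_LABEL.test(onionLabel)) return null;
    // Assumption: the service answers plain HTTP on its default port,
    // so the proxy's scheme, port and any credentials are dropped.
    return "http://" + labels.join(".") + ".onion" +
      u.pathname + u.search + u.hash;
  }
  return null;
}

// Usage with a constructed 16-character label:
console.log(rewriteTor2web("https://abcdefghijklmnop.onion.link/wiki?x=1#top"));
```

Returning null for anything that does not match exactly keeps the rewrite from firing on lookalike hosts, which matters because the rule runs before the fetch and decides where the request goes.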