[tor-dev] UX improvement proposal: Onion auto-redirects using Alt-Svc HTTP header

teor teor2345 at gmail.com
Thu Nov 16 03:23:02 UTC 2017

> On 16 Nov 2017, at 00:38, Alec Muffett <alec.muffett at gmail.com> wrote:
>> I think it's important to point out that a Tor client is never
>> guaranteed to hold a *definitive* consensus.
> That's why I say "(mostly) definitive" in my text - my feeling is that a locally-held copy of the consensus to be queried is going to be on average of far higher quality, completeness, and non-stagnancy than something that one tries to scrape out of Onionoo every 15 minutes.

Please don't use a consensus or a tor client to check for exits for
this purpose. It produces significant numbers of false negatives,
because some exits use other IP addresses for their exit traffic.

Using Onionoo or TorDNSEL reduces your false negatives, because it
pulls data from Exitmap to populate exit_addresses. (Tor clients do
not pull data from Exitmap, and that data is not in the consensus.)

> On 16 Nov 2017, at 03:03, Tom Ritter <tom at ritter.vg> wrote:
> Detecting exit nodes is error prone, as you point out. Some exit nodes
> have their traffic exit a different address than their listening
> port.[1]
> ...
> [1] Hey does Exonerator handle these?

Exonerator uses data from Exitmap, which queries a service through each
exit to discover the address(es) the exit uses to send client requests
to websites.

The list is updated every 24 hours.
So there's really no need to scrape Onionoo every 15 minutes.

>> but now we are discussing weird tor
>> modules that communicate with the Tor daemon to decide whether to
>> redirect clients, so it seems to me like an equally "special" Tor setup
>> for sysadmins.
> I can see how you would think that, and I would kind-of agree, but at least this would be local and cheap.  Perhaps instead of a magic protocol, it should be a REST API that's embedded in the local Tor daemon?  That would be a really, REALLY common pattern for an enterprise to query.

You can download the set of exit addresses every 24 hours, and write a
small tool that implements a REST API to query it:


In fact, you could even adapt the "check" service to your needs, if it
doesn't do what you want already:


Is this the kind of JSON reply you would want?



Or for the interactive version, see:


(And if you supply a destination port, it's more accurate, because it
checks exit policies as well.)


Tim / teor

PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
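As an added example (not part of this message, TorDNSEL or the check service): a small lookup of the kind described above, with the optional destination-port check. It assumes the TorDNSEL exit-addresses layout (ExitNode / ExitAddress lines) and consensus-style port-policy summaries; every address, fingerprint and policy below is constructed sample data.

```python
import ipaddress
from datetime import datetime, timedelta
# Constructed sample (not real relays) in the TorDNSEL exit-addresses layout:
# one ExitNode line per exit, followed by its ExitAddress lines (other keys ignored).
SAMPLE_EXIT_LIST = """\
ExitNode 0000000000000000000000000000000000000001
LastStatus 2017-11-16 00:00:00
ExitAddress 192.0.2.10 2017-11-16 00:12:42
ExitNode 0000000000000000000000000000000000000002
LastStatus 2017-11-16 00:00:00
ExitAddress 198.51.100.7 2017-11-16 00:05:13
ExitAddress 198.51.100.8 2017-11-16 00:05:20
"""
# Constructed consensus-style port policy summaries, keyed by fingerprint.
SAMPLE_POLICIES = {
    "0000000000000000000000000000000000000001": "accept 80,443",
    "0000000000000000000000000000000000000002": "reject 1-1024",
}

def parse_exit_addresses(text):
    """Map each ExitAddress to (fingerprint, last_seen) from an exit-addresses dump."""
    table, fingerprint = {}, None
    for fields in (line.split() for line in text.splitlines()):
        if fields and fields[0] == "ExitNode":
            fingerprint = fields[1]
        elif fields and fields[0] == "ExitAddress" and fingerprint:
            seen = datetime.strptime(fields[2] + " " + fields[3], "%Y-%m-%d %H:%M:%S")
            table[str(ipaddress.ip_address(fields[1]))] = (fingerprint, seen)
    return table

def policy_allows(summary, port):
    """Evaluate a port-policy summary such as "accept 80,443" or "reject 1-1024"."""
    verb, ranges = summary.split(maxsplit=1)
    for item in ranges.split(","):
        low, _, high = item.partition("-")
        if int(low) <= port <= int(high or low):
            return verb == "accept"
    return verb == "reject"  # ports not listed get the opposite of the verb

def is_tor_exit(ip, table, policies, port=None, now=None, max_age=timedelta(hours=24)):
    """True if ip is a current exit address; with a port, the exit policy must allow it too."""
    entry = table.get(str(ipaddress.ip_address(ip)))
    if entry is None:
        return False
    fingerprint, seen = entry
    if now is not None and now - seen > max_age:  # stale beyond one refresh interval
        return False
    if port is None:
        return True
    return policy_allows(policies.get(fingerprint, "reject 1-65535"), port)
```

Refreshing the table from a fresh download once every 24 hours, and exposing `is_tor_exit` behind a local HTTP endpoint, gives the REST-style query discussed above.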
