[tor-relays] onionoo

Karsten Loesing karsten at torproject.org
Tue Sep 3 08:18:26 UTC 2013


On 9/2/13 5:59 PM, Steve Snyder wrote:
> 
> 
> On 09/02/2013 10:02 AM, Kostas Jakeliunas wrote:
> [snip]
>> Perhaps you're using it yourself, but one of the ways to probe Onionoo
>> in a user-friendly way is the new Globe tool [1]. It includes bridges as
>> well as relays.
>>
>> [1]: http://globe.rndm.de/
> 
> Having this tool on an unencrypted HTTP site doesn't seem safe to me.
> Anybody can sniff the bridge IP addresses that users submit for reporting.

In general, I agree that Globe should be provided on HTTPS.

But regardless, you don't have to be concerned about IP addresses being
sent over an unencrypted link.  Globe is just the JavaScript thing that
you load in your browser and that then makes all its data requests to
Onionoo over HTTPS.  Here's Firefox's console output of searching for
gabelmoo by IP address:

[10:14:41.726] GET https://onionoo.torproject.org/details?limit=50&search=212.112.245.170&fields=fingerprint,nickname,advertised_bandwidth,last_restarted,country,flags,or_addresses,dir_address,running,hashed_fingerprint [HTTP/1.1 200 OK 569ms]
[10:14:46.040] GET https://onionoo.torproject.org/details?lookup=16EF359C2FBF50FC08CF9A95717BE3060575B67E [HTTP/1.1 200 OK 141ms]
[10:14:46.041] GET http://globe.rndm.de/img/ajax-loader.gif [HTTP/1.1 200 OK 284ms]
[10:14:46.283] GET https://onionoo.torproject.org/weights?lookup=16EF359C2FBF50FC08CF9A95717BE3060575B67E [HTTP/1.1 200 OK 284ms]
[10:14:46.285] GET https://onionoo.torproject.org/bandwidth?lookup=16EF359C2FBF50FC08CF9A95717BE3060575B67E [HTTP/1.1 200 OK 399ms]

Best,
Karsten
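
The console check described in the message above can be scripted: parse each logged request, split by scheme, and flag any plaintext request whose query string carries a search or lookup value. This is an added example, not part of the original message and not code from Globe or Onionoo; the function names are hypothetical, SAMPLE_LOG is the console output quoted above, and it covers only what a passive observer of these requests could read.

```javascript
// Added example: audit a browser network log for user input sent over plaintext HTTP.
// SAMPLE_LOG is the console output quoted in the message above, one request per line.
const SAMPLE_LOG = [
  '[10:14:41.726] GET https://onionoo.torproject.org/details?limit=50&search=212.112.245.170&fields=fingerprint,nickname,advertised_bandwidth,last_restarted,country,flags,or_addresses,dir_address,running,hashed_fingerprint [HTTP/1.1 200 OK 569ms]',
  '[10:14:46.040] GET https://onionoo.torproject.org/details?lookup=16EF359C2FBF50FC08CF9A95717BE3060575B67E [HTTP/1.1 200 OK 141ms]',
  '[10:14:46.041] GET http://globe.rndm.de/img/ajax-loader.gif [HTTP/1.1 200 OK 284ms]',
  '[10:14:46.283] GET https://onionoo.torproject.org/weights?lookup=16EF359C2FBF50FC08CF9A95717BE3060575B67E [HTTP/1.1 200 OK 284ms]',
  '[10:14:46.285] GET https://onionoo.torproject.org/bandwidth?lookup=16EF359C2FBF50FC08CF9A95717BE3060575B67E [HTTP/1.1 200 OK 399ms]',
];

// "[time] METHOD url [HTTP/x.y status ...]" as printed in the quoted console output.
const LINE_RE = /^\[(\d{2}:\d{2}:\d{2}\.\d{3})\]\s+(GET|POST|PUT|DELETE|HEAD)\s+(\S+)\s+\[HTTP\/[\d.]+\s+(\d{3})\b/;

// Query parameters that carry what the user typed or selected
// (names taken from the URLs in the log; extend for other APIs).
const SENSITIVE_PARAMS = ['search', 'lookup'];

function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;
  return { time: m[1], method: m[2], url: new URL(m[3]), status: Number(m[4]) };
}

function auditLog(lines) {
  const report = { encrypted: [], plaintext: [], leaks: [], unparsed: [] };
  for (const line of lines) {
    let req = null;
    try { req = parseLine(line); } catch { /* malformed URL: treat as unparsed */ }
    if (!req) { report.unparsed.push(line); continue; }
    if (req.url.protocol === 'https:') { report.encrypted.push(req.url.href); continue; }
    // Anything else is visible on the wire; check whether it carries user input.
    report.plaintext.push(req.url.href);
    for (const name of SENSITIVE_PARAMS) {
      const value = req.url.searchParams.get(name);
      if (value !== null) report.leaks.push({ url: req.url.href, param: name, value });
    }
  }
  return report;
}

const result = auditLog(SAMPLE_LOG);
console.log('plaintext requests:', result.plaintext);
console.log('user input sent in plaintext:', result.leaks);
```
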


