Exit-node keeps .$mynode.exit in dns name

tup tup.tuple at googlemail.com
Wed May 16 03:25:03 UTC 2007


On 5/15/07, M <maillist at piirakka.com> wrote:
> My problem is the following: I typed http://whitehouse.gov.$mynode.exit (where
> $mynode was my exit node's name) in the address bar, waited a moment and got
> the following error message from the server running a transparent Squid proxy:

What's happening is that your Tor client strips the .$mynode.exit suffix
before initiating a stream through an exit node. At the exit node, Tor
resolves whitehouse.gov and tries to connect to it, but your packet filter
redirects the connection to Squid. Squid then looks up the original
destination address and ignores it, preferring to use the HTTP host header
specifying whitehouse.gov.$mynode.exit.

If I understand correctly, Privoxy has an option to strip the
.$mynode.exit suffix from host headers. This is something you'd want to
do next to your Tor client.

This does raise the issue of exit nodes redirecting HTTP streams
(and even non-HTTP port 80 traffic) through transparent caching proxies.
If people know exit nodes are logging not only "connection" data, but also
actual content of traffic they relay, exit nodes become a more valuable
target for attackers.

Also, since HTTP proxies won't pass non-HTTP traffic (setting aside
CONNECT, which is part of HTTP), it seems these exit nodes are lying in
their exit policies. They claim to allow port 80, but non-HTTP streams on
port 80 will fail unexpectedly.

tup
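
The Host-header rewrite discussed in the message above, as an added example that is not part of the original post and is not Privoxy's code. The names strip_exit_suffix and prepare_for_tor are hypothetical, and the accepted relay-name forms are an assumption. The .exit name is kept for the SOCKS target, and only the bytes sent down the stream are cleaned.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# "<hostname>.<relay>.exit", where <relay> is a nickname (1-19 alphanumerics) or a
# 40-hex-digit identity digest, optionally "$"-prefixed (accepted forms are an assumption).
_EXIT_RE = re.compile(
    r"^(?P<host>.+)\.(?:[a-z0-9]{1,19}|\$?[0-9a-f]{40})\.exit$", re.IGNORECASE)

def strip_exit_suffix(hostport: str) -> str:
    """Return host[:port] with a trailing .<relay>.exit removed, if present."""
    if hostport.startswith("["):            # bracketed IPv6 literal, never a .exit name
        return hostport
    host, sep, port = hostport.partition(":")
    m = _EXIT_RE.match(host.rstrip("."))
    return (m.group("host") if m else host) + sep + port

def prepare_for_tor(raw: bytes):
    """Split one HTTP request into (socks_target, bytes_to_send).
    socks_target keeps the .exit suffix so the Tor client can still pick the exit;
    bytes_to_send is what the exit side and the web server will see."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    parts = urlsplit(target)
    socks_target = parts.netloc             # non-empty only for absolute-form targets
    if parts.scheme and parts.netloc:
        target = urlunsplit(parts._replace(netloc=strip_exit_suffix(parts.netloc)))
    lines[0] = f"{method} {target} {version}"
    for i in range(1, len(lines)):
        name, colon, value = lines[i].partition(":")
        if colon and name.strip().lower() == "host":
            socks_target = socks_target or value.strip()
            lines[i] = f"{name}: {strip_exit_suffix(value.strip())}"
    return socks_target, "\r\n".join(lines).encode("iso-8859-1") + sep + body

# Constructed sample request, as a browser would send it to a local HTTP proxy.
SAMPLE = (b"GET http://whitehouse.gov.mynode.exit/ HTTP/1.1\r\n"
          b"Host: whitehouse.gov.mynode.exit\r\n"
          b"User-Agent: constructed-sample\r\n\r\n")

if __name__ == "__main__":
    dest, wire = prepare_for_tor(SAMPLE)
    print("SOCKS target:", dest)
    print(wire.decode("iso-8859-1"))
```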


