exit notation stripping

Drake Wilson drake at begriffli.ch
Fri Jul 10 08:00:23 UTC 2009


Quoth Scott Bennett <bennett at cs.niu.edu>, on 2009-07-10 01:44:22 -0500:
> Next, privoxy sends an HTTP GET request, which contains no hostname,
> domainname, Nickname.exit, nor IP address through the connection to
> the web server at the other end.

Someone's either been living in HTTP/0.9 days or hasn't been reading
the specs.  HTTP/1.1 requires a Host field because multiple domains
may be hosted at one TCP endpoint, and that's exactly the problem: the
full URI is (albeit in pieces) passed through the whole way at the
application layer, and the exit notation is included in the URI.  A
full example flow is:

  - Browser sends GET http://example.net.example.exit/ to an HTTP proxy
    that is not aware of exit notation.

  - The HTTP proxy connects to the Tor SOCKS proxy, requesting a
    connection to example.net.example.exit.

  - Tor builds its circuit and makes the connection.

  - The HTTP proxy passes through GET http://example.net.example.exit/
    to the origin server.

  - The origin server looks up whether it knows of any site to serve
    under "example.net.example.exit", finds that it doesn't, and
    returns an error.  Alternatively, it uses a default site, which
    may be the wrong one.  Alternatively, it does whatever it usually
    does but now has mostly-definitive information that this user is
    using Tor and has requested a specific exit node.

This is why Privoxy includes a filter to strip the exit notation from
the Host header when passing the request through, and why this filter
should be enabled when using Privoxy for Tor purposes.

   ---> Drake Wilson



More information about the tor-talk mailing list