[tor-talk] Making a Site Available as both a Hidden Service and on the www - thoughts?
Alec Muffett
alecm at fb.com
Tue May 19 09:40:35 UTC 2015
>
>> As observed elsewhere, we tell our infrastructure that any traffic inbound
>> from the Facebook onion site is sourced from the DHCP broadcast
>> network (169.254/whatever).
>
> […]
> I'm assuming you're pushing an IP in that range into the X-Forwarded-For
> header?
Approximately yes; we use a different header (extant, internal) so we can mostly not mess with the existing headers.
> Without wanting to start a thread-in-a-thread, I've definitely got mixed
> feelings on that one. I think most sites should be using HTTPS, but I
> think there are also cases where HTTPS genuinely may not be
> needed/desirable.
I agree that sometimes it’s overkill. I’m okay with an occasional bit of overkill in this area.
One extra aside: if you go with SSL and get the EV Onion cert (which supports wildcards, yay!) - then if you were to lose your onion key for some reason the move to a new address would be less traumatic. Of course this is a mechanism of trust placed in CAs (etc, etc) and of course there are other ways to achieve the same thing (e.g.: TOFU?) - but this one is extant and works.
I like the mutual reinforcement of Tor and SSL, each addresses issues in the other. :-)
-a
—
Alec Muffett
Security Infrastructure
Facebook Engineering
London