North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Tor and network security/administration

  • From: Kevin Day
  • Date: Wed Jun 21 13:59:01 2006

On Jun 21, 2006, at 12:43 PM, Lionel Elie Mamane wrote:
If the proxy is not at the Tor exit node, how can the tor network
enforce the addition of the "this connection went through tor" HTTP
header that Kevin Day was asking for? Fundamentally, if you rely on a
program sitting on the user's computer adding that header, then
malevolent users can not add this header, so Kevin Day's purpose is
not served. And that is what is being discussed here.

Just to chime in before this gets any further off what I meant:

I know any intermediary nodes can't inject headers into HTTPS connections, that kinda defeats the purpose of SSL. :)

When doing any financial transaction, before any user enters anything sensitive, we bounce them to an HTTP page first, then look for common proxy headers on that request. If none are found, they're given a cookie that allows them to continue on that IP only for HTTPS transactions for the next 15 minutes.

Failing that, having an exit node look at HTTP headers back from the server that contained a "X-No-Anonymous" header to say that the host at that IP shouldn't allow Tor to use it would work.

*Anything* would be better for Tor users if we could keep Tor abuse off our financial services without having to just ban all Tor IPs at the border. On a credit card transaction page, you have no anonymity anyway, since you're having to give us your credit card number, home address, etc. Yet, until we banned as many known Tor IPs as we could find from our network, Tor IPs accounted for a pretty high percentage of our credit card fraud, and nearly zero non-fraudulent use. Tor IPs had some significant(legitimate) use on some of our other sites, but that's gone because they're all null routed at the border now.

Tor may have some legit uses, but when it's costing us $BIGNUM in credit card fraud, I'm not going to spend too much time trying to only selectively ban it from our network.