From: Alec Muffett <alecm@fb.com>
To: "tor-talk@lists.torproject.org" <tor-talk@lists.torproject.org>
Date: Tue, 19 May 2015 11:50:43 +0000
Message-ID: <2FE3C5AE-69CE-41D0-9BC3-AE4C85647B66@fb.com>
References: <52B6B3D5-F25C-46FA-84A1-9F2A73948958@fb.com>
 <20150519094935-728-58347-mailpile@mailpile-home>
In-Reply-To: <20150519094935-728-58347-mailpile@mailpile-home>
Subject: Re: [tor-talk] Making a Site Available as both a Hidden Service and on the www - thoughts?
List-Archive: <http://lists.torproject.org/pipermail/tor-talk/>

> Are you doing anything to maximise the effect that (say) a ban based on
> IP can have?

Ah, I see - I mistook your intent, please let me clarify:

From a threat perspective we basically treat our onion site like a large
web proxy with a mix of (by far the majority) normal and (remainder)
malicious activity emanating from it.

There are a bunch of such proxies "out there" on the net anyhow - e.g.:
any Tor exit node - so having one more is not a big deal.

The "rewrite the onion to a 169.254/*" is a book-keeping measure so that
we don't have to special-case either RFC-1918 or publicly routable IP
addresses in our stack.

We don't use the onion's virtual IP for any sense of "session"
management.

> Have you made any changes lower down (similar to the patch str4d posted,
> I guess) so that you can do it on a per-circuit basis (making things a
> little harder)

We are currently running a vanilla tor daemon binary.  No mods, no
magic, basic config.

>>
>> I agree that sometimes it’s overkill.  I’m okay with an occasional bit
>> of overkill in this area.
>
> It depends, here's a massively oversimplified example
> [...]
> Switch to HTTPS.
>
> Every 300 requests, the connection is still torn-down by the origin but
> now you have to redo your SSL handshake etc. With VoD that's once every
> 600 seconds (as you only need to retrieve the manifest once).

[deletia]

That's a really interesting example, thank you! Food for thought...

> the point I'm trying to make is that people tend to assume that the
> traditional overhead of SSL is largely negated by the power of the
> systems we use now, but there are definitely areas where that assumption
> might be incorrect.

Yep.

Our approach so far has been to "just try it and see what works" - and
then measure and fix the issues later, in situ.

There have been far fewer issues than we expected. :-)

    - alec
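As an added example (not Alec's, Facebook's or the Tor project's code), here is a small Python model of the "169.254/*" book-keeping described in the message: each onion circuit is given a synthetic link-local client address so that one per-IP abuse counter handles onion, RFC 1918 and publicly routable clients through the same code path, and the synthetic address is never used for session state. The circuit identifier, the request-event format and the sample traffic are assumptions constructed for this example.

```python
# Added example (not Alec Muffett's or Facebook's code). It models the
# "rewrite the onion to a 169.254/*" book-keeping from the message: each
# onion circuit is given a synthetic link-local client address so that the
# existing per-IP abuse counter handles onion, RFC 1918 and public clients
# through one code path. The circuit identifier and event format are assumed.
import ipaddress
from collections import defaultdict

# 169.254.0.0/16 is link-local (RFC 3927): never routed on the internet and
# not one of the RFC 1918 ranges, so a stack that already copes with any
# IPv4 client address needs no special case for these synthetic clients.
ONION_VIRTUAL_NET = ipaddress.ip_network("169.254.0.0/16")
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def onion_virtual_ip(circuit_id: int) -> ipaddress.IPv4Address:
    """Map a circuit identifier (assumed to be handed over by the front end
    that terminates the onion connection) to an address in 169.254/16.

    The mapping is plain book-keeping: the address identifies the circuit
    for counting and banning and is never used as a session token. Only the
    low 16 bits of the identifier are used, so distinct circuits can share
    an address; acceptable for rate limiting, not for anything that must
    uniquely identify a client.
    """
    return ONION_VIRTUAL_NET.network_address + (circuit_id & 0xFFFF)


def classify(client_ip: str) -> str:
    """Say which class of client an address represents: 'onion' for a
    synthetic circuit address, 'rfc1918' for private space, else 'public'."""
    addr = ipaddress.ip_address(client_ip)
    if addr in ONION_VIRTUAL_NET:
        return "onion"
    if any(addr in net for net in RFC1918_NETS):
        return "rfc1918"
    return "public"


class AbuseCounter:
    """Per-client failure counter with a ban threshold. It keys on the
    client address string only, so it neither knows nor cares whether a
    client arrived over the public internet, a private network or an
    onion circuit."""

    def __init__(self, threshold: int) -> None:
        self.threshold = threshold
        self.failures = defaultdict(int)
        self.banned = set()

    def record_failure(self, client_ip: str) -> bool:
        """Count one abusive request; return True if the client is now banned."""
        self.failures[client_ip] += 1
        if self.failures[client_ip] >= self.threshold:
            self.banned.add(client_ip)
        return client_ip in self.banned

    def is_banned(self, client_ip: str) -> bool:
        return client_ip in self.banned


def client_key(event: dict) -> str:
    """Derive the book-keeping key for a request event. Events from the
    onion front end carry a 'circuit' field instead of a real client
    address (assumed event shape, constructed for this example)."""
    if "circuit" in event:
        return str(onion_virtual_ip(event["circuit"]))
    return event["ip"]


def replay(events, threshold: int = 3) -> dict:
    """Run events through the counter and report, per client key, its
    class and whether it ended up banned."""
    counter = AbuseCounter(threshold)
    for event in events:
        key = client_key(event)
        if event["status"] >= 400:          # treat any error response as a failure
            counter.record_failure(key)
    return {key: (classify(key), counter.is_banned(key))
            for key in set(client_key(e) for e in events)}


# Constructed sample traffic: a public client, a private-range client and two
# onion circuits; circuit 4711 misbehaves, circuit 4712 does not.
SAMPLE_EVENTS = [
    {"ip": "203.0.113.7", "status": 200},
    {"ip": "203.0.113.7", "status": 403},
    {"ip": "10.1.2.3", "status": 200},
    {"circuit": 4711, "status": 403},
    {"circuit": 4711, "status": 403},
    {"circuit": 4711, "status": 403},
    {"circuit": 4712, "status": 200},
]

if __name__ == "__main__":
    for key, (kind, banned) in sorted(replay(SAMPLE_EVENTS).items()):
        print(f"{key:<16} {kind:<8} banned={banned}")
```

Running the block bans only the misbehaving circuit's synthetic address, while the public and private clients and the well-behaved circuit pass through untouched; the counter itself contains no branch for any of the three address classes, which is the point of the rewrite.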


