In-Reply-To: <L8D.DP3D.gRavit6TQI.1KQYwu@seznam.cz>
References: <L8D.DP3D.gRavit6TQI.1KQYwu@seznam.cz>
Date: Mon, 17 Nov 2014 13:09:02 -0500
Message-ID: <CAD2Ti29wjUnDv++yf_wCrXcpCQm2yBh2kOW5FzaTuiQ5pxxrJQ@mail.gmail.com>
From: grarpamp <grarpamp@gmail.com>
To: tor-talk@lists.torproject.org
Subject: Re: [tor-talk] Hidden service and session integrity

You should never trust IP for auth (even DHCP changes), or ever
use IP for anything hard against the user. That's what your
auth cookie or URL session ID is for. Do not use IP for auth; it
pisses roaming/traveling/VPN/Tor/DHCP/proxy/wifi users off, and
similarly gives you, the site op, no useful data. Do not use IPs.

You should always use HTTPS, unless you want your cookies
stolen off the wire, your users to get MITM'd, your bits to get
rotted, etc. It's possible; just use it, everywhere, always.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
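The two points in the reply above (authenticate with a random session cookie rather than the client's IP, and send that cookie only over HTTPS) as an added example that is not part of the original message or of any Tor project code. The `SessionStore` class, the `ip_pinned_authenticate` helper, the cookie attributes, the hour-long TTL and the documentation-range IP addresses are all constructed for illustration; the store is an in-memory dict standing in for whatever the site actually uses.

```python
"""Session auth that does not depend on the client IP (added example)."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Optional

SESSION_TTL_SECONDS = 3600  # assumption: one-hour sessions


@dataclass
class Session:
    user: str
    expires_at: float


def _hash_token(token: str) -> str:
    # Only a hash of the bearer token is stored, so a leaked session table
    # cannot be replayed as cookies.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class SessionStore:
    """Recommended approach: the random session cookie alone identifies the
    user; the client's IP address plays no part in authentication."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._sessions = {}      # token hash -> Session

    def login(self, user: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._sessions[_hash_token(token)] = Session(
            user, self._now() + SESSION_TTL_SECONDS)
        return token

    def authenticate(self, token: str) -> Optional[str]:
        # Indexing by the hash of the presented token means the lookup never
        # compares the secret itself byte by byte against stored values.
        sess = self._sessions.get(_hash_token(token))
        if sess is None or sess.expires_at < self._now():
            return None
        return sess.user

    def logout(self, token: str) -> None:
        self._sessions.pop(_hash_token(token), None)


def ip_pinned_authenticate(store: SessionStore, token: str,
                           login_ip: str, request_ip: str) -> Optional[str]:
    """The anti-pattern the post warns against: pinning the session to the
    address seen at login. A Tor circuit change, DHCP renewal, VPN reconnect
    or a move between Wi-Fi networks gives the same user a new address and
    locks out a perfectly valid session, while the cookie check that follows
    is what actually proved identity in the first place."""
    if login_ip != request_ip:
        return None
    return store.authenticate(token)


def session_cookie_header(token: str,
                          max_age: int = SESSION_TTL_SECONDS) -> str:
    """Set-Cookie value for the session token. Secure keeps it off plain
    HTTP (no theft off the wire); HttpOnly keeps it away from page scripts;
    SameSite=Lax blunts cross-site request forgery."""
    return (f"session={token}; Max-Age={max_age}; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")


def demo() -> dict:
    """Walk one user through an address change and through expiry."""
    clock = [1_700_000_000.0]                     # constructed fixed clock
    store = SessionStore(now=lambda: clock[0])
    token = store.login("alice")
    login_ip, later_ip = "198.51.100.7", "203.0.113.42"  # constructed addresses
    results = {
        "same_ip": ip_pinned_authenticate(store, token, login_ip, login_ip),
        # the user's exit node / DHCP lease / VPN endpoint has changed
        "ip_pinned_after_change": ip_pinned_authenticate(
            store, token, login_ip, later_ip),
        "cookie_based_after_change": store.authenticate(token),
        "garbage_token": store.authenticate("not-a-real-token"),
    }
    clock[0] += SESSION_TTL_SECONDS + 1            # session has aged out
    results["after_expiry"] = store.authenticate(token)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:28s} -> {value}")
    print(session_cookie_header("example-token"))
```

The cookie-based store accepts the same token before and after the address change and rejects it only once it has expired or been logged out, which is the behaviour a roaming or Tor user needs; the IP-pinned wrapper rejects the legitimate user the moment their address moves.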