> >> As observed elsewhere, we tell our infrastructure that any traffic inbound >> from the Facebook onion site is sourced from the DHCP broadcast >> network (169.254/whatever). > > […] > I'm assuming you're pushing an IP in that range into the X-Forwarded-For > header?
Approximately yes; we use a different header (extant, internal) so we can
mostly not mess with the existing headers.
> Without wanting to start a thread-in-a-thread, I've definitely got mixed
> feelings on that one. I think most sites should be using HTTPS, but I
> think there are also cases where HTTPS genuinely may not be
> needed/desirable.
I agree that sometimes it’s overkill. I’m okay with an occasional bit of
overkill in this area.
One extra aside: if you go with SSL and get the EV Onion cert (which supports
wildcards, yay!) - then if you were to lose your onion key for some reason the
move to a new address would be less traumatic. Of course this is a mechanism
of trust placed in CAs (etc, etc) and of course there are other ways to achieve
the same thing (e.g.: TOFU?) - but this one is extant and works.
I like the mutual reinforcement of Tor and SSL, each addresses issues in the
other. :-)
-a
—
Alec Muffett
Security Infrastructure
Facebook Engineering
London
signature.asc
Description: Message signed with OpenPGP using GPGMail
-- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
