> Are you attempting to connect to your own server by IP? That's about
> the only way that I know of that your IP would end up in the Host
> header.

Yes, that's true that I misunderstood the meaning of Host header. It's
the name or destination server, but not source. Got it now.

There're 3 options in TorButton about headers:

Set user agent for Tor usage (crucial)
Spoof US English Browser
Don't send referer during Tor usage (may break some sites)

But I see the effect only from first one when my UserAgent header changes:

my real UserAgent:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.17) Gecko/2010010604 Ubuntu/8.10 (intrepid) Firefox/3.0.17

changes to:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7

> TorButton does several tasks that help to prevent the
> end server (and eavesdropping last OR) from being able to build a
> pseudonym for you, including modifying your HTTP headers to reduce the
> chance of disclosure.

What exact tasks do you know?

Also, do I think right that it's quite useless to use Tor just as proxy -
it would work just as proxy. And it's much better to use special plugins
like TorButton to Firefox to set some extra settings about hiding
yourself. Am I right?

On Sun, Jan 31, 2010 at 7:18 PM, Marcus Griep <[email protected]> wrote:
> I think that you misunderstand what the Host header is for. It is a
> required header for HTTP/1.1, and it gives a host *name* that the
> server can then use to differentiate which resource you wanted. For
> example, www.example.com and news.example.com could be run off the
> same server. In order for the server to determine which resource you
> want when you connect to it, it inspects the Host header.
>
> Regardless, unless you are using an encrypted end-to-end connection,
> you should always assume that the last OR has the ability to read what
> you are sending. TorButton does several tasks that help to prevent the
> end server (and eavesdropping last OR) from being able to build a
> pseudonym for you, including modifying your HTTP headers to reduce the
> chance of disclosure.
>
> Are you attempting to connect to your own server by IP? That's about
> the only way that I know of that your IP would end up in the Host
> header.
>
> --
> Marcus Griep
> ——
> Ακακια את.ψο´, 3°
>
> On Sun, Jan 31, 2010 at 10:46 AM, Mansur Marvanov <[email protected]>
> wrote:
>> Hello!
>>
>> I have a Client machine with TorButton (Tor client + Firefox + Privoxy
>> + TorButton) and a Server machine with Apache.
>> But when I'm trying to connect from Client to Server through TOR
>> network I see that there's my information on HTTP-headers on Server
>> side that last OR gives to my Apache.
>> So, AFAIU last OR has all information about me? Isn't it disclosure of
>> information?
>> I think that it would be better if TorButton changes or deletes
>> HTTP-headers that could disclose me.
>> For example, at least TorButton could hide my Host header, but it
>> doesn't.. Is it a bug or what?
>>
>> GET / HTTP/1.1
>> Host: ***MY***REAL***IP***
>> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
>> rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7
>> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>> Accept-Language: en-us,en;q=0.5
>> Accept-Encoding: gzip,deflate
>> Accept-Charset: windows-1251,utf-8;q=0.7,*;q=0.7
>> If-Modified-Since: Sat, 26 Sep 2009 15:50:51 GMT
>> If-None-Match: "883d5-2d-4747d076a8cc0"-gzip
>> Cache-Control: max-age=0
>> Connection: close
>>
>> HTTP/1.1 200 OK
>> Date: Sun, 31 Jan 2010 14:08:29 GMT
>> Server: Apache/2.2.9 (Ubuntu)
>> Last-Modified: Sat, 26 Sep 2009 15:50:51 GMT
>> ETag: "883d5-2d-4747d076a8cc0"-gzip
>> Accept-Ranges: bytes
>> Vary: Accept-Encoding
>> Content-Encoding: gzip
>> Content-Length: 56
>> Connection: close
>> Content-Type: text/html
>>
>> ............(....I.O....0..,Q(./..V....l.!..`U\.QU.f-...

***********************************************************************
To unsubscribe, send an e-mail to [email protected] with
unsubscribe or-talk in the body. http://archives.seul.org/or/talk/
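
Added example, not part of the original thread: a small Python sketch of how a server uses the Host header to choose a virtual host, and which request headers describe the client instead of the destination. The sample request, the document roots and the fall-back-to-default behaviour are assumptions made for illustration.

```python
# Constructed sample request (not the capture from the thread).
RAW_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: news.example.com:80\r\n"
    "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) "
    "Gecko/2009021910 Firefox/3.0.7\r\n"
    "Accept-Language: en-us,en;q=0.5\r\n"
    "Accept-Charset: windows-1251,utf-8;q=0.7,*;q=0.7\r\n"
    "Connection: close\r\n\r\n"
)
# Hypothetical name-based virtual hosts served from one IP address.
VHOSTS = {"www.example.com": "/srv/www", "news.example.com": "/srv/news"}
DEFAULT_ROOT = "/srv/www"
# Headers whose values describe the browser or user rather than the destination.
CLIENT_DESCRIBING = {"user-agent", "accept", "accept-language", "accept-charset",
                     "accept-encoding", "referer", "cookie"}

def parse_request(raw):
    """Return (method, target, version, headers) with lower-cased header names."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers

def host_name(value):
    """Drop an optional :port; a bracketed IPv6 literal keeps its brackets."""
    if value.startswith("["):
        return value[: value.index("]") + 1].lower()
    return value.split(":", 1)[0].lower()

def select_vhost(version, headers):
    """Pick the document root the way name-based virtual hosting does."""
    if "host" not in headers:
        if version == "HTTP/1.1":
            raise ValueError("400 Bad Request: HTTP/1.1 requires a Host header")
        return DEFAULT_ROOT
    # Host is the authority from the URL the client asked for: a name, or an IP
    # literal when the server was addressed by IP. Unknown values get the default.
    return VHOSTS.get(host_name(headers["host"]), DEFAULT_ROOT)

def client_describing(headers):
    """Names of headers present that tell the server about the client."""
    return sorted(h for h in headers if h in CLIENT_DESCRIBING)

if __name__ == "__main__":
    _, _, version, headers = parse_request(RAW_REQUEST)
    print(select_vhost(version, headers), client_describing(headers))
```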

