On Mon, 17 Nov 2014 18:22:00 +0000, NTPT wrote:
...
> web application "foo" uses a classical session to maintain the state of the user.
> Classically user BAR has an IP address and a cookie is assigned in the login
> process. If the right cookie from the right IP address comes for user BAR,
> the server accepts future requests.
>
> But how can it work thru TOR ?

Your server always sees requests from 127.0.0.1 and everything works. ;-)
(The server only ever sees the address of where the hidden service node is;
obviously it can't see the actual client IP.)

> what about the scenario that an attacker
> determines my exit point and somehow steals my authentication cookie and then

The model of using the IP address (among others) to distinguish users is
broken anyway - mobile users may change addresses occasionally, and the
other way round multiple users (esp. mobile again) can appear from the same
address thanks to the marvels of NAT.

> he can use the .exit pseudodomain to route his traffic thru the same exit point
> (ie gain the same IP address as a legitimate client) ?

You were talking about hidden services in the subject; what you discuss here
is your regular web service being accessed via tor. If we're talking about
the latter you should (as always) offer the service on https, not http, and
the question of stealing the login cookie becomes academic. If you're not
using https, you're simply careless towards any user of your service, as the
cookie is transferred in plaintext - any open WLAN allows sniffing, and any
rogue exit node operator can intercept any login cookie that passes its node
in HTTP. If you're actually offering a hidden service the traffic is
encrypted end-to-end even for plain http: URLs.

> And is it possible (and how ?) to run end to end encrypted (ssl) web
> traffic via the tor network ?

By entering https://someurl in the tor browser. I'm sure there is a pretty
picture somewhere but I don't know it.

Andreas
-- 
"Totally trivial. Famous last words."
From: Linus Torvalds <torvalds@*.org>
Date: Fri, 22 Jan 2010 07:29:21 -0800
-- 
tor-talk mailing list - [email protected]
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
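Added example, not part of the thread above and not code from any Tor or web project: a toy session layer that puts the "right cookie from the right IP address" check NTPT describes next to a token-only check, and issues the cookie the way Andreas's https advice implies. It runs four constructed requests through both checks: the legitimate user coming back from a different address (mobile user, or a new Tor circuit), a thief holding the stolen cookie behind the same NAT or the same exit node (the `.exit` case, so the server sees the login IP), a thief from another address, and a request with no cookie. The `SessionStore`, `Request`, `browser_will_send` names and the 203.0.113.x / 198.51.100.x / 192.0.2.x sample addresses are hypothetical.

```python
"""
Added example (not from the tor-talk thread): cookie+IP session binding
versus a token-only session, plus the Set-Cookie line for an https-only
service. All class/function names and sample addresses are hypothetical.
"""
import secrets
from dataclasses import dataclass

COOKIE_NAME = "session"


@dataclass(frozen=True)
class Request:
    """Minimal stand-in for an incoming HTTP request (hypothetical type)."""
    client_ip: str          # address the server sees: exit node, NAT box, ...
    cookies: dict           # parsed Cookie header
    scheme: str = "https"   # "http" or "https"


class SessionStore:
    """Server-side session table: token -> (user, IP seen at login)."""

    def __init__(self):
        self._sessions = {}

    def login(self, user: str, req: Request) -> str:
        # 256-bit random token: unguessable, so the token alone is the credential
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, req.client_ip)
        return token

    def user_ip_bound(self, req: Request):
        """The 'classical' check: right cookie AND same IP as at login."""
        entry = self._sessions.get(req.cookies.get(COOKIE_NAME))
        if entry is None:
            return None
        user, login_ip = entry
        return user if req.client_ip == login_ip else None

    def user_token_only(self, req: Request):
        """Check the token only; the source IP is not a useful identifier."""
        entry = self._sessions.get(req.cookies.get(COOKIE_NAME))
        return entry[0] if entry else None


def set_cookie_header(token: str) -> str:
    """Set-Cookie line for a service offered on https only.

    Secure: a compliant browser never sends the cookie over plain http, so
    an open WLAN or a rogue exit node cannot sniff it.  HttpOnly: page
    scripts cannot read it.
    """
    return f"{COOKIE_NAME}={token}; Secure; HttpOnly; SameSite=Lax; Path=/"


def browser_will_send(set_cookie: str, scheme: str) -> bool:
    """Rough model of a compliant client: Secure cookies travel over https only."""
    attrs = {a.strip().lower() for a in set_cookie.split(";")[1:]}
    return scheme == "https" or "secure" not in attrs


def run_scenarios() -> dict:
    store = SessionStore()
    # constructed sample traffic; addresses are documentation ranges
    token = store.login("BAR", Request("203.0.113.7", {}))
    cookie = {COOKIE_NAME: token}

    moved = Request("198.51.100.2", cookie)          # same user, new address
    thief_same_ip = Request("203.0.113.7", cookie)   # stolen cookie, same NAT/exit
    thief_other_ip = Request("192.0.2.9", cookie)    # stolen cookie, other address
    no_cookie = Request("203.0.113.7", {})           # login IP, no cookie

    return {
        "ip_bound": {
            "legit_moved": store.user_ip_bound(moved),
            "thief_same_ip": store.user_ip_bound(thief_same_ip),
            "thief_other_ip": store.user_ip_bound(thief_other_ip),
            "no_cookie": store.user_ip_bound(no_cookie),
        },
        "token_only": {
            "legit_moved": store.user_token_only(moved),
            "thief_same_ip": store.user_token_only(thief_same_ip),
        },
        "secure_cookie_sent_over_http": browser_will_send(set_cookie_header(token), "http"),
        "secure_cookie_sent_over_https": browser_will_send(set_cookie_header(token), "https"),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_scenarios(), indent=2))
```

The IP-bound check locks out the legitimate user who changed address and still admits the thief who arrives from the login address, which is exactly what the `.exit` trick or a shared NAT gives him; the only thing it rejects that the token-only check accepts is the thief from a different address, and he can avoid that. What actually removes the attack is keeping the cookie off plaintext links: serve https only and mark the cookie `Secure`, so the browser never emits it over http in the first place.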
