access to *.xprivacy.eu not possible over Tor #2076

Closed
grrrrr opened this Issue Dec 4, 2014 · 13 comments


3 participants

@grrrrr
grrrrr commented Dec 4, 2014

Can http://xprivacy.eu and https://crowd.xprivacy.eu be configured to allow access via Tor? At the moment when you connect you get the error

```
403 Forbidden
nginx
```
@M66B
Owner
M66B commented Dec 4, 2014
@M66B M66B closed this Dec 4, 2014
@M66B M66B added the question label Dec 4, 2014
@M66B
Owner
M66B commented Dec 4, 2014

The challenge is to prevent other TOR users from misusing things, like spamming.
This is obviously something I cannot fix.

@grrrrr
grrrrr commented Dec 4, 2014

@M66B From what I can see there's nothing writable on http://xprivacy.eu, so allowing access to that should be ok.

For https://crowd.xprivacy.eu, could it be set up so that the Tor range of IP addresses has read access but not write? That way we can fetch crowd-sourced lists.

@M66B
Owner
M66B commented Dec 4, 2014

The crowd sourced restrictions are writable.
The TOR IP range isn't fixed.

@an0n981
Contributor
an0n981 commented Dec 4, 2014

I may be wrong here, but I believe this was implemented after a DDOS attack, which would be possible again under the proposed solution. There is another solution. It includes writing custom IPTable rules for all your apps and allowing XPrivacy access outside of the TOR Network. This solution also has the advantage that you can really control which apps go through TOR and which don't, and you can send their DNS traffic to a provider of your choice, not what your SIM card decides is best. I have posted instructions for this on the AFWall thread on XDA in the past.
@M66B sorry for the OT.

@grrrrr
grrrrr commented Dec 4, 2014

@M66B the Tor IP changes depending on the exit node, but there is a finite number of exit nodes and they are public. https://www.torproject.org/projects/tordnsel.html.en (actively updated list of Tor IP address range - http://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv for easy import into a read-only solution)

You set up the web server to just give read-only access to anyone connecting with a Tor exit node IP address.

It'd be similar to how Wikipedia operates: they allow Tor users to access the server and read the contents but not edit.
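The read-only policy proposed above, written out as an added example (not code from this thread or from the XPrivacy project): parse a Tor exit-node list into a set, render it as an nginx `geo` block plus a `map` that flags write methods from flagged addresses, and a small policy function that mirrors what that config decides. The list format is a constructed sample of one address per line; the real exports linked above may differ, and the fetch/refresh step (the cron job part) is left out so the block runs offline.

```python
import ipaddress
from typing import Iterable, Set

# Constructed sample exit list (one address per line) with a comment,
# a blank line, a duplicate and a junk line to exercise the parser.
SAMPLE_EXIT_LIST = """\
# constructed sample, not a real Tor exit export
198.51.100.7
203.0.113.42

203.0.113.42
not-an-address
"""

READ_ONLY_METHODS = {"GET", "HEAD", "OPTIONS"}

def parse_exit_list(text: str) -> Set[str]:
    """Collect valid IPv4/IPv6 addresses; skip blanks, comments and junk lines."""
    exits = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            exits.add(str(ipaddress.ip_address(line)))
        except ValueError:
            continue  # one bad line must not break the whole refresh
    return exits

def nginx_policy_config(exits: Iterable[str]) -> str:
    """Render nginx http{} directives: $tor_exit=1 for listed IPs, then
    $deny_write=1 when a listed IP uses a write method. In a location
    block use: if ($deny_write) { return 403; }"""
    ordered = sorted(exits, key=lambda ip: (ipaddress.ip_address(ip).version,
                                            ipaddress.ip_address(ip)))
    lines = ["geo $tor_exit {", "    default 0;"]
    lines += [f"    {ip} 1;" for ip in ordered]
    lines += ["}", 'map "$tor_exit:$request_method" $deny_write {',
              "    default 0;",
              '    "~^1:(POST|PUT|PATCH|DELETE)$" 1;', "}"]
    return "\n".join(lines) + "\n"

def decide(client_ip: str, method: str, exits: Set[str]) -> str:
    """Same policy as the generated config: Tor exits may read, not write."""
    if client_ip in exits and method.upper() not in READ_ONLY_METHODS:
        return "deny"
    return "allow"
```

Because the check runs in nginx rather than in the host firewall, it can see the request method, which is exactly what a pure IP-level rule cannot.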

@grrrrr
grrrrr commented Dec 4, 2014

@an0n981 this sounds like what Orbot already does. The thing is, some people only want access via Tor so there is no local data leakage, so that's not an ideal solution :)

@an0n981
Contributor
an0n981 commented Dec 4, 2014

I don't think you understood what I said, but that's ok.

@M66B
Owner
M66B commented Dec 4, 2014

This is not as easy as you might think. The TOR exit node list needs to be refreshed regularly (using a cronjob/script) and there need to be special rules for read-only access when using one of the IPs. The server is protected by firewall rules, and it is not straightforward and maybe not even possible to create firewall rules which depend on the kind of access. Moving the rules to the application layer is not an option, since valuable server capacity will be wasted when requests are denied, since these will have to go through the web server first. I am not willing to spend a lot of time on this and in the process take the risk that valid requests will be denied.

The IP-addresses are on the blocklists for a reason and I cannot help it TOR is also being misused.

@grrrrr
grrrrr commented Dec 4, 2014

@an0n981 it sounds like you are saying use IPTables rules on the phone to decide what app routes over tor and which does not, is that not the case?

Also as a DDoS measure blocking such attacks that close to the server is going to have little effect, all you have done is move the blocking slightly up the stack instead of further upstream where it is more effective.

@M66B
Owner
M66B commented Dec 4, 2014

@grrrrr the main goal is to prevent people from submitting bad restrictions, not to withstand a (D)DoS.

@grrrrr
grrrrr commented Dec 4, 2014

@M66B I was just basing it off what @an0n981 said:

> I may be wrong here, but I believe this was implemented after a DDOS attack,

If the voting system is so easily abused the problem is not really with Tor, it's with the system. What's to stop me from just spamming the system with hokey rules now? I assume I can make enough of an impact before my IP address gets blocked (which can be as easily changed without Tor) and, as you've said, you don't interfere with the rules, so you now have to hope that enough people vote to fix what I did.

I'll leave it be, I can see it's not going to happen though I can't fathom why a tool that aims to help protect your privacy can't be used with another tool used to protect your privacy, it just seems to be a design flaw.

@M66B
Owner
M66B commented Dec 4, 2014

There are also other measures in place to prevent misuse.
As said before, I can't help it that TOR is also being misused for less moral purposes.
It is also not that only TOR is being blocked.
I guess the biggest design flaw is in the humans themselves.
