[metrics-bugs] #27925 [Metrics/ExoneraTor]: Permanent link on /exonerator.html? is http

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Oct 8 20:34:05 UTC 2018 

#27925: Permanent link on /exonerator.html? is http
--------------------------------+-----------------------------------
 Reporter:  modik               |          Owner:  metrics-team
     Type:  defect              |         Status:  needs_information
 Priority:  Medium              |      Milestone:
Component:  Metrics/ExoneraTor  |        Version:
 Severity:  Normal              |     Resolution:
 Keywords:                      |  Actual Points:
Parent ID:                      |         Points:
 Reviewer:                      |        Sponsor:
--------------------------------+-----------------------------------
Changes (by karsten):

 * status:  new => needs_information
 * cc: metrics-team (added)


Comment:

 Good catch! This is indeed not ideal.

 It's even a tiny bit worse than described above: we also include the
 `http` link in other places, for example, when an IP address was not found
 but nearby IP addresses in the same /24 have possible hits. Try searching
 for .170 and look at the HTML sources:

 {{{
             <div class="panel-body">
               <p>We did not find IP address 62.138.7.170 on or within a
 day of 2018-09-20. But we did find other IP addresses of Tor relays in the
 same /24 network around the time:</p>
               <ul>
                 <li><a
 href="http://metrics.torproject.org/exonerator.html?ip=62.138.7.171&timestamp=2018-09-20&lang=en">62.138.7.171</a></li>
               </ul>
             </div><!-- panel-body -->
 }}}

 The underlying issue is that we have an Apache running on the metrics host
 that listens on 443 and rewrites to 8080. In our servlet, we don't even
 learn that the request came in via `https`.

 I don't really have an elegant solution. The best thing I can come up with
 is that we pretend that we're living in an HTTPS world now and simply
 rewrite `http` to `https`. And for local testing environments we provide a
 simple configuration option that turns off this internal rewriting.

 Changing to needs_information to collect feedback on this plan. If I don't
 hear otherwise, I'll hack something next week. Unless somebody else wants
 to do it, in which case, please just grab the ticket!

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27925#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the metrics-bugs mailing list