[tor-bugs] #13174 [meek]: Amazon CloudFront sets X-Forwarded-For

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Sep 16 18:29:52 UTC 2014 

#13174: Amazon CloudFront sets X-Forwarded-For
-------------------------+---------------------
 Reporter:  dcf          |          Owner:  dcf
     Type:  enhancement  |         Status:  new
 Priority:  normal       |      Milestone:
Component:  meek         |        Version:
 Keywords:               |  Actual Points:
Parent ID:               |         Points:
-------------------------+---------------------
 Amazon sets the X-Forwarded-For header that contains the client's true IP.
 Here's what the header looks like as it arrives at meek-server:
 {{{
 POST / HTTP/1.1
 Host: d1727xplrgzao3.cloudfront.net
 Via: 1.1 c54d7f08e2f3dab1918454910cc8aad0.cloudfront.net (CloudFront)
 X-Amz-Cf-Id: 4ygWFdM8S5fIh-pnW7BK7hKsA7vv6tba-G30YwVHLCXT2Kblcl_yDw==
 Connection: Keep-Alive
 Content-Length: 244
 Accept-Encoding: gzip, deflate
 X-Forwarded-Proto: https
 User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101
 Firefox/24.0
 X-Forwarded-For: 192.0.2.101
 CloudFront-Is-Mobile-Viewer: false
 CloudFront-Is-Tablet-Viewer: false
 CloudFront-Is-Desktop-Viewer: true
 CloudFront-Viewer-Country: US
 Accept-Language: en-US,en;q=0.5
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 CloudFront-Forwarded-Proto: https
 X-Session-Id: FHY4jxw72uodLxdRbrFtqRMnBbMxoa5USSuLj1pzh4w=
 Content-Type: application/octet-stream
 }}}

 From a censorship point of view, the presence of the client IP address
 doesn't make a difference, because the request is out of the censor's view
 by the time the IP is visible. From a surveillance point of view, it
 doesn't really increase the exposure of clients over ordinary bridges or
 other transports, because someone surveilling one of those bridges also
 gets a list of client IPs. But if we can hide the IP on the link between
 the CDN and meek-server, then we can be in an even better situation with
 respect to surveillance.

 Previously we didn't enable HTTPS on the link between App Engine and meek-
 server because it [comment:6:ticket:10935 increased latency]. That was for
 App Engine, though, not Amazon, and HTTPS is not as slow anymore with
 optimizations made in newer Go releases. (Now it's about 300 ms with HTTPS
 and 100 ms without.)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13174>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list