yadakhov / torelay Goto Github PK

http://www.reddit.com/r/webdev/comments/382vw9/a_simple_tor_relay_website_i_coded_over_the/crs611c

This is a really cool idea.
I tried it at work with kickass.to but I just got back a bunch of garbled text (this is just a small sample):
��}�v�H��s�+�ٷ�Ҕ��J�G���d�E���z||�@�DXXD���2g�d�b�<���������I� "�봻K$�̈"#c��W�8�xx���1$#���+� �#?�_7I2~��;�L��F�]ն��k,� ��n�I��Z��{��{5� #X��_S��u�0$�r:� ��_� �Nv�K�X��u����ؽP'���VpN/W؈�n\y|2�d���s��k�_y����/��Oc�����T�.���'^,��p9�

Hi!

It looks like you use a certain set of user agents to obscure the fact that the data is coming from torelay.com instead of a regular client. As of my understanding of the TOR network it would be better to send the user agent of the latest TOR Browser Bundle ("Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0"), which is used by all TOR Browser instances on all platforms to make the torelay.com traffic more difficult to differentiate from regular TOR traffic.

--rec0de

Whenever a captcha is presented after submission a "Sorry, the page you are looking for could not be found." error is returned.

Examples:
https://torelay.com/?url=4chan.org
https://torelay.com/?url=thepiratebay.la

Some url such as jquery cdn and bootstrap cdn doesn't need to go through URL injection.

Hi!

I just looked trough your code and noticed that the Roboto Webfont is loaded over plaintext HTTP even if the main connection is TLS encrypted.
This causes a 'mixed content' warning in Firefox (and perhaps Chrome?)

Additionaly I would suggest enabling HSTS headers to prevent downgrading attacks.

Thanks for creating this :)

-- rec0de

Hello.
https://torelay.com/?url=www.pandora.com
http://i.imgur.com/SHi5OQN.png

Is this a limitation or a bug? (Tested FF & Chrome)

Thanks

composer create-project yadakhov/torelay mytor FTW

Hi!

It looks like your use of 'CURLOPT_HTTPHEADER' is incorrect as you only set the Useragent, not the entire header. Viewing ipnumber.info trough torelay shows that an empty user agent is sent.
If you want to send header values you have to prefix them with the name of the value you want to change (see http://curl.haxx.se/libcurl/c/CURLOPT_HTTPHEADER.html).
As you are only sending the user agent for now, I would suggest replacing 'CURLOPT_HTTPHEADER' with 'CURLOPT_USERAGENT'.

--rec0de

If you click on certain links to stuff like "./blah.html" it will take you to "torelay.com/blah.html" instead of "torelay.com/?url=website.com/blah.html"

Media stream takes up too much bandwidth