2011/1/19 Michael Blizek <[email protected]> > > End to end encryption between the user and the backend is not really the > point > here. It does not really exist for tor either unless an application does it > on > its own. The point is encryption between the front end and the back end. > This > will prevent various attacks and would allow the connection between the > back > end and the front end to safely go over TOR. >
OK, this is actually already implemented - the tunnel between front- and back-end can be a TLS tunnel and that is the default configuration for people using the Pagekite.net service. People rolling their own need to either buy a cert or know how to self sign and generate their own certificates, but it works just fine. The rest of the path can be encrypted as well by exposing an HTTPS web-server. So if you layer all the available encryption, you can have Tor anonymize your server IP, a TLS tunnel between you and the front-end hiding traffic from Tor, and finally HTTPS encryption between your web-server and the browser hiding traffic from the Pagekite proxy. :-) If you can do all this without leaving a paper-trail of money or service registration, you can host a publicly visible, completely anonymous website which cannot be siezed. It can be blocked at the front-end, but that is about it. Pagekite.py by default anonymizes its logs at the front-end as well, so unless your front-end provider is malicious (or being spied on), the logs of who visited are private as well. But you may not need all that technical stuff - since Pagekite lets you run a server from behind firewalls and NAT, the easiest way to anonymously publish might be to just buy a $100 plug server, put the content on that and then abandon said server behind a potted plant in some cafe with free wifi. :-P The paper trail is still the hard part though, front-end providers will be exposed, will have expenses and will have to cooperate with the authorities. For my service I'm still a bit on the fence as to how much to do to support truly anonymous publishing. It's an interesting hack, but I'm not sure it makes business sense, especially if it makes the shared infrastructure a higher profile target for attacks which would impact availability for other customers. I'm quite open to arguments as to why it would be good for me to provide explicitly anonymous publishing services, but at the moment I'm focusing on just providing service at all, without too many complications... -- Bjarni R. Einarsson The Beanstalks Project ehf. Making personal web-pages fly: http://pagekite.net/
_______________________________________________ p2p-hackers mailing list [email protected] http://lists.zooko.com/mailman/listinfo/p2p-hackers
