On Sun, Nov 15, 2015 at 01:15:03PM +0100, Pascal Stumpf wrote:
> On Sat, 14 Nov 2015 21:37:08 +0100, Uwe Werler wrote:
> > On Sat, Nov 14, 2015 at 08:40:40PM +0100, Pascal Stumpf wrote:
> > > On Fri, 13 Nov 2015 17:37:12 -0500, Michael McConville wrote:
> > > > Uwe Werler wrote:
> > > > > Hello list,
> > > > > 
> > > > > I'd like to add a Flavor to tor which allows Tor2webMode:
> > > > 
> > > > This seems like a rare enough use-case that it probably isn't worth a
> > > > flavor. 
> > > 
> > > I tend to agree.  A tor2web proxy is an extremely rare configuration
> > > compared to the total number of tor nodes.
> > 
> > I don't think so 'cause it's one possible way e.g. leaking sites may run.
> 
> This is exactly one of those scenarios that are extremely dangerous.  An
> attacker can trivially expose whistleblowers by inspecting the traffic
> at the reverse proxy's end.

If it's so *trivial* then the whole tor concept is trivial.

The hidden service remains hidden and anonymous. If You are right the same
is true for any tor entry or exit node.

> 
> I'm glad if we can stop people from making such mistakes by not
> providing a tor2web package.

I think You are wrong. But it's Your opinion.

> > > I am also opposed to the whole model of making .onion sites available
> > > through clearnet.  Where a hidden service is needed, it is mostly for
> > > content that both the content provider and the recipient may get into
> > > legal trouble (or worse) in their respective jurisdictions. 
> > 
> > Yeah, maybe. I live in a country where some years ago You could be
> > hung for listening to BBC or radio London. There are countries in the
> > world where it's illegal to read foreign newspapers or to be gay...
> > 
> > I think it's not our business to decide which sites people want to
> > look for or not.
> > 
> > > While
> > > tor2web preserves the content provider's anonymity, it exposes the
> > > (often naive) end user to uncertain risks.
> > 
> > I tend to forbid knives 'cause naive people may cut their fingers off.
> 
> I tend to not give machetes to kids, yes.

I agree. But I think we have a dissent about which people kids are.

> But still, I'm not stopping anyone from compiling their own tor2web and
> deploying it.  Hell, it's not even that hard to keep a local patch for
> the port.

That's true.

> 
> Just don't expect any support from me.
> 

Ok. You are the maintainer, it's Your decision.

> > Or we should remove the -d switch from pfctl too.
> > 
> > > 
> > > It is protected by no more than simple SSL/TLS, which makes correlation
> > > attacks even easier, especially considering the very limited number of
> > > .onion sites out there.  An attacker can plausibly deduce the site
> > > you're looking at just by inspecting the encrypted traffic.
> > 
> > It's not to keep the user itself anonymous or a proxy e.g.
> 
> Exactly.  And thereby it goes against the fundamental idea of hidden
> services, namely to keep both the client and the server anonymous.

No. The idea of hidden services is to keep the service hidden. The idea of tor
as a client is to hide the client. Even if it's the same bin it's not
automatically the same.

The people of tor project developed this mode not without reason. And yes,
it's dangerous for *naive* people and that's why it's not compiled in by
default and there's no possibility to use it outside tor.

> 
> > > Frankly, I don't think it's ethical to provide people with this
> > > particular gun to shoot themselves in the foot (i.e. ruin their life).
> > 
> > It's not ethical to pay taxes for governments to shoot innocent people
> > in other countries. Isn't it? Or should government protect us from
> > ourselves?
> 
> Irrelevant.  This is about OpenBSD ports.

Exactly this I meant. You argued "ethical".

> > I think it's not the right place here to decide what other people
> > should or shouldn't do.
> 
> See above.  Not stopping anyone from rolling their own.

As You already mentioned above.

> > > It is a convenience mechanism to access .onion content on the clearnet
> > > that is on .onion in the first place *for a darn good reason*.
> > 
> > This is only *one* possible scenario. I told two others which imho
> > make more sense than simply making hidden content publicly available.
> 
> 2. is just as dangerous; I don't understand why you need tor2web for 3.

It's my secret ;).

It's possible to build a totally anonymous network on top of tor. This is the
basic idea behind that. And access to resources within this network is only
possible through proxies within this private network.

> > > > It also runs the risk that people will think "Tor2web" is what
> > > > they need (plausible, based on the name) and thereby deanonymize
> > > > themselves.
> > > > 
> > 
> > 
> 
