On 24/11/2017 16:43, Yury Bulka wrote:
> Great to hear!
> 
> I have one caveat with it though - if I understand it correctly, it is
> currently in a man-in-the-middle position between the visitor and WMF,
> as it provides its own self-signed https certificate and performs
> various URL rewriting on the traffic to change the URLs to the onion
> domain.

It is.

> Using Tor <-> clearnet WMF (HTTPS) still provides:
> 1) censorship circumvention;
> 2) location anonymity;
> 3) opaque encryption between the visitor and the WMF;
> 
> The #3 is missing if the onion service is not operated by the WMF
> itself.
> 
> Please correct me if I'm wrong.
> 
> I do think it's very good that such effort is taking place - but we need
> to make sure there's no weak points security-wise that aren't
> communicated prominently enough to the users.

You are absolutely right, but the point of this service is that this is
an experiment(*) (and its maintainer says he will be running it for
just some time, it is not permanent[1]). It is just a proof of concept
to see that it can be done.

Of course it would make more sense if the WMF would run this service
directly so that we would have an official service (also, in this case
you wouldn't experience the problem with self-signed certificates).

Cristian

(*) Just for reference, Alec is running the whole thing on Amazon Web
Services on a micro instance[2], which is a less-than-10USD-a-month
virtual server.

[1]: https://twitter.com/AlecMuffett/status/933735934272704512
[2]: https://twitter.com/AlecMuffett/status/933738958143590401

_______________________________________________
Wikimedia-l mailing list, guidelines at: 
https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines and 
https://meta.wikimedia.org/wiki/Wikimedia-l
New messages to: Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, 
<mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe>
