On 24/11/2017 16:43, Yury Bulka wrote:
> Great to hear!
> I have one caveat with it though - if I understand it correctly, it is
> currently in a man-in-the-middle position between the visitor and WMF,
> as it provides its own self-signed https certificate and performs
> various URL rewriting on the traffic to change the URLs to the onion
> domain.

It is.

> Using Tor <-> clearnet WMF (HTTPS) still provides:
> 1) censorship circumvention;
> 2) location anonymity;
> 3) opaque encryption between the visitor and the WMF;
> The #3 is missing if the onion service is not operated by the WMF
> itself.
> Please correct me if I'm wrong.
> I do think it's very good that such effort is taking place - but we need
> to make sure there's no weak points security-wise that aren't
> communicated prominently enough to the users.

You are absolutely right, but the point of this service is that this is
an experiment(*) (and its maintainer says he will will be running it for
just some time, it is not permanent[1]), It is just a proof of concept
to see that it can be done.

Of course it would make more sense if the WMF would run this service
directly so that we would have an official service (also, in this case
you wouldn't experience the problem with self-signed certificates).


(*) Just for reference, Alec is running the whole thing on Amazon Web
Services on a micro instance[2]. Which is a less-than-10USD-a-month
virtual server.

[1]: https://twitter.com/AlecMuffett/status/933735934272704512
[2]: https://twitter.com/AlecMuffett/status/933738958143590401

Wikimedia-l mailing list, guidelines at: 
https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines and 
New messages to: Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, 

Reply via email to