On Sat, 14 Nov 2015 21:37:08 +0100, Uwe Werler wrote:
> On Sat, Nov 14, 2015 at 08:40:40PM +0100, Pascal Stumpf wrote:
> > On Fri, 13 Nov 2015 17:37:12 -0500, Michael McConville wrote:
> > > Uwe Werler wrote:
> > > > Hello list,
> > > >
> > > > I'd like to add a Flavor to tor which allows Tor2webMode:
> > >
> > > This seems like a rare enough use-case that it probably isn't worth a
> > > flavor.
> >
> > I tend to agree.  A tor2web proxy is an extremely rare configuration
> > compared to the total number of tor nodes.
>
> I don't think so 'cause it's one possible way e.g. leaking sites may run.

This is exactly one of those scenarios that are extremely dangerous.  An
attacker can trivially expose whistleblowers by inspecting the traffic
at the reverse proxy's end.  I'm glad if we can stop people from making
such mistakes by not providing a tor2web package.

> > I am also opposed to the whole model of making .onion sites available
> > through clearnet.  Where a hidden service is needed, it is mostly for
> > content that both the content provider and the recipient may get into
> > legal trouble (or worse) in their respective jurisdictions.
>
> Yeah, maybe. I live in a country where some years ago You could be
> hung for listening BBC or radio London. There are countries in the
> world where it's illegal to read foreign newspapers or to be gay...
>
> I think it's not our business to decide which sites people want to
> look for or not.
>
> > While
> > tor2web preserves the content provider's anonymity, it exposes the
> > (often naive) end user to uncertain risks.
>
> I tend to forbid knives 'cause naive people may cut their fingers off.

I tend to not give machetes to kids, yes.  But still, I'm not stopping
anyone from compiling their own tor2web and deploying it.  Hell, it's
not even that hard to keep a local patch for the port.  Just don't
expect any support from me.

> Or we should remove the -d switch from pfctl too.
>
> >
> > It is protected by no more than simple SSL/TLS, which makes correlation
> > attacks even easier, especially considering the very limited number of
> > .onion sites out there.  An attacker can plausibly deduce the site
> > you're looking at just by inspecting the encrypted traffic.
>
> It's not to keep the user itself anonymously or a proxy e.g.

Exactly.  And thereby it goes against the fundamental idea of hidden
services, namely to keep both the client and the server anonymous.

> > Frankly, I don't think it's ethical to provide people with this
> > particular gun to shoot themselves in the foot (i.e. ruin their life).
>
> It's not ethical to pay taxes for governments to shoot innocent people
> in other countries. Isn't it? Or should government protect us for
> ourself?

Irrelevant.  This is about OpenBSD ports.

> I think it's not the right place here to decide what other people
> should or shouldn't do.

See above.  Not stopping anyone from rolling their own.

> > It is a convenience mechanism to access .onion content on the clearnet
> > that is on .onion in the first place *for a darn good reason*.
>
> This is only *one* possible scenario. I told two others which imho
> makes more sense than simply making hidden content publicly available.

2. is just as dangerous; I don't understand why you need tor2web for 3.

> > > It also runs the risk that people will think "Tor2web" is what
> > > they need (plausible, based on the name) and thereby deanonymize
> > > themselves.