Re: DuckDuckGo now operates a Tor exit enclave

2010-08-15 Thread Michael Scheinost
Hi all,

thanks a lot for your answers.
I did some additional reading and now have a vague idea how tor exit
enclaving works.
As far as I understand, enclaving doesn't break tor anonymity and
privacy. Quite contrary to this, anonymity may be even enhanced by it
(https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TorFAQ#WhatisExitEnclaving).

On the other hand, there are still some points coming up with the post
of Eugen that remain unclear to me:

1. Eugen is posting this text from
http://www.gabrielweinberg.com/blog/2010/08/duckduckgo-now-operates-a-tor-exit-enclave.html
without any comment to this mailing list. This blog entry looks a lot
like an advertisement to me. Eugen's intentions are hidden. So perhaps he
is connected to duckduckgo.com in some way or perhaps he is not.

2. Why is it offering HTTP?
If duckduckgo.com really cares for the anonymity and privacy of its
users, why do they offer unencrypted HTTP?
Even if tor users are encouraged to use HTTPS, some of them will forget
to do so.

3. This site requires JavaScript.
In my opinion this point is the worst: When I entered
https://duckduckgo.com with NoScript enabled (my default) I can read the
message "This site requires JavaScript." just below the search box. So
duckduckgo.com wants its users to turn on JavaScript. But with
JavaScript enabled your anonymity is nearly switched off.

Perhaps duckduckgo.com's primary intention is not offering anonymous
services. Probably they just want to offer another alternate search
engine. And perhaps they just think offering a tor enclave is a nice
addon. So perhaps in conclusion, they didn't think much about anonymity
and privacy. I don't know it.
But why was this ad posted to the tor mailing list?

just my 2c, Michael
-- 
Michael Scheinost
mich...@scheinost.org
Jabber: m.schein...@jabber.ccc.de
GPG Key ID 0x4FF8E93B





Re: DuckDuckGo now operates a Tor exit enclave

2010-08-15 Thread Robert Ransom
On Sun, 15 Aug 2010 17:40:16 +0200
Michael Scheinost mich...@scheinost.org wrote:

> Hi all,
>
> thanks a lot for your answers.
> I did some additional reading and now have a vague idea how tor exit
> enclaving works.
> As far as I understand, enclaving doesn't break tor anonymity and
> privacy. Quite contrary to this, anonymity may be even enhanced by it
> (https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TorFAQ#WhatisExitEnclaving).
>
> On the other hand, there are still some points coming up with the post
> of Eugen that remain unclear to me:
>
> 1. Eugen is posting this text from
> http://www.gabrielweinberg.com/blog/2010/08/duckduckgo-now-operates-a-tor-exit-enclave.html
> without any comment to this mailing list. This blog entry looks a lot
> like an advertisement to me. Eugen's intentions are hidden. So perhaps he
> is connected to duckduckgo.com in some way or perhaps he is not.

I don't know whether Eugen Leitl is connected to DuckDuckGo, but he has
routinely posted/forwarded Tor-related news stories to the mailing
list.  Search for his name in the archives at
http://archives.seul.org/or/talk/.

As for whether the blog post is an advertisement, Gabriel Weinberg
created, owns, and operates DuckDuckGo, and readers of his blog are
presumably interested in his business ventures and already aware of
DuckDuckGo.

> 2. Why is it offering HTTP?
> If duckduckgo.com really cares for the anonymity and privacy of its
> users, why do they offer unencrypted HTTP?

From a comment posted by ‘phobos’ (Andrew Lewman) on
https://blog.torproject.org/blog/life-without-ca:

| The reason we as tor allow http and do not automatically redirect to
| https is that some companies and countries block ssl websites by
| default. I've seen this in action at a few banks around the world. They
| feel they need to surveil their employees to meet audit requirements.
| If we automatically redirected to the ssl site, many people would be
| sad. Some countries in the Middle East block ssl versions of sites, but
| not the non-SSL version. Simply forcing SSL everywhere is fraught with
| complexities. However, enabling SSL for users to choose is a fine
| option. You'll notice my links were to the ssl version of a site if it
| existed.

DuckDuckGo probably allows non-SSL access for the same reasons.

Also, they would need to have an HTTP service that redirects to their
HTTPS URL in order to support users typing ‘duckduckgo.com’ into a
browser without a URL scheme; such a redirect can't be sent before the
browser has sent the request (and URL) in the clear, and once the user
has sent a request in the clear, sending the response back in the clear
doesn't hurt their privacy any further.

> Even if tor users are encouraged to use HTTPS, some of them will forget
> to do so.

https://www.eff.org/https-everywhere/

But it wouldn't be needed *if* you could ensure that you are using the
exit enclave.

> 3. This site requires JavaScript.
> In my opinion this point is the worst: When I entered
> https://duckduckgo.com with NoScript enabled (my default) I can read the
> message "This site requires JavaScript." just below the search box. So
> duckduckgo.com wants its users to turn on JavaScript. But with
> JavaScript enabled your anonymity is nearly switched off.

It looks like they mainly use JavaScript to load search results lazily
(when the user scrolls down so that the end of the page is visible).
Their FAQ (https://duckduckgo.com/faq.html) says that they are
actively working on a non-JavaScript version.  I hope they finish it
soon; their site wedged my browser the first time I tried it.

For now, Torbutton can block many of the scary JavaScript-based attacks
while still allowing JavaScript to run.

> Perhaps duckduckgo.com's primary intention is not offering anonymous
> services. Probably they just want to offer another alternate search
> engine. And perhaps they just think offering a tor enclave is a nice
> addon. So perhaps in conclusion, they didn't think much about anonymity
> and privacy. I don't know it.

https://duckduckgo.com/privacy.html

> But why was this ad posted to the tor mailing list?

I don't know why Gabriel Weinberg didn't post a link to his blog post
to the list himself.  Advertisement or not, it is certainly an
appropriate news item for this list.


Robert Ransom




Re: DuckDuckGo now operates a Tor exit enclave

2010-08-15 Thread Ted Smith
On Sun, 2010-08-15 at 17:40 +0200, Michael Scheinost wrote:
> 2. Why is it offering HTTP?
> If duckduckgo.com really cares for the anonymity and privacy of its
> users, why do they offer unencrypted HTTP?
> Even if tor users are encouraged to use HTTPS, some of them will
> forget to do so.

There's no point in HTTPS if you're using an exit enclave. The traffic
is encrypted in the Tor cloud, exits that cloud **on the service's
localhost address**, and if it were encrypted, would be transmitted as
ciphertext to the service port on the local interface.

If you're proposing a threat model wherein loopback is an untrusted
connection, you have bigger problems than, well, anything.




Re: DuckDuckGo now operates a Tor exit enclave

2010-08-15 Thread Gregory Maxwell
On Sun, Aug 15, 2010 at 2:46 PM, Ted Smith ted...@gmail.com wrote:
> On Sun, 2010-08-15 at 17:40 +0200, Michael Scheinost wrote:
>> 2. Why is it offering HTTP?
>> If duckduckgo.com really cares for the anonymity and privacy of its
>> users, why do they offer unencrypted HTTP?
>> Even if tor users are encouraged to use HTTPS, some of them will
>> forget to do so.
>
> There's no point in HTTPS if you're using an exit enclave. The traffic
> is encrypted in the Tor cloud, exits that cloud **on the service's
> localhost address**, and if it were encrypted, would be transmitted as
> ciphertext to the service port on the local interface.
>
> If you're proposing a threat model wherein loopback is an untrusted
> connection, you have bigger problems than, well, anything.

Except that users often won't use the exit enclave due to limitations in tor.

The first connection to a destination will not use the exit enclave
because prior to the first connection the node will be unaware of the
destination IP and thus unaware of the existence of the enclave.

Incomplete directory information can also cause nodes to not use enclaves.

Exits with falsified DNS will cause nodes not to use enclaves.

These weaknesses could all be reduced or eliminated, but I don't think
people have cared too much about the exit enclave functionality.
***
To unsubscribe, send an e-mail to majord...@torproject.org with
unsubscribe or-talk in the body. http://archives.seul.org/or/talk/
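
[Added example, not part of the original thread and not Tor's own code: a simplified model of the client-side choice discussed above, where an enclave is used only if a cached relay descriptor has the same IP as the resolved destination and its exit policy accepts that port. The relay names, addresses and policy format are constructed for illustration, and an unmatched policy is treated as reject.]

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Relay:
    nickname: str
    address: str        # IP the relay itself runs on
    exit_policy: tuple  # ordered (action, network-or-"*", port-or-"*") rules

def policy_allows(relay, ip, port):
    # First matching rule wins. Simplification: no match means reject.
    target = ipaddress.ip_address(ip)
    for action, net, rule_port in relay.exit_policy:
        net_ok = net == "*" or target in ipaddress.ip_network(net)
        port_ok = rule_port == "*" or int(rule_port) == port
        if net_ok and port_ok:
            return action == "accept"
    return False

def pick_exit(dest_ip, port, cached_relays):
    """Return ("enclave", nickname) or ("ordinary-exit", reason)."""
    if dest_ip is None:
        return ("ordinary-exit", "destination IP not known before first resolution")
    for relay in cached_relays:
        # Same-IP requirement: a relay elsewhere never qualifies as an enclave.
        if relay.address == dest_ip and policy_allows(relay, dest_ip, port):
            return ("enclave", relay.nickname)
    return ("ordinary-exit", "no cached relay at the destination IP allows this port")

# Constructed sample data (documentation address ranges, hypothetical nicknames).
SERVICE_IP = "192.0.2.10"
SERVICE_RELAY = Relay("svcRelay", SERVICE_IP,
                      (("accept", SERVICE_IP, "80"), ("accept", SERVICE_IP, "443"),
                       ("reject", "*", "*")))
OTHER_RELAY = Relay("otherRelay", "198.51.100.7", (("accept", SERVICE_IP, "80"),))
CACHE = [OTHER_RELAY, SERVICE_RELAY]

def scenarios():
    return {
        "first connection, IP unknown": pick_exit(None, 80, CACHE)[0],
        "descriptor cached, honest DNS": pick_exit(SERVICE_IP, 80, CACHE)[0],
        "incomplete directory info": pick_exit(SERVICE_IP, 80, [OTHER_RELAY])[0],
        "falsified DNS answer": pick_exit("203.0.113.66", 80, CACHE)[0],
    }

if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
```

Only the second scenario selects the enclave; in the other three the request leaves through an ordinary exit, which is why plain HTTP to the service cannot be assumed to stay on the service's own host.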


Re: DuckDuckGo now operates a Tor exit enclave

2010-08-14 Thread Michael Scheinost
Hi Eugen,

I'm wondering why you posted this without any comment.

On 08/13/2010 06:32 PM, Eugen Leitl wrote:
> DuckDuckGo now operates one of these relays, and more importantly an exit
> enclave for DDG search engine traffic.

As far as I could see, DDG is a search engine frontend.
So what does this statement exactly mean? Do you use their exit nodes
when doing a browser request to their search engine or is it when using
links on DDG search results?
How can such a behaviour be technically achieved?

> That means if you're on Tor, and you access DDG, you'll likely exit through
> our relay and get service much faster. Tor can be slow, but this should speed
> it up a bit (when using DuckDuckGo).

I don't see any chance of doing such a thing. Even if so, what's
its purpose?

I am really confused by this. Seems like I overlook something important.
Perhaps someone can help me out of this.

Regards, Michael
-- 
Michael Scheinost
mich...@scheinost.org
Jabber: m.schein...@jabber.ccc.de
GPG Key ID 0x4FF8E93B





Re: DuckDuckGo now operates a Tor exit enclave

2010-08-14 Thread Ted Smith
On Sat, 2010-08-14 at 13:01 +0200, Michael Scheinost wrote:
> Hi Eugen,
>
> I'm wondering why you posted this without any comment.
>
> On 08/13/2010 06:32 PM, Eugen Leitl wrote:
>> DuckDuckGo now operates one of these relays, and more importantly an exit
>> enclave for DDG search engine traffic.
>
> As far as I could see, DDG is a search engine frontend.
> So what does this statement exactly mean? Do you use their exit nodes
> when doing a browser request to their search engine or is it when using
> links on DDG search results?
> How can such a behaviour be technically achieved?

An exit enclave is when a service operates a Tor exit node with an
exit policy permitting exiting to that service. Tor will automagically
extend circuits built to that host from three hops to four, such that
your traffic will exit on localhost of the service you are intending to
use. This means that users will use DDG's node when building circuits
that terminate at duckduckgo.com or whatever.




Re: DuckDuckGo now operates a Tor exit enclave

2010-08-14 Thread Geoff Down


On Sat, 14 Aug 2010 09:20 -0400, Ted Smith ted...@gmail.com wrote:

> An exit enclave is when a service operates a Tor exit node with an
> exit policy permitting exiting to that service. Tor will automagically
> extend circuits built to that host from three hops to four, such that
> your traffic will exit on localhost of the service you are intending to
> use. This means that users will use DDG's node when building circuits
> that terminate at duckduckgo.com or whatever.

Really? Duckduckgo.com is on AS19262 Verizon, but when I accessed it, it
was via an exit node on AS30058 ACTIVO-SYSTEMS.

GD



Re: DuckDuckGo now operates a Tor exit enclave

2010-08-14 Thread Gregory Maxwell
On Sat, Aug 14, 2010 at 11:09 AM, Geoff Down geoffd...@fastmail.net wrote:
> On Sat, 14 Aug 2010 09:20 -0400, Ted Smith ted...@gmail.com wrote:
>> An exit enclave is when a service operates a Tor exit node with an
>> exit policy permitting exiting to that service. Tor will automagically
>> extend circuits built to that host from three hops to four, such that
>> your traffic will exit on localhost of the service you are intending to
>> use. This means that users will use DDG's node when building circuits
>> that terminate at duckduckgo.com or whatever.
>
> Really? Duckduckgo.com is on AS19262 Verizon, but when I accessed it, it
> was via an exit node on AS30058 ACTIVO-SYSTEMS.

Exit enclaves need a lot of work. E.g. your node can't tell if an
exit enclave exists for your destination until after it's done the DNS
resolution. They also add an extra in-network hop.


Re: DuckDuckGo now operates a Tor exit enclave

2010-08-14 Thread Robert Ransom
On Sat, 14 Aug 2010 16:09:18 +0100
Geoff Down geoffd...@fastmail.net wrote:

> On Sat, 14 Aug 2010 09:20 -0400, Ted Smith ted...@gmail.com wrote:
>
>> An exit enclave is when a service operates a Tor exit node with an
>> exit policy permitting exiting to that service. Tor will automagically
>> extend circuits built to that host from three hops to four, such that
>> your traffic will exit on localhost of the service you are intending to
>> use. This means that users will use DDG's node when building circuits
>> that terminate at duckduckgo.com or whatever.
>
> Really? Duckduckgo.com is on AS19262 Verizon, but when I accessed it, it
> was via an exit node on AS30058 ACTIVO-SYSTEMS.

I don't remember where I read this, but at the moment, exit enclaving
only works if your Tor client has already downloaded and cached the
relay descriptor for the destination host.


Robert Ransom




Re: DuckDuckGo now operates a Tor exit enclave

2010-08-14 Thread morphium
> An exit enclave is when a service operates a Tor exit node with an
> exit policy permitting exiting to that service. Tor will automagically
> extend circuits built to that host from three hops to four, such that
> your traffic will exit on localhost of the service you are intending to
> use. This means that users will use DDG's node when building circuits
> that terminate at duckduckgo.com or whatever.

Oh cool, so I declare my Tor exit node as an enclave for
emailProviderNotUsingHTTPS.com and can get a lot of passwords?

That's easy!

I hope enclaves in that sense don't exist! I hope that's a
misunderstanding! Such a thing would be pretty bad!

morphium


Re: DuckDuckGo now operates a Tor exit enclave

2010-08-14 Thread Geoff Down


On Sat, 14 Aug 2010 18:19 +0200, morphium morph...@morphium.info
wrote:
>> An exit enclave is when a service operates a Tor exit node with an
>> exit policy permitting exiting to that service. Tor will automagically
>> extend circuits built to that host from three hops to four, such that
>> your traffic will exit on localhost of the service you are intending to
>> use. This means that users will use DDG's node when building circuits
>> that terminate at duckduckgo.com or whatever.
>
> Oh cool, so I declare my Tor exit node as an enclave for
> emailProviderNotUsingHTTPS.com and can get a lot of passwords?
>
> That's easy!
>
> I hope enclaves in that sense don't exist! I hope that's a
> misunderstanding! Such a thing would be pretty bad!

Well, if the circuit can only be extended to localhost, your exit
wouldn't be able to connect to emailProviderNotUsingHTTPS.com's server
unless you owned emailProviderNotUsingHTTPS.com and it was on the same
machine, by the sound of it. I'm not sure how you protect from
modified versions of Tor though.
GD


Re: DuckDuckGo now operates a Tor exit enclave

2010-08-14 Thread Gregory Maxwell
On Sat, Aug 14, 2010 at 12:19 PM, morphium morph...@morphium.info wrote:
>> An exit enclave is when a service operates a Tor exit node with an
>> exit policy permitting exiting to that service. Tor will automagically
>> extend circuits built to that host from three hops to four, such that
>> your traffic will exit on localhost of the service you are intending to
>> use. This means that users will use DDG's node when building circuits
>> that terminate at duckduckgo.com or whatever.
>
> Oh cool, so I declare my Tor exit node as an enclave for
> emailProviderNotUsingHTTPS.com and can get a lot of passwords?
>
> That's easy!
>
> I hope enclaves in that sense don't exist! I hope that's a
> misunderstanding! Such a thing would be pretty bad!

Why don't you search the archives? The exit enclave functionality has
been discussed many times.  It only happens when the service the user
is connecting to and the exit have the same IP.

Moreover, the attack you're describing already exists, though I don't
know if I should encourage people to shove beans up their noses by going
into the details here.