Years ago there were the so-called "Exit Enclaves" https://trac.torproject.org/projects/tor/wiki/doc/ExitEnclave but those were abandoned.
That approach was quite cool, because the end-users would have been able to just avoid using onion addresses, but keep using internet addresses having the very same security properties.
It would be very nice to restore the exit-enclaves concept, reshaping it in this new context, so that end-users on Tor Browser could just hit www.website.com and, if that website supports Tor, his traffic will go directly to him as an Exit node.
On 02/07/2016 10:41 AM, Fabio Pietrosanti (naif) - lists wrote:
> Years ago there were the so-called "Exit Enclaves" https://trac.torproject.org/projects/tor/wiki/doc/ExitEnclave but those were abandoned.
> That approach was quite cool, because the end-users would have been able to just avoid using onion addresses, but keep using internet addresses having the very same security properties.
> It would be very nice to restore the exit-enclaves concept, reshaping it in this new context, so that end-users on Tor Browser could just hit www.website.com and, if that website supports Tor, his traffic will go directly to him as an Exit node.
I was wondering the same when I saw the instructions published by mailbox.org last week: https://support.mailbox.org/knowledge-base/article/der-tor-exit-node-von-mai... (German)
They operate an exit relay, and suggest using MapAddress statements and the exit notation to use their exit for *.mailbox.org. I didn't see this previously, and they also don't explicitly enable exit notation, so I wondered if that actually works.
This requires manual client-side configuration, but the one-sided ability to draw traffic for a certain IP (range) to your exit like with exit enclaves is also not a good property, right?
On Sun, Feb 07, 2016 at 01:39:57PM +0100, Moritz Bartl wrote:
> I was wondering the same when I saw the instructions published by mailbox.org last week: https://support.mailbox.org/knowledge-base/article/der-tor-exit-node-von-mai... (German)
> They operate an exit relay, and suggest using MapAddress statements and the exit notation to use their exit for *.mailbox.org. I didn't see this previously, and they also don't explicitly enable exit notation, so I wondered if that actually works.
> This requires manual client-side configuration, but the one-sided ability to draw traffic for a certain IP (range) to your exit like with exit enclaves is also not a good property, right?
Probably not, unless the exit relay can prove that it's run by the same person that runs the Web server. For example, it could have a blurb in its extra-info descriptor that is signed with the Web server's private key, but there are probably smarter ways.
Cheers, Philipp
On Sun, Feb 07, 2016 at 01:39:57PM +0100, Moritz Bartl wrote:
> I was wondering the same when I saw the instructions published by mailbox.org last week: https://support.mailbox.org/knowledge-base/article/der-tor-exit-node-von-mai... (German)
> They operate an exit relay, and suggest using MapAddress statements and the exit notation to use their exit for *.mailbox.org. I didn't see this previously, and they also don't explicitly enable exit notation, so I wondered if that actually works.
Using the 'router <nickname>' in '.exit' or 'mapaddress' notation is nondeterministic... anyone can spoof a relay with the same name, in that case their enclave intent will at best not be realized, and at worst will result in MITM attacks upon their users. That's part of why AllowDotExit is disabled by default.
They need to instead publish and pgp sign their relay fingerprint[s] and the TLS fingerprint[s] of their service[s] so users can pin them all down. And change their docs to use the fingerprint style notation instead of the nickname.
An example, RiseUp and Whonix properly sign their onion proofs... https://trac.torproject.org/projects/tor/wiki/org/projects/WeSupportTor
Follow this autoresponder if you want...
Neues Ticket eroeffnet: [tor-onions] Exit Enclaves 2.0 ? [HPLS-Ticket#2016021110001248] mailbox.org Support-Team support@mailbox.org Thu, Feb 11, 2016 at 12:42 PM
tor-onions@lists.torproject.org
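An added example, not part of the original thread and not code from Tor or mailbox.org: a small torrc audit that separates MapAddress `.exit` targets naming a relay by nickname, which the last reply warns anyone can spoof, from targets pinned to a fingerprint. It assumes a fingerprint is 40 hex digits with an optional `$` prefix and a nickname is 1-19 alphanumeric characters; the sample torrc, nickname and fingerprint are constructed placeholders.

```python
import re

# Assumption: a fingerprint is 40 hex digits, optionally "$"-prefixed;
# a nickname is 1-19 alphanumeric characters.
FINGERPRINT = re.compile(r"\$?[0-9A-Fa-f]{40}")
NICKNAME = re.compile(r"[A-Za-z0-9]{1,19}")

# Constructed sample torrc; nickname and fingerprint are placeholders,
# not values published by any operator.
SAMPLE_TORRC = """\
# client-side exit pinning (constructed example)
AllowDotExit 1
MapAddress *.mailbox.org *.mailbox.org.examplenick.exit
MapAddress *.example.org *.example.org.$0123456789ABCDEF0123456789ABCDEF01234567.exit
MapAddress www.example.net www.example.com
"""

def audit_torrc(text):
    """Return (line_number, severity, message) findings for .exit usage."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not parts:
            continue
        key = parts[0].lower()
        if key == "allowdotexit" and parts[1:] == ["1"]:
            findings.append((lineno, "warn",
                             "AllowDotExit overrides the disabled default"))
        elif key == "mapaddress" and len(parts) == 3:
            labels = parts[2].rstrip(".").split(".")
            if len(labels) < 3 or labels[-1].lower() != "exit":
                continue  # ordinary rewrite, no exit selection involved
            relay = labels[-2]  # the label just before ".exit" names the relay
            if FINGERPRINT.fullmatch(relay):
                findings.append((lineno, "ok", "exit pinned by fingerprint"))
            elif NICKNAME.fullmatch(relay):
                findings.append((lineno, "high",
                                 f"exit '{relay}' chosen by nickname, "
                                 "which any relay can claim"))
            else:
                findings.append((lineno, "error",
                                 f"'{relay}' is not a valid relay designator"))
    return findings

if __name__ == "__main__":
    for lineno, severity, message in audit_torrc(SAMPLE_TORRC):
        print(f"line {lineno}: [{severity}] {message}")
```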