onion.link is an untrusted, upstream CDN, no? On Sun, Oct 11, 2015 at 10:50 PM, Mirimir <mirimir@riseup.net> wrote:
On 10/11/2015 08:31 PM, Travis Biehn wrote:
Your onion or your clearsite?
What clearsite? One aspect of the design is that lighttpd runs in a VM that can't see the Internet except through a Tor-gateway VM.
How do you establish that your onion and clearsite host the same content?
Running a clearsite just doesn't work for me. It would paint too big a target on the server. Anyone not using Tor can just use <http://dbshmc5frbchaum2.onion.link/>.
How do you federate changes from your onion to your clearsite? What do you do if your clearsite gets seized and used to serve up TAO payloads?
Don't have a clearsite :)
How do you prevent your upstream from logging the IP addresses that hit port 80 and 443? The size of those messages (you know the https sizing attacks which can reveal which particular pages your visitors are on, right)?
Upstream = Tor. And sure, maybe Tor gets hosed.
How do you make your visitors aware of the above and more? How do you ensure that they saw your message?
Look at my front page :)
-Travis
On Sun, Oct 11, 2015 at 10:15 PM, Mirimir <mirimir@riseup.net> wrote:
On 10/11/2015 07:49 PM, Travis Biehn wrote:
I'd rather have what you call 'lazy' over nothing.
Look, I mean no disrespect to Cryptome. But I do think that there ought to be a warning for users to protect themselves, if they don't want their access logged by everyone and their little yellow dog.
The ideal is all distribution modes available: "Keep the info off the dark web, off the deep web and in the search indexes."
Cryptome shows up on google searches. Your onion does not.
Well, Cryptome has been around for about 20 years, so hey ;)
But Google is indexing it. And it shows up well enough in relevant searches. But I haven't been promoting it very much.
-Travis
On Sun, Oct 11, 2015 at 9:38 PM, Mirimir <mirimir@riseup.net> wrote:
On 10/11/2015 06:20 PM, Travis Biehn wrote:
A billboard doesn't need much 'security.' *shrug*
Well, there are the access logs ;)
It ought to be an onion service, no? No sure bet, of course, but better than nothing. In my opinion.
Putting it all on users is awfully lazy, I think.
Travis
On Sun, Oct 11, 2015, 8:18 PM John Young <jya@pipeline.com> wrote:
> >> I would not have expected Cryptome to be on shared hosting ;) But yes, >> that would explain it. > > Shared is cheap, so are we. Shared is vuln, so are we. So are the others > despite credentials and billion-dollar armaments and above all else > secrecy and shallow oversight. That explains it. > > > >
-- Twitter <https://twitter.com/tbiehn> | LinkedIn <http://www.linkedin.com/in/travisbiehn> | GitHub <http://github.com/tbiehn> | TravisBiehn.com <http://www.travisbiehn.com> | Google Plus <https://plus.google.com/+TravisBiehn>