onion.link is an untrusted, upstream CDN, no?

On Sun, Oct 11, 2015 at 10:50 PM, Mirimir <mirimir@riseup.net> wrote:
On 10/11/2015 08:31 PM, Travis Biehn wrote:
> Your onion or your clearsite?

What clearsite? One aspect of the design is that lighttpd runs in a VM
that can't see the Internet except through a Tor-gateway VM.

> How do you establish that your onion and clearsite host the same content?

Running a clearsite just doesn't work for me. It would paint too big a
target on the server. Anyone not using Tor can just use
<http://dbshmc5frbchaum2.onion.link/>.

> How do you federate changes from your onion to your clearsite?
> What do you do if your clearsite gets seized and used to serve up TAO
> payloads?

Don't have a clearsite :)

> How do you prevent your upstream from logging the IP addresses that hit
> port 80 and 443? The size of those messages (you know the https sizing
> attacks which can reveal which particular pages your visitors are on,
> right)?

Upstream = Tor. And sure, maybe Tor gets hosed.

> How do you make your visitors aware of the above and more? How do you
> ensure that they saw your message?

Look at my front page :)

> -Travis
>
> On Sun, Oct 11, 2015 at 10:15 PM, Mirimir <mirimir@riseup.net> wrote:
>
>> On 10/11/2015 07:49 PM, Travis Biehn wrote:
>>> I'd rather have what you call 'lazy' over nothing.
>>
>> Look, I mean no disrespect to Cryptome. But I do think that there ought
>> to be a warning for users to protect themselves, if they don't want
>> their access logged by everyone and their little yellow dog.
>>
>>> The ideal is all distribution modes available: "Keep the info off the dark
>>> web, off the deep web and in the search indexes."
>>>
>>> Cryptome shows up on google searches. Your onion does not.
>>
>> Well, Cryptome has been around for about 20 years, so hey ;)
>>
>> But Google is indexing it. And it shows up well enough in relevant
>> searches. But I haven't been promoting it very much.
>>
>>> -Travis
>>>
>>> On Sun, Oct 11, 2015 at 9:38 PM, Mirimir <mirimir@riseup.net> wrote:
>>>
>>>> On 10/11/2015 06:20 PM, Travis Biehn wrote:
>>>>> A billboard doesn't need much 'security.' *shrug*
>>>>
>>>> Well, there are the access logs ;)
>>>>
>>>> It ought to be an onion service, no? No sure bet, of course, but better
>>>> than nothing. In my opinion.
>>>>
>>>> Putting it all on users is awfully lazy, I think.
>>>>
>>>>> Travis
>>>>>
>>>>> On Sun, Oct 11, 2015, 8:18 PM John Young <jya@pipeline.com> wrote:
>>>>>
>>>>>>
>>>>>>> I would not have expected Cryptome to be on shared hosting ;) But yes,
>>>>>>> that would explain it.
>>>>>>
>>>>>> Shared is cheap, so are we. Shared is vuln, so are we. So are the others
>>>>>> despite credentials and billion-dollar armaments and above all else
>>>>>> secrecy and shallow oversight. That explains it.

--
Twitter | LinkedIn | GitHub | TravisBiehn.com | Google Plus