[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Making a Site Available as both a Hidden Service and on the www - thoughts?

To: "tor-talk@xxxxxxxxxxxxxxxxxxxx" <tor-talk@xxxxxxxxxxxxxxxxxxxx>
Subject: Re: [tor-talk] Making a Site Available as both a Hidden Service and on the www - thoughts?
From: Ben <ben@xxxxxxxxx>
Date: Tue, 19 May 2015 11:04:16 -0000
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 19 May 2015 07:53:05 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gerbil.it; s=default; t=1432036373; bh=FCEKnAqYZ+qkPTfsHj/uNc2a5j6MGoYvYf/YFTc46bM=; h=Subject:From:To:In-Reply-To:References:Date; b=mW2z/vwBKfRzQKZlN/OfWfOHRW60rnNXoGJx9SvBd5kUj9wYgfIvtHw7nDG7Ju/g6 I6kHKoFIeMzSwpwJC/xJRlhZdR1Xwmhi+BtDXeIJuf2xfVTVZE0SeZsTrTx8+YD5Qv 43+Gj185eCWbM32Pa0xhGm66sYsDqt1Slk88xUuQ=
In-reply-to: <20150519112619.7FE4CA2914@xxxxxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
Openpgp: id=1F9164D62373F057DF3971567F57C6686ACBCC6D; preference=signencrypt
References: <20150519112619.7FE4CA2914@xxxxxxxxxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>

> Your deployment of www-front induces the
> same design choices. A HS-front is nothing more than a gloriously
> encrypted version of the www-front

The point, though, is that running both at once is definitely not the
same thing.

You're 100% on the mark that things that were set up for the www-front
need re-examining, to take into account things like re-writing urls (for
example).

Simply setting up a www-front OR a hs-front does not introduce
challenges like how to handle/prevent the fact that there may be
consequences to it being accessible by completely disparate domains (the
duplicate content penalty being the example I gave).

I agree, setting it up is not hard - but making sure changes that are
made do not interfere with existing operations is something that should
not be overlooked lightly. Admittedly, I generally work on much larger
scale affairs than this, but the self enforced discipline is still there
- we do _not_ impact production - it's going to be the same back-end serving the content for both sites, so the risk needs to be assessed

> So really the deciding factor for all of your 'challenges' is do you want
> to hide the origin server for HS. Because that is what determines the
> rest of the deployment complexity

Again, I disagree. Both fronts will be served by the same back-end (so I
don't see much value in putting effort into hiding the origin in this
case), but there's more to consider than that.

As an example, I'm going to be giving this a run-through on my personal
site first (the intention had been to do it the other way round, but if
we're going to break anything, let's do it on a lower traffic site eh?).

I touched on this earlier, but to give you a little more depth.

The origin for that site, runs a reverse caching proxy, so that the
back-end doesn't have to handle every request for a dynamically
generated page (content is in a CMS but doesn't change often).

Now, once we multihome, I'll be rewriting absolute URL's to go via a
.onion, which means I need to take the caching into consideration - if you visit via .onion and I visit that page a little later via www. then I get broken references to static content, and so a broken page.

It's easy enough to sort, I just need to make sure the two fronts are
different cacheable entities, but that's still a good step away from it
being quite as straightforward a consideration as you're painting it to
be.

> All you've currently considered is
> learning-by-example.

That may be what you've seen is this thread, but it's certainly not all
I've been doing. 

To be fair, I think you could argue the same about any thread asking for
other people's input on something, just like others I'm not looking for
people to tell me what to do, but for input to help me run through it in
my mind. There have been some good ideas mooted, and others have led me
to think deeper into it.

> You might find you experience fewer problems in secure parts of your site
> without the https. I guess that's not really by-example though. Sorry
> I don't have a by-example example.

Sarcasm aside, yes that's the route I'd already settled on taking, even
if I revisit later. Although setting up HTTPS might bring a few benefits
in the future, I don't see much value into diving straight into getting
that working.


Just to jump back to something you said earlier by the way

> How did the choice to deploy both HS and www become about reasons? 
> There are no reasons, none against anyway.

Followed by

> If you accept payments by certain methods
> (non-anonymous) your liability skyrockets 
> when those payments are issued using the onion. 

There you go, there's a reason against.

Similarly, if I was serving other people's content, they might require
it only be available to certain geo-graphic regions (which I can't
reasonably claim to enforce if you're hitting an .onion). Another reason
against.

Neither are technical, sure, but there's definitely reasons against
making an existing www. available on a .onion


I'd be curious whether you can find a post where I asked for examples?
I've certainly been given examples (and I'm definitely not complaining
about that), but you seem determined to paint it as though I'm looking
to have someone give me the full set up for this - to re-iterate, I'm
not. 

-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] Making a Site Available as both a Hidden Service and on the www - thoughts?
  - From: l.m

References:
- Re: [tor-talk] Making a Site Available as both a Hidden Service and on the www - thoughts?
  - From: l.m

Prev by Author: Re: [tor-talk] Making a Site Available as both a Hidden Service and on the www - thoughts?
Next by Author: Re: [tor-talk] Making a Site Available as both a Hidden Service and on the www - thoughts?
Previous by thread: Re: [tor-talk] Making a Site Available as both a Hidden Service and on the www - thoughts?
Next by thread: Re: [tor-talk] Making a Site Available as both a Hidden Service and on the www - thoughts?
Index(es):
- Author
- Thread