
end-to-end encryption question



     In http://tor.eff.org/docs/tor-doc-server.html.en it says,

	14.  If your Tor server provides other services on the same IP
	address--such as a public webserver--make sure that connections to the
	webserver are allowed from the local host, too.  You need to allow
	these connections because Tor clients will detect that your Tor server
	is the safest way to reach that webserver, and always build a circuit
	that ends at your server.  If you don't want to allow the connections,
	you must explicitly reject them in your exit policy.

     I have a few questions about the above text.

a) Who translates the destination address to 127.0.0.1?  Is it the tor client?
   Or is it the exit server?

b) If I have "ExitPolicyRejectPrivate 1" in my torrc, does that prevent such
   end-to-end encryption?  If not, then does an "ExitPolicy reject *:*" at the
   end of my exit policy list count as "explicitly rejecting" such connections?

c) If "TunnelDirConns 1" tries to build one-hop circuits to directory servers,
   does "TunnelDirConns 0" result in direct, unencrypted links to directory
   servers?  Or does it result in the normal, three-hop link encrypted as far
   as the exit server, then unencrypted to the directory server?  Or does it
   result in an end-to-end-encrypted link to the directory server?  Do I need
   to have something like "ExitPolicy accept 127.0.0.1:[dirport]" ahead of the
   "ExitPolicyRejectPrivate 1" in my torrc to allow it?

d) If normal connections to directory servers are unencrypted at any point
   along the way, what is the procedure to get them to be encrypted from end
   to end?

     For obvious reasons, tor should not be getting directory information over
a connection that is not encrypted from end to end, even if everyone knows
exactly what the content of the directory information happens to be at any
given moment.  I'm trying to figure out the best way to make sure my tor only
uses end-to-end-encrypted connections, preferably going through a multi-hop
tor circuit.


                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:       bennett at cs.niu.edu                              *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************
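The questions in (b) and (c) above turn on how Tor evaluates an exit policy: rules are checked in order and the first match decides, and with ExitPolicyRejectPrivate enabled the private-network rejects (and the relay's own public address) are placed at the beginning of the policy, ahead of any ExitPolicy line from torrc. The following small evaluator, added here as an illustration and not code from the original post or from the Tor project, models exactly that ordering so the effect of an "accept 127.0.0.1:80" line can be checked against a torrc fragment before a relay is reconfigured. The torrc fragments, the documentation-range addresses (203.0.113.5, 198.51.100.7) and the choice to treat an unmatched destination as rejected are constructed assumptions of this example; a real relay appends Tor's built-in default policy instead.

```python
import ipaddress

# Networks Tor treats as private when ExitPolicyRejectPrivate is on
# (RFC 1918 ranges plus loopback, link-local and 0.0.0.0/8); the relay's
# own public address is added separately by build_policy().
PRIVATE_NETS = [
    ipaddress.ip_network(n)
    for n in ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
              "172.16.0.0/12", "192.168.0.0/16")
]

ANY_PORT = (1, 65535)


def parse_rule(clause):
    """Turn 'accept 127.0.0.1:80' or 'reject *:*' into (action, net, (lo, hi))."""
    action, pattern = clause.split()
    if action not in ("accept", "reject"):
        raise ValueError("unknown action: %s" % action)
    addr, port = pattern.rsplit(":", 1)
    net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
    if port == "*":
        ports = ANY_PORT
    elif "-" in port:
        lo, hi = port.split("-", 1)
        ports = (int(lo), int(hi))
    else:
        ports = (int(port), int(port))
    return action, net, ports


def build_policy(torrc_lines, reject_private=True, own_public_ip=None):
    """Assemble the ordered rule list a relay would evaluate.

    The reject-private rules go first, mirroring Tor's documented behaviour
    that ExitPolicyRejectPrivate inserts them at the beginning of the policy,
    so no ExitPolicy line in torrc can be placed ahead of them.
    """
    rules = []
    if reject_private:
        for net in PRIVATE_NETS:
            rules.append(("reject", net, ANY_PORT))
        if own_public_ip is not None:
            rules.append(("reject", ipaddress.ip_network(own_public_ip), ANY_PORT))
    for line in torrc_lines:
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key != "ExitPolicy":
            continue
        for clause in value.split(","):           # one line may hold several rules
            rules.append(parse_rule(clause.strip()))
    return rules


def exit_allows(rules, dest_ip, dest_port):
    """First-match evaluation; unmatched destinations are rejected here
    (an assumption of this example: a real relay falls through to Tor's
    default exit policy rather than to a flat reject)."""
    ip = ipaddress.ip_address(dest_ip)
    for action, net, (lo, hi) in rules:
        if (net is None or ip in net) and lo <= dest_port <= hi:
            return action == "accept"
    return False


# Constructed torrc fragments used to exercise the evaluator.
TORRC_LOOPBACK = [
    "ExitPolicy accept 127.0.0.1:80",
    "ExitPolicy reject *:*",
]
TORRC_OWN_IP = [
    "ExitPolicy accept 203.0.113.5:80   # the relay's own (constructed) public address",
    "ExitPolicy accept *:80, reject *:*",
]


def demo():
    """Return the outcomes for the constructed fragments as a dict."""
    return {
        # ExitPolicyRejectPrivate 1: the loopback reject sits ahead of the accept.
        "loopback_with_reject_private": exit_allows(
            build_policy(TORRC_LOOPBACK, reject_private=True), "127.0.0.1", 80),
        # ExitPolicyRejectPrivate 0: the explicit accept is now the first match.
        "loopback_without_reject_private": exit_allows(
            build_policy(TORRC_LOOPBACK, reject_private=False), "127.0.0.1", 80),
        # The relay's own public address is rejected the same way when the option is on.
        "own_ip_with_reject_private": exit_allows(
            build_policy(TORRC_OWN_IP, reject_private=True,
                         own_public_ip="203.0.113.5"), "203.0.113.5", 80),
        # Ordinary remote web traffic still matches 'accept *:80' before 'reject *:*'.
        "remote_port_80": exit_allows(
            build_policy(TORRC_OWN_IP, reject_private=True,
                         own_public_ip="203.0.113.5"), "198.51.100.7", 80),
        "remote_port_443": exit_allows(
            build_policy(TORRC_OWN_IP, reject_private=True,
                         own_public_ip="203.0.113.5"), "198.51.100.7", 443),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print("%-34s %s" % (name, "accept" if allowed else "reject"))
```

The point the evaluator makes visible is that rule position, not just rule presence, decides the outcome: a trailing "reject *:*" is a genuine catch-all for anything not accepted earlier, while an accept for a loopback or own-address destination only takes effect if ExitPolicyRejectPrivate has not already placed a reject for that range in front of it.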