[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: Injecting client data through your own server
On Tue, Aug 30, 2005 at 11:45:32AM -0700, Chris Palmer wrote:
> Arrakis Tor writes:
>
> > What i understood is that when you send data to the entrynode it is in
> > plaintext. Only then is it encrypted and passed through the circuit.
> > The entrynode can read the plaintext data, no?
>
> Roger answered, but let me supplement. There might be confusion as to
> what the entry node actually is. There is the onion proxy (OP), which is
> the Tor instance that actually receives the original request directly
> from your application; the OP is not the same as the first onion router
> (OR) in your randomly selected Tor circuit. The first OR is the "entry
> node".
>
> In diagram 3 on <http://tor.eff.org/overview.html>, the OP is running on
> Alice's computer, and the upper left Tor server is the first OR.
>
> The traffic between the application and the OP is unencrypted, but we
> don't show that on our diagram because, if you are wise and run the OP
> on the same machine as the application, it doesn't matter (much).
>
Just to add, usually you would want to run the OP on the same machine
as the application, but you may need for it to be in a different place.
For example, in a corporate environment where local communication is
subject to monitoring you might want the OP and OR both at a firewall.
Or if you are unable to run an OP locally but can set up an encrypted
connection to somewhere trusted to proxy for you.
Much of this is discussed in "Onion Routing Access Configurations"
http://www.onion-router.net/Publications.html#DISCEX-2000
This paper is pre-Tor so will have some obviously dated aspects.
I also have the slides describing access policies and illustrating
about a half dozen different configurations if anybody
wants to see them.
-Paul