On Sun, 2010-08-15 at 17:40 +0200, Michael Scheinost wrote: > 2. Why is it offering HTTP > If duckduckgo.com really cares for the anonymity and privacy of its > users, why do they offer unencrypted HTTP? > Even if tor users are encouraged to use HTTPS, some of them will > forget > doing so. There's no point in HTTPS if you're using an exit enclave. The traffic is encrypted in the Tor cloud, exits that cloud **on the service's localhost address**, and if it were encrypted, would be transmitted as ciphertext to the service port on the local interface. If you're proposing a threat model wherein loopback is an untrusted connection, you have bigger problems than, well, anything.
Attachment:
signature.asc
Description: This is a digitally signed message part