[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: DuckDuckGo now operates a Tor exit enclave

On Sun, 2010-08-15 at 17:40 +0200, Michael Scheinost wrote:
> 2. Why is it offering HTTP
> If duckduckgo.com really cares for the anonymity and privacy of its
> users, why do they offer unencrypted HTTP?
> Even if tor users are encouraged to use HTTPS, some of them will
> forget
> doing so. 

There's no point in HTTPS if you're using an exit enclave. The traffic
is encrypted in the Tor cloud, exits that cloud **on the service's
localhost address**, and if it were encrypted, would be transmitted as
ciphertext to the service port on the local interface.

If you're proposing a threat model wherein loopback is an untrusted
connection, you have bigger problems than, well, anything.

Attachment: signature.asc
Description: This is a digitally signed message part