[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] You Can Now Watch YouTube Videos with Onion Hidden Services

On Thu, Dec 6, 2018 at 6:26 AM bo0od <bo0od@xxxxxxxxxx> wrote:

> - Connecting to Youtube directly , then you are putting your security on
> the SSL/TLS encryption. Whereas using in invidous hidden services your
> security is through the Onion hidden services design

One of the points made earlier though, is that this isn't entirely accurate.

If you're talking about security, there's still a SSL/TLS link between
invidious and Youtube over which your content must pass. The user has to
assume (and I *hope* it's true) that Invidious will properly verify the
cert that Youtube presents to ensure that there isn't a MiTM.

But, added to this, what you as the user are doing is inserting a third
party into the mix who's acting as a deliberate MiTM. Invidious could
(probably isn't, but has the ability) be injecting something nasty at any
point. That's no reflection on the intentions of the Invidious' operator,
they may simply get compromised by someone who sees them as a juicy target
- After all it seems unlikely that they've got the resources to put into
security that Google has.

So, whilst your initial connection has potentially gained some security (by
going over Tor), your security posture is weakened because you've inserted
a new potential attack vector, and just moved the point of origin for the
original one (the SSL/TLS connection) as well as also outsourcing the task
of verifying that TLS connection to a third party (who may very well be
ignoring invalid/expired certs for all you know at time of connection).

What you _have_ gained is some level of privacy. Youtube cannot see your
source IP, and neither can Invidious. But that's not the same thing as
increasing security - that's obviously ignoring any profiling that Youtube
still manage to do on you, though.

TL:DR - Security is weakened, Privacy is (potentially) strengthened

Ben Tasker
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to