
Re: [tor-talk] hidden service on same location as public service

On Mon, Jul 9, 2012 at 5:00 PM, Juenca R <juenca@xxxxxxxxx> wrote:
> ok good that was actually my other question, why run exit enclave if you run a hidden service.
> I guess you answered my question.  they serve different purposes.

Right. Enclaves work for people using the global domain names; onion
addresses do not.

I would always run an enclave for such a service even if all it did
was detect tor use and punt people to the onion url.

> are there no security-related concerns of running both ways?
> (actually three ways; regular i-net, hidden service & exit enclave, all on same server for same site content)
> only problem is docs make it sound like you have to be more careful setting up for exit enclave
> actually docs say this about exit enclave "A great idea but not such a great implementation"

Exit enclaves have a number of limitations. For example, they're just
by IP but if the user uses your DNS name they'll make their first
request out some other exit (which could MITM redirect them) before
switching to the enclave.

They also add a hop compared to regular exiting (easily made up for by
being able to avoid congested exits)... but fewer hops than hidden

The only concern I'd see is that you may have some problems sorting
out which users are enclaves vs onion, so you wouldn't know what
internal absolute URLs to use internally.  Though if you gave people
who showed up via the enclave onion URLs for further links that
wouldn't be the end of the world.
tor-talk mailing list
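The two ideas in the reply above, detecting Tor users arriving over an exit and punting them to the onion URL, and picking which absolute URLs to emit depending on how a request arrived, as an added example that is not code from the thread or from the Tor project. It is a plain request-routing helper you could call from any web framework. Everything in it is an assumption about a particular deployment: the onion service is configured so tor hands connections to the web server from loopback, the enclave exit relay's address is the host's own public IP (constructed here as 203.0.113.10), and the list of other Tor exit addresses is a constructed stand-in for whatever exit list you actually load. Hostnames and addresses are documentation values, not real ones.

```python
"""Route a request by how it reached a site that is served three ways:
clearnet, exit enclave on the same host, and onion service.

Constructed example for illustration; not from the tor-talk thread or Tor.
All addresses and hostnames below are hypothetical deployment values.
"""

# Clearnet name and onion name of the same site (hypothetical).
CLEARNET_HOST = "www.example.com"
ONION_HOST = "exampleonionaddress.onion"

# Assumption: tor's HiddenServicePort points at the local web server, so
# onion-service connections arrive from loopback with the onion Host header.
ONION_PROXY_ADDRS = {"127.0.0.1", "::1"}

# Assumption: the exit enclave relay runs on this host, so Tor circuits that
# exit through it reach the web server from the host's own public address.
ENCLAVE_RELAY_ADDR = "203.0.113.10"

# Constructed stand-in for the Tor exit list you would load from the
# exit-list service (which also contains your own relay).
KNOWN_TOR_EXITS = {"198.51.100.7", "198.51.100.8", ENCLAVE_RELAY_ADDR}


def classify(remote_addr, host_header):
    """Return 'onion', 'enclave', 'other-exit' or 'clearnet'."""
    host = host_header.split(":", 1)[0].lower()  # drop an explicit port
    if host == ONION_HOST and remote_addr in ONION_PROXY_ADDRS:
        return "onion"
    if remote_addr in KNOWN_TOR_EXITS:
        # An enclave request comes from our own relay; anything else is a
        # user whose first request went out some other exit (the limitation
        # noted in the message above).
        return "enclave" if remote_addr == ENCLAVE_RELAY_ADDR else "other-exit"
    return "clearnet"


def base_url(kind):
    """Absolute URL prefix to use for links generated in the response."""
    if kind == "onion":
        return f"http://{ONION_HOST}"
    return f"https://{CLEARNET_HOST}"


def handle(remote_addr, host_header, path):
    """Produce (status, headers, kind) for a request.

    Tor users who did not arrive over the onion service get a redirect to
    the same path on the onion address; everyone else gets a 200 together
    with the base URL the page should use for its absolute links.
    """
    kind = classify(remote_addr, host_header)
    if kind in ("enclave", "other-exit"):
        return 302, {"Location": f"http://{ONION_HOST}{path}"}, kind
    return 200, {"X-Base-URL": base_url(kind)}, kind


if __name__ == "__main__":
    for addr, host, path in [
        ("127.0.0.1", ONION_HOST, "/"),
        ("203.0.113.10", CLEARNET_HOST, "/docs/"),
        ("198.51.100.7", CLEARNET_HOST, "/docs/"),
        ("192.0.2.5", CLEARNET_HOST, "/"),
    ]:
        print(addr, host, path, "->", handle(addr, host, path))
```

Two practical notes. First, the 'other-exit' branch is exactly the case the message warns about: that user's traffic is passing through a foreign exit, so a redirect sent over plain HTTP can be rewritten by it; serve the clearnet name over HTTPS so the redirect itself cannot be tampered with. Second, the loopback check for onion traffic only holds if nothing else on the host proxies to the web server from loopback; if a local reverse proxy does, distinguish the onion listener by a dedicated port or by the Host header alone.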