F. Fox wrote:
> scar wrote:
>> F. Fox @ 2008/06/26 02:39 wrote:
>>> (snip)
>>>> This actually creates another question (not to be argumentative :-) ). Given that there is no exit node, would an OnionCat to OnionCat connection over TOR need to be encrypted? Is it plain-text anywhere along the line?
>>> (snip)
>>> No, it wouldn't need extra encryption - a hidden-service connection has end-to-end encryption by its very nature.
>> unless the nodes in the circuit were all using compromised ssh keys due to that recent debian bug, or other unknown future bugs. in this case, extra encryption might be the saving grace.
> True enough - the only downside to extra layers of encryption, is the computational burden; with modern machines, it can't help to provide "your own" layer. =:oD
The overall goal is to distribute all data and "processing" to the host/home computer, and make the next laptop (2 lb. Asus eee) a throw-away thin client (sigh.... I'd like to take it with me to Canada, and if some overzealous border guard wants to look at, copy, or confiscate it..... go ahead; there will be no financial or personal information onboard to be compromised through sloppy handling by govt. bureaucrats).
Part of this equation is that the laptop is an underpowered "sub". So the communications overhead placed on the little laptop becomes a consideration. FWIW, I plan on comparing a few alternatives for responsiveness:

1. NX/SSH direct with port-knocking (using http://www.cipherdyne.org/fwknop/ to unhide the otherwise firewall-hidden SSH service port). This is the current setup.
2. NX/SSH via OnionCat with port-knocking;
3. NX via OnionCat without encryption beyond that provided by TOR hidden-service to hidden-service; fwknop hiding the SSH service port from script-kiddies cruising the OC nodes (Bernhard's concern).
Obviously, I'm hoping that alternative 2 proves viable; SCAR's suggestion of a MIM possibility with alt. 3, though it appears remote, seems also quite possible and is indeed disconcerting.
Thanks again for the feedback to this newbie!!
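The server side of alternative 2 above, as an added example that is not part of this thread or of the OnionCat or fwknop projects: a Tor hidden service that exposes only OnionCat's listener, plus an fwknopd access stanza that keeps tcp/22 dropped until a valid SPA packet arrives, so SSH stays hidden from anyone sweeping the OnionCat address space while SSH's own crypto remains as the second layer under Tor's. The hidden-service directory, the output path, and the keys are placeholders; the access.conf keywords follow fwknop 2.x syntax (the 2008-era 1.x format differs), and `fwknop --key-gen` is assumed to be the key-generation command.

```shell
#!/bin/sh
# Added example (not from the thread): writes the two server-side config
# fragments for alternative 2 -- a Tor hidden service carrying OnionCat, and
# an fwknopd access stanza gating tcp/22 behind SPA.  Paths and keys are
# placeholders, not values taken from the original post.
set -eu

write_torrc() {
    mkdir -p "$1"
    cat > "$1/torrc" <<'EOF'
# Hidden service whose only forwarded port is OnionCat's listener (TCP 8060).
# Tor's circuit crypto supplies the end-to-end encryption mentioned upthread.
HiddenServiceDir /var/lib/tor/onioncat/
HiddenServicePort 8060 127.0.0.1:8060
EOF
}

write_fwknop_access() {
    mkdir -p "$1"
    cat > "$1/access.conf" <<'EOF'
# fwknopd stanza (fwknop 2.x syntax): a client whose SPA packet decrypts and
# passes the HMAC check gets tcp/22 opened for 30 seconds from its own source
# address; with a default DROP policy the port is otherwise invisible.
SOURCE: ANY;
OPEN_PORTS: tcp/22;
# placeholders: generate real values with  fwknop --key-gen
KEY_BASE64: REPLACE_WITH_BASE64_KEY;
HMAC_KEY_BASE64: REPLACE_WITH_BASE64_HMAC_KEY;
FW_ACCESS_TIMEOUT: 30;
EOF
}

# Sanity-check a generated directory before deploying it:
#   0 = both files present, hidden service forwards only 8060, real keys set
#   1 = structural problem (missing file, wrong/extra HiddenServicePort line)
#   2 = placeholder keys still in access.conf (not deployable yet)
check_configs() {
    [ -f "$1/torrc" ] && [ -f "$1/access.conf" ] || return 1
    [ "$(grep -c '^HiddenServicePort' "$1/torrc")" -eq 1 ] || return 1
    grep -q '^HiddenServicePort 8060 127.0.0.1:8060$' "$1/torrc" || return 1
    if grep -q 'REPLACE_WITH' "$1/access.conf"; then
        return 2
    fi
    return 0
}

# Usage: sh this_script.sh /path/to/output-dir
if [ "${1:-}" != "" ]; then
    write_torrc "$1"
    write_fwknop_access "$1"
    rc=0
    check_configs "$1" || rc=$?
    echo "wrote $1/torrc and $1/access.conf (check_configs returned $rc)"
fi
```

The check deliberately refuses a directory that still carries placeholder keys, since an fwknopd started with a guessable key would make the SPA gate the weakest link rather than an extra one.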