
Re: OnionCat -- An IP-Transparent TOR Hidden Service Connector

F. Fox wrote:
> scar wrote:
>> F. Fox @ 2008/06/26 02:39:
>>> 7v5w7go9ub0o wrote:
>>>> This actually creates another question (not to be argumentative :-) ).
>>>> Given that there is no exit node, would an OnionCat to OnionCat
>>>> connection over TOR need to be encrypted? Is it plain-text anywhere
>>>> along the line?
>>> No, it wouldn't need extra encryption - a hidden-service connection has
>>> end-to-end encryption by its very nature.
>>
>> unless the nodes in the circuit were all using compromised ssh keys due
>> to that recent debian bug, or other unknown future bugs.  in this case,
>> extra encryption might be the saving grace.
>
> True enough - the only downside to extra layers of encryption is the
> computational burden; with modern machines, it can't help to provide
> "your own" layer. =:oD

The overall goal is to distribute all data and "processing" to the host/home computer, and make the next laptop (2 lb. Asus eee) a throw-away thin client (sigh.... I'd like to take it with me to Canada, and if some overzealous border guard wants to look at, copy, or confiscate it..... go ahead; there will be no financial or personal information onboard to be compromised through sloppy handling by govt. bureaucrats).

Part of this equation is that the laptop is an underpowered "sub".

So the communications overhead placed on the little laptop becomes a
consideration. FWIW, I plan on comparing a few alternatives for

1. NX/SSH direct with port-knocking (using
http://www.cipherdyne.org/fwknop/ to unhide the otherwise
firewall-hidden SSH service port). This is the current setup.

2. NX/SSH via OnionCat with port-knocking;

3. NX via OnionCat without encryption beyond that provided by TOR hidden-service to hidden-service; fwknop hiding the SSH service port from script-kiddies cruising the OC nodes (Bernhard's concern).

Obviously, I'm hoping that alternative 2 proves viable; SCAR's
suggestion of a MIM possibility with alt. 3, though it appears remote, seems also quite possible and is indeed disconcerting.

Thanks again for the feedback to this newbie!!