Some sites such as RiseUp and DuckDuckGo could be accessed via onion addresses. I would like to know which address (onion address vs clearnet address) I should use when using TBB. I believe both ways are more or less the same in terms of identity protection and communication security (provided that the clearnet addresses are using HTTPS). Perhaps the main difference is that using the clearnet addresses adds burden to the exit relays, while using onion addresses only consumes bandwidth of middle relays, which is relatively more in supply.
Am I right? Do I overlook anything? Or it doesn't matter at all for either way?
Best, Hang
On Wed, 2014-02-05 at 12:56 +0800, Hang wrote:
Some sites such as RiseUp and DuckDuckGo could be accessed via onion addresses. I would like to know which address (onion address vs clearnet address) I should use when using TBB. I believe both ways are more or less the same in terms of identity protection and communication security (provided that the clearnet addresses are using HTTPS). Perhaps the main difference is that using the clearnet addresses adds burden to the exit relays, while using onion addresses only consumes bandwidth of middle relays, which is relatively more in supply.
Am I right? Do I overlook anything? Or it doesn't matter at all for either way?
No you are not. Yes you are and it does matter.
There are two main differences:
1. When you access the clearnet you need DNS name resolving, which needs to be "proxyfied" to avoid DNS leaks. This issue is supposed to be solved on decent OSes and with TBB, but it is difficult to guarantee that other software/OS won't try to bypass your proxy settings, so it's a permanent worry. When you connect to hidden services, name resolving is done inside tor, never leaving out.
2. When connecting to clearnet, tor will only guarantee geolocation privacy (or actually your WAN IP gets hidden from the servers you are connecting to), but the contents of your connection would be exposed if the underlying protocol is not safe. When you connect to hidden services, your connection will never hit the "clear" and will be encrypted end to end, even if the underlying protocol is not safe.
3. Also, hidden services provide anonymity to both ends, though it's said that hidden services are in need of love;
Thanks a lot Luther for the detailed explanation.
Best, Hang
Luther Blissett:
On Wed, 2014-02-05 at 12:56 +0800, Hang wrote:
Some sites such as RiseUp and DuckDuckGo could be accessed via onion addresses. I would like to know which address (onion address vs clearnet address) I should use when using TBB. I believe both ways are more or less the same in terms of identity protection and communication security (provided that the clearnet addresses are using HTTPS). Perhaps the main difference is that using the clearnet addresses adds burden to the exit relays, while using onion addresses only consumes bandwidth of middle relays, which is relatively more in supply.
Am I right? Do I overlook anything? Or it doesn't matter at all for either way?
No you are not. Yes you are and it does matter.
There are two main differences:
- When you access the clearnet you need DNS name resolving, which needs to be "proxyfied" to avoid DNS leaks. This issue is supposed to be solved on decent OSes and with TBB, but it is difficult to guarantee that other software/OS won't try to bypass your proxy settings, so it's a permanent worry. When you connect to hidden services, name resolving is done inside tor, never leaving out.
- When connecting to clearnet, tor will only guarantee geolocation privacy (or actually your WAN IP gets hidden from the servers you are connecting to), but the contents of your connection would be exposed if the underlying protocol is not safe. When you connect to hidden services, your connection will never hit the "clear" and will be encrypted end to end, even if the underlying protocol is not safe.
- Also, hidden services provide anonymity to both ends, though it's said that hidden services are in need of love;
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Hi, Luther Blissett (lblissett@paranoici.org) wrote on 2014-02-06:
- When you access the clearnet you need DNS name resolving, which needs to be "proxyfied" to avoid DNS leaks. This issue is supposed to be solved on decent OSes and with TBB, but it is difficult to guarantee that other software/OS won't try to bypass your proxy settings, so it's a permanent worry. When you connect to hidden services, name resolving is done inside tor, never leaving out.
I don't really get this concern. Assuming tor doesn't manage to intercept DNS resolution, won't trying to resolve a well-known .onion address leak as much information as resolving the equivalent clear address?
ciao,
On 6 February 2014 14:51, Thomas Themel thomas@themel.com wrote:
Hi, Luther Blissett (lblissett@paranoici.org) wrote on 2014-02-06:
- When you access the clearnet you need DNS name resolving, which needs to be "proxyfied" to avoid DNS leaks. This issue is supposed to be solved on decent OSes and with TBB, but it is difficult to guarantee that other software/OS won't try to bypass your proxy settings, so it's a permanent worry. When you connect to hidden services, name resolving is done inside tor, never leaving out.
I don't really get this concern. Assuming tor doesn't manage to intercept DNS resolution, won't trying to resolve a well-known .onion address leak as much information as resolving the equivalent clear address?
I believe you're correct. If you're worried that some crazy combination of torsocks+adium might leak the DNS name, it might also leak the .onion. My mostly-normally-configured Windows testing desktop actually sends it out four times:
- A record for 'whatever.onion'
- A record for 'whatever.onion.apt' ('apt' being the internal domain; companies will often use .corp or some other brand)
- AAAA record for 'whatever.onion.apt'
- AAAA record for 'whatever.onion'
And a published hidden service name is no more 'anonymous' than duckduckgo.com.
-tom
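The four lookups Tom lists (A and AAAA for the bare name, then again with the LAN search suffix appended) are exactly the signature a defender can look for in resolver logs: a `.onion` name should never reach a system DNS resolver at all, so any such query means some application bypassed the SOCKS proxy. The script below is an added example and not part of the thread or of any Tor Project tool. It parses dnsmasq-style query lines (the sample lines and client addresses are constructed for the example), flags every query whose name contains an `onion` label, separates the real onion name from any search-list suffix the OS appended, and counts leaks per client so one browser session showing up four times is obvious.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed dnsmasq-style query log (assumption: these lines are made up for
# the example, not taken from any real system). The four ".onion" lines mirror
# the pattern described in the thread: A and AAAA lookups for the bare name,
# and again with the LAN search suffix ("apt") appended by the OS.
SAMPLE_LOG = """\
Feb  7 06:20:01 desktop dnsmasq[1234]: query[A] whatever.onion from 192.0.2.10
Feb  7 06:20:01 desktop dnsmasq[1234]: query[A] whatever.onion.apt from 192.0.2.10
Feb  7 06:20:01 desktop dnsmasq[1234]: query[AAAA] whatever.onion.apt from 192.0.2.10
Feb  7 06:20:01 desktop dnsmasq[1234]: query[AAAA] whatever.onion from 192.0.2.10
Feb  7 06:20:05 desktop dnsmasq[1234]: query[A] duckduckgo.com from 192.0.2.10
Feb  7 06:20:09 desktop dnsmasq[1234]: query[A] www.example.com from 192.0.2.11
"""

# dnsmasq logs queries as: query[<type>] <name> from <client>
QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)"
)


@dataclass
class OnionLeak:
    client: str
    qtype: str
    queried_name: str   # exactly what reached the resolver
    onion_name: str     # the .onion name that should have stayed inside tor
    search_suffix: str  # labels the OS search list appended, "" if none


def split_onion(name: str) -> Optional[Tuple[str, str]]:
    """Return (onion_name, suffix) if the name has an 'onion' label preceded by
    at least one label; otherwise None. Handles trailing dots and mixed case,
    and recognises 'foo.onion.corp' as a leak of 'foo.onion' with suffix 'corp'."""
    labels = name.lower().rstrip(".").split(".")
    for i, label in enumerate(labels):
        if label == "onion" and i > 0:
            return ".".join(labels[: i + 1]), ".".join(labels[i + 1:])
    return None


def find_onion_leaks(log_text: str) -> List[OnionLeak]:
    """Scan resolver log lines and return one record per leaked .onion query."""
    leaks: List[OnionLeak] = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line (cached/forwarded/reply lines etc.)
        parts = split_onion(m.group("name"))
        if parts is None:
            continue  # ordinary clearnet lookup, expected to go out
        onion_name, suffix = parts
        leaks.append(OnionLeak(m.group("client"), m.group("qtype"),
                               m.group("name"), onion_name, suffix))
    return leaks


def summarize(leaks: List[OnionLeak]) -> Dict[Tuple[str, str], int]:
    """Count leaked lookups per (client, onion_name) so repeated attempts from
    the same host stand out in one line."""
    counts: Dict[Tuple[str, str], int] = {}
    for leak in leaks:
        key = (leak.client, leak.onion_name)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_onion_leaks(SAMPLE_LOG)
    for leak in found:
        suffix = f" (search suffix '{leak.search_suffix}')" if leak.search_suffix else ""
        print(f"LEAK {leak.client} {leak.qtype} {leak.queried_name} -> {leak.onion_name}{suffix}")
    for (client, onion), n in summarize(found).items():
        print(f"{client} leaked {onion} {n} time(s)")
```

The search-suffix handling matters in practice: a naive check for names ending in `.onion` would miss half of the lookups in Tom's observation, because the stub resolver rewrites `whatever.onion` to `whatever.onion.apt` before sending it. Any hit from this scan is a sign that an application on that host is not routing name resolution through Tor.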
On Fri, 2014-02-07 at 06:26 -0500, Tom Ritter wrote:
On 6 February 2014 14:51, Thomas Themel thomas@themel.com wrote:
Hi, Luther Blissett (lblissett@paranoici.org) wrote on 2014-02-06:
- When you access the clearnet you need DNS name resolving, which needs to be "proxyfied" to avoid DNS leaks. This issue is supposed to be solved on decent OSes and with TBB, but it is difficult to guarantee that other software/OS won't try to bypass your proxy settings, so it's a permanent worry. When you connect to hidden services, name resolving is done inside tor, never leaving out.
I don't really get this concern. Assuming tor doesn't manage to intercept DNS resolution, won't trying to resolve a well-known .onion address leak as much information as resolving the equivalent clear address?
Thanks for pointing that out. This may be a law standpoint security (not computer security, but since both are interlinked): the DNS request for an onion, aka a not-listed and invalid DNS name, would prove just a bogus, bound-to-fail attempt to connect. So it's more like proof that "user could not connect", and technically there is no subsequent exchange of data which can be used to follow the user.
On the user side, the attempt will crash and the problem will be more self-evident. But if the standard DNS leaks, the connection will nonetheless complete and the user will be clueless about the issue, feeling confident everything is working fine. And her subsequent connections will sum up to more "traceable evidence".
But yes, it gets sent which is not ideal, that's why there's people working on Tails and Whonix.