Onion address or clearnet address
Some sites such as RiseUp and DuckDuckGo could be accessed via onion addresses. I would like to know which address (onion address vs clearnet address) should I use when using TBB. I believe both ways are more or less the same in terms of identity protection and communication security (provided that the clearnet addresses are using HTTPS). Perhaps the main difference is using the clearnet addresses adds burden to the exit relays, while using onion addresses only consumes bandwidth of middle relays which is relatives more in supply. Am I right? Do I overlook anything? Or it doesn't matter at all for either way? Best Hang
On Wed, 2014-02-05 at 12:56 +0800, Hang wrote:
Some sites such as RiseUp and DuckDuckGo could be accessed via onion addresses. I would like to know which address (onion address vs clearnet address) should I use when using TBB. I believe both ways are more or less the same in terms of identity protection and communication security (provided that the clearnet addresses are using HTTPS). Perhaps the main difference is using the clearnet addresses adds burden to the exit relays, while using onion addresses only consumes bandwidth of middle relays which is relatives more in supply.
Am I right? Do I overlook anything? Or it doesn't matter at all for either way?
No you are not. Yes you are and it does matter. There are two main differences: 1. When you access the clearnet you need dns name resolving which need to be "proxyfied" to avoid dns leaks. This issue is supposed to be solved on decent OSes and with TBB, but it is difficult to guarantee that other software/OS won't try to bypass you proxy settings, so it's a permanent worry. When you connect to hidden services, name resolving is done inside tor, never leaving out. 2. when connecting to clearnet, tor will only guarantee geolocation privacy (or actually your wan IP gets hidden from the servers you are connecting to), but the contents of your connection would be exposed if the underlying protocol is not safe. When you connect to hidden services, you connection will never hit the "clear" and will be encrypted end to end, even if the underlying protocol is not safe. 3. Also, hidden services provide anonymity to both ends, though it's said that hidden services are in need of love; -- 010 001 111
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Thx a lot Luther for the detailed explanation. Best Hang Luther Blissett:
On Wed, 2014-02-05 at 12:56 +0800, Hang wrote:
Some sites such as RiseUp and DuckDuckGo could be accessed via onion addresses. I would like to know which address (onion address vs clearnet address) should I use when using TBB. I believe both ways are more or less the same in terms of identity protection and communication security (provided that the clearnet addresses are using HTTPS). Perhaps the main difference is using the clearnet addresses adds burden to the exit relays, while using onion addresses only consumes bandwidth of middle relays which is relatives more in supply.
Am I right? Do I overlook anything? Or it doesn't matter at all for either way?
No you are not. Yes you are and it does matter.
There are two main differences:
1. When you access the clearnet you need dns name resolving which need to be "proxyfied" to avoid dns leaks. This issue is supposed to be solved on decent OSes and with TBB, but it is difficult to guarantee that other software/OS won't try to bypass you proxy settings, so it's a permanent worry. When you connect to hidden services, name resolving is done inside tor, never leaving out.
2. when connecting to clearnet, tor will only guarantee geolocation privacy (or actually your wan IP gets hidden from the servers you are connecting to), but the contents of your connection would be exposed if the underlying protocol is not safe. When you connect to hidden services, you connection will never hit the "clear" and will be encrypted end to end, even if the underlying protocol is not safe.
3. Also, hidden services provide anonymity to both ends, though it's said that hidden services are in need of love;
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
-----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJS88bWAAoJEM1lEe8L667FbEcP/08qotW/r2yHyAsVnQ35B0HG ZAr3WQqI91RDTKSBoxnciF5MV1mH42zd9mx/YZhnK3pQqYeHmrSriEWJ5GU52tY7 6cWofgN1+jJgRktFNzdVolDvuBYrgdoifBcyudNmofUNseLZw18UfpKtNRvSXKkN CCV0iHXqJ5Dp3l0ZCSs7Hq1pSTMB9mA1EvOwotOfJdOfVyJP1Z3EmOfgpC3kb0qO mGkVyOGcg8uRn+yZM7bAHAp3InWmiPl8ocgrlKnFNCMPh113LMkHxLlyd9m7zmp5 1Sfcsan6uxWzbMwj//LU7GOf5wku5pXAfhPGjBZI7UdVnlmNxp9wN89hvPt+sZUO IE4RNzfkuS09AYxDhF8g1j+zv7LZ6fQ/9cTLc9/VTStJ8FalT/hZX6D2aoIPYh7g xENjG3db9qjPuTOrbZYP0vAuyfGnUzTaNAI4OiJG7MfQkVAdcddglOyH1Hc2C87Q O8lTpTZlldaqQk5h3rtWL+eu0DEnwq2+z9UGPY9Bs3i1PP2J6K74WAWTKqhH4dWx zt8T2+BTTDq2ZieyM1AHubmZ7b7b+TuWxsKEnxTEbtaqHWMyJ88XMuCpccxWSTI3 mN09iLWJSbp/7PeHocNgxqbxDNKL8RMY5Xc3FWRdvN7SyJGJo8z+huvNV9JYM3iv spERnCD59E/bmuHDY1F6 =kmnH -----END PGP SIGNATURE-----
Hi, Luther Blissett (lblissett@paranoici.org) wrote on 2014-02-06:
1. When you access the clearnet you need dns name resolving which need to be "proxyfied" to avoid dns leaks. This issue is supposed to be solved on decent OSes and with TBB, but it is difficult to guarantee that other software/OS won't try to bypass you proxy settings, so it's a permanent worry. When you connect to hidden services, name resolving is done inside tor, never leaving out.
I don't really get this concern. Assuming tor doesn't manage to intercept DNS resolution, won't trying to resolve a well-known .onion address leak as much information as resolving the equivalent clear address? ciao, -- [*Thomas Themel*] "Der Terminus bedeutet nämlich, mittels persönliche [Albulastrasse 52] Angriffe Sachauseinandersetzungen umgehen zu können." [ CH-8048 Zürich ] [*+41 78 9070988*] - Rainer Weikusat zu 'sozial kompetent'
On 6 February 2014 14:51, Thomas Themel <thomas@themel.com> wrote:
Hi, Luther Blissett (lblissett@paranoici.org) wrote on 2014-02-06:
1. When you access the clearnet you need dns name resolving which need to be "proxyfied" to avoid dns leaks. This issue is supposed to be solved on decent OSes and with TBB, but it is difficult to guarantee that other software/OS won't try to bypass you proxy settings, so it's a permanent worry. When you connect to hidden services, name resolving is done inside tor, never leaving out.
I don't really get this concern. Assuming tor doesn't manage to intercept DNS resolution, won't trying to resolve a well-known .onion address leak as much information as resolving the equivalent clear address?
I believe you're correct. If you're worried that some crazy combination of torsocks+adium might leak the DNS name, it might also leak the .onion. My mostly-normally-configured Windows testing desktop actually sends it out four times: A record for 'whatever.onion' A record for 'whatever.onion.apt' ('apt' being the internal domain, companies will often use .corp or some other brand) AAAA record for 'whatever.onion.apt' AAAA record for 'whatever.onion' And a published hidden service name is no more 'anonymous' than duckduckgo.com. -tom
On Fri, 2014-02-07 at 06:26 -0500, Tom Ritter wrote:
On 6 February 2014 14:51, Thomas Themel <thomas@themel.com> wrote:
Hi, Luther Blissett (lblissett@paranoici.org) wrote on 2014-02-06:
1. When you access the clearnet you need dns name resolving which need to be "proxyfied" to avoid dns leaks. This issue is supposed to be solved on decent OSes and with TBB, but it is difficult to guarantee that other software/OS won't try to bypass you proxy settings, so it's a permanent worry. When you connect to hidden services, name resolving is done inside tor, never leaving out.
I don't really get this concern. Assuming tor doesn't manage to intercept DNS resolution, won't trying to resolve a well-known .onion address leak as much information as resolving the equivalent clear address?
Thanks for pointing that out. This maybe a law standpoint security (not computer security but since both are interlinked), the dns request for a onion, aka not listed and invalid dns name, would prove just a bogus-bound-to-fail attempt to connect. So it's more like proof that "user could not connect" and technically there is no subsequent exchange of data which can be used to follow the user. On the user side, the attempt will crash and the problem will be more self-evident. But if the standard dns leaks, the connection will nonetheless complete and the user will be clueless about the issue, filling confident everything is working fine. And her subsequent connections will sum up to more "traceable evidence". But yes, it gets sent which is not ideal, that's why there's people working on Tails and Whonix. -- 010 001 111
participants (4)
-
Hang -
Luther Blissett -
Thomas Themel -
Tom Ritter