DuckDuckGo now operates a Tor exit enclave
teddks at gmail.com
Sun Aug 15 18:46:51 UTC 2010

On Sun, 2010-08-15 at 17:40 +0200, Michael Scheinost wrote:
> 2. Why is it offering HTTP
> If duckduckgo.com really cares for the anonymity and privacy of its
> users, why do they offer unencrypted HTTP?
> Even if tor users are encouraged to use HTTPS, some of them will
> doing so.

There's no point in HTTPS if you're using an exit enclave. The traffic
is encrypted in the Tor cloud, exits that cloud **on the service's
localhost address**, and if it were encrypted, would be transmitted as
ciphertext to the service port on the local interface.

If you're proposing a threat model wherein loopback is an untrusted
connection, you have bigger problems than, well, anything.