[tor-talk] Exit enclaves
tor at aspector.com
Tue Dec 20 14:04:10 UTC 2011
I have some questions regarding enclaved servers and hope you can help
me find the answers to these questions. I have tried to find those
answers on this mailing list and also in the Tor documentation and the
wiki, but to no avail. If my questions have been answered over and over
again somewhere, please feel free to kick my ass for bothering you - but
please provide me with a pointer to the appropriate documentation first ;)
Q1: Can the relay on the same node as the enclaved server also act as
a "normal" Tor exit node?
All examples of exit policies for relays with an enclaved server I
have found so far only accept exits to the enclaved server and to
nowhere else. Is this kind of exit policy mandatory?
Q2: How is it ensured that requests to an enclaved server are always
routed through the Tor relay on the same machine?
The Tor wiki page
https://trac.torproject.org/projects/tor/wiki/doc/ExitEnclave
states that the relay becomes the 'preferred' path to the enclaved
server. That does not sound very strict. What can be done to ensure
this behaviour?
Let's assume that the enclaved server is a webserver. It is my
understanding that if a user's browser requests a resource from an
enclaved webserver, the existing 3-hop circuit (entry, middle and exit
node) is extended towards the relay that hosts the enclaved server.
Q3: Does the circuit extension also work if the URL of the enclaved
webserver entered in the user's browser is based on a domain name
rather than an explicit IP address? It is my understanding that
Tor-based DNS resolution does not happen in the local proxy but on
the exit node; so how does the proxy know that the resource is on
an enclaved server and can initiate the circuit extension?
Q4: Is it possible for someone that monitors the user traffic to detect
this circuit extension by any means, so that it is obvious that the
user is talking to an enclaved server? Are there any known attacks?
Any answer to these questions is appreciated.
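The following is an added toy model of the two mechanisms the questions above turn on, written for this page; it is not Tor's implementation and not code from the poster. It models a relay's exit policy as an ordered list of torrc-style accept/reject lines (first match wins, no match means reject) and models enclave selection as "the destination IP equals a relay's published address and that relay's policy accepts the port". The relay nicknames, the TEST-NET addresses and the policies are constructed for the example. It shows that the restrictive "accept only the enclave, reject *:*" policy is one possible policy rather than a requirement of the matching (Q1), and that a hostname cannot be matched against relay addresses before it is resolved (Q3).

```python
"""Toy model of Tor exit-policy matching and exit-enclave selection.

Added illustration for the questions above; this is not Tor's code and not
code from the poster. Relays, addresses (RFC 5737 TEST-NET ranges) and
policies below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Relay:
    nickname: str
    address: str                 # IPv4 address the relay publishes
    exit_policy: list = field(default_factory=list)  # torrc-style lines, first match wins


def _parse_rule(rule):
    """Parse 'accept|reject ADDR[/MASK]:PORT|LO-HI|*' (a subset of Tor's syntax)."""
    action, target = rule.split()
    addr, port = target.rsplit(":", 1)
    net = ipaddress.ip_network("0.0.0.0/0" if addr == "*" else addr, strict=False)
    if port == "*":
        lo, hi = 1, 65535
    elif "-" in port:
        lo, hi = (int(p) for p in port.split("-", 1))
    else:
        lo = hi = int(port)
    return action, net, lo, hi


def policy_allows(policy, ip, port):
    """True if the first rule matching ip:port is an accept; no match means reject."""
    ip = ipaddress.ip_address(ip)
    for rule in policy:
        action, net, lo, hi = _parse_rule(rule)
        if ip in net and lo <= port <= hi:
            return action == "accept"
    return False


def find_exit_enclave(relays, destination, port):
    """Return the relay whose own address equals the destination IP and whose
    policy accepts the port, else None. A hostname never matches here: the
    client in this model has no resolved address to compare with relay addresses."""
    try:
        dest_ip = ipaddress.ip_address(destination)
    except ValueError:
        return None
    for relay in relays:
        if ipaddress.ip_address(relay.address) == dest_ip and \
                policy_allows(relay.exit_policy, destination, port):
            return relay
    return None


def choose_path(circuit, relays, destination, port):
    """Model of the circuit extension described in the post: if an enclave relay
    matches, the existing three-hop path is extended to it as a fourth hop;
    otherwise the path is used unchanged and the third hop exits normally."""
    enclave = find_exit_enclave(relays, destination, port)
    if enclave is None or enclave.nickname in circuit:
        return list(circuit)
    return list(circuit) + [enclave.nickname]


# Constructed relays. ENCLAVE_ONLY uses the restrictive policy the post describes;
# ENCLAVE_PLUS_EXIT hosts an enclaved web server and is also an ordinary exit.
ENCLAVE_ONLY = Relay("enclave-www", "203.0.113.10",
                     ["accept 203.0.113.10:80", "accept 203.0.113.10:443", "reject *:*"])
ENCLAVE_PLUS_EXIT = Relay("enclave-and-exit", "203.0.113.20",
                          ["accept 203.0.113.20:80", "accept *:80", "accept *:443",
                           "reject *:*"])
RELAYS = [ENCLAVE_ONLY, ENCLAVE_PLUS_EXIT]
THREE_HOP = ["guard", "middle", "exit"]

if __name__ == "__main__":
    print(policy_allows(ENCLAVE_ONLY.exit_policy, "198.51.100.5", 80))       # False
    print(policy_allows(ENCLAVE_PLUS_EXIT.exit_policy, "198.51.100.5", 80))  # True
    print(choose_path(THREE_HOP, RELAYS, "203.0.113.10", 80))               # four hops
    print(choose_path(THREE_HOP, RELAYS, "www.example.com", 80))            # three hops
```

In the model, ENCLAVE_PLUS_EXIT is selected as an enclave for its own address while still accepting ordinary web traffic for everyone else, and a destination given as www.example.com takes the plain three-hop path because there is no IP to compare against relay addresses. Real Tor clients apply more conditions than this (directory state, guard choice, policy summaries), so treat the block as a way to reason about the questions, not as a description of the daemon.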