[tor-talk] Exit enclaves

tor tor at aspector.com
Tue Dec 20 14:04:10 UTC 2011


I have some questions regarding enclaved servers and hope you can help
me finding the answer to these questions. I have tried to find those
answers on this mailing list and also in the TOR documentation and the
wiki, but to no avail. If my questions have been answered over and over
again somewhere, please feel free to kick my ass for bothering you - but
please provide me with a pointer to the appropriate documentation first ;)

Q1: Can the relay on the same node as the enclaved server also act as
    a "normal" TOR exit node?

    All examples of exit policies for relays with an enclaved server I
    have found so far only accept exits to the enclaved server and to
    nowhere else. Is this kind of exit policy mandatory?

Q2: How is it ensured that requests to an enclaved server are always
    routed through the TOR relay on the same machine?

    The TOR wiki page "https://trac.torproject.org/projects/tor/wiki
    /doc/ExitEnclave" states that the relay becomes the 'preferred'
    path to the enclaved server. That does not sound very strict. What
    can be done to ensure this behaviour?

Let's assume that the enclaved server is a webserver. It is my
understanding that if a user's browser requests a resource from an
enclaved webserver, the existing 3-hop circuit (entry, middle and exit
node) is extended towards the relay that hosts the enclaved server.

Q3: Does the circuit extension also work if the URL of the enclaved
    webserver entered in the user's browser is based on a domain name
    rather than explicit IP addresses? It is my understanding that
    TOR-based DNS resolution is not happening in the local proxy but on
    the exit node; so how does the proxy know that the resource is on
    an enclaved server and can initiate the circuit extension?

Q4: Is it possible for someone that monitors the user traffic to detect
    this circuit extension by any means, so that it is obvious that the
    user is talking to an enclaved server? Are there any known attacks?

Any answer to these questions is appreciated.

Regards,  >Y<

More information about the tor-talk mailing list