On 24/11/2017 16:43, Yury Bulka wrote:
> Great to hear!
> I have one caveat with it though - if I understand it correctly, it is currently in a man-in-the-middle position between the visitor and WMF, as it provides its own self-signed HTTPS certificate and performs various URL rewriting on the traffic to change the URLs to the onion domain.
It is.
> Using Tor <-> clearnet WMF (HTTPS) still provides:
> - censorship circumvention;
> - location anonymity;
> - opaque encryption between the visitor and the WMF.
> #3 is missing if the onion service is not operated by the WMF itself.
> Please correct me if I'm wrong.
> I do think it's very good that such an effort is taking place - but we need to make sure there are no weak points security-wise that aren't communicated prominently enough to the users.
You are absolutely right, but the point of this service is that this is an experiment(*) (and its maintainer says he will be running it for just some time, it is not permanent[1]). It is just a proof of concept to see that it can be done.
Of course it would make more sense if the WMF ran this service directly, so that we would have an official service (also, in this case you wouldn't experience the problem with self-signed certificates).
Cristian
(*) Just for reference, Alec is running the whole thing on Amazon Web Services on a micro instance[2], which is a less-than-10-USD-a-month virtual server.
[1]: https://twitter.com/AlecMuffett/status/933735934272704512
[2]: https://twitter.com/AlecMuffett/status/933738958143590401
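To make the "man-in-the-middle position" concrete, here is an added example (not code from this thread, and not the tooling Alec Muffett actually runs) of the kind of rewriting a third-party onion proxy has to do on each response after it has terminated the WMF's TLS session. The onion name, the header set and the sample response are assumptions constructed for the example; the hostname pattern keeps subdomains such as `en.` and `en.m.`, rewrites the cookie `Domain=` attribute, and deliberately leaves the lookalike `wikipedia.org.evil.example` and the separate `upload.wikimedia.org` zone untouched to show where a naive rewrite would over- or under-match.

```python
import re

# Hypothetical onion name standing in for the proxy's address. This is an
# assumption for the example; it is not the service discussed in the thread.
ONION_ZONE = "wikipediaexample.onion"
CLEARNET_ZONE = "wikipedia.org"

# Matches the clearnet zone plus any leading labels ("en.", "en.m.") so the
# subdomain survives the rewrite. The lookbehind keeps "notwikipedia.org"
# from matching, the lookahead keeps the lookalike "wikipedia.org.evil.example"
# from matching, and a leading "." is allowed so that a cookie attribute
# Domain=.wikipedia.org is rewritten as well.
_HOST_RE = re.compile(
    r"(?<![a-z0-9-])((?:[a-z0-9-]+\.)*)" + re.escape(CLEARNET_ZONE) + r"(?![a-z0-9.-])",
    re.IGNORECASE,
)

# Response headers that carry hostnames the browser will act on.
_HOST_HEADERS = {"location", "set-cookie", "content-security-policy", "link"}


def rewrite_hosts(text: str) -> str:
    """Replace every clearnet hostname in text with its onion equivalent."""
    return _HOST_RE.sub(lambda m: m.group(1) + ONION_ZONE, text)


def proxy_response(headers: dict, body: str) -> tuple:
    """Rewrite one upstream HTTPS response the way a rewriting onion proxy must.

    The proxy has already terminated the WMF TLS session, so it holds the
    plaintext: it edits the body and the headers that name hosts, then
    recomputes Content-Length because the body changed size. Anything it
    can rewrite it can also read or alter arbitrarily, which is the
    man-in-the-middle position described in the thread.
    """
    new_body = rewrite_hosts(body)
    new_headers = {}
    for name, value in headers.items():
        if name.lower() in _HOST_HEADERS:
            value = rewrite_hosts(value)
        new_headers[name] = value
    new_headers["Content-Length"] = str(len(new_body.encode("utf-8")))
    return new_headers, new_body


# Constructed sample response, not captured traffic.
SAMPLE_HEADERS = {
    "Location": "https://en.m.wikipedia.org/wiki/Tor_(anonymity_network)",
    "Set-Cookie": "GeoIP=US; Domain=.wikipedia.org; Path=/; Secure",
    "Content-Security-Policy": "default-src 'self' https://*.wikipedia.org",
    "Content-Length": "0",
}
SAMPLE_BODY = (
    '<a href="https://en.wikipedia.org/wiki/Tor">Tor</a>\n'
    '<a href="https://wikipedia.org.evil.example/">lookalike</a>\n'
    # upload.wikimedia.org is a different zone: this example does not map it,
    # so images would still be fetched from the clearnet host.
    '<img src="https://upload.wikimedia.org/logo.png">\n'
    "Mail notwikipedia.org is unrelated.\n"
)

if __name__ == "__main__":
    hdrs, body = proxy_response(SAMPLE_HEADERS, SAMPLE_BODY)
    for name, value in hdrs.items():
        print(f"{name}: {value}")
    print()
    print(body)
```

The point of running it is less the substitution itself than what it implies: every byte the visitor sends and receives passes through this function in the clear on the proxy operator's machine, so the "opaque encryption between the visitor and the WMF" in the list above only holds when the WMF operates the onion service and obtains a certificate for it. The self-signed certificate a third-party proxy presents gives the browser no way to tell the two cases apart.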