Hi Faidon,
Thank you for taking the time to respond to this thread.
On 14/06/2017 16:57, Faidon Liambotis wrote:
[ I didn't see this email from Alec on the thread, was it off-list? ]
[no, it's on the list and in the archive [1] ]
I've been in touch with Alec and other Tor project members on emails, in-person Tor project meetings and videoconferences on multiple occasions in the past couple of years (the last one being a couple of months ago), so I can speak a little bit about this idea in general, as well as EOTK specifically.
The EOTK stuff are interesting but not really an option for us -- they rely on a edge (nginx) server performing content manipulation blindly, which is a bad idea for many reasons, security amongst them.
It is possible and feasible to actually do it properly, by making some modifications across our stack (MediaWiki, Varnish/nginx). Just to mention a couple of issues: one of them is that we need MediaWiki to emit different URLs for e.g. upload.wikimedia.org resources to point to the onion address that we will designate for media. For other resources (like gadgets) it may be even more complicated or even impossible. Another challenge would be to make Extension:TorBlock aware of the Onion connections, so that they can be appropriately blocked, as well as figure out what to log as the users' IP address when they edit, if they are pre-approved to do so.
Overall, it's not a super complicated project but not a trivial one either. Maybe a couple of months time for a motivated individual, who is already familiar with our stack.
If it wasn't obvious from the above, I have put quite a bit of thought into it and that's because I share your sentiments about how this is an important feature we should support and provide to our users, in alignment with our mission.
Thank you. Also, I never thought that setting up a production service would be easy. (I mean, a test service that goes down when somebody sneezes too hard, yeah, it would be easy and I could do that ;-), a production service no).
However, it hasn't been a priority for me or my team for these reasons:
- As long as communities feel so-and-so about Tor overall, and e.g. block edits from Tor users, it's hard to justify us in the Foundation investing more time into it, at the expense of other projects. It feels at odds with our communities' wishes a little bit.
From what I have read from the previous discussions (and in this thread
as well), the main problem that has been raised is related with editing over Tor for the issues of vandalism, spamming and (more importantly) sockpuppeting.
I understand that it is natural to consider editing when discussing about this, but it is a much harder problem. From what I see in this thread I would say, "let's think about one problem at a time".
- Accessing our sites over the Tor network *is* possible, regardless of whether we provide an Onion service or not, via exit nodes. An Onion service is more of a security and performance optimization and, perhaps more importantly, a statement of support. Making a statement of support while at the same time communities continue blocking edits over Tor and we keep maintaining Extension:TorBlock, would be a little hypocritical of us, the Wikimedia movement, IMHO.
I disagree, on one hand we can show that from a technical and a community perspective reading and editing are two different problems, on the other hand we have being blocking Tor for more than 10 years, so if somebody wants to call us hypocrites they can already do that.
Also, let me say that my impression from the past discussions is that some requests (coming from people more knowledgeable about Tor than our projects) were overlooking how the projects and our community works. I do not want to disparage anybody, simply point out that it is not automatic to know how ours projects work.
All said, though, this is not an excuse not to make a step in the right direction.
As for the statement of support, this is true. This service would be a statement of support towards Tor, but as for statements: * we oppose blocking of Wikipedia by governments; * our flagship organization is suing the NSA because it has been spying on our users; We are already making statements about what is aligned and what is against our movement's mission and values.
Also - and this is a response to the remark made by Risker - let me say that the "dark web" is dark only for the part that we let it be dark.
Any statement you can make about the dark web is probably true about the web in general. The web is still full of many places where you don't want to go - and, case in point, possibly even more so in 2001 - but this is not a good reason not to broadcast our project as much as we can.
The web would be a worse place if this movement and our project didn't exist and exactly for this reason they need to get on the "dark web".
I really like the take of Alec Muffett when he says that we should treat Tor as technological stack that for "End-to-End Encryption for Computers to talk to other Computers"[2].
- Looking at it more broadly, Foundation-wide, if we had to invest resources into our Tor support, I think adding Tor support to our mobile apps would be a better use of our limited resources.
It would probably be the most useful thing to do, also better than nothing :-).
Hope this helps. Happy to help you move this forward if there are ways to do so.
I am trying to do what I can.
Cristian
[1]: https://lists.wikimedia.org/pipermail/wikimedia-l/2017-June/087753.html [2]: https://medium.com/@alecmuffett/tor-is-end-to-end-encryption-for-computers-t...