DuckDuckGo now operates a Tor exit enclave

Ted Smith teddks at gmail.com
Sun Aug 15 18:46:51 UTC 2010


On Sun, 2010-08-15 at 17:40 +0200, Michael Scheinost wrote:
> 2. Why is it offering HTTP?
> If duckduckgo.com really cares for the anonymity and privacy of its
> users, why do they offer unencrypted HTTP?
> Even if tor users are encouraged to use HTTPS, some of them will
> forget doing so.

There's no point in HTTPS if you're using an exit enclave. The traffic
is encrypted in the Tor cloud, exits that cloud **on the service's
localhost address**, and if it were encrypted, would be transmitted as
ciphertext to the service port on the local interface.

If you're proposing a threat model wherein loopback is an untrusted
connection, you have bigger problems than, well, anything.