On Mon, Jul 9, 2012 at 5:00 PM, Juenca R <[email protected]> wrote:
> ok good that was actually my other question, why run exit enclave if you run
> a hidden service.
> i guess you answered my question. they service different purpose.

Right. Enclaves work for people using the global domain names, onion addresses do not. I would always run an enclave for such a service even if all it did was detect Tor use and punt people to the onion URL.

> are there no security-related concerns of running both ways?
> (actually three ways; regular i-net, hidden service & exit enclave, all on
> same server for same site content)
> only problem is docs make it sound like you have to be more careful setting
> up for exit enclave
> actually docs say this about exit enclave "A great idea but not such a great
> implementation"

Exit enclaves have a number of limitations. For example, they're just by IP, but if the user uses your DNS name they'll make their first request out some other exit (which could MITM redirect them) before switching to the enclave. They also add a hop compared to regular exiting (easily made up for by being able to avoid congested exits)... but fewer hops than hidden services.

The only concern I'd see is that you may have some problems sorting out which users are enclaves vs onion, so you wouldn't know what internal absolute URLs to use internally. Though if you gave people who showed up via the enclave onion URLs for further links that wouldn't be the end of the world.
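
Added example, not part of the original message or of Tor itself: one way a site served over clearnet, exit enclave and hidden service could sort out how a visitor arrived and which absolute URLs to hand back, including the "give enclave visitors onion links" option from the reply above. The host names, addresses and function names are constructed placeholders, and it assumes the Tor relay runs on the same host as the web server, so enclave and hidden-service connections both come from a local address and are told apart by the Host header.

```python
import ipaddress

# Constructed placeholders, not values from the thread.
CLEARNET_HOST = "www.example.com"
ONION_HOST = "placeholderonion.onion"
# Assumption: the Tor relay and the web server share a host, so both
# hidden-service and enclave traffic arrive from one of these addresses.
LOCAL_TOR_ADDRS = {ipaddress.ip_address(a) for a in ("127.0.0.1", "192.0.2.10")}


def classify(peer_ip, host_header):
    """Return 'onion', 'enclave', 'clearnet' or 'reject' for one request."""
    try:
        peer = ipaddress.ip_address(peer_ip)
    except ValueError:
        return "reject"
    # Host is client-controlled: normalise it, then match it exactly.
    host = host_header.strip().lower().partition(":")[0].rstrip(".")
    from_local_tor = peer in LOCAL_TOR_ADDRS
    if host == ONION_HOST:
        # Only the local Tor process should ever deliver the onion name.
        return "onion" if from_local_tor else "reject"
    if host == CLEARNET_HOST:
        return "enclave" if from_local_tor else "clearnet"
    return "reject"


def base_url(kind, punt_enclave_to_onion=True):
    """Pick the scheme and host used for absolute links in the response."""
    if kind == "onion" or (kind == "enclave" and punt_enclave_to_onion):
        return "http://" + ONION_HOST
    if kind in ("enclave", "clearnet"):
        return "https://" + CLEARNET_HOST
    raise ValueError("no links are generated for rejected requests")


def absolute_url(peer_ip, host_header, path):
    """Build an absolute internal link suited to how the visitor arrived."""
    return base_url(classify(peer_ip, host_header)) + "/" + path.lstrip("/")
```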
