On Thu, Dec 6, 2018 at 6:26 AM bo0od <bo...@riseup.net> wrote:

> - Connecting to Youtube directly, then you are putting your security on
> the SSL/TLS encryption. Whereas using Invidious hidden services, your
> security is through the Onion hidden services design
>
One of the points made earlier though, is that this isn't entirely accurate.

If you're talking about security, there's still an SSL/TLS link between Invidious and Youtube over which your content must pass. The user has to assume (and I *hope* it's true) that Invidious will properly verify the cert that Youtube presents to ensure that there isn't a MiTM.

But, added to this, what you as the user are doing is inserting a third party into the mix who's acting as a deliberate MiTM. Invidious could (probably isn't, but has the ability) be injecting something nasty at any point. That's no reflection on the intentions of the Invidious operator; they may simply get compromised by someone who sees them as a juicy target. After all, it seems unlikely that they've got the resources to put into security that Google has.

So, whilst your initial connection has potentially gained some security (by going over Tor), your security posture is weakened because you've inserted a new potential attack vector, and just moved the point of origin for the original one (the SSL/TLS connection) as well as also outsourcing the task of verifying that TLS connection to a third party (who may very well be ignoring invalid/expired certs for all you know at time of connection).

What you _have_ gained is some level of privacy. Youtube cannot see your source IP, and neither can Invidious. But that's not the same thing as increasing security - that's obviously ignoring any profiling that Youtube still manage to do on you, though.

TL;DR - Security is weakened, Privacy is (potentially) strengthened

--
Ben Tasker
https://www.bentasker.co.uk

--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk