Clearnet is back online and accessible at whirlwind.money.
You may be surprised that we are using Cloudflare after all the discussions we had in regards to MITM, but continue reading until the end and you'll find out why in our case it's safe and what's the difference between Whirlwind and any other competitor when it comes to this.
Before starting the explanation there are a few important things worth mentioning:
- Cloudflare can still see your IP
- If you use Clearnet and close the window and clear your local storage you won't be able to access the deposit page anymore, so make sure you save your Letter of Guarantee before broadcasting the transaction. Everything will be processed without any issues even if you close the window, the only problem is that you wouldn't be able to save the Letter of Guarantee anymore if you didn't do it before.
- Even with all the security precautions we took we still highly recommend using the Tor version
- We will tweak Cloudflare parameters during the next hours so it's not as annoying when you first enter the website
Now for the interesting part:
If we just used Cloudflare without our custom encryption scheme, Cloudflare would have been able to de-anonymize users accessing the clearnet website. This is because, when using Cloudflare, even if data is encrypted, it's not end-to-end encrypted with our backend server. The client sends an encrypted (TLS) request to Cloudflare, which decrypts it, and this is where they could be, and almost certainly are, storing logs of the De-Anonymizing Data (D.A.D). This is any data that could compromise the anonymity of a user: deposit address, withdraw address, pay-to-note data, etc. Cloudflare then encrypts the data again, and sends it over to the backend server. With the .onion link, this is not a problem, since data doesn't travel through a third-party and always remains encrypted, but if we want to use Cloudflare DDoS protection on the clearnet website, this is unacceptable.
Any privacy service that implements Cloudflare or any other DDoS protection 'out of the box' (which basically all our competitors do) is careless at best, or they simply do not have the technical knowledge necessary to realise how huge of a problem this is and that they are willingly putting their customers at risk by doing so.
This is why we implemented our custom encryption scheme, which creates an encrypted tunnel between the client (frontend) and the backend server. So even if Cloudflare slashes the first layer of encryption (their layer a.k.a the TLS layer), the D.A.D would still be encrypted with our layer, which they cannot decrypt, so data inspection is not possible.
We decided to use an Asymmetric encryption scheme based on Elliptic Curves, more specifically the Elliptic Curve Augmented Encryption Scheme or Elliptic Curve Integrated Encryption Scheme (ECIES). Please note, this is not a signature algorithm just to prove the D.A.D is untampered with, but an encryption algorithm, which makes the data unreadable. This is how the system works:
If you are using TOR, this extra layer of encryption will not be used since it's redundant. TOR encryption is already extremely powerful, and the D.A.D will never get anywhere in plaintext form, except our backend server where it's processed.
If you are accessing the website from the clearnet link, the frontend will generate an Elliptic Curve Cryptography (ECC) key pair, and will never send the private key anywhere. The backend server already has a permanent ECC key pair generated, and its public key is stored in the frontend. With the ECIES scheme, you can encrypt data using the public key and you can only decrypt it using the private key. When the client needs to send any kind of D.A.D to the backend, it appends the frontend generated public key to the said D.A.D, and then encrypts it using the backend's public key. Now, Cloudflare can read the ECC encrypted data, but they cannot read the plaintext data. When the encrypted D.A.D reaches the backend, it will be decrypted using the permanent private key. The backend then processes the request, and the response must also be encrypted since it contains potential D.A.D, so it encrypts the response using the client's public key that it received within the request. When the response gets to the client (frontend), it is decrypted using the private key generated locally. This is how full end-to-end encryption and privacy between the user and the backend server was achieved, even with Cloudflare decrypting TLS data.
You can check all of this happens simply by looking at any outgoing/incoming data from the API while on the clearnet version. Just right-click the web page, go into Inspect Element or just Inspect and click on the Network tab. Then, watch any request that may contain D.A.D. You will notice that on the TOR onion link you will be able to read that data (on the Request/Response tab), meanwhile on the clearnet version, it's just a long encrypted hex string.
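The request/response exchange described in the post above, as an added example (not Whirlwind's code): a minimal ECIES tunnel in Node.js showing what a TLS-terminating proxy would see in each direction. The curve (P-256), HKDF-SHA256, AES-256-GCM, the wire layout, the field names and the sample address are all assumptions, since the post specifies none of them.

```javascript
const { createECDH, hkdfSync, createCipheriv, createDecipheriv, randomBytes } = require('node:crypto');

const CURVE = 'prime256v1';          // assumption: the post does not name the curve
const INFO = 'ecies-tunnel-example'; // assumption: KDF context label

// Derive the AES-256 key from the ECDH secret, bound to the ephemeral public key.
const deriveKey = (shared, ephPub) => Buffer.from(hkdfSync('sha256', shared, ephPub, INFO, 32));

// ECIES seal: ephemeral ECDH -> HKDF-SHA256 -> AES-256-GCM.
// Output (hex): ephemeral public key (65) | IV (12) | GCM tag (16) | ciphertext.
function eciesEncrypt(recipientPubHex, plaintext) {
  const eph = createECDH(CURVE);
  const ephPub = eph.generateKeys(); // fresh key pair for every message
  const key = deriveKey(eph.computeSecret(Buffer.from(recipientPubHex, 'hex')), ephPub);
  const iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([ephPub, iv, cipher.getAuthTag(), ct]).toString('hex');
}

// ECIES open: throws if the ciphertext or tag was modified in transit.
function eciesDecrypt(recipientEcdh, sealedHex) {
  const buf = Buffer.from(sealedHex, 'hex');
  const ephPub = buf.subarray(0, 65);
  const key = deriveKey(recipientEcdh.computeSecret(ephPub), ephPub);
  const decipher = createDecipheriv('aes-256-gcm', key, buf.subarray(65, 77));
  decipher.setAuthTag(buf.subarray(77, 93));
  return Buffer.concat([decipher.update(buf.subarray(93)), decipher.final()]).toString('utf8');
}

// One full exchange: frontend -> proxy -> backend -> proxy -> frontend.
function runExchange(payload) {
  const backend = createECDH(CURVE); backend.generateKeys(); // permanent backend key pair
  const backendPubHex = backend.getPublicKey('hex');          // the copy stored in the frontend
  const client = createECDH(CURVE); client.generateKeys();   // per-session; private key stays local

  // Frontend: append its own public key to the data, seal to the backend's key.
  const body = JSON.stringify({ data: payload, clientPub: client.getPublicKey('hex') });
  const request = eciesEncrypt(backendPubHex, body);          // all the proxy can log

  // Backend: open the request, then seal the response to the key it carried.
  const req = JSON.parse(eciesDecrypt(backend, request));
  const response = eciesEncrypt(req.clientPub, JSON.stringify({ ok: true, echo: req.data }));

  // Frontend: open the response with the locally generated private key.
  return { request, response, reply: JSON.parse(eciesDecrypt(client, response)) };
}

// Constructed sample input, not a real address.
console.log(runExchange({ withdrawAddress: 'bc1q-constructed-example' }).request);
```

The example takes the backend public key as given. In the scheme described, that key ships inside frontend code served over the same proxied connection, so the tunnel protects against an intermediary that reads or logs traffic, not one that alters the JavaScript it delivers.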
It's enough that "someone" continues DDoS attacking your website and takes it down or finds your real location.
DDoS is not a problem since even if Clearnet is down, Tor will always be online so it's not a concern. Finding the real location would mean we failed spectacularly, but even if that somehow happens we don't really have reasons to be concerned since we are not doing anything illegal and never did. We didn't commit any crimes such as identity theft, we are not advertising in any places that could be considered shady by any means even though that would certainly bring in easy profits. In fact the bitcointalk signature campaign is the only 'marketing' we have. This is a business like any other and our goal is to make money, but we are not making any compromises or taking any risks that could give anyone reasons to target us.
That means you and receiver would both have private keys for those addresses?
If that is the case, then my answer is No.
Thank you for your input, we will still wait for more opinions on this but we are on the same page, we don't think this feature is needed as it doesn't necessarily strengthen the privacy that Whirlwind offers. Besides this it could also introduce other risks and more responsibility on our side.