Yesterday, Steve Lord (@stevelord on twitter) did a screen cast, where he was essentially dissecting the Cloak firmware. I was fully aware of his intentions and had in fact provided him with a firmware copy myself. I thoroughly enjoy being examined in this way as I do not believe in security by obscurity.
Overall I think we came out quite nicely. Steve did however point out one issue related to Cloak allowing access to .onion addresses even when clients are connected to the Open network. Originally I implemented this (which consisted of one network forward and one DNS forward) just because it was a damn cool thing. However, Steve Lord is of course absolutely right, from an anonymity perspective it was a really stupid “feature”. What can happen is that a web page on a hidden service can reference an image or a script on an open net server and your anonymity is shot to pieces.
I have of course immediately updated the source on Github and removed this issue.
Thanks to Steve for pointing this out.