On Sat, 4 Jun 2011 12:56:15 -0700
Mike Perry <mikeperry@xxxxxxxxxx> wrote:

> Thus spake Robert Ransom (rransom.8774@xxxxxxxxx):
>
> > On Sat, 4 Jun 2011 12:09:52 -0700
> > Mike Perry <mikeperry@xxxxxxxxxx> wrote:
> >
> > > Thus spake Robert Ransom (rransom.8774@xxxxxxxxx):
> > >
> > > > My understanding was that EFF would query DNS for a hostname, and if
> > > > the hostname does not exist, assume that it's private. (This should
> > > > scare you even more.)
> > >
> > > EFF only needs to do this query if the browser could not (because it
> > > was using an HTTP proxy without a SOCKS proxy). Does this scare you
> > > less or more? I'm getting confused by the reactions in this thread.
> >
> > If EFF needs to perform a DNS query on each hostname it receives a
> > certificate for, EFF will leak information to an attacker watching its
> > servers. If EFF tries to not log hostnames which do not exist, EFF
> > will leak a user's request time *every time* that it receives a
> > certificate associated with a non-existent hostname.
>
> I think you missed the first half of my email where I explicitly said
> EFF shouldn't need to do this under normal circumstances. It only
> needs to do this when the browser fails to do so itself. Do you expect
> this to be common?

Firefox cannot resolve hostnames to IP addresses when it is using *any*
proxy. Anyone who uses an SSH tunnel as a SOCKS proxy to connect to an
intranet will risk this leakage, and SSH tunnels can be made fairly easy
to use. I have no information on how widely used that configuration is.

> The observatory itself could also be running a tor client for these
> resolutions, just in case they do end up being common.

That would be a Good Thing, just to decrease the incentive for attackers
to monitor EFF's Internet connection.

> P.S. When the browser does attempt to do these resolutions, should
> they be done via Tor or via whatever local resolver/proxy was used to
> access the domain? Doing it via Tor exposes potentially private names
> to exits, but doing it locally will fail to detect attacks where the
> MITM is able to operate on the user's own infrastructure (because they
> can just make sure that the domains they MITM resolve to RFC1918).

Either way, the attacker wins -- if you resolve hostnames over Tor, the
attacker can use a homoglyph or near-homoglyph of a target hostname for
its attack, and simply not allow DNS servers accessible outside its
victim network to see the attack hostname.

Robert Ransom
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk