[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] DNSSEC better protecting users?



> i am concerned about https not being enough to protect tor2web
> users.  In particular, I am concerned about what subdomain a user is
> visiting being leaked.  Are there any established ways of preventing
> the subdomain from being leaked?  Because none spring to my mind.

I've just reviewed a packet dump and found that you should indeed be
concerned. The SNI HTTPS extension lists the exact host I was
connecting to. This is performed right at the beginning of the HTTPS
transaction, before encryption.

DNSSEC won't solve this because you will still be using HTTPS.

If Tor2web ran as a CGI proxy that may avoid the issue, or if it
supported something like https://tor2web.org/?url=blah, but the root
cause here is that browsers support SNI and it would need to be
disabled there. Unfortunately, this would have an impact on sites which
require SNI.
-- 
kat
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk