[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] DNSSEC better protecting users?

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] DNSSEC better protecting users?
From: Ben Tasker <ben@xxxxxxxxxxxxxxx>
Date: Sun, 11 Jan 2015 18:48:58 +0000
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sun, 11 Jan 2015 13:49:10 -0500
In-reply-to: <20150111161549.1F49BC0357@xxxxxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <CADop2NGrjgJRkfM+C0PxEC10mQk+zJ1sSOEe-vT2ePOmX2KzkQ@xxxxxxxxxxxxxx> <20150111075912.7fc55aff@xxxxxxxxxxxxxxxxxxxxx> <20150111161549.1F49BC0357@xxxxxxxxxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>

I would guess the idea is you may be able to tell the user is using tor2web
but not what they're accessing.

Because the domain name is sent in the clear as part of the SSL handshake
(the client Hello to be precise) it discloses what is being looked at.

The only way to avoid that is to use something that is only sent once the
handshake is complete - part of the request URI, the path or cookies -
though each has their issues.

It'd potentially mean rewriting responses (to make sure paths are relative)
but I'd be inclined to make the first section of the path identify the
service - example.com/foo.onion/index.html.

Just my 2p

Ben
On 11 Jan 2015 16:16, "l.m" <ter.one.leeboi@xxxxxxxx> wrote:

> > i am concerned about https not being enough to protect tor2web
> > users.  In particular, I am concerned about what subdomain a user is
> > visiting being leaked.  Are there any established ways of preventing
> > the subdomain from being leaked?  Because none spring to my mind.
>
> Where might this be a problem? tor2web protects the publisher not the
> user. If you were worried about the user wouldn't you use Tor and
> instead replace the .tor2web.org part of the address with .onion?
>
> -- leeroy
> --
> tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

References:
- [tor-talk] DNSSEC better protecting users?
  - From: Virgil Griffith
- Re: [tor-talk] DNSSEC better protecting users?
  - From: Katya Titov
- Re: [tor-talk] DNSSEC better protecting users?
  - From: l.m

Prev by Author: Re: [tor-talk] WebRTC to uncover local IP
Next by Author: Re: [tor-talk] Deep Web Business Models
Previous by thread: Re: [tor-talk] DNSSEC better protecting users?
Next by thread: Re: [tor-talk] DNSSEC better protecting users?
Index(es):
- Author
- Thread