
Re: [tor-talk] DNSSEC better protecting users?



I would guess the idea is you may be able to tell the user is using tor2web
but not what they're accessing.

Because the domain name is sent in the clear as part of the SSL handshake
(the client Hello to be precise) it discloses what is being looked at.

The only way to avoid that is to use something that is only sent once the
handshake is complete - part of the request URI, the path or cookies -
though each has their issues.

It'd potentially mean rewriting responses (to make sure paths are relative)
but I'd be inclined to make the first section of the path identify the
service - example.com/foo.onion/index.html.

Just my 2p

Ben
On 11 Jan 2015 16:16, "l.m" <ter.one.leeboi@xxxxxxxx> wrote:

> > I am concerned about https not being enough to protect tor2web
> > users.  In particular, I am concerned about what subdomain a user is
> > visiting being leaked.  Are there any established ways of preventing
> > the subdomain from being leaked?  Because none spring to my mind.
>
> Where might this be a problem? tor2web protects the publisher not the
> user. If you were worried about the user wouldn't you use Tor and
> instead replace the .tor2web.org part of the address with .onion?
>
> -- leeroy
> --
> tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>