path selection despite exit policies

Nick Mathewson nickm at alum.mit.edu
Mon Apr 7 17:49:35 UTC 2003


On Mon, 2003-04-07 at 13:18, Roger Dingledine wrote:
 [...]
 
I say "E" (ports only) for now, and eventually either "A" (clients
tunnel DNS requests) or "C" (guess and check).  "D" (servers publish
"hostnames-that-are-me") seems to address an entirely orthogonal issue.

Actually, I'd suggest a combination of "A" and "C":  Client says (over
tunnel) "Connect me to forbidden.seul.org:80".  Server says (over
tunnel) "Request to 18.244.0.188:80 denied", resolving the IP *and*
rejecting it.

In the successful case, this is as fast as we have today.  In the
failing case, this is as fast as a name lookup would be.  It's still
possible for an attacker to return a bogus IP, but that's not a problem
(IMO) for tor to address: we're anonymity, not MITM prevention.

-- 
Nick



More information about the tor-dev mailing list