[tor-talk] DNSSEC better protecting users?
Ben Tasker
ben at bentasker.co.uk
Sun Jan 11 18:48:58 UTC 2015
I would guess the idea is you may be able to tell the user is using tor2web
but not what they're accessing.
Because the domain name is sent in the clear as part of the SSL handshake
(the client Hello to be precise) it discloses what is being looked at.
The only way to avoid that is to use something that is only sent once the
handshake is complete - part of the request URI, the path or cookies -
though each has their issues.
It'd potentially mean rewriting responses (to make sure paths are relative)
but I'd be inclined to make the first section of the path identify the
service - example.com/foo.onion/index.html.
Just my 2p
Ben
On 11 Jan 2015 16:16, "l.m" <ter.one.leeboi at hush.com> wrote:
> > I am concerned about https not being enough to protect tor2web
> > users. In particular, I am concerned about what subdomain a user is
> > visiting being leaked. Are there any established ways of preventing
> > the subdomain from being leaked? Because none spring to my mind.
>
> Where might this be a problem? tor2web protects the publisher not the
> user. If you were worried about the user wouldn't you use Tor and
> instead replace the .tor2web.org part of the address with .onion?
>
> -- leeroy
>