On Feb 1, 2012, at 2:48 AM, Watson Ladd wrote:
On Tue, Jan 31, 2012 at 2:57 PM, Nick Mathewson nickm@alum.mit.edu wrote:
Another possibility is this:
Browser's resolver -> Tor Client (as DNSPort): "Resolve www.example.com, give me an A, and give me DNSSec stuff too."
Tor Client -> Tor net -> Tor Exit: "Yeah, resolve that stuff."
Tor Exit -> Tor net -> Tor client: "Here's your answer."
Tor client -> Browser's resolver: "Here's that A record you wanted, and some dnssec stuff."
Browser -> Tor client: "Okay, now connect there."
Tor client -> Tor net -> Tor exit: "Connect to <ip address>:80!"
Exit node -> Tor net -> Tor Client: "CONNECTED: Connection is open."
Tor Client -> Browser: "SOCKS5 connection complete."
But that would involve an extra round trip that I'd rather save if possible.
We could cross our fingers and be optimistic, opening a connection to the server queried. Probably a bad idea.
I'm not sure, maybe the idea isn't so bad after all. If we wait for the client to tell us whether it likes the dnssec stuff, I could easily be convinced that this can be used to fingerprint clients. We have the TLS false start stuff which is kind of similar, I feel. Maybe that means for us to go ahead, make the connection, and if we as a client decide not to like it we just try again on a new exit node a couple of times?
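A small simulation of the two flows discussed in this thread (the resolve-first, connect-second flow from Nick's sketch, and the optimistic connect-and-retry-on-another-exit flow proposed above), added here as an illustration of the round-trip trade-off and not code from Tor or from anyone in the thread; the exit table, the IP and the dnssec_ok flag are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ExitReply:
    """What a (simulated) exit returns for a name: the A record and whether
    the DNSSEC material it attached passes the client's own check."""
    ip: str
    dnssec_ok: bool


# Constructed sample: two exits resolve www.example.com; only exitB returns
# DNSSEC data the client is willing to accept (exitA lacks or strips it).
EXITS: Dict[str, ExitReply] = {
    "exitA": ExitReply("192.0.2.10", dnssec_ok=False),
    "exitB": ExitReply("192.0.2.10", dnssec_ok=True),
}


def resolve_then_connect(exit_order: List[str], exits: Dict[str, ExitReply]
                         ) -> Tuple[Optional[str], int]:
    """Two-round-trip flow: RESOLVE first, let the client judge the DNSSEC
    data, and only then send CONNECT. Returns (exit used, round trips)."""
    round_trips = 0
    for ex in exit_order:
        round_trips += 1                # RESOLVE -> answer + dnssec stuff
        if not exits[ex].dnssec_ok:
            continue                    # client rejects; try another exit
        round_trips += 1                # CONNECT <ip>:80 -> CONNECTED
        return ex, round_trips
    return None, round_trips


def optimistic_connect(exit_order: List[str], exits: Dict[str, ExitReply],
                       max_tries: int = 2) -> Tuple[Optional[str], int]:
    """One-round-trip flow: the exit resolves and connects in the same step,
    returning the A record, the DNSSEC data and CONNECTED together. If the
    client dislikes the DNSSEC data it drops the stream and retries on a
    fresh exit, at most max_tries times ("a couple of times")."""
    round_trips = 0
    for ex in exit_order[:max_tries]:
        round_trips += 1                # RESOLVE+CONNECT -> answer + CONNECTED
        if exits[ex].dnssec_ok:
            return ex, round_trips
        # stream closed unused; closing is one-way, so no round trip charged
    return None, round_trips
```

With a good first exit the optimistic flow costs one round trip instead of two; with a bad first exit it still saves one, at the price of having opened a TCP connection from an exit the client then abandons.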