On Fri, 2014-02-07 at 06:26 -0500, Tom Ritter wrote:
On 6 February 2014 14:51, Thomas Themel thomas@themel.com wrote:
Hi, Luther Blissett (lblissett@paranoici.org) wrote on 2014-02-06:
- When you access the clearnet you need dns name resolving which needs to be "proxyfied" to avoid dns leaks. This issue is supposed to be solved on decent OSes and with TBB, but it is difficult to guarantee that other software/OS won't try to bypass your proxy settings, so it's a permanent worry. When you connect to hidden services, name resolving is done inside tor, never leaving out.
I don't really get this concern. Assuming tor doesn't manage to intercept DNS resolution, won't trying to resolve a well-known .onion address leak as much information as resolving the equivalent clear address?
Thanks for pointing that out. This may be a law standpoint security (not computer security but since both are interlinked), the dns request for an onion, aka not listed and invalid dns name, would prove just a bogus-bound-to-fail attempt to connect. So it's more like proof that "user could not connect" and technically there is no subsequent exchange of data which can be used to follow the user.
On the user side, the attempt will crash and the problem will be more self-evident. But if the standard dns leaks, the connection will nonetheless complete and the user will be clueless about the issue, feeling confident everything is working fine. And her subsequent connections will sum up to more "traceable evidence".
But yes, it gets sent which is not ideal, that's why there's people working on Tails and Whonix.
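
An added example, not part of the thread: a small checker that parses raw DNS queries seen leaving a host outside Tor and separates the two cases discussed above, a leaked .onion lookup and a leaked clearnet lookup. The function names and the sample packets are constructed for illustration, and it assumes the input is the UDP payload of port-53 traffic captured on a non-Tor interface.

```python
import struct

def build_query(name, qid=0x1234):
    """Construct a minimal DNS query (sample input for this example)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_qname(packet):
    """Return the first question name of a DNS query, or None if malformed."""
    if len(packet) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", packet[2:6])
    if flags & 0x8000 or qdcount < 1:    # response bit set, or no question
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            return None                  # truncated before the root label
        length = packet[pos]
        if length == 0:
            break
        if length > 63 or pos + 1 + length > len(packet):
            return None                  # compression pointer or overrun
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return ".".join(labels).lower()

def classify(packet):
    """'onion-leak', 'clearnet-leak' or 'malformed' for a query seen off-Tor."""
    name = parse_qname(packet)
    if name is None:
        return "malformed"
    if name == "onion" or name.endswith(".onion"):
        return "onion-leak"              # hidden-service name sent to a resolver
    return "clearnet-leak"               # resolves normally, so the user sees no failure

# Constructed sample captures: queries observed leaving the host outside Tor.
SAMPLES = [build_query("exampleonionaddr.onion"),
           build_query("www.example.com"),
           build_query("example.com")[:15]]   # truncated packet

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(classify(pkt), parse_qname(pkt))
```

Either result other than "malformed" means a lookup bypassed the proxy; the clearnet case is the one that stays invisible to the user because the connection still completes.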