Bjarni Rúnar Einarsson bre at
Wed Feb 2 20:51:53 UTC 2011

2011/2/2 Jacob Appelbaum <jacob at>

> Hi Bjarni!
> Is there any reason that you can't route SSL/TLS traffic to Tor for all
> non-SNI requests? Another thing that might work is knowing that all Tor
> certificates currently end in .net. So while they're random, it's
> certainly possible to know when someone explicitly wants to reach a
> different server you certainly know about and isn't in your allowed
> lookup table. Anything else can be routed to Tor.

This would work, but the "default fallback" is somewhat of a coveted
position as there are lots of web browsers out there that don't send SNI. So
in a shared environment you want to define your "favorite" web-site as the
default fall-back, not Tor.

I suppose I could add a feature to Pagekite where the default is different
for requests with SNI from requests without... best add that to the list, I
guess. :-)

I was also approaching this from the POV of a service provider, offering
front-ends to a large number of random people. Most of them would be running
websites, but if some wanted to contribute to Tor via my service, I would
like to let them. But without a SNI name I can use to choose between them,
that doesn't really work, as picking a random tor backend would probably
break the path decision logic in Tor if I understand things correctly.

Older clients without SNI will of course have issues and all be routed
> to Tor but perhaps this can be documented - surely some people will
> still use it?


Bjarni R. Einarsson
The Beanstalks Project ehf.

Making personal web-pages fly:
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the tor-dev mailing list