[tor-dev] prop279 global wildcard '*' exploits

nullius nullius at nym.zone
Wed Jan 10 20:18:21 UTC 2018


At https://trac.torproject.org/projects/tor/ticket/24774#comment:5 , 
nickm stated:

>I'm not sure that the sandboxing section is necessary. We should say 
>that _all_ plugins should only access the network over Tor, unless they 
>are using some comparably strong anonymity mechanism. [...]

In reply https://trac.torproject.org/projects/tor/ticket/24774#comment:6 
, I ask:

>The proposal as written states under §3.2, specifically discussing 
>`'*'`:
>
>>Perhaps we trust the name plugin itself, but maybe the name system 
>>network could exploit this?
>
>What does this mean?  Is there any specific information on what 
>potential exploits the spec authors have thought of?  '''Would 
>requiring Tor-only connections prevent these potential exploits?'''  I 
>should ask on `tor-dev`.

Per the discussion in the current version of the spec (686aaf1), there 
is concern that a '*' plugin may try to resolve ordinary DNS names.  But 
this separate, quoted statement assumes a trustworthy plugin, which I 
take to mean that it would not grab .com, etc.

So, what was the concern behind that statement?  (And are there any 
other potential exploits, which may or may not be prevented by requiring 
name resolution through Tor?)

-- 
nullius at nym.zone | PGP ECC: 0xC2E91CD74A4C57A105F6C21B5A00591B2F307E0C
Bitcoin: bc1qcash96s5jqppzsp8hy8swkggf7f6agex98an7h | (Segwit nested:
3NULL3ZCUXr7RDLxXeLPDMZDZYxuaYkCnG)  (PGP RSA: 0x36EBB4AB699A10EE)
“‘If you’re not doing anything wrong, you have nothing to hide.’
No!  Because I do nothing wrong, I have nothing to show.” — nullius