[tor-relays] Onion address or clearnet address

[Luther Blissett]

On Fri, 2014-02-07 at 06:26 -0500, Tom Ritter wrote:
> On 6 February 2014 14:51, Thomas Themel <thomas at themel.com> wrote:
> > Hi,
> > Luther Blissett (lblissett at paranoici.org) wrote on 2014-02-06:
> >> 1. When you access the clearnet you need dns name resolving which need
> >> to be "proxyfied" to avoid dns leaks. This issue is supposed to be
> >> solved on decent OSes and with TBB, but it is difficult to guarantee
> >> that other software/OS won't try to bypass you proxy settings, so it's a
> >> permanent worry. When you connect to hidden services, name resolving is
> >> done inside tor, never leaving out.
> >
> > I don't really get this concern. Assuming tor doesn't manage to
> > intercept DNS resolution, won't trying to resolve a well-known .onion
> > address leak as much information as resolving the equivalent clear
> > address?

Thanks for pointing that out. This maybe a law standpoint security (not
computer security but since both are interlinked), the dns request for a
onion, aka not listed and invalid dns name, would prove just a
bogus-bound-to-fail attempt to connect. So it's more like proof that
"user could not connect" and technically there is no subsequent exchange
of data which can be used to follow the user.

On the user side, the attempt will crash and the problem will be more
self-evident. But if the standard dns leaks, the connection will
nonetheless complete and the user will be clueless about the issue,
filling confident everything is working fine. And her subsequent
connections will sum up to more "traceable evidence".

But yes, it gets sent which is not ideal, that's why there's people
working on Tails and Whonix.

-- 
010
001
111
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20140207/d3f75abb/attachment.sig>