[tor-talk] DNSSEC better protecting users?
Katya Titov
kattitov at yandex.com
Sat Jan 10 21:59:12 UTC 2015
> i am concerned about https not being enough to protect tor2web
> users. In particular, I am concerned about what subdomain a user is
> visiting being leaked. Are there any established ways of preventing
> the subdomain from being leaked? Because none spring to my mind.
I've just reviewed a packet dump and found that you should indeed be
concerned. The SNI HTTPS extension lists the exact host I was
connecting to. This is performed right at the beginning of the HTTPS
transaction, before encryption.
DNSSEC won't solve this because you will still be using HTTPS.
If Tor2web ran as a CGI proxy that may avoid the issue, or if it
supported something like https://tor2web.org/?url=blah, but the root
cause here is that browsers support SNI and it would need to be
disabled there. Unfortunately, this would have an impact on sites which
require SNI.
--
kat
More information about the tor-talk
mailing list