On Sat, 4 Jun 2011 12:09:52 -0700 Mike Perry <[email protected]> wrote:
> Thus spake Robert Ransom ([email protected]): > > My understanding was that EFF would query DNS for a hostname, and if > > the hostname does not exist, assume that it's private. (This should > > scare you even more.) > > EFF only needs to do this query if the browser could not (because it > was using an HTTP proxy without a SOCKS proxy). Does this scare you > less or more? I'm getting confused by the reactions in this thread. If EFF needs to perform a DNS query on each hostname it receives a certificate for, EFF will leak information to an attacker watching its servers. If EFF tries to not log hostnames which do not exist, EFF will leak a user's request time *every time* that it receives a certificate associated with a non-existent hostname. Robert Ransom
signature.asc
Description: PGP signature
_______________________________________________ tor-talk mailing list [email protected] https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
