On 06/04/2011 09:56 PM, Mike Perry wrote:
> Thus spake Robert Ransom ([email protected]):
>
>> On Sat, 4 Jun 2011 12:09:52 -0700
>> Mike Perry <[email protected]> wrote:
>>
>>> Thus spake Robert Ransom ([email protected]):
>>
>>>> My understanding was that EFF would query DNS for a hostname, and if the hostname does not exist, assume that it's private. (This should scare you even more.)
>>>
>>> EFF only needs to do this query if the browser could not (because it was using an HTTP proxy without a SOCKS proxy). Does this scare you less or more? I'm getting confused by the reactions in this thread.
>>
>> If EFF needs to perform a DNS query on each hostname it receives a certificate for, EFF will leak information to an attacker watching its servers. If EFF tries to not log hostnames which do not exist, EFF will leak a user's request time *every time* that it receives a certificate associated with a non-existent hostname.
>
> I think you missed the first half of my email where I explicitly said EFF shouldn't need to do this under normal circumstances. It only needs to do this when the browser fails to do so itself. Do you expect this to be common?
>
> The observatory itself could also be running a tor client for these resolutions, just in case they do end up being common.
>
> P.S. When the browser does attempt to do these resolutions, should they be done via Tor or via whatever local resolver/proxy was used to access the domain? Doing it via Tor exposes potentially private names to exits
Yes, instead of asking the EFF to resolve a hostname, an internal client could just use Tor to get an "outside view" regarding a hostname. This way hostnames don't have to go through a central point (EFF) for the 'is this hostname private?' check.

_______________________________________________
tor-talk mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
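The client-side check the reply above proposes, as an added example that is not code from this thread or from the EFF Observatory: the name is resolved through the local Tor client's SOCKS5 RESOLVE extension (command 0xF0) rather than sent to a central server, and the answer decides whether a certificate for that name ever leaves the machine. The suffix list, the 127.0.0.1:9050 proxy address and the policy of treating unresolvable names as private are assumptions.

```python
import ipaddress
import socket
import struct

# Tor's SOCKS5 RESOLVE extension: command 0xF0 asks the local Tor client to
# resolve the name over the Tor network instead of the local resolver/proxy.
TOR_RESOLVE_CMD = 0xF0

# Assumed list of suffixes that never name a public host.
PRIVATE_SUFFIXES = (".local", ".localhost", ".internal", ".onion")


def tor_resolve(hostname, proxy=("127.0.0.1", 9050)):
    """Resolve hostname through Tor; returns an IP string, or None if Tor has no answer."""
    name = hostname.encode("idna")
    if len(name) > 255:
        return None
    with socket.create_connection(proxy, timeout=30) as s:
        s.sendall(b"\x05\x01\x00")                      # SOCKS5, one auth method: none
        if s.recv(2) != b"\x05\x00":
            raise OSError("SOCKS5 handshake with Tor failed")
        # VER, CMD, RSV, ATYP=3 (domain name), LEN, name, port (unused for RESOLVE)
        s.sendall(struct.pack("!BBBBB", 5, TOR_RESOLVE_CMD, 0, 3, len(name)) + name + b"\x00\x00")
        hdr = s.recv(4)
        if len(hdr) < 4 or hdr[1] != 0:                 # e.g. 0x04 host unreachable: no such name
            return None
        if hdr[3] == 1:
            return socket.inet_ntop(socket.AF_INET, s.recv(4))
        if hdr[3] == 4:
            return socket.inet_ntop(socket.AF_INET6, s.recv(16))
        return None


def is_private_hostname(hostname, resolve=tor_resolve):
    """True when a certificate for this name should stay on the client."""
    h = hostname.rstrip(".").lower()
    try:                                    # a bare IP in the certificate
        return not ipaddress.ip_address(h).is_global
    except ValueError:
        pass
    if "." not in h or h.endswith(PRIVATE_SUFFIXES):
        return True                         # single-label or internal-only name
    addr = resolve(h)
    if addr is None:
        return True                         # no outside view of the name: treat as private
    return not ipaddress.ip_address(addr).is_global


if __name__ == "__main__":
    print(is_private_hostname("www.torproject.org"))   # needs a Tor client on 127.0.0.1:9050
```

Passing a different `resolve` callable lets the policy be tested without a running Tor client, as the constructed table below shows.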
