On 05/19/2014 06:24 AM, Anders Andersson wrote:
> On Mon, May 19, 2014 at 7:06 AM, grarpamp <grarp...@gmail.com> wrote:
>
>> Users leaking dns / failing to redirect dns into tor is not a tor problem.
>>

*** That is a common technologist / U.S. liberal / libertarian issue to give responsibility to "the user" for "their" "failures" to do anything. The poor-is-lazy argument.
But for non-hackers, the reality is that apart from booting Tails and enjoying a proper Tor setup, installing the Tor package on most distros does not come with pre-installed DNS and *will* leak queries by default. So technically, you may argue that it's not Tor's responsibility, and leave it there. But if you're honest you must consider the objectives of the software, and distros, and end-users as being part of the "Tor system".

> I think that's a rather arrogant point of view.

*** And irresponsible as well.

> If someone would register .onion I see two problems:
>
> 1) A malevolent registrar could redirect all .onion lookups to their own
> proxy, essentially routing all "hidden" traffic through their own machine.

*** That effectively suppresses the anonymization of Tor in that case, against a global adversary that is Not So American and has the capacity for eyes around the globe to pin your digital footprint to your ICBM location in real time.

> I think that's a usability issue, and not something that
> should simply be ignored. Maybe it's not something that can easily be
> solved, but that is why there must be a discussion about it. Maybe the only
> solution is to strongly warn users.

*** One complexity factor here is that not all systems resolve names the same way, so you need to figure out from Tor whether the name was resolved securely or not, which is not necessarily doable.

> 2) Useful websites could actually pop up under .onion, making a plugin that
> takes over that domain seem intrusive and less attractive. This is less of
> a problem I think.

*** If useful websites can pop up under .onion, fake copycats can also pop up that will mimic the original target without the user being able to notice due to the natural latency of the Tor network. Then you can't trust Tor anymore to do its job: for an end-user .onion means the site was obtained via the Tor network. If it was not, because a DNS leak brought you to the site via the clear Web, you're done.
The only meaningful failure for the leak of .onion to the DNS is loud failure, aka NXDOMAIN, which is why it's technically important that IANA forbids registration of .onion in the first place. As far as the DNS supporters at IETF are concerned, it should be Tor's responsibility to "use DNS properly" and avoid "integrating top-level domains into the browser's location bar for convenience" (both quotes condensed paraphrases). I guess one of the tasks for the next P2P-Names draft is to properly decouple the DNS issue from the browser-location issue so that .onion is no longer a DNS-abuse issue, nor a convenience issue, but a strong usability issue.

Aside, a second task is to maintain the cohesion of Tor and non-Tor systems as a single technical non-DNS-based Peer-to-Peer name resolution issue to avoid "special treatment" of minority networks, and ensure a future for a techno-diversity of name resolution systems. Societies of control like to think of their (human) identity systems as definitive, and history tends to consistently prove them wrong. The last thing we want is to force all name resolution into a top-down, non-autonomous technique, an administratively-controlled centralized system that prevents better techniques from evolving.
==
hk
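A defender-side check for the leak this thread describes, added here as an example and not part of the post: it scans system-resolver log lines for .onion names, treats any hit as a query that bypassed Tor, and separates the NXDOMAIN case (the loud failure argued for above) from the case where an address came back and the client would be sent to a clear-web host posing as the hidden service. The dnsmasq-style log format and the sample lines are assumptions constructed for the demo.

```python
"""Audit a resolver log for .onion names that reached the DNS (a Tor leak)."""
import re
from collections import defaultdict

# dnsmasq-style lines: "query[A] name from client" and "reply name is answer"
QUERY_RE = re.compile(r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)")
REPLY_RE = re.compile(r"reply (?P<name>\S+) is (?P<answer>\S+)")

# Constructed sample log for the demo; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
dnsmasq[812]: query[A] www.example.com from 10.0.0.5
dnsmasq[812]: reply www.example.com is 198.51.100.10
dnsmasq[812]: query[A] abcdefghijklmnop.onion from 10.0.0.5
dnsmasq[812]: reply abcdefghijklmnop.onion is NXDOMAIN
dnsmasq[812]: query[AAAA] example.onion from 10.0.0.7
dnsmasq[812]: reply example.onion is 203.0.113.7
"""

def is_onion(name):
    """True if the name lies under .onion, ignoring case and a trailing dot."""
    return name.lower().rstrip(".").endswith(".onion")

def audit_resolver_log(text):
    """One finding per .onion query the system resolver saw.
    Any such query is a leak: the application bypassed Tor's resolver.
    "leak"   = answered NXDOMAIN, the loud failure the post argues for.
    "hijack" = an address came back, so the client would be sent to a
               clear-web host standing in for the hidden service.
    """
    pending = defaultdict(list)  # name -> .onion queries awaiting a reply line
    findings = []
    for line in text.splitlines():
        q = QUERY_RE.search(line)
        if q:
            if is_onion(q["name"]):
                pending[q["name"]].append({"name": q["name"], "client": q["client"],
                                           "qtype": q["qtype"], "answer": None,
                                           "severity": "leak"})
            continue
        r = REPLY_RE.search(line)
        if r and is_onion(r["name"]) and pending[r["name"]]:
            finding = pending[r["name"]].pop(0)
            finding["answer"] = r["answer"]
            if r["answer"] != "NXDOMAIN":
                finding["severity"] = "hijack"
            findings.append(finding)
    for unanswered in pending.values():  # no reply logged: still a leak
        findings.extend(unanswered)
    return findings
```

Run it against the resolver that the box actually uses; a clean report means nothing asked the DNS for a .onion name, while any "hijack" entry means a client was handed a clear-web address for a hidden-service name.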