Date: Sun, 11 Jan 2015 07:59:12 +1000
From: Katya Titov <kattitov@yandex.com>
To: tor-talk@lists.torproject.org
Message-ID: <20150111075912.7fc55aff@localhost.localdomain>
In-Reply-To: <CADop2NGrjgJRkfM+C0PxEC10mQk+zJ1sSOEe-vT2ePOmX2KzkQ@mail.gmail.com>
References: <CADop2NGrjgJRkfM+C0PxEC10mQk+zJ1sSOEe-vT2ePOmX2KzkQ@mail.gmail.com>
Subject: Re: [tor-talk] DNSSEC better protecting users?

> I am concerned about https not being enough to protect tor2web
> users.  In particular, I am concerned about what subdomain a user is
> visiting being leaked.  Are there any established ways of preventing
> the subdomain from being leaked?  Because none spring to my mind.

I've just reviewed a packet dump and found that you should indeed be
concerned. The SNI HTTPS extension lists the exact host I was
connecting to. This is performed right at the beginning of the HTTPS
transaction, before encryption.

DNSSEC won't solve this because you will still be using HTTPS.

If Tor2web ran as a CGI proxy, that may avoid the issue, or if it
supported something like https://tor2web.org/?url=blah, but the root
cause here is that browsers support SNI and it would need to be
disabled there. Unfortunately, this would have an impact on sites which
require SNI.
-- 
kat