> i am concerned about https not being enough to protect tor2web > users. In particular, I am concerned about what subdomain a user is > visiting being leaked. Are there any established ways of preventing > the subdomain from being leaked? Because none spring to my mind.
I've just reviewed a packet dump and found that you should indeed be concerned. The SNI HTTPS extension lists the exact host I was connecting to. This is performed right at the beginning of the HTTPS transaction, before encryption. DNSSEC won't solve this because you will still be using HTTPS. If Tor2web ran as a CGI proxy that may avoid the issue, or if it supported something like https://tor2web.org/?url=blah, but the root cause here is that browsers support SNI and it would need to be disabled there. Unfortunately, this would have an impact on sites which require SNI. -- kat -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
