nullius
2018-01-10 20:18:21 UTC
At https://trac.torproject.org/projects/tor/ticket/24774#comment:5 ,
is concern that a '*' plugin may try to resolve ordinary DNS names. But
this separate, quoted statement assumes a trustworthy plugin, which I
take to mean that it would not grab .com, etc.
So, what was the concern behind that statement? (And are there any
other potential exploits, which may or may not be prevented by requiring
name resolution through Tor?)
I'm not sure that the sandboxing section is necessary. We should say
that _all_ plugins should only access the network over Tor, unless they
are using some comparably strong anonymity mechanism. [...]
In reply https://trac.torproject.org/projects/tor/ticket/24774#comment:6that _all_ plugins should only access the network over Tor, unless they
are using some comparably strong anonymity mechanism. [...]
The proposal as written states under §3.2, specifically discussing
potential exploits the spec authors have thought of? '''Would
requiring Tor-only connections prevent these potential exploits?''' I
should ask on `tor-dev`.
Per the discussion in the current version of the spec (686aaf1), therePerhaps we trust the name plugin itself, but maybe the name system
network could exploit this?
What does this mean? Is there any specific information on whatnetwork could exploit this?
potential exploits the spec authors have thought of? '''Would
requiring Tor-only connections prevent these potential exploits?''' I
should ask on `tor-dev`.
is concern that a '*' plugin may try to resolve ordinary DNS names. But
this separate, quoted statement assumes a trustworthy plugin, which I
take to mean that it would not grab .com, etc.
So, what was the concern behind that statement? (And are there any
other potential exploits, which may or may not be prevented by requiring
name resolution through Tor?)
--
***@nym.zone | PGP ECC: 0xC2E91CD74A4C57A105F6C21B5A00591B2F307E0C
Bitcoin: bc1qcash96s5jqppzsp8hy8swkggf7f6agex98an7h | (Segwit nested:
3NULL3ZCUXr7RDLxXeLPDMZDZYxuaYkCnG) (PGP RSA: 0x36EBB4AB699A10EE)
ââIf youâre not doing anything wrong, you have nothing to hide.â
No! Because I do nothing wrong, I have nothing to show.â â nullius
***@nym.zone | PGP ECC: 0xC2E91CD74A4C57A105F6C21B5A00591B2F307E0C
Bitcoin: bc1qcash96s5jqppzsp8hy8swkggf7f6agex98an7h | (Segwit nested:
3NULL3ZCUXr7RDLxXeLPDMZDZYxuaYkCnG) (PGP RSA: 0x36EBB4AB699A10EE)
ââIf youâre not doing anything wrong, you have nothing to hide.â
No! Because I do nothing wrong, I have nothing to show.â â nullius