On Sat, Jun 28, 2008 at 12:30:48PM +0100, Dawney Smith wrote:
> Hello,
>
> Regarding icann's announcement on Thursday about the opening up of TLD's
> detailed at this url:
>
> http://www.icann.org/en/announcements/announcement-4-26jun08-en.htm
>
> What would be the hidden service privacy implications of someone
> registering the .onion tld? Is this something the tor project should
> look into doing next year?

Well, the first thing to keep in mind is that the Tor client intercepts addresses, notices whether they're a .onion address, and handles them itself. So if suddenly a top-level .onion domain springs into existence, the only real change will be that Tor users won't be able to reach the new "real" .onion sites.

There remains a security concern for folks who think they're using Tor and accidentally aren't -- they will attempt to resolve the .onion address locally. Currently they'll get a resolve failure, but if there's a new tld they could get a page back. I don't think this is much of a new vulnerability though, because a local attacker can already spoof DNS responses and send you to their page. But again this is only a worry if you have your Tor misconfigured.

(Insert request for well-documented secure transparent proxying solution here. :)

--Roger
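
A check for the misconfiguration case described in the message above, as an added example that is not part of the original e-mail: it scans a local resolver's query log for lookups under .onion, which only reach that resolver when an application has bypassed Tor. The dnsmasq query-log format is assumed, and the host names and addresses in the sample are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in dnsmasq's query-log format (assumed; log-queries enabled).
SAMPLE_LOG = """\
Jun 28 12:31:02 dnsmasq[811]: query[A] www.example.org from 192.168.1.20
Jun 28 12:31:05 dnsmasq[811]: query[A] exampleonionaddr.onion from 192.168.1.23
Jun 28 12:31:05 dnsmasq[811]: forwarded exampleonionaddr.onion to 192.0.2.53
Jun 28 12:31:09 dnsmasq[811]: query[AAAA] ExampleOnionAddr.ONION. from 192.168.1.23
Jun 28 12:31:11 dnsmasq[811]: query[A] onion.example.net from 192.168.1.20
Jun 28 12:31:15 dnsmasq[811]: query[A] www.hidden.onion from 192.168.1.31
"""

# Only "query[...] NAME from CLIENT" lines record what a client asked for.
QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)"
)


def is_onion_name(name):
    """True when the rightmost label is 'onion' (case-insensitive, optional root dot)."""
    labels = name.rstrip(".").lower().split(".")
    return len(labels) >= 2 and labels[-1] == "onion"


def find_onion_leaks(log_text):
    """Map each client address to the sorted .onion names it sent to the local resolver."""
    leaks = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_onion_name(m.group("name")):
            # Normalise case and the trailing root dot so repeats collapse.
            leaks[m.group("client")].add(m.group("name").rstrip(".").lower())
    return {client: sorted(names) for client, names in leaks.items()}


if __name__ == "__main__":
    for client, names in sorted(find_onion_leaks(SAMPLE_LOG).items()):
        print(f"{client} sent .onion lookups outside Tor: {', '.join(names)}")
```

Any client this reports is running an application whose name resolution is not going through Tor, which is the case the reply describes.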

