On Feb 1, 2012, at 2:48 AM, Watson Ladd wrote:

> On Tue, Jan 31, 2012 at 2:57 PM, Nick Mathewson <[email protected]> wrote:
>> Another possibility is this:
>>
>> Browser's resolver -> Tor Client (as DNSPort): "Resolve
>> www.example.com, give me an A, and give me DNSSec stuff too."
>> Tor Client -> Tor net -> Tor Exit: "Yeah, resolve that stuff."
>> Tor Exit -> Tor net -> Tor client: "Here's your answer."
>> Tor client -> Browser's resolver: "Here's that A record you wanted,
>> and some dnssec stuff."
>> Browser -> Tor client: "Okay, now connect there."
>> Tor client -> Tor net -> Tor exit: "Connect to <ip address>:80!"
>> Exit node -> Tor net -> Tor Client: "CONNECTED: Connection is open."
>> Tor Client -> Browser: "SOCKS5 connection complete."
>>
>> But that would involve an extra round trip that I'd rather save if possible.
> We could cross our fingers and be optimistic, opening a connection to
> the server queried. Probably a bad idea.
I'm not sure, maybe the idea isn't so bad after all. If we wait for the client to tell us whether it likes the dnssec stuff, I could easily be convinced that this can be used to fingerprint clients. We have the TLS false start stuff which is kind of similar, I feel. Maybe that means for us to go ahead, make the connection, and if we as a client decide not to like it we just try again on a new exit node a couple of times?

_______________________________________________
tor-dev mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
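As an added illustration (not code from the thread, and not Tor's own DNSPort or cell handling), here is a small Python model of the two flows discussed above: the resolve-then-connect exchange Nick lays out, which costs two exit round trips per stream, and the optimistic variant where the exit resolves and connects in one round trip and the client, if it rejects the DNSSEC outcome, drops the stream and retries on another exit a bounded number of times. The `Exit`/`ExitAnswer` classes, the `SECURE`/`INSECURE`/`BOGUS` labels, the "zone" data, the TEST-NET addresses and the client acceptance policy are all assumptions made for the example.

```python
"""
Constructed model of two DNSPort flows (assumption: not Tor's real protocol):
  (a) resolve on the exit, check the DNSSEC result, then connect: 2 round trips
  (b) optimistic: exit resolves AND connects in one round trip; if the client
      rejects the DNSSEC result it closes the stream and retries on a new exit
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# DNSSEC validation outcomes as the (hypothetical) exit reports them.
SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"


@dataclass
class ExitAnswer:
    ip: Optional[str]   # A record, or None if the name did not resolve
    dnssec: str         # SECURE / INSECURE / BOGUS
    connected: bool     # True only when the exit already opened the TCP stream


@dataclass
class Exit:
    """A Tor exit as seen by the client. `zone` is constructed sample data."""
    name: str
    zone: Dict[str, Tuple[str, str]]  # qname -> (ip, dnssec status)
    round_trips: int = 0              # client <-> exit round trips so far

    def resolve(self, qname: str) -> ExitAnswer:
        self.round_trips += 1
        ip, status = self.zone.get(qname, (None, BOGUS))
        return ExitAnswer(ip=ip, dnssec=status, connected=False)

    def connect(self, ip: str, port: int) -> bool:
        self.round_trips += 1
        return True  # model assumption: every exit can reach every address

    def resolve_and_connect(self, qname: str, port: int) -> ExitAnswer:
        """Optimistic flow: a single round trip does both steps."""
        self.round_trips += 1
        ip, status = self.zone.get(qname, (None, BOGUS))
        return ExitAnswer(ip=ip, dnssec=status, connected=ip is not None)


def client_accepts(answer: ExitAnswer) -> bool:
    """Client policy (assumption): reject BOGUS results, accept SECURE and
    INSECURE (an unsigned zone is not evidence of tampering)."""
    return answer.ip is not None and answer.dnssec != BOGUS


def resolve_then_connect(exit_node: Exit, qname: str, port: int):
    """Flow (a). Returns (ip or None, round trips used on this exit)."""
    start = exit_node.round_trips
    ans = exit_node.resolve(qname)
    if not client_accepts(ans):
        return None, exit_node.round_trips - start
    exit_node.connect(ans.ip, port)
    return ans.ip, exit_node.round_trips - start


def optimistic_connect(exits: List[Exit], qname: str, port: int, max_tries: int = 3):
    """Flow (b). Returns (ip, exit name, total round trips) or (None, None, n)."""
    used = 0
    for exit_node in exits[:max_tries]:
        ans = exit_node.resolve_and_connect(qname, port)
        used += 1
        if client_accepts(ans) and ans.connected:
            return ans.ip, exit_node.name, used
        # The exit has already opened a TCP connection to an address the client
        # does not trust: tear the stream down without sending application data,
        # then try the next exit.
    return None, None, used


def good_exit(name: str) -> Exit:
    """Constructed exit that returns a validated answer (TEST-NET address)."""
    return Exit(name, {"www.example.com": ("192.0.2.10", SECURE)})


def bad_exit(name: str) -> Exit:
    """Constructed exit whose answer fails DNSSEC validation."""
    return Exit(name, {"www.example.com": ("198.51.100.7", BOGUS)})


if __name__ == "__main__":
    print("resolve-then-connect:", resolve_then_connect(good_exit("exit-a"), "www.example.com", 80))
    print("optimistic, good first:", optimistic_connect([good_exit("exit-a")], "www.example.com", 80))
    print("optimistic, bad first:", optimistic_connect([bad_exit("exit-b"), good_exit("exit-a")], "www.example.com", 80))
```

Run it directly to see the round-trip counts side by side: the optimistic flow costs one round trip when the first exit's answer is acceptable and one extra per rejected exit, while the resolve-first flow always pays two; the retry loop is capped by `max_tries` so a run of misbehaving exits cannot turn into an unbounded search.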
