
Re: Browsers and .onion names

From: Mark Nottingham <mnot@mnot.net>
Date: Sat, 28 Nov 2015 10:40:32 +1100
Cc: Willy Tarreau <w@1wt.eu>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <99E12E0B-7BF4-43E8-BD1D-6B3C70071709@mnot.net>
To: Cory Benfield <cory@lukasa.co.uk>

Hi Cory,

> On 27 Nov 2015, at 7:32 pm, Cory Benfield <cory@lukasa.co.uk> wrote:
> I agree with Willy here, sadly. I have absolutely no intention of adding this exception for .onion names to any software I work on.
> Why is this the DNS client’s problem? If we really don’t want .onion names to leak over DNS, why don’t we add a new DNS RFC that specifies that conformant resolvers don’t emit queries for .onion names?

7686 requires both resolvers and applications to stop emitting queries for .onion names. This is defence in depth; updating DNS resolvers takes time, so applications that care about their users' privacy will assure that those queries are stopped earlier.

You can certainly choose not to implement RFC7686 (there are no RFC police), and there won't be any reduction in interoperability, just security (due to the leakage of requests).

That said, I don't see how it serves your users well to reject it out of hand. If they accidentally make .onion queries without configuring to use Tor, they'll be unpleasantly surprised (and the consequences could be much worse, depending on their situation).


Mark Nottingham   https://www.mnot.net/
Received on Friday, 27 November 2015 23:41:03 UTC
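The two layers the message refers to, as an added example that is not part of the thread or of any of the participants' software: the application-side check that refuses to hand a .onion name to the system resolver, and the resolver-side check that answers a .onion question with NXDOMAIN without forwarding it, which is what RFC 7686 section 2 asks of applications, resolution libraries and caching resolvers. The DNS wire-format handling is a minimal hand-written parser and builder for this example only (one uncompressed question, no EDNS), the upstream resolver is a stand-in callable, and the query names are constructed.

```python
"""RFC 7686 .onion handling at both layers (added example, not from the thread).

Application/library side: fail closed rather than send a .onion name to DNS.
Resolver side: synthesise NXDOMAIN for .onion questions instead of forwarding.
The DNS parsing below is a minimal hand-rolled version written for this example
and assumes a single, uncompressed question section.
"""

import socket
import struct

ONION_LABEL = "onion"


def is_onion(host):
    """True if host is a name under the .onion special-use TLD (RFC 7686).
    Handles upper case and a trailing dot; 'onion.example.com' is not .onion."""
    labels = host.rstrip(".").lower().split(".")
    return labels[-1] == ONION_LABEL and labels[0] != ""


class OnionLeakError(Exception):
    """Raised when an application would otherwise have leaked a .onion query."""


def resolve(host, port=443):
    """Application-side guard: resolve via the system resolver unless the name is
    .onion, in which case raise instead of leaking it (RFC 7686 s.2, items 1-2).
    A Tor-aware application would hand the name to its SOCKS proxy here instead."""
    if is_onion(host):
        raise OnionLeakError("refusing to resolve %r over DNS; route it via Tor" % host)
    return socket.getaddrinfo(host, port)


def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal standard query (RD=1, one question) so the example runs offline."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        struct.pack("!B", len(label)) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # qclass IN


def read_qname(packet, offset):
    """Parse an uncompressed QNAME starting at offset; return (name, offset after it)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers not handled in this example")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def rcode(response):
    """Return the RCODE (low 4 bits of the flags word) of a DNS message."""
    return struct.unpack("!H", response[2:4])[0] & 0x000F


def resolver_handle(packet, forward):
    """Resolver-side policy (RFC 7686 s.2, items 3-4): a .onion question gets an
    immediate authoritative NXDOMAIN (RCODE 3) and is never sent upstream;
    anything else is passed to forward(packet), the stand-in for the upstream path."""
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("example handles exactly one question")
    qname, end = read_qname(packet, 12)
    if not is_onion(qname):
        return forward(packet)
    question = packet[12:end + 4]  # QNAME + QTYPE + QCLASS, echoed back
    # QR=1, opcode copied, AA=1, RD copied from the query, RA=1, RCODE=3
    rflags = 0x8000 | (flags & 0x7800) | 0x0400 | (flags & 0x0100) | 0x0080 | 3
    return struct.pack("!HHHHHH", txid, rflags, 1, 0, 0, 0) + question


if __name__ == "__main__":
    forwarded = []

    def fake_upstream(pkt):
        forwarded.append(pkt)
        return pkt  # a real resolver would send this upstream and return the answer

    resp = resolver_handle(build_query("example.onion"), fake_upstream)
    print("onion query -> rcode", rcode(resp), "| forwarded upstream:", len(forwarded))
    resolver_handle(build_query("example.com"), fake_upstream)
    print("ordinary query -> forwarded upstream:", len(forwarded))
    try:
        resolve("abcdefghijklmnop.onion")
    except OnionLeakError as exc:
        print("application side:", exc)
```

Both checks key off the same `is_onion` test so that the two layers cannot disagree about what counts as a .onion name; the resolver-side branch deliberately returns NXDOMAIN rather than SERVFAIL so that a stub resolver treats the name as non-existent and does not retry against another server.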
