Re: Browsers and .onion names

> On 28 Nov 2015, at 11:56, Jacob Appelbaum <jacob@appelbaum.net> wrote:
> We solve a real problem with RFC7686 and browsers, as well
> as other software, have a duty of care to implement the solution.

The browsers part makes sense to me, it really does, and I (and maybe Willy) would not have objected in the slightest if this was brought up as a suggestion instead of what felt like a mandate. I don’t object to browsers refusing to process .onion domains, that makes perfect sense. I care much more about claiming that the requirement extends to anything that processes domain names (your “other software”), even if that application makes no claim to support Tor or actively claims it does not.

It is worth remembering that the space of things a piece of software does not implement is far larger than the space of things it does. It is a difficult and fraught endeavour to try to mandate behaviour in implementations whose authors had no reason to read your RFC because they had no plans to go anywhere near the Tor protocol.

It’s also unhelpful to claim that all software that does DNS lookups has a duty to filter out .onion URLs to save users from themselves. This requirement is prima facie absurd: are we to require that, for example, Python’s logging library should filter .onion URLs in case a user tries to put a syslog daemon behind such a domain? Or, a more extreme case, that RADIUS implementations should do so? Remember, any RADIUS application is an “application that does not implement the Tor protocol”, so RFC 7686 would appear to affect those as well. This is so obviously absurd that I assume that it was not the intent of RFC 7686, but RFC 7686 is certainly worded so broadly that it can be read that way.

There is nothing wrong with wanting browsers to filter .onion domains, because browsers can be extended to support the Tor protocol. There’s nothing wrong with wanting tools that could in principle support the Tor protocol, or that do not rule out doing so, to also special case the .onion domain. It is, however, totally barmy to claim a normative requirement on all DNS applications to filter out .onion domains and to (presumably) use that requirement as a cudgel to punish them with if they do not. Many applications that process domain names come nowhere near a protocol or use that Tor is intended for, and shouldn’t be bound by this requirement. At some point, we have to rely on users not to just throw .onion names into every settings field they find.

Received on Saturday, 28 November 2015 16:59:38 UTC