Re: Browsers and .onion names from Eliot Lear on 2015-11-29 (ietf-http-wg@w3.org from October to December 2015)

From: Eliot Lear <lear@cisco.com>
Date: Sun, 29 Nov 2015 19:45:50 +0100
To: Cory Benfield <cory@lukasa.co.uk>, Mark Nottingham <mnot@mnot.net>
Cc: Jacob Appelbaum <jacob@appelbaum.net>, Willy Tarreau <w@1wt.eu>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <565B47DE.2020708@cisco.com>

Hi Cory,

On 11/29/15 10:52 AM, Cory Benfield wrote:
> Mark,
>
> I’m sorry if I was insufficiently clear. When I said “rely on users not to just throw .onion names into every settings field they find”, I specifically meant that many applications have settings fields that allow users to provide names that will be looked up. For example, at my previous employer we had a RADIUS implementation that would talk over the network, and so would emit a DNS lookup. Are we really saying that that software should be filtering .onion names because a telco operator *might* put a .onion name into the “RADIUS server” configuration field?

I'm still not entirely clear on what the concern is.  I *think* what is
being said is the following:

 1. .onion requires special handling.
 2. If you don't know how to handle it, pass an error back to the user.
 3. If you're about to query the DNS for a .onion name, then you don't
    know how to handle it.

Whether this is with a browser or curl or something else, that seems to
make sense to me.  I could easily envision a proxy that can handle
.onion.  That means one might never get to step 3 if you're using a proxy.

Or have I missed the point?

Eliot

Received on Sunday, 29 November 2015 18:46:24 UTC