Speaking of which ...
It is a critical flaw that fails open. The DNS continues to work but users are put into harm's way. ...
Also please keep in mind that we're having this discussion because of design tradeoffs in the implementation of Tor. If they'd made onion a URI scheme rather than a pseudo-domain, onion://blah rather than http://blah.onion, there'd be no leakage problem since browsers that don't know about onion: would just reject them. ...
I'm aware of the context; I'm a co-author of the RFC in question. The solution you present is not practical for integration across most programs without huge modifications to nearly every program.
So, just to clarify, the DNS leaks and it's a critical flaw, but Tor applications leak and that's just the way it is?
I'm not opposed to mitigating the damage, but let's think more carefully about the stones we're throwing, please.
R's,
John

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
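The thread turns on two points: a resolver that forwards .onion names "fails open", and mitigation is possible short of changing every application. The following is an added example, not code from the thread or from any resolver or Tor project, showing what the fail-closed behaviour looks like in practice and how an operator can find .onion lookups that have already reached a recursive resolver's query log. The log line format, the client addresses and the names are constructed for the example; the only external fact it relies on is that .onion is a registered special-use name that a resolver should refuse locally rather than forward.

```python
"""
Added example (not part of the mailing-list thread): a fail-closed guard for
.onion names at a stub/forwarding resolver, plus a detector that lists .onion
lookups found in a resolver query log. Log format, addresses and names below
are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

ONION_TLD = "onion"


def normalize(qname: str) -> str:
    """Lowercase and drop a trailing root dot so 'WWW.ABC.ONION.' matches 'www.abc.onion'."""
    return qname.strip().lower().rstrip(".")


def is_onion_name(qname: str) -> bool:
    """True for 'onion' itself and for any name under it; empty labels are ignored."""
    labels = [label for label in normalize(qname).split(".") if label]
    return bool(labels) and labels[-1] == ONION_TLD


@dataclass
class Answer:
    rcode: str        # "NXDOMAIN" when answered locally, "FORWARD" when sent upstream
    forwarded: bool   # whether the query left the host at all


def resolve_fail_closed(qname: str, forward: Callable[[str], Answer]) -> Answer:
    """Fail closed: .onion is answered NXDOMAIN here and never reaches the upstream.

    The fail-open behaviour the thread criticises is simply `return forward(qname)`
    for every name, which would put the .onion label on the wire.
    """
    if is_onion_name(qname):
        return Answer("NXDOMAIN", forwarded=False)
    return forward(qname)


# Constructed query-log line shape: "<timestamp> client=<ip> qname=<name> qtype=<type>"
LOG_RE = re.compile(r"^\S+ client=(?P<client>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+)$")


def find_onion_leaks(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client, qname) pairs for .onion lookups that reached the resolver.

    Each hit is a name that an application or stub resolver has already leaked;
    lines that do not match the expected format are skipped rather than trusted.
    """
    leaks = []
    for line in lines:
        match = LOG_RE.match(line)
        if match and is_onion_name(match.group("qname")):
            leaks.append((match.group("client"), normalize(match.group("qname"))))
    return leaks


# Constructed sample log: two leaked .onion lookups, two ordinary names, one junk line.
SAMPLE_LOG = [
    "2024-01-01T00:00:00Z client=10.0.0.5 qname=abc123.onion qtype=A",
    "2024-01-01T00:00:01Z client=10.0.0.6 qname=example.com qtype=AAAA",
    "2024-01-01T00:00:02Z client=10.0.0.7 qname=www.ABC123.onion. qtype=A",
    "2024-01-01T00:00:03Z client=10.0.0.8 qname=onion.example.net qtype=A",
    "this line is not a query record",
]


def _forward_stub(qname: str) -> Answer:
    """Stand-in for an upstream lookup; a real resolver would send the query here."""
    return Answer("FORWARD", forwarded=True)


if __name__ == "__main__":
    for name in ("abc123.onion", "example.com"):
        answer = resolve_fail_closed(name, _forward_stub)
        print(f"{name:15} -> {answer.rcode} (forwarded={answer.forwarded})")
    for client, name in find_onion_leaks(SAMPLE_LOG):
        print(f"leak: {client} looked up {name}")
```

The guard is the cheap half of the mitigation John alludes to: it lives in one place (the stub or forwarding resolver) instead of in every application, and it turns a leak into a local NXDOMAIN. The detector covers the other half, measuring how much still gets through from hosts that do not have such a guard.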