2011/2/2 Jacob Appelbaum <[email protected]>
> Hi Bjarni!
>
> Is there any reason that you can't route SSL/TLS traffic to Tor for all
> non-SNI requests? Another thing that might work is knowing that all Tor
> certificates currently end in .net. So while they're random, it's
> certainly possible to know when someone explicitly wants to reach a
> different server you certainly know about and isn't in your allowed
> lookup table. Anything else can be routed to Tor.
>
This would work, but the "default fallback" is somewhat of a coveted position, as there are lots of web browsers out there that don't send SNI. So in a shared environment you want to define your "favorite" web-site as the default fall-back, not Tor. I suppose I could add a feature to Pagekite where the default is different for requests with SNI from requests without... best add that to the list, I guess. :-)

I was also approaching this from the POV of a service provider, offering front-ends to a large number of random people. Most of them would be running websites, but if some wanted to contribute to Tor via my service, I would like to let them. But without an SNI name I can use to choose between them, that doesn't really work, as picking a random Tor backend would probably break the path decision logic in Tor, if I understand things correctly.

> Older clients without SNI will of course have issues and all be routed
> to Tor but perhaps this can be documented - surely some people will
> still use it?
>

Hopefully!

-- 
Bjarni R. Einarsson
The Beanstalks Project ehf.

Making personal web-pages fly: http://pagekite.net/
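The dispatch rule the two messages describe (no SNI goes to a "favorite" default site, a known SNI goes to its own backend, an unknown SNI goes to a different default such as a Tor relay) hinges on being able to read the SNI out of the first TLS record before any handshake is completed. The following is an added example, not Pagekite's or Tor's code: it parses the server_name extension out of a ClientHello byte-for-byte, treats a missing extensions block (legacy clients) as "no SNI", and applies the two-default policy. The lookup table, the default names and the `build_client_hello` sample generator are all constructed for illustration; it also assumes the whole ClientHello arrives in a single TLS record.

```python
import struct
from typing import Optional

# Constructed front-end configuration (hypothetical names, not a real deployment).
KNOWN_SITES = {"pagekite.net", "example.org"}
DEFAULT_WITHOUT_SNI = "site:pagekite.net"   # legacy, SNI-less browsers land on the favourite site
DEFAULT_WITH_SNI = "tor"                    # SNI present but unknown: send to the Tor backend


def build_client_hello(sni: Optional[str]) -> bytes:
    """Constructed sample: a minimal TLS ClientHello record, with or without an SNI extension."""
    body = b"\x03\x03" + bytes(32)                  # client_version + 32-byte random (zeros here)
    body += b"\x00"                                 # empty session_id
    body += struct.pack("!H", 2) + b"\xc0\x2f"      # one cipher suite
    body += b"\x01\x00"                             # one compression method: null
    if sni is not None:
        host = sni.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(host)) + host          # name_type 0 = host_name
        name_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list    # extension type 0 = server_name
        body += struct.pack("!H", len(ext)) + ext                      # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body           # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's SNI extension, or None if there is none.

    None also covers records that are not a ClientHello and clients that send no
    extensions block at all, which is exactly the legacy-browser case.
    """
    if len(record) < 5 or record[0] != 0x16:        # content type 22 = handshake
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]

    pos = 2 + 32                                    # skip client_version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                            # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                            # compression_methods
    if len(body) < pos + 2:
        return None                                 # no extensions block: pre-SNI client
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype != 0x0000 or len(data) < 2:
            continue
        list_end = 2 + struct.unpack("!H", data[:2])[0]
        q = 2
        while q + 3 <= min(list_end, len(data)):
            name_type = data[q]
            name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
            q += 3
            name = data[q:q + name_len]
            q += name_len
            if name_type == 0:                      # host_name; SNI names are ASCII/punycode
                return name.decode("ascii", "replace").lower()
    return None


def choose_backend(record: bytes) -> str:
    """Apply the two-default policy: favourite site without SNI, Tor for unknown SNI."""
    sni = extract_sni(record)
    if sni is None:
        return DEFAULT_WITHOUT_SNI
    if sni in KNOWN_SITES:
        return "site:" + sni
    return DEFAULT_WITH_SNI


if __name__ == "__main__":
    for name in (None, "pagekite.net", "random-relay-name.net"):
        print(name, "->", choose_backend(build_client_hello(name)))
```

The parser deliberately stops at the compression methods when no extensions block follows, rather than erroring, because that is the signal the discussion cares about: a client that predates SNI. Anything a front-end routes on here is read from an unauthenticated, unencrypted ClientHello, so the SNI is a routing hint only, never evidence of who the client is.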
