On Fri, Nov 15, 2013 at 9:31 AM, Nick Mathewson <ni...@torproject.org> wrote: > Individual blogs might be at: > technology.cmktn5wni9uinp1niixoh8gzf2oqkcwckcexwe8zutfn5uu7zbb.onion, > lemurs.cmktn5wni9uinp1niixoh8gzf2oqkcwckcexwe8zutfn5uu7zbb.onion, > drama.cmktn5wni9uinp1niixoh8gzf2oqkcwckcexwe8zutfn5uu7zbb.onion > > My thought had been that the long addresses are likely to make people > a bit disinclined to use even longer addresses. But I guess we'll > see; there's no reason to actually remove the feature.
I don't think this is a reason to remove the feature altogether, but there is a good reason not to deploy a website with user-controllable subdomains as suggested: the browser has no way of knowing that .cmktn5wni9uinp1niixoh8gzf2oqkcwckcexwe8zutfn5uu7zbb.onion is a "public suffix" and will therefore allow lemurs.yada.onion to declare that its "origin" is the entire yada.onion domain and snoop on other sites hosted there. zw _______________________________________________ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev