On Mon, Apr 03, 2017 at 10:48:26AM -0400, Ian Goldberg wrote:
> The other thing to remember is that didn't we already say that
> facebookgbiyeqv3ebtjnlntwyvjoa2n7rvpnnaryd4a.onion
> and
> face-book-gbiy-eqv3-ebtj-nlnt-wyvj-oa2n-7rvp-nnar-yd4a.onion
> will mean the same thing?
Did we? I admit that I haven't been paying enough attention to anything lately, but last I checked, we thought that was a terrible idea because people can make a bunch of different versions of the address, and use them as tracking mechanisms for users. (For example, I put two versions of the same address on my two different pages, and now when somebody goes to that onion address, I can distinguish which page they came from. In the extreme versions of this idea, I give a unique version of my address to the target, and then I can spot him when he uses it.)
Ultimately the problem is that the browser is too good at giving away the hostname that it thinks it's going to -- in various headers, in cross-site isolation, etc etc.
So, if we have indeed decided to allow many versions of format for onion addresses, I hope we thought through this attack and decided it was worth it. :)
--Roger
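As an added illustration (not from the thread or from Tor's code): a canonicalizer that maps every hyphenated spelling of the address quoted above to one form, so a client or log pipeline can compare addresses on the canonical string rather than the raw one, plus a count of how many distinct spellings the hyphen freedom creates, which is the size of the per-user tag space Roger describes. It assumes hyphens may be inserted between any two label characters, not only in groups of four.

```python
import re

ONION_SUFFIX = ".onion"

# Constructed from the two spellings quoted in the thread.
UNDASHED = "facebookgbiyeqv3ebtjnlntwyvjoa2n7rvpnnaryd4a.onion"
DASHED = "face-book-gbiy-eqv3-ebtj-nlnt-wyvj-oa2n-7rvp-nnar-yd4a.onion"


def canonical_onion(addr: str) -> str:
    """Return the single canonical spelling of an onion address:
    lowercase, all hyphens removed, '.onion' suffix kept.
    Raises ValueError when the remaining label is not RFC 4648 base32
    (a-z, 2-7), so garbage never silently becomes 'equal' to something."""
    host = addr.strip().lower()
    if not host.endswith(ONION_SUFFIX):
        raise ValueError("not an .onion address: %r" % addr)
    label = host[: -len(ONION_SUFFIX)].replace("-", "")
    if not re.fullmatch(r"[a-z2-7]+", label):
        raise ValueError("label is not base32: %r" % label)
    return label + ONION_SUFFIX


def same_service(a: str, b: str) -> bool:
    """True when two spellings name the same service after canonicalization."""
    return canonical_onion(a) == canonical_onion(b)


def variant_count(addr: str) -> int:
    """Number of distinct spellings of one address if a hyphen may be
    placed, or not, in each of the len(label) - 1 gaps between characters
    (assumption: arbitrary hyphen placement). Each spelling can serve as
    a distinct tracking tag for whoever is handed it."""
    label = canonical_onion(addr)[: -len(ONION_SUFFIX)]
    return 2 ** (len(label) - 1)


if __name__ == "__main__":
    print(canonical_onion(DASHED))
    print(same_service(UNDASHED, DASHED))
    print(variant_count(UNDASHED))
```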