At https://trac.torproject.org/projects/tor/ticket/24774#comment:5, nickm stated:
I'm not sure that the sandboxing section is necessary. We should say that _all_ plugins should only access the network over Tor, unless they are using some comparably strong anonymity mechanism. [...]
In reply at https://trac.torproject.org/projects/tor/ticket/24774#comment:6, I ask:
The proposal as written states under §3.2, specifically discussing `'*'`:
Perhaps we trust the name plugin itself, but maybe the name system network could exploit this?
What does this mean? Is there any specific information on what potential exploits the spec authors have thought of? '''Would requiring Tor-only connections prevent these potential exploits?''' I should ask on `tor-dev`.
Per the discussion in the current version of the spec (686aaf1), there is concern that a `'*'` plugin may try to resolve ordinary DNS names. But this separate, quoted statement assumes a trustworthy plugin, which I take to mean that it would not grab .com, etc.
So, what was the concern behind that statement? (And are there any other potential exploits, which may or may not be prevented by requiring name resolution through Tor?)