Re: [tor-bugs] #4570 [Tor Bridge]: Implement certificate serial number covert channel (part of proposal 179)
#4570: Implement certificate serial number covert channel (part of proposal 179)
------------------------+---------------------------------------------------
Reporter: asn | Owner:
Type: defect | Status: new
Priority: normal | Milestone:
Component: Tor Bridge | Version:
Keywords: | Parent: #3972
Points: | Actualpoints:
------------------------+---------------------------------------------------
Changes (by asn):
* cc: ioerror (added)
Comment:
Replying to [comment:3 nickm]:
> Replying to [comment:2 asn]:
>
> > We will always have false positives with this scheme, till all the
> > non-0.2.3.x relays disappear from the network.
>
> Unless we use the other v3-indicating cert features plus the SN to
> indicate
>
> Let's take a step back -- do you currently think this feature is a good
> idea? I don't think it's workable if we have user-provided certs, and I
> think that getting user-provided certs to work is more important than
> this.
>
I don't think it's a good idea.
I can see a use for it, but like you said, it kills the user-provided/CA-signed
certs idea (which is *very* important). Less importantly, it provides an
"at 75% this is a Tor relay" fingerprint to censors, and it
feels very hacky and last-hope to a problem we are not currently having,
since:
- v3 seems good.
- future 'in-protocol' link protocols can be negotiated by sending a
v3-signaling SSL handshake and then negotiating v4 over VERSIONS.
- if we ever need to negotiate 'some other kind of TLS handshake' (for
whatever reason) we can use signalling in the SSL handshake but outside of
the Certificate. For example, we can use the SessionTicket field in the
ServerHello (which relays currently send empty), or use another TLS
extension (which are getting popular lately with ECC).
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/4570#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
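The comment above argues that signalling placed anywhere in the TLS handshake, including the SessionTicket extension that relays currently send empty, is still visible to a passive observer. The following is an added example, not code from the ticket or from the Tor project: a small TLS 1.2 ServerHello builder and parser that lists the extensions a censor would see in the clear and checks for an empty SessionTicket extension (type 35, RFC 5077). The ServerHello bytes, the cipher suite and the placeholder random are constructed for the example, not captured from a real relay; the function names are this example's own.

```python
"""Parse a TLS 1.2 ServerHello and list its extensions in the clear.

Added example (not Tor project code). It shows that anything a relay puts in
the handshake outside the Certificate, such as an empty SessionTicket
extension, is visible to a passive observer and so is a potential fingerprint.
All input bytes are constructed inline for the example.
"""
import struct

SESSION_TICKET = 0x0023        # RFC 5077 SessionTicket extension type
RENEGOTIATION_INFO = 0xFF01    # RFC 5746, commonly present in a ServerHello


def build_server_hello(extensions, cipher_suite=0xC02F, session_id=b""):
    """Construct a TLS 1.2 ServerHello record (handshake type 2).

    extensions: list of (type, data) tuples, or None for no extensions block.
    """
    random = b"\x11" * 32  # constructed placeholder, not real randomness
    body = struct.pack("!H", 0x0303) + random
    body += struct.pack("!B", len(session_id)) + session_id
    body += struct.pack("!HB", cipher_suite, 0)  # cipher suite, null compression
    if extensions is not None:
        ext_bytes = b"".join(
            struct.pack("!HH", ext_type, len(data)) + data
            for ext_type, data in extensions
        )
        body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello(record):
    """Return {version, cipher_suite, extensions: [(type, data), ...]}.

    Raises ValueError on truncated input or on a record that is not a
    ServerHello, so a malformed handshake never yields a partial result.
    """
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    if rec_len + 5 > len(record):
        raise ValueError("truncated record")
    hs = record[5:5 + rec_len]
    if hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated handshake body")
    version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                  # skip server random
    sid_len = body[pos]
    pos += 1 + sid_len                            # skip session id
    cipher_suite = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 3                                      # cipher suite + compression
    extensions = []
    if pos < len(body):                           # extensions block is optional
        ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        if end > len(body):
            raise ValueError("truncated extensions")
        while pos < end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            extensions.append((ext_type, body[pos:pos + ext_len]))
            pos += ext_len
    return {"version": version, "cipher_suite": cipher_suite,
            "extensions": extensions}


def has_empty_session_ticket(parsed):
    """True if the server sent a SessionTicket extension with empty data."""
    return any(t == SESSION_TICKET and data == b""
               for t, data in parsed["extensions"])


if __name__ == "__main__":
    hello = build_server_hello([(RENEGOTIATION_INFO, b"\x00"),
                                (SESSION_TICKET, b"")])
    info = parse_server_hello(hello)
    for ext_type, data in info["extensions"]:
        print("extension 0x%04x, %d bytes" % (ext_type, len(data)))
    print("empty SessionTicket present:", has_empty_session_ticket(info))
```

The parser is deliberately strict about lengths: a handshake-signalling scheme that a censor can also parse gives the censor exactly the same view, so whatever is chosen as the signal has to be something ordinary servers also send, not merely something outside the Certificate.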