Thus spake Seth David Schoen (schoen@xxxxxxx): > > Hi, > > I don't understand, too and in my opinion, this is utter nonsense. I'm > > not aware of any negative impacts on privacy due to the usage of > > https://, > > Session resumption can be used to recognize an individual browser > that connects from different IP addresses, or even over Tor. This > kind of recognition can be perfect because the resumption involves > a session key which is large, random, and could not legitimately > have been known to any other browser. :-( This is not true if the user is using Torbutton. See the paragraph about security.enable_ssl2 in: https://www.torproject.org/torbutton/en/design/#browseroverlay This hack causes us to clear all TLS session ID and resumption state. It's bloody, but it works. Firefox has also created an official API for us to do this the "right" way that we will begin using in 1.2.6: https://trac.torproject.org/projects/tor/ticket/1624 Torbutton also has code to isolate custom stored client and server certificates, but this code tends to crash Firefox because of refcounting issues in the TLS cert manager, so it is disabled by default. We're waiting on this bug to be fixed to enable it: https://bugzilla.mozilla.org/show_bug.cgi?id=435159 In other words, like we do with everything else, we have spent quite a bit of effort in dealing with TLS privacy issues, and the "Whistleblower howto" link in question is almost 100% nonsense that the author seemingly made up on the spot based on incorrect assumptions that they didn't bother to verify or investigate... -- Mike Perry Mad Computer Scientist fscked.org evil labs
Attachment:
pgpUl974HcbKd.pgp
Description: PGP signature