
Re: [tor-bugs] #7189 [Tor]: Disabling TLS tickets makes us look unlike firefox



#7189: Disabling TLS tickets makes us look unlike firefox
----------------------------+-----------------------------------------------
 Reporter:  nickm           |          Owner:                    
     Type:  defect          |         Status:  new               
 Priority:  major           |      Milestone:  Tor: 0.2.3.x-final
Component:  Tor             |        Version:                    
 Keywords:  tor-client tls  |         Parent:                    
   Points:                  |   Actualpoints:                    
----------------------------+-----------------------------------------------

Comment(by nickm):

 Replying to [comment:1 arma]:
 > Replying to [ticket:7189 nickm]:
 > > This is a nontrivial decision to make.  If a client says that it
 > > supports TLS tickets, and it is talking to an older Tor server that hasn't
 > > disabled them, it will get degraded PFS.  But if a client doesn't say it
 > > supports TLS tickets, it will apparently be more distinguishable.
 >
 > I'm not too worried about older Tors -- they will become more scarce
 > over time.

 So the question is, whether they should be allowed to delay clients
 getting good fast PFS.  If we keep tickets out of client connections, then
 clients who have a new Tor get fast PFS on 100% of their TLS connections
 right away; and other clients get PFS on U of their TLS connections, where
 U is the fraction of Tor nodes that have upgraded. Node-to-node TLS has
 PFS with probability 1-(1-U)^2.

 But if we put tickets back in Tor servers, then all clients get fast PFS
 on U of their TLS connections, and node-to-node TLS has PFS with
 probability U.


 One other option to think about is to make this change, but make it later,
 once more servers have upgraded.  We can't make this change in a consensus
 parameter, though, since that would force us to change our behavior on the
 fly.


 We could probably help the network by having relays turn tickets off
 unconditionally, so that node-to-node TLS gets fast PFS if either peer is
 upgraded.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7189#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
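A small model of the PFS trade-off argued in the comment above, added here as an example (it is not from the ticket or from Tor's code). It encodes the two policies as a rule for a single TLS connection and derives the per-connection PFS probabilities the comment gives in terms of U, the fraction of upgraded relays; it assumes peers' upgrade states are independent.

```python
import random

# Added example, not code from the ticket or from Tor.  U is the fraction of
# relays that have upgraded; each connection either gets "fast" PFS or does
# not, following the rules stated in the comment.
# Assumption: upgrade states of the two peers are independent and random.

def has_fast_pfs(policy, initiator_upgraded, responder_upgraded):
    """Apply the comment's rule for one TLS connection."""
    if policy == "tickets_off":
        # Tickets are disabled in upgraded clients AND upgraded relays, so a
        # ticket is only used when neither side has upgraded.
        return initiator_upgraded or responder_upgraded
    if policy == "tickets_back_in_relays":
        # Only the relay (responder) side counts; the comment does not say
        # what an upgraded relay does differently, so this is taken as given.
        return responder_upgraded
    raise ValueError(policy)

def pfs_probabilities(U, policy):
    """Exact probabilities by enumerating the peers' upgrade states."""
    def expect(initiator_upgraded):
        return sum(
            (U if resp else 1 - U) * has_fast_pfs(policy, initiator_upgraded, resp)
            for resp in (True, False)
        )
    node_to_node = sum((U if i else 1 - U) * expect(i) for i in (True, False))
    return {
        "new_client": expect(True),    # client that has upgraded
        "old_client": expect(False),   # client still offering tickets
        "node_to_node": node_to_node,  # relay-to-relay connection
    }

def simulate(U, policy, n=20000, seed=7):
    """Monte Carlo check of the node-to-node figure against the closed form."""
    rng = random.Random(seed)
    hits = sum(
        has_fast_pfs(policy, rng.random() < U, rng.random() < U)
        for _ in range(n)
    )
    return hits / n
```

With "tickets_off" the node-to-node value is 1-(1-U)^2 and a new client gets 1.0; with "tickets_back_in_relays" every figure collapses to U.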