[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-commits] [torbutton/master] Add an item for TLS issues and APIs.

To: tor-commits@xxxxxxxxxxxxxxxxxxxx
Subject: [tor-commits] [torbutton/master] Add an item for TLS issues and APIs.
From: mikeperry@xxxxxxxxxxxxxx
Date: Sat, 26 Mar 2011 00:17:43 +0000 (UTC)
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 25 Mar 2011 20:18:03 -0400
List-archive: <http://lists.torproject.org/pipermail/tor-commits>
List-help: <mailto:tor-commits-request@lists.torproject.org?subject=help>
List-id: code repository commits <tor-commits.lists.torproject.org>
List-post: <mailto:tor-commits@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits>, <mailto:tor-commits-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-commits>, <mailto:tor-commits-request@lists.torproject.org?subject=unsubscribe>
Patch-author: Mike Perry <mikeperry-git@xxxxxxxxxx>
Sender: tor-commits-bounces@xxxxxxxxxxxxxxxxxxxx

commit 09f55fbe0bc0ed2802fd1bd00790d1646ea6b64f
Author: Mike Perry <mikeperry-git@xxxxxxxxxx>
Date:   Fri Mar 25 17:16:42 2011 -0700

    Add an item for TLS issues and APIs.
    
    We don't have Bugzilla entries for this yet, but it should be listed.
---
 website/design/design.xml |   22 ++++++++++++++++++++++
 1 files changed, 22 insertions(+), 0 deletions(-)

diff --git a/website/design/design.xml b/website/design/design.xml
index 3f906b3..b137caf 100644
--- a/website/design/design.xml
+++ b/website/design/design.xml
@@ -2137,7 +2137,29 @@ feature.
 
       </para>
      </listitem>
+     <listitem>Give more visibility into and control over TLS
+negotiation
+     <para>
 
+There are several <ulink
+url="https://trac.torproject.org/projects/tor/ticket/2482";>TLS issues
+impacting Torbutton security</ulink>. It is not clear if these should be one
+Firefox bug or several, but in particular we need better control over various
+aspects of TLS connections. Firefox currently provides no observer capable of
+extracting TLS parameters or certificates early enough to cancel a TLS
+request. We would like to be able to provide <ulink
+url="https://www.eff.org/https-everywhere";>HTTPS-Everywhere</ulink> users with
+the ability to <ulink
+url="https://trac.torproject.org/projects/tor/wiki/HTTPSEverywhere/SSLObservatorySubmission";>have
+their certificates audited</ulink> by a <ulink
+url="http://www.networknotary.org/";>Perspectives</ulink>-style set of
+notaries. The problem with this is that the API observer points do not exist
+for any Firefox addon to actually block authentication token submission over a
+TLS channel, so every addon to date (including Perspectives) is actually
+providing users with notification *after* their authentication tokens have
+already been compromised. This obviously needs to be fixed.
+     </para>
+     </listitem>
      <listitem><ulink
 url="https://bugzilla.mozilla.org/show_bug.cgi?id=575230";>Bug 575230 - Provide option to
 reduce precision of Date()</ulink>



_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits

Prev by Author: [tor-commits] [torbutton/master] Update compiled html.
Next by Author: [tor-commits] r24291: {website} modified version for new Android build (website/trunk/include)
Previous by thread: [tor-commits] [torbutton/master] Update compiled html.
Next by thread: [tor-commits] r24445: {website} Update design html. (website/trunk/torbutton/en/design)
Index(es):
- Author
- Thread