Nick Mathewson wrote:
> Filename: 169-eliminating-renegotiation.txt
> Title: Eliminate TLS renegotiation for the Tor connection handshake
> Author: Nick Mathewson
> Created: 27-Jan-2010
> Status: Draft
> Target: 0.2.2
> [...]
> The new initiator behavior now looks like this:
> [...]
> * If the CERT cell is a good cert signing the public
> key in the x.509 certificate we got during the TLS
> handshake, we connected to the server with that
> identity key. Otherwise close the connection.

I think this needs to be re-written to be clearer.

> * Once the NETINFO cell arrives, continue as before.
> [...]
> 6. Open questions:
>
> - Should we use X.509 certificates instead of the certificate-ish
> things we describe here? They are more standard, but more ugly.

Do we get anything out of custom-ish things? It seems kludgy to make stuff up on the fly, but perhaps it's somehow simpler for our use?

>
> - May we cache which certificates we've already verified? It
> might leak in timing whether we've connected with a given server
> before, and how recently.

It seems like timing information would be leaked. We should avoid that if possible.

>
> - Is there a better secret than the master secret to use in the
> AUTHENTICATE cell? Say, a portable one? Can we get at it for
> other libraries besides OpenSSL?
>

I'm not sure. It seems OK. What worries you about it?

> - Can we give some way for clients to signal "I want to use the
> V3 protocol if possible, but I can't renegotiate, so don't give
> me the V2"? Clients currently have a fair idea of server
> versions, so they could potentially do the V3+ handshake with
> servers that support it, and fall back to V1 otherwise.
> Does this open us up to downgrade attacks?

Downgrade attacks here seem like they might range in seriousness from simply potentially detecting Tor users to perhaps doing something actually nasty...

> - What should servers that don't have TLS renegotiation do? For
> now, I think they should just get it. Eventually we can
> deprecate the V2 handshake as we did with the V1 handshake.
>

Seems reasonable.

Best,
Jake
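Added example, not code from the proposal or from the Tor code base: a Go model of the initiator check quoted above, where the CERT cell must carry the identity key's signature over the public key that was actually presented in the TLS handshake. The CertCell layout, the RSA/SHA-256 choice and the PKIX-digest signing are assumptions for illustration, not Tor's wire format.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
)

// CertCell is a simplified model (an assumption, not Tor's wire format) of a
// CERT cell: the responder's identity key plus its signature over the link key.
type CertCell struct {
	IdentityKey *rsa.PublicKey
	Signature   []byte
}

// linkKeyDigest hashes the DER (PKIX) encoding of a public key, so the signed
// value is exactly the key material the initiator saw in the TLS handshake.
func linkKeyDigest(pub *rsa.PublicKey) ([32]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return [32]byte{}, err
	}
	return sha256.Sum256(der), nil
}

// MakeCertCell is the responder side: sign the link key with the identity key.
func MakeCertCell(identity *rsa.PrivateKey, linkPub *rsa.PublicKey) (*CertCell, error) {
	digest, err := linkKeyDigest(linkPub)
	if err != nil {
		return nil, err
	}
	sig, err := rsa.SignPKCS1v15(rand.Reader, identity, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return &CertCell{IdentityKey: &identity.PublicKey, Signature: sig}, nil
}

// VerifyCertCell is the initiator's check: accept only if the cell's identity key
// signed the key seen in the TLS handshake (tlsPub); false means close the connection.
func VerifyCertCell(cell *CertCell, tlsPub *rsa.PublicKey) bool {
	digest, err := linkKeyDigest(tlsPub)
	if err != nil {
		return false
	}
	return rsa.VerifyPKCS1v15(cell.IdentityKey, crypto.SHA256, digest[:], cell.Signature) == nil
}
```

The decisive input is the key the TLS layer handed over, not anything inside the cell, so a cell that is internally valid but was made for a different link key is rejected.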