[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Summary of meek's costs, October 2015

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] Summary of meek's costs, October 2015
From: Tom Ritter <tom@xxxxxxxxx>
Date: Fri, 20 Nov 2015 17:50:51 -0600
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 20 Nov 2015 18:51:22 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ritter.vg; s=vg; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :content-type:content-transfer-encoding; bh=rZFovrm5i4zPl3G8dwsBgSVqiydhLbmBdpAksJVpW2A=; b=PQ9XdC0IYvft6+KWs4xUzCh39l0MXmYIF6ZbddEf8uuARwtQ7XI1IOYYg+sr5CpQaW bpbM/rgcc+tBtxdwChHU/02aDycUtxnj5KE3EGkrRMw4fgT87KUUASx2dLS0lE6ejoAS +EThkz82+mNjmKgt/oLsNXKaAtML2Ljuzc96k=
In-reply-to: <20151118213227.GA29329@xxxxxxxxxxxxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <20151118213227.GA29329@xxxxxxxxxxxxxxxxxxxxxxxx>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>

On 18 November 2015 at 16:32, David Fifield <david@xxxxxxxxxxxxxxx> wrote:
> There was an unfortunate outage of meek-amazon (not the result of
> censorship, just operations failure). Between 30 September and 9 October
> the bridge had an expired HTTPS certificate.
>         [tor-talk] Outage of meek-amazon
>         https://lists.torproject.org/pipermail/tor-talk/2015-October/039231.html
>         https://lists.torproject.org/pipermail/tor-talk/2015-October/039234.html
> And then, as a side effect of installing a new certificate, the bridge's
> fingerprint changed, which caused Tor Browser to refuse to connect. It
> used to be that we didn't include fingerprints for the meek bridges, but
> now we do, so we didn't anticipate this error and didn't notice it
> quickly.
>         Update the meek-amazon fingerprint to B9E7141C594AF25699E0079C1F0146F409495296
>         https://trac.torproject.org/projects/tor/ticket/17473
>         [tor-talk] Changed fingerprint for meek-amazon bridge (attn support)
>         https://lists.torproject.org/pipermail/tor-talk/2015-November/039397.html
> Interestingly, the meek-amazon bridge still had about 400 simultaneous
> users (not as much as normal) during the time when the fingerprint
> didn't match. I would have expected it to go almost to zero. Maybe it's
> people using an old version of Tor Browser (from before March 2015) or
> some nonâTor Browser installation.

It seems like it would be better to use the SPKI rather than the cert
fingerprint, this would allow you to reissue the same key and keep
things working for older clients.

-tom
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Follow-Ups:
- Re: [tor-dev] Summary of meek's costs, October 2015
  - From: David Fifield

References:
- [tor-dev] Summary of meek's costs, October 2015
  - From: David Fifield

Prev by Author: Re: [tor-dev] Proposal 258: Denial-of-service resistance for directory authorities
Next by Author: Re: [tor-dev] Proposal: Adding x-namespace to relay descriptor for key:value pairs
Previous by thread: [tor-dev] Summary of meek's costs, October 2015
Next by thread: Re: [tor-dev] Summary of meek's costs, October 2015
Index(es):
- Author
- Thread