Re: [tor-talk] CA signed SSL bad for censorship resistance?



Miles Richardson writes:

> Has there been any research into the effect that CA signed SSL certs
> on .onion services have on the ability of Tor to circumvent censorship
> authorities? Is it possible there could be some leakage to the certificate
> authority that could be picked up by an ISP?

There's definitely a privacy issue about some sites because some
browsers may contact the CA's OCSP responder (mentioning which cert
they've just encountered).

https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol

The Tor Browser design document currently says

   We have verified that these settings and patches properly proxy HTTPS,
   OCSP, HTTP, FTP, gopher (now defunct), DNS, SafeBrowsing Queries,
   all JavaScript activity, including HTML5 audio and video objects,
   addon updates, wifi geolocation queries, searchbox queries, XPCOM
   addon HTTPS/HTTP activity, WebSockets, and live bookmark updates. We
   have also verified that IPv6 connections are not attempted, through
   the proxy or otherwise (Tor does not yet support IPv6). We have also
   verified that external protocol helpers, such as smb urls and other
   custom protocol handlers are all blocked.

So, when OCSP queries to the CA happen, they should also be sent over Tor.

Sites can help reduce the incidence of OCSP queries by implementing OCSP
stapling:

https://en.wikipedia.org/wiki/OCSP_stapling

-- 
Seth Schoen  <schoen@xxxxxxx>
Senior Staff Technologist                       https://www.eff.org/
Electronic Frontier Foundation                  https://www.eff.org/join
815 Eddy Street, San Francisco, CA  94109       +1 415 436 9333 x107
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
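
Added example, not part of the original message: a site operator can confirm that a server staples its OCSP response by reading the OCSP section that `openssl s_client -status` prints. The function names and the sample transcripts below are constructed for illustration.

```shell
# Constructed excerpts of `openssl s_client -status` output (not from a real site).
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good'
SAMPLE_REVOKED='OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: revoked'
SAMPLE_NONE='OCSP response: no response sent'

# Read s_client output on stdin and print one of:
#   stapled-good  staple present, responder says the cert is good
#   stapled-bad   staple present, but revoked/unknown or responder error
#   not-stapled   handshake carried no staple, so clients that check
#                 revocation fall back to querying the CA's responder
#   unknown       no OCSP section in the input (e.g. the handshake failed)
classify_staple() {
    out=$(cat)
    case "$out" in
        *'OCSP response: no response sent'*) echo not-stapled ;;
        *'OCSP Response Status: successful'*)
            case "$out" in
                *'Cert Status: good'*) echo stapled-good ;;
                *) echo stapled-bad ;;
            esac ;;
        *'OCSP Response Status:'*) echo stapled-bad ;;
        *) echo unknown ;;
    esac
}

# Live check against a server you operate; $1 is its host name.
# Defined here but not called, so the example runs offline.
check_host() {
    openssl s_client -connect "$1:443" -servername "$1" -status \
        </dev/null 2>/dev/null | classify_staple
}

# Run the classifier over the constructed samples.
for s in "$SAMPLE_STAPLED" "$SAMPLE_REVOKED" "$SAMPLE_NONE"; do
    printf '%s\n' "$s" | classify_staple
done
```

A `not-stapled` result means each visitor's browser may still send its own OCSP query naming the certificate, which is the leak described above.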