[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] How evil is TLS cert collection?

Hash: SHA512

On 03/21/2011 01:58 AM, Mike Perry wrote:
> I've spent some time working with the EFF recently to build a
> distributed version of the SSL Observatory
> (https://www.eff.org/observatory) to be included with HTTPS
> Everywhere. The draft API and design sketch is here:
> https://trac.torproject.org/projects/tor/wiki/HTTPSEverywhere/SSLObservatorySubmission
> The brief summary is that it will be submitting rare TLS certificates
> through Tor to EFF for analysis and storage. We will also leverage the
> database of certificates to provide notification in the event of
> targeted MITM attacks**.
> I am trying to decide if this is a bad thing to enable by default for
> users.
> On the one hand, we have taken a lot of precautions to ensure that the
> EFF is given the minimal amount of useful information, and retains
> even less (such as no high-resolution timing information). The EFF is
> extremely trustworthy, and has an army of lawyers on-hand to defend
> against subpoenas or legal requests for excessive data retention.
> Furthermore, the OCSP revocation servers have just as much or more
> information, and who knows what they do with this same information.
> In all likelihood, they probably sell it to netcraft and whoever else.
> It is valuable.
> On the other hand, the EFF intends to publish as much of the
> information gathered with this system as it can for analysis by the
> wider Internet community. This will likely include raw SQL dumps of
> the resulting certificate database.
> So, the question for the bikeshed discussion then is what should the
> default state of this collection be? Our thought is to provide
> HTTPS-Everywhere users with this dialog on first-run
> https://trac.torproject.org/projects/tor/wiki/HTTPSEverywhere/SSLObservatorySubmission#ClientUIandconfigurationVariables
> However, I'm not sure that this is going to work for Tor Browser
> Bundle users (which ships with HTTPS Everywhere) who may have the TBB
> on readonly USB keys or live cds.  They may end up being asked each
> time they start.
> Is this a decent compromise? The other option is to not even bother to
> ask users who have a working tor installed, on the assumption that
> since we can submit certs through tor, it is always safe to do so. We
> may end up doing this instead of always asking them. Is this wrong? If
> so, why?

Someone running this (SSLObservatorySubmission) in a non-public network
(i.e. an internal corporate network) with Internet access will probably
disclose internal hostnames including IP addresses, if that is the case
I would identify this as an issue. What do you think about it?

btw: sorry for my late reply to this topic, but it was still 'unread'
till now on my side.

tor-talk mailing list