Re: [tor-talk] How evil is TLS cert collection?
On Sat, 04 Jun 2011 12:37:14 +0200
tagnaq <tagnaq@xxxxxxxxx> wrote:
> >> Someone running this (SSLObservatorySubmission) in a non-public network
> >> (i.e. an internal corporate network) with Internet access will probably
> >> disclose internal hostnames including IP addresses, if that is the case
> >> I would identify this as an issue. What do you think about it?
> > We're going to try really hard to avoid this by default. See the first
> > two options in the client UI section under "advanced options":
> > https://trac.torproject.org/projects/tor/wiki/HTTPSEverywhere/SSLObservatorySubmission#ClientUIandconfigurationVariables
> These two options will prevent disclosure in many scenarios but I don't
> think it will avoid the problem in a common scenario (internal hosts use
> a valid FQDN and a valid cert).
> IP address and hostname (and cert.) of intranet-server1.example.com
> using a valid certificate *.example.com will be published even if the
> first two options in the "advanced options" are enabled. Is that correct?
> In such scenarios I'm not worried about the certificate being submitted
> but the hostname and IP address (domain and server_ip arguments).
> I'm not sure if I understand "private DNS domains" correctly.
> "[x] Do not check/submit certificates for private DNS domains"
> Are private DNS domains just non-existing TLDs? Something like
My understanding was that EFF would query DNS for a hostname, and if
the hostname does not exist, assume that it's private. (This should
scare you even more.)
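A client-side version of the "private DNS domain" filter discussed in this thread, as an added illustration that is not code from HTTPS Everywhere, the SSL Observatory or any poster: it runs the name-existence heuristic described in the reply locally (against a constructed resolver table, so nothing has to be sent to EFF to be checked) and adds a check on the server_ip argument, so that the intranet-server1.example.com case with a valid *.example.com cert is withheld rather than published. The resolver table, sample addresses and function names are assumptions.

```python
import ipaddress
from typing import Callable, Dict, Optional

# Constructed stand-in for what the client's own resolver returns.
# intranet-server1.example.com is a valid FQDN with a valid *.example.com
# cert (the thread's scenario), but it resolves only to a private address.
LOCAL_DNS: Dict[str, Optional[str]] = {
    "www.example.com": "93.184.216.34",           # public host (sample value)
    "intranet-server1.example.com": "10.0.0.5",   # internal host, RFC 1918
    "nonexistent.example.com": None,              # no record at all
}

def local_resolve(hostname: str) -> Optional[str]:
    """Hypothetical resolver hook; a real client would query DNS here."""
    return LOCAL_DNS.get(hostname)

def name_exists_heuristic(hostname: str,
                          resolve: Callable[[str], Optional[str]]) -> bool:
    """The check as understood in the thread: a hostname that does not
    resolve is assumed private and not submitted. Run on the client, so
    the hostname itself is never sent anywhere just to be classified."""
    return resolve(hostname) is not None

def is_private_address(ip: str) -> bool:
    """True for RFC 1918, loopback, link-local and reserved ranges."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_private or addr.is_loopback
            or addr.is_link_local or addr.is_reserved)

def should_submit(hostname: str, server_ip: str,
                  resolve: Callable[[str], Optional[str]] = local_resolve) -> bool:
    """Tightened filter (hypothetical): the (domain, server_ip) pair leaves
    the machine only if the name resolves AND the server address is not
    private. The name check alone lets intranet-server1.example.com through."""
    if not name_exists_heuristic(hostname, resolve):
        return False          # unknown name: treated as a private DNS domain
    if is_private_address(server_ip):
        return False          # valid FQDN, but an internal address: withhold
    return True

if __name__ == "__main__":
    for host, ip in (("www.example.com", "93.184.216.34"),
                     ("intranet-server1.example.com", "10.0.0.5")):
        print(host, "name-only:", name_exists_heuristic(host, local_resolve),
              "with ip check:", should_submit(host, ip))
```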