
Re: [tor-talk] How evil is TLS cert collection?

Thus spake Robert Ransom (rransom.8774@xxxxxxxxx):

> On Tue, 21 Jun 2011 11:20:07 -0700
> Mike Perry <mikeperry@xxxxxxxxxx> wrote:
> > 2. User has private network on RFC 1918 space, yet uses an HTTP proxy
> > to access it (which means we can't tell that it is private IP space).
> > Said user is also using TLS certs signed by a public trusted root CA.
> > This config is less weird, and detectable by us. It makes me think we
> > should handle this user specially somehow?
> This could occur with a SOCKS proxy, too (such as that run by
> "ssh -D"), since there is no standard way to ask a SOCKS proxy to
> resolve a hostname to an IP address.  (Tor allows this using a
> non-standard extension to SOCKS.)

Ugh, sorry. You've said this a couple times now, but each time I had
assumed that when OpenSSH added SOCKS4A+5, they also added this
extension. Turns out you are right, they did not. You still can't do
resolutions, so this type of SOCKS proxy is the same as an HTTP Proxy
in that respect. Ugh.

> > > To give users the possibility to contribute while preventing leaks for
> > > specific domains they are concerned it would be great if the submission
> > > addon would have a blacklist feature where one could say
> > > never submit anything for  *.example.com.
> > 
> > This seems to be a reasonable option to me. I've added this to our
> > spec page above.
> > 
> > But is there a better option? Do you think it might be likely that
> > either of these users will disable OCSP for these certs, or otherwise
> > indicate anything about these public-yet-private certs that we can
> > detect in their config?
> There is no better option than a user-specified domain blacklist.  Any
> attempt to automatically detect these private certificates and avoid
> submitting them will defeat the most important purpose of the
> distributed SSL observatory project: detecting SSL MITM attacks.

Yes, the added attack potential worries me too. Does this tradeoff
mean we should turn on "[ ] Check/submit certificates for private DNS
domains" by default? I think it might.

The answer depends on if we prioritize providing protection over
automatically withholding info that may be private. It is my feeling
that since this feature is meant to be opt-in, we should prioritize

Mike Perry
Mad Computer Scientist
fscked.org evil labs
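
The submission decision discussed in this thread, as an added example that is not part of the original message and not the add-on's own code. All function and option names are hypothetical; `submitPrivate` stands in for the "Check/submit certificates for private DNS domains" checkbox (applied here to RFC 1918 addresses), and treating `*.example.com` as also covering `example.com` is an assumption.

```javascript
// Added example: submission decision for a certificate-reporting add-on.
// All names here (shouldSubmit and its option fields) are hypothetical.

// True if host is covered by a pattern such as "*.example.com" or "example.com".
// Assumption: "*.example.com" also covers the bare "example.com" (fail closed).
function matchesPattern(host, pattern) {
  const h = host.toLowerCase().replace(/\.$/, '');
  const p = pattern.toLowerCase();
  if (!p.startsWith('*.')) return h === p;
  const base = p.slice(2);
  return h === base || h.endsWith('.' + base);
}

// True if ip is a dotted-quad IPv4 address inside RFC 1918 space.
function isRfc1918(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return false;
  if (m.slice(1).some((o) => Number(o) > 255)) return false;
  const [a, b] = [Number(m[1]), Number(m[2])];
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// resolvedIp is null when a proxy (HTTP, or SOCKS given only the hostname)
// hides the destination address from the client.
function shouldSubmit(host, { blacklist = [], resolvedIp = null, submitPrivate = false } = {}) {
  // The user's blacklist always wins, whatever else is known.
  if (blacklist.some((p) => matchesPattern(host, p))) {
    return { submit: false, reason: 'user-blacklist' };
  }
  if (resolvedIp === null) {
    // Cannot tell whether the address is private: only the blacklist protects.
    return { submit: true, reason: 'address-unknown' };
  }
  if (isRfc1918(resolvedIp)) {
    return { submit: submitPrivate, reason: 'rfc1918' };
  }
  return { submit: true, reason: 'public' };
}
```

With `resolvedIp` set to `null` the RFC 1918 check never runs, which is the proxy case from the thread: the user-specified blacklist is then the only thing keeping a private certificate from being submitted.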


tor-talk mailing list