[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Yet another OpenSSL vulnerability

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Yet another OpenSSL vulnerability
From: Aymeric Vitte <vitteaymeric@xxxxxxxxx>
Date: Thu, 05 Jun 2014 23:50:13 +0200
Delivered-to: archiver@xxxxxxxx
Delivery-date: Thu, 05 Jun 2014 17:58:33 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=qH1VUOwLiTqSDI4FCeQZh9Xv18H7/GrPOoNWL/3UY6I=; b=YMyHptWXQzjcUgMjgbRuXAd7KK1a7XFOi3ZrTNxKe3Vu9IJSoeZfVgfVjyalIkfBJY DkYIk+tIFf68vBGXEMYBetHEOliqdQri1Oru0YMTg7ZCUg2eN6oEFj0A6JlN1pGXiebf JMg6lMQar2kmz/hhLWU2cfZuD1D06ODnu+L13syUaoN4OzJYv0R9GePaTYbTxTpNWNRE YgP7kiGPnkszFiOnavezgW4JJonLU9tfBztdPyjSm8RiGRWmjRi3/vJA+nuwJZZYj6Ow 6NT30W89DdbPiYH3FR8wu5gty9g3Tm/mdPTtR2iRlTKFp946DH5NfukraGwjyuh2EC62 Tc7w==
In-reply-to: <CAKDKvuwEkdpZCOGiAY0Aaze5MMTVayCf5qSX2pDHJD=1JxFu4g@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <CAKDKvuwEkdpZCOGiAY0Aaze5MMTVayCf5qSX2pDHJD=1JxFu4g@xxxxxxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (Windows NT 6.3; rv:24.0) Gecko/20100101 Thunderbird/24.5.0


Le 05/06/2014 18:34, Nick Mathewson a écrit :

But a MITM attack of this kind could still help traffic
analysis, and likely other unexpected badness as well.

So let's ask the question : what's the absolute necessity of SSL/TLS inthe Tor protocol?

Self-signed certificates are used, the certs cells mechanism justinsures that you are talking to the one with whom you have negociatedthe TLS connection with.


But this one can be the MITM itself.

A bridge/first node, accessed via "clear" created_fast cell over SSL/TLScan be the MITM too.

It's not a big problem since in both cases they will not know whathappens next or what they are relaying.


Then, what SSL/TLS does really protect here?

You can disguise the SSL/TLS traffic with obfsproxy, but again what'sthe use of SSL/TLS if you need to hide it?

You need to hide it because it's SSL/TLS, easy to detect and block, thenwhy not using/hidding a non SSL/TLS traffic? Much more difficult to detect.


--
Peersm : http://www.peersm.com
node-Tor : https://www.github.com/Ayms/node-Tor
GitHub : https://www.github.com/Ayms

--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

References:
- [tor-talk] Yet another OpenSSL vulnerability
  - From: Nick Mathewson

Prev by Author: Re: [tor-talk] how to stream videos using Tor
Next by Author: Re: [tor-talk] Onionoo docs JSON parser?
Previous by thread: [tor-talk] Yet another OpenSSL vulnerability
Next by thread: [tor-talk] Blacklisting CVE-2014-0224 affected relays? (was: Yet another OpenSSL vulnerability)
Index(es):
- Author
- Thread