Re: Bridge scanning resistance

On Thu, Mar 19, 2009 at 05:28:13AM -0400, Gregory Maxwell wrote:
> People are unlikely to spend $$ to give their fake https sites real ca
> signed certs. It's easy to test for, impossible to fake, and given how
> the browser vendors handle self signed certs someone could claim they
> are trying to defeat security risks by blocking self signed
> webservers.

I've seen quite a number of legit sites with self-signed certs.
It could be the case that the operator of the site is a hobbyist,
and short on cash. For example, I seriously considered using a
self-signed cert for my https://www.mangrin.org remailer web
page, although I ultimately went with cacert.org's free offering.

> So I would guess that would put an upper limit on the level of disguise
> the common node would get. The ability to multiplex with a real ca
> signed https server might allow a few nodes to achieve better cover.

If bridges could produce an Apache "It works!" page along with a
self-signed cert, it'd look like someone testing their web server.
One challenge would be making that cert look like something
generated from the OpenSSL command line tools.

Christopher Davis
Mangrin Remailer Admin
PGP: 0x0F8DA163