[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] How evil is TLS cert collection?

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] How evil is TLS cert collection?
From: coderman <coderman@xxxxxxxxx>
Date: Sun, 20 Mar 2011 19:21:43 -0700
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sun, 20 Mar 2011 22:22:02 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=YtJ5A9eKH8phhDdQvXQUXC2hkXI/Z0tErKwiOIwnWgA=; b=PUomxughaPsOuOOChIq8fVepsY7F6KHBESyoFEcwBy/V+qPFrQpFsS8EU8gfVQME0d zeUacV55a8K+S/ZTmRNahTtAURiQuwxMEF7ITWB7ivWNQefGiD+uGGapaWuE61TtcFIW UjUmDf8RgT1s4U2yO75DRgrFLqweaPrC9qJZw=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=HptKJwN2eEEJSfo3x6cwUvzHxa+j4f/LLlDwKRpb+r3q8KYYgOGBOSI8Nt3eepAWaj 3VvZ9PGEcr5snDAqcydXC85aQ41GgdngZHxpU+gVxBUCgf6+9z/ESlu5O/atkFNKa7WG 6GVcEOtW5QAQjjOHxPGCeGo37618CaCmNVjxk=
In-reply-to: <20110321005806.GA15548@xxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "This mailing list is for all discussion about theory, design, and development of Onion Routing." <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <20110321005806.GA15548@xxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx

On Sun, Mar 20, 2011 at 5:58 PM, Mike Perry <mikeperry@xxxxxxxxxx> wrote:
> I've spent some time working with the EFF recently to build a
> distributed version of the SSL Observatory
> (https://www.eff.org/observatory) to be included with HTTPS
> Everywhere. The draft API and design sketch is here:
> https://trac.torproject.org/projects/tor/wiki/HTTPSEverywhere/SSLObservatorySubmission

cool!


> The brief summary is that it will be submitting rare TLS certificates
> through Tor to EFF for analysis and storage. We will also leverage the
> database of certificates to provide notification in the event of
> targeted MITM attacks**.
>
> I am trying to decide if this is a bad thing to enable by default for
> users.

if EFF was presented with a national security letter or other legal
demand under seal demanding the existence of a given certificate not
be exposed, would they be bound to not present a MITM alert for that
cert?

(said another way, could this potentially be a false sense of
security, if all trust for anomaly notification was placed in the EFF
alone?)
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] How evil is TLS cert collection?
  - From: Mike Perry

References:
- [tor-talk] How evil is TLS cert collection?
  - From: Mike Perry

Prev by Author: Re: [tor-talk] tor using SSH
Next by Author: Re: [tor-talk] how to install torrent tor
Previous by thread: [tor-talk] How evil is TLS cert collection?
Next by thread: Re: [tor-talk] How evil is TLS cert collection?
Index(es):
- Author
- Thread