Re: [tor-talk] How evil is TLS cert collection?

Thus spake Robert Ransom (rransom.8774@xxxxxxxxx):

> On Tue, 22 Mar 2011 21:19:46 -0700
> Mike Perry <mikeperry@xxxxxxxxxx> wrote:
> > Yeah, we need to start issuing requests for the IP, because the DNS
> > request itself is an anonymity set fragmentation issue (since it won't
> > go to the enclave, but will be mixed with other tor traffic). The EFF
> > says using the IP for submission should be doable: the IP address they
> > plan to use should be stable in the medium term.
> Will you be able to get a certificate valid for that IP address (rather
> than hostname)?

Supposedly some CAs will sign certs for IPs. We can alternatively
distribute a self-signed cert with the xpi and install it
pragmatically. Not sure which route to take. The latter is more
secure, but the cert will show up in the user's "trusted certs" window
in Firefox, which may or may not bother people.

Mike Perry
Mad Computer Scientist
fscked.org evil labs

tor-talk mailing list