[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Hints and Tips for Whistleblowers - their comments on Tor and SSL - I don't understand.



Thus spake Seth David Schoen (schoen@xxxxxxx):

> > Hi,
> > I don't understand, too and in my opinion, this is utter nonsense. I'm
> > not aware of any negative impacts on privacy due to the usage of
> > https://,
> 
> Session resumption can be used to recognize an individual browser
> that connects from different IP addresses, or even over Tor.  This
> kind of recognition can be perfect because the resumption involves
> a session key which is large, random, and could not legitimately
> have been known to any other browser. :-(

This is not true if the user is using Torbutton. See the paragraph
about security.enable_ssl2 in:
https://www.torproject.org/torbutton/en/design/#browseroverlay

This hack causes us to clear all TLS session ID and resumption state.
It's bloody, but it works. Firefox has also created an official API
for us to do this the "right" way that we will begin using in 1.2.6:
https://trac.torproject.org/projects/tor/ticket/1624

Torbutton also has code to isolate custom stored client and server
certificates, but this code tends to crash Firefox because of
refcounting issues in the TLS cert manager, so it is disabled by
default. We're waiting on this bug to be fixed to enable it:
https://bugzilla.mozilla.org/show_bug.cgi?id=435159


In other words, like we do with everything else, we have spent quite a
bit of effort in dealing with TLS privacy issues, and the
"Whistleblower howto" link in question is almost 100% nonsense that
the author seemingly made up on the spot based on incorrect
assumptions that they didn't bother to verify or investigate...


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs

Attachment: pgpUl974HcbKd.pgp
Description: PGP signature