[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #9767 [Tor]: Implement proposal 222: Eliminate client timestamps in Tor

Subject: Re: [tor-bugs] #9767 [Tor]: Implement proposal 222: Eliminate client timestamps in Tor
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Fri, 20 Sep 2013 05:30:06 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 20 Sep 2013 01:30:18 -0400
In-reply-to: <045.791d2b02fdbab776ef65ae72ba872e0f@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
References: <045.791d2b02fdbab776ef65ae72ba872e0f@xxxxxxxxxxxxxx>
Reply-to: tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#9767: Implement proposal 222: Eliminate client timestamps in Tor
-------------------------+-------------------------------------------------
     Reporter:  nickm    |      Owner:
         Type:  defect   |     Status:  needs_review
     Priority:  major    |  Milestone:  Tor: 0.2.4.x-final
    Component:  Tor      |    Version:
   Resolution:           |   Keywords:  tor-client fingerprinting time
Actual Points:           |  prop222
       Points:           |  Parent ID:
-------------------------+-------------------------------------------------

Comment (by nickm):

 Replying to [comment:7 andrea]:
 > Further thought on TLS/SSL timestamps: if NSA can MITM the connection
 and forge a server certificate with an expiration date of their choice,
 and the client strictly tests the expiration date against the local clock,
 then whether the client continues the handshake also leaks information
 about clock skew.  The client is probably fucked regardless in that case,
 but in the NAT/mobile client scenario under discussion it is a capability
 beyond just what the MITM alone would give them.

 Sure; for this patch, I'm not hypothesizing a fast cheap RSA1024-breaker,
 but a simple time-recorder.  We should defend against the former too (see
 proposal 220), but the latter is easier to exploit, and simpler to fix, I
 think?

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9767#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

References:
- [tor-bugs] #9767 [Tor]: Implement proposal 222: Eliminate client timestamps in Tor
  - From: Tor Bug Tracker & Wiki

Prev by Author: Re: [tor-bugs] #9767 [Tor]: Implement proposal 222: Eliminate client timestamps in Tor
Next by Author: Re: [tor-bugs] #9767 [Tor]: Implement proposal 222: Eliminate client timestamps in Tor
Previous by thread: Re: [tor-bugs] #9767 [Tor]: Implement proposal 222: Eliminate client timestamps in Tor
Next by thread: Re: [tor-bugs] #9767 [Tor]: Implement proposal 222: Eliminate client timestamps in Tor
Index(es):
- Author
- Thread