Re: Thandy attacks / suggestions
- To: or-dev@xxxxxxxxxxxxx
- Subject: Re: Thandy attacks / suggestions
- From: coderman <coderman@xxxxxxxxx>
- Date: Mon, 8 Dec 2008 11:25:49 -0800
- In-reply-to: <20081208011442.GE6497@xxxxxxxxxxxxxx>
- References: <20081208011442.GE6497@xxxxxxxxxxxxxx>
- Reply-to: or-dev@xxxxxxxxxxxxx
- Sender: owner-or-dev@xxxxxxxxxxxxx
On Sun, Dec 7, 2008 at 5:14 PM, Roger Dingledine <arma@xxxxxxx> wrote:
> ...
> 1) Apparently python's urllib doesn't check SSL certs or cert chains.
> ... His suggested fix was to ship our SSL cert with the updater;
how critical is https given the signature checking on the files
downloaded? it looks like M2crypto or $something would be needed to
do SSL/https correctly. but M2crypto is somewhat dated and big...
(how does shipping the cert help, if urllib still doesn't validate correctly?)
> C) We should stop letting every mirror serve the timestamp file, but
> instead serve it from a smaller more trusted subset of the mirrors
> ... I'm not sure how big a change this is
> from the spec, which says:
> Every mirror is a copy of some or all of the directory hierarchy
> containing at least the /meta, /bundles/, and /pkginfo directories.
what if clients only download that particular file from the (more)
trusted set? or should the confusion of a timestamp on a mirror where
it will never be requested be avoided?
best regards,
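The two checks discussed above (validating the server's certificate chain instead of trusting whatever urllib returns, and verifying the downloaded file itself before use) in modern Python, as an added example that is not part of this thread or of Thandy's own code. It assumes Python 3's `ssl` and `urllib.request` modules, which validate certificates by default since Python 3.4.3 (PEP 476), unlike the Python 2 urllib being discussed; the optional `cafile` argument stands in for the "ship our cert with the updater" idea (the path and the expected digest are placeholders, not values from the project):

```python
# Added example (not from the thread or from Thandy): fetch an update file over
# HTTPS with certificate validation and check its digest before using it.
import hashlib
import hmac
import ssl
import urllib.request


def make_verified_context(cafile=None):
    """Return a TLS context that requires a valid chain and a hostname match.

    cafile: optional path to a CA bundle shipped with the updater (assumption:
    the project ships such a file); None means the platform trust store.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    # Fail closed: the legacy (Python 2) urllib skipped both of these checks.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def fetch(url, ctx, timeout=30):
    """Download url; raises ssl.SSLCertVerificationError on a bad cert/chain."""
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read()


def verify_digest(data, expected_hex):
    """Constant-time comparison of SHA-256(data) against an expected hex digest,
    e.g. one taken from signed metadata (the signed-file check the thread says
    the updater already performs)."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


def fetch_checked(url, expected_hex, cafile=None):
    """Transport check (TLS) and content check (digest) together; either failing
    aborts the update rather than silently using the file."""
    data = fetch(url, make_verified_context(cafile))
    if not verify_digest(data, expected_hex):
        raise ValueError("digest mismatch for %s" % url)
    return data


if __name__ == "__main__":
    # Offline demonstration with constructed data; no network access needed.
    sample = b"bundle contents (constructed sample)"
    good = hashlib.sha256(sample).hexdigest()
    print(verify_digest(sample, good), verify_digest(sample, "00" * 32))
    # Real use (placeholder URL/digest, not project values):
    # fetch_checked("https://mirror.example/bundles/x.tar.gz", good,
    #               cafile="/path/to/shipped-ca.pem")
```

Note that shipping a CA file only helps if the client actually passes it to a context that enforces `CERT_REQUIRED` and hostname checking, which is the point raised in the question about urllib above; with the content digest verified against signed metadata, TLS then protects the mirror list and timestamp freshness rather than the file contents themselves.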