On 05/10/16 21:09, Philipp Winter wrote:
> Web servers support ERP by advertising it in the "Tor-Exit-Pins" HTTP
> header. The header contains two directives, "url" and "max-age":
>
> Tor-Exit-Pins: url="https://example.com/pins.txt"; max-age=2678400
>
> The "url" directive points to the full policy, which MUST be HTTPS.
> Tor Browser MUST NOT fetch the policy if it is not reachable over
> HTTPS. Also, Tor Browser MUST abort the ERP procedure if the HTTPS
> certificate is not signed by a trusted authority. The "max-age"
> directive determines the time in seconds for how long Tor Browser
> SHOULD cache the ERP policy.

If I run a bad exit and intercept the user's first HTTP connection to the server, I can substitute the URL of a policy on my own server that permanently pins the user to my bad exit. Who cares if the policy has to be served over HTTPS, if I get to say where it's served from?

A couple of possible mitigations:

* Require the pin URL to have the same FQDN as the connection that supplies the header
* Forbid the pin header from being served over plain HTTP, and apply the same trusted certificate rules to the connection that supplies the header as the connection that supplies the policy (sites that want pinning can use HSTS to upgrade HTTP to HTTPS before serving the pin header)

Cheers,
Michael
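As an added illustration (not code from the thread or from the ERP proposal), the following Python parses a "Tor-Exit-Pins" header value of the quoted shape and then applies the two mitigations Michael suggests on the client side: the header only counts if it arrived over HTTPS, and the policy URL must be HTTPS with the same host as the origin that sent the header. The function names, the sample header and the "other-host.example" URL are constructed for this example; the real proposal specifies no client API.

```python
"""Parse a Tor-Exit-Pins header value and vet its policy URL.

Added example for the tor-dev discussion above; not part of the ERP proposal.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: the header value quoted in the thread, minus the field name.
SAMPLE_HEADER_VALUE = 'url="https://example.com/pins.txt"; max-age=2678400'

# One directive: name, "=", either a quoted string or a bare token, then ";" or end.
_DIRECTIVE_RE = re.compile(r'\s*([A-Za-z-]+)\s*=\s*(?:"([^"]*)"|([^;]*?))\s*(?:;|$)')


def parse_exit_pins(header_value):
    """Return {'url': str, 'max_age': int} or raise ValueError on a malformed header."""
    directives = {}
    for m in _DIRECTIVE_RE.finditer(header_value):
        name = m.group(1).lower()
        value = m.group(2) if m.group(2) is not None else m.group(3)
        if name in directives:
            # Two copies of a directive are a sign of tampering or a broken server; refuse.
            raise ValueError("duplicate directive: %s" % name)
        directives[name] = value
    if "url" not in directives or "max-age" not in directives:
        raise ValueError("header must carry both url and max-age")
    try:
        max_age = int(directives["max-age"])
    except ValueError:
        raise ValueError("max-age must be an integer number of seconds") from None
    if max_age < 0:
        raise ValueError("max-age must not be negative")
    return {"url": directives["url"], "max_age": max_age}


def policy_url_acceptable(policy_url, origin_host, origin_scheme):
    """Apply the two mitigations from the message. Returns (ok, reason).

    origin_host / origin_scheme describe the connection that delivered the
    header, so a header injected into a plain-HTTP response is rejected
    before the URL is even looked at.
    """
    if origin_scheme.lower() != "https":
        return False, "header delivered over plain HTTP; ignore it"
    parts = urlsplit(policy_url)
    if parts.scheme.lower() != "https":
        return False, "policy URL is not HTTPS"
    if not parts.hostname:
        return False, "policy URL has no host"
    if parts.hostname.lower() != origin_host.lower():
        return False, "policy host differs from the origin that sent the header"
    return True, "ok"


def evaluate_header(header_value, origin_host, origin_scheme):
    """Parse the header and vet the URL in one step; returns (ok, reason, parsed)."""
    parsed = parse_exit_pins(header_value)
    ok, reason = policy_url_acceptable(parsed["url"], origin_host, origin_scheme)
    return ok, reason, parsed


if __name__ == "__main__":
    # Legitimate case: header and policy both on example.com over HTTPS.
    print(evaluate_header(SAMPLE_HEADER_VALUE, "example.com", "https"))
    # The scenario from the message: same header syntax, but the URL points elsewhere.
    print(evaluate_header('url="https://other-host.example/pins.txt"; max-age=2678400',
                          "example.com", "https"))
```

Under the first mitigation, an exit that rewrites only the `url` directive gains nothing, because the policy must come from the same host the user was already talking to; under the second, a header seen on a plain-HTTP response is discarded outright, which is what removes the first-connection substitution Michael describes.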
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev