
Re: [tor-talk] New HTTP authorization attack

Thus spake Julie C (julie@xxxxxxx):

> On Tue, Aug 23, 2011 at 8:23 AM, Mike Perry <mikeperry@xxxxxxxxxx> wrote:
> >
> > <snip>
> >
> > SSL certificates are not isolated. They might never be. The SSL stack
> > is a nightmare.
> >
> >
> Mike, can you provide some specifics on how the SSL stack is a nightmare? I
> am working on development of an open source C-based libevent2-based
> stand-alone SSL MiTM proxy but have not yet hit any of the ugly stuff.
> Pointers to information would also be appreciated.

I was referring to the integration of NSS with the rest of Firefox.
Based on my limited experience, NSS generally doesn't seem to like its
state munged around with. It sort of lives in its own world and the
interfaces to it are prone to race conditions and optimizations that
are built on the assumption that the current use case (one set of SSL
state for the entire browser) is the only desirable one.

But good luck on your sketch project. May the intermediate certs be
with you!

Mike Perry
Mad Computer Scientist
fscked.org evil labs


tor-talk mailing list