
Re: Bridge scanning resistance



On Thu, Mar 19, 2009 at 05:28:13AM -0400, Gregory Maxwell wrote:
> People are unlikely to spend $$ to give their fake https sites real CA
> signed certs. It's easy to test for, impossible to fake, and given how
> the browser vendors handle self signed certs someone could claim they
> are trying to defeat security risks by blocking self signed
> webservers.
>

I've seen quite a number of legit sites with self-signed certs.
It could be the case that the operator of the site is a hobbyist,
and short on cash. For example, I seriously considered using a
self-signed cert for my https://www.mangrin.org remailer web
page, although I ultimately went with cacert.org's free offering.

> So I would guess that would put an upper limit on the level of disguise
> the common node would get. The ability to multiplex with a real CA
> signed https server might allow a few nodes to achieve better cover.
>

If bridges could produce an Apache "It works!" page along with a
self-signed cert, it'd look like someone testing their web server.
One challenge would be making that cert look like something
generated from the OpenSSL command line tools.

--
Christopher Davis
Mangrin Remailer Admin
PGP: 0x0F8DA163