[tor-bugs] #7189 [Tor]: Disabling TLS tickets makes us look unlike firefox
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Tue Oct 23 15:23:36 UTC 2012
#7189: Disabling TLS tickets makes us look unlike firefox
----------------------------+-----------------------------------------------
Reporter: nickm | Owner:
Type: defect | Status: new
Priority: major | Milestone: Tor: 0.2.3.x-final
Component: Tor | Version:
Keywords: tor-client tls | Parent:
Points: | Actualpoints:
----------------------------+-----------------------------------------------
Comment(by nickm):
Replying to [comment:1 arma]:
> Replying to [ticket:7189 nickm]:
> > This is a nontrivial decision to make. If a client says that it
> > supports TLS tickets, and it is talking to an older Tor server that hasn't
> > disabled them, it will get degraded PFS. But if a client doesn't say it
> > supports TLS tickets, it will apparently be more distinguishable.
>
> I'm not too worried about older Tors -- they will become more scarce
> over time.
So the question is whether they should be allowed to delay clients
getting good fast PFS. If we keep tickets out of client connections, then
clients who have a new Tor get fast PFS on 100% of their TLS connections
right away; and other clients get PFS on U of their TLS connections, where
U is the fraction of Tor nodes that have upgraded. Node-to-node TLS has
PFS with probability 1-(1-U)^2.
But if we put tickets back in Tor servers, then all clients get fast PFS
on U of their TLS connections, and node-to-node TLS has PFS with
probability U.
One other option to think about is to make this change, but make it later,
once more servers have upgraded. We can't make this change in a consensus
parameter, though, since that would force us to change our behavior on the
fly.
We could probably help the network by having relays turn tickets off
unconditionally, so that node-to-node TLS gets fast PFS if either peer is
upgraded.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7189#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
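The two policies nickm compares above can be checked with a small model. This is an added example, not code from the ticket or from Tor itself; it assumes the simplification that a connection loses fast PFS only when the TLS client advertises session tickets and the TLS server goes along with them, and that a non-upgraded Tor does both. The policy names and function names are illustrative.

```python
"""Model of session-ticket policy vs. forward secrecy for the #7189 discussion.

Assumed model (not from the ticket): ticket resumption, and the degraded PFS it
brings, happens only when the initiator offers tickets AND the responder accepts
them. A non-upgraded Tor offers and accepts; an upgraded Tor follows the policy.
"""
from dataclasses import dataclass
import itertools


@dataclass(frozen=True)
class Policy:
    # Does an upgraded Tor, acting as TLS client, advertise session tickets?
    upgraded_initiator_offers: bool
    # Does an upgraded Tor, acting as TLS server, accept/issue session tickets?
    upgraded_responder_accepts: bool


# "Keep tickets out of client connections": upgraded Tor never offers or accepts.
NO_TICKETS = Policy(upgraded_initiator_offers=False, upgraded_responder_accepts=False)
# "Put tickets back" on the client side to look like Firefox; servers still reject.
FIREFOX_LIKE = Policy(upgraded_initiator_offers=True, upgraded_responder_accepts=False)


def has_fast_pfs(policy, initiator_upgraded, responder_upgraded):
    """True if a single TLS connection gets fast PFS under this policy."""
    offers = policy.upgraded_initiator_offers if initiator_upgraded else True
    accepts = policy.upgraded_responder_accepts if responder_upgraded else True
    return not (offers and accepts)


def client_pfs_fraction(policy, u, client_upgraded):
    """Fraction of a client's TLS connections with fast PFS, given that a
    fraction u of relays has upgraded."""
    return (u * has_fast_pfs(policy, client_upgraded, True)
            + (1 - u) * has_fast_pfs(policy, client_upgraded, False))


def relay_pfs_probability(policy, u):
    """Probability that a node-to-node TLS connection has fast PFS, enumerating
    the four upgraded/not-upgraded combinations of the two peers."""
    total = 0.0
    for init_up, resp_up in itertools.product((True, False), repeat=2):
        weight = (u if init_up else 1 - u) * (u if resp_up else 1 - u)
        total += weight * has_fast_pfs(policy, init_up, resp_up)
    return total


if __name__ == "__main__":
    for u in (0.1, 0.5, 0.9):
        print(f"U={u:.1f}  no-tickets: new client {client_pfs_fraction(NO_TICKETS, u, True):.2f}, "
              f"old client {client_pfs_fraction(NO_TICKETS, u, False):.2f}, "
              f"relay {relay_pfs_probability(NO_TICKETS, u):.2f} | "
              f"firefox-like: client {client_pfs_fraction(FIREFOX_LIKE, u, True):.2f}, "
              f"relay {relay_pfs_probability(FIREFOX_LIKE, u):.2f}")
```

Under these assumptions the model reproduces the figures in the comment: with tickets kept out of client connections, a new client gets fast PFS on every connection, an old client on a fraction U, and relay-to-relay on 1-(1-U)^2; with the Firefox-like client behaviour both the client and relay-to-relay figures drop to U, because only the responder's upgrade status matters.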