xxx-draft-spec-for-TLS-normalization.txt

Jacob Appelbaum jacob at appelbaum.net
Wed Feb 2 16:48:26 UTC 2011


On 02/02/2011 05:34 AM, Bjarni Rúnar Einarsson wrote:
> Hi all!
> 
> (Hopefully this threads correctly, I copy-pasted the subject from the web,
> as I just subscribed and had no messages to reply to.)
> 
> I wanted to chime in and mention one advantage of using a non-random,
> predictable name for the certificate in the TLS handshake: leveraging TLS
> name-based virtual hosting to coexist with normal TLS-web servers.
> 
> Currently, the operator of a Tor entry node has to choose between running
> Tor on port 443, or running a normal HTTPS server. If you make the TLS cert
> name predictable (at least the name requested in the SNI header of the
> incoming request), then it becomes possible to use name-based virtual
> hosting tech to allow Tor and a regular HTTPS server to coexist on the same
> IP and the same port.
> 
> Software supporting this already exists: my pagekite.py front-end
> proxy/tunnel already does name-based proxying of TLS traffic (it doesn't
> terminate the TLS tunnel, just routes the stream to a back-end based on the
> SNI data in the handshake), the only reason I can't use it unmodified to
> route Tor connections is because of the random certificate names. I tried to
> start a discussion about the pros and cons of using Pagekite for this on
> or-talk a few weeks ago, following up on a suggestion from Linus Nordberg at
> FSCONS, but didn't get many takers. :-)
> 
> Presumably the main benefit of this would be to further hiding the Tor
> traffic. Not only can the entry node look like an HTTPS web server, it can
> *be* a normal HTTPS web server serving live web traffic. A secondary benefit
> would be making all the boxes currently serving HTTPS traffic into potential
> Tor entry nodes.
> 

Hi Bjarni!

Is there any reason that you can't route SSL/TLS traffic to Tor for all
non-SNI requests? Another thing that might work is knowing that all Tor
certificates currently end in .net. So while they're random, it's
certainly possible to know when someone explicitly wants to reach a
different server you certainly know about and isn't in your allowed
lookup table. Anything else can be routed to Tor.

Older clients without SNI will of course have issues and all be routed
to Tor but perhaps this can be documented - surely some people will
still use it?

All the best,
Jake



More information about the tor-dev mailing list