[tor-dev] xxx-draft-spec-for-TLS-normalization.txt

Tim Wilde twilde at cymru.com
Mon Feb 21 19:34:31 UTC 2011


On 2/21/2011 1:54 PM, Adam Langley wrote:
> "Internet Widgits Pty Ltd" is the OpenSSL default. "Hewlett-Packard
> Co." are JetDirect printers. "Fortinet Ltd." is some gateway
> manufacturer.
> 
> Tor doesn't have to pick a single type I believe. It could pick
> between some number of templates at first-run (although Fortinet tend
> to be 2048-bit and HP are 1024-bit).

Any time we define a single list of cert templates like this and choose
from among them, we're creating an easy set of items which can be
blocked.  As I mentioned in my earlier posting today [1], I strongly
doubt that an oppressive regime's censors are going to care if they
block JetDirect printers or home routers as collateral damage when
blocking Tor.  Even if they do, what does this actually gain us over
randomized organization names chosen from a large wordlist (or even
total gibberish)?

Any static list is going to, by definition, have to exist within the
source code, and thus will be very easy for an even moderately
determined censor to find.  If we're going to do that we had better be
doing it with something that we know will cause massive collateral
damage and thus would be much more likely to be avoided; I just don't
see that happening with any of these devices.

Regards,
Tim

[1] https://lists.torproject.org/pipermail/tor-dev/2011-February/000005.html

-- 
Tim Wilde, Senior Software Engineer, Team Cymru, Inc.
twilde at cymru.com | +1-630-230-5433 | http://www.team-cymru.org/