[tor-dev] Proposal 195: TLS certificate normalization for Tor 0.2.4.x
George Kadianakis
desnacked at riseup.net
Sat Mar 10 01:18:30 UTC 2012
Robert Ransom <rransom.8774 at gmail.com> writes:
> On 2012-03-10, George Kadianakis <desnacked at riseup.net> wrote:
>> Nick Mathewson <nickm at freehaven.net> writes:
>>
>>> Filename: 195-TLS-normalization-for-024.txt
>>> Title: TLS certificate normalization for Tor 0.2.4.x
>>> Author: Jacob Appelbaum, Gladys Shufflebottom, Nick Mathewson, Tim Wilde
>>> Created: 6-Mar-2012
>>> Status: Draft
>>> Target: 0.2.4.x
>>>
>>> <snip>
>>>
>>> 2. TLS handshake issues
>>>
>>> 2.1. Session ID.
>>>
>>> Currently we do not send an SSL session ID, as we do not support
>>> session
>>> resumption. However, Apache (and likely other major SSL servers) do
>>> have
>>> this support, and do send a 32 byte SSLv3/TLSv1 session ID in their
>>> Server
>>> Hello cleartext. We should do the same to avoid an easy fingerprinting
>>> opportunity. It may be necessary to lie to OpenSSL to claim that we
>>> are
>>> tracking session IDs to cause it to generate them for us.
>>>
>>> (We should not actually support session resumption.)
>>>
>>
>> This is a nice idea, but it opens us to the obvious active attack of
>> Them checking if a host *actually* supports session resumption or if
>> it's faking it.
>>
>> What is the reason we don't like session resumption? Does it still
>> makes sense to keep it disabled even after #4436 is implemented?
>
> Session resumption requires keeping some key material around after a
> TLS connection is closed, thereby possibly denting Tor's link-protocol
> forward secrecy if a bridge/relay is compromised soon after a
> connection ends.
>
IIRC stateless TLS session resumption does not quire keeping key
material. The required key material are all stored on the client side.
More information about the tor-dev
mailing list