Hints and Tips for Whistleblowers - their comments on Tor and SSL - I don't understand.
Seth David Schoen
schoen at eff.org
Thu Oct 28 00:43:30 UTC 2010

Mike Perry writes:
> Thus spake Seth David Schoen (schoen at eff.org):
>
> > > Hi,
> > > I don't understand either, and in my opinion, this is utter nonsense. I'm
> > > not aware of any negative impacts on privacy due to the usage of
> > > https://,
> >
> > Session resumption can be used to recognize an individual browser
> > that connects from different IP addresses, or even over Tor. This
> > kind of recognition can be perfect because the resumption involves
> > a session key which is large, random, and could not legitimately
> > have been known to any other browser. :-(
>
> This is not true if the user is using Torbutton. See the paragraph
> about security.enable_ssl2 in:
> https://www.torproject.org/torbutton/en/design/#browseroverlay

Sorry, I only wanted to point out that the use of HTTPS in general
does create this tracking mechanism (and that Tor and other
TCP-level proxies won't remove it by themselves). Your thoroughness
in dealing with details like this is a tremendous argument for
always using Torbutton.
--
Seth Schoen
Senior Staff Technologist schoen at eff.org
Electronic Frontier Foundation https://www.eff.org/
454 Shotwell Street, San Francisco, CA 94110 +1 415 436 9333 x107
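
An added example, not part of the original message: a check a user could run over ClientHello records captured from their own browser to see whether it offers the same session ID on different Tor circuits, which is the resumption identifier the thread describes. It assumes TLS 1.2-or-earlier framing; the circuit labels, the session ID and the sample records are constructed.

```python
import struct

def client_hello_session_id(record: bytes) -> bytes:
    """Return the session_id a TLS <=1.2 ClientHello record offers for resumption."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # client_version (2 bytes) + random (32 bytes), then a 1-byte session_id length
    if len(hello) < 35:
        raise ValueError("truncated ClientHello")
    sid_len = hello[34]
    if sid_len > 32 or len(hello) < 35 + sid_len:
        raise ValueError("bad session_id length")
    return hello[35:35 + sid_len]

def linkable_connections(captures):
    """Map each non-empty session ID offered on more than one connection
    to the labels of the connections that offered it."""
    seen = {}
    for label, record in captures:
        sid = client_hello_session_id(record)
        if sid:  # an empty session_id means no resumption was attempted
            seen.setdefault(sid.hex(), []).append(label)
    return {sid: labels for sid, labels in seen.items() if len(labels) > 1}

def build_hello(session_id: bytes, rand: bytes) -> bytes:
    """Construct a minimal ClientHello record (sample data only)."""
    hello = b"\x03\x01" + rand + bytes([len(session_id)]) + session_id
    hello += b"\x00\x02\x00\x2f" + b"\x01\x00"  # one cipher suite, null compression
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs

# Constructed sample: the first connection does a full handshake, the next two
# offer the server-assigned session ID even though they use other circuits.
SID = bytes(range(32))
CAPTURES = [
    ("circuit-A", build_hello(b"", b"\x01" * 32)),
    ("circuit-B", build_hello(SID, b"\x02" * 32)),
    ("circuit-C", build_hello(SID, b"\x03" * 32)),
]

if __name__ == "__main__":
    print(linkable_connections(CAPTURES))
```

An empty result means no session ID was offered on more than one of the captured connections.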