Hints and Tips for Whistleblowers - their comments on Tor and SSL - I don't understand.

Seth David Schoen schoen at eff.org
Thu Oct 28 00:43:30 UTC 2010


Mike Perry writes:

> Thus spake Seth David Schoen (schoen at eff.org):
> 
> > > Hi,
> > > I don't understand either, and in my opinion, this is utter nonsense. I'm
> > > not aware of any negative impacts on privacy due to the usage of
> > > https://,
> > 
> > Session resumption can be used to recognize an individual browser
> > that connects from different IP addresses, or even over Tor.  This
> > kind of recognition can be perfect because the resumption involves
> > a session key which is large, random, and could not legitimately
> > have been known to any other browser. :-(
> 
> This is not true if the user is using Torbutton. See the paragraph
> about security.enable_ssl2 in:
> https://www.torproject.org/torbutton/en/design/#browseroverlay

Sorry, I only wanted to point out that the use of HTTPS in general
does create this tracking mechanism (and that Tor and other
TCP-level proxies won't remove it by themselves).  Your thoroughness
in dealing with details like this is a tremendous argument for
always using Torbutton.

-- 
Seth Schoen
Senior Staff Technologist                         schoen at eff.org
Electronic Frontier Foundation                    https://www.eff.org/
454 Shotwell Street, San Francisco, CA  94110     +1 415 436 9333 x107
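
The linkage described in this message, as an added example that is not part of the original post: a Python model of a server-side session cache (no real TLS is performed; the class names, host name and IP addresses are constructed for illustration). It shows that a changed source address does not break the link between visits, while an emptied client session cache does.

```python
import secrets

class Server:
    """Models only the server-side TLS session cache (no real cryptography)."""
    def __init__(self):
        self.cache = {}  # session_id -> source IPs seen presenting that session

    def handshake(self, source_ip, offered_id=None):
        """Return (session_id, resumed, ips_linked_to_this_session)."""
        if offered_id in self.cache:
            # Resumption: the ID is large and random, so a match can only
            # come from the browser that was originally issued it.
            self.cache[offered_id].append(source_ip)
            return offered_id, True, list(self.cache[offered_id])
        new_id = secrets.token_bytes(32)  # full handshake issues a fresh ID
        self.cache[new_id] = [source_ip]
        return new_id, False, [source_ip]

class Browser:
    """Models a client that keeps a per-host TLS session cache."""
    def __init__(self):
        self.sessions = {}  # host -> session_id

    def connect(self, host, server, source_ip):
        # The cached session ID is offered regardless of the network path used.
        sid, resumed, linked = server.handshake(source_ip, self.sessions.get(host))
        self.sessions[host] = sid
        return resumed, linked

    def clear_session_cache(self):
        """Client-side mitigation: forget every resumable session."""
        self.sessions.clear()

def demo():
    server, browser = Server(), Browser()
    host = "site.example"  # constructed host name
    first = browser.connect(host, server, "192.0.2.10")      # direct connection
    second = browser.connect(host, server, "198.51.100.7")   # same browser via a proxy exit
    browser.clear_session_cache()
    third = browser.connect(host, server, "203.0.113.99")    # after clearing the cache
    return first, second, third

if __name__ == "__main__":
    for resumed, linked in demo():
        print("resumed" if resumed else "full handshake", linked)
```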