[tor-talk] CA signed SSL bad for censorship resistance?
Seth David Schoen
schoen at eff.org
Fri Dec 12 20:57:01 UTC 2014
Miles Richardson writes:
> Has there been any research into the effect that CA signed SSL certs
> on .onion services have on the ability of Tor to circumvent censorship
> authorities? Is it possible there could be some leakage to the certificate
> authority that could be picked up by an ISP?
There's definitely a privacy issue about some sites because some
browsers may contact the CA's OCSP responder (mentioning which cert
they've just encountered).
https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol
The Tor Browser design document currently says:

    We have verified that these settings and patches properly proxy HTTPS,
    OCSP, HTTP, FTP, gopher (now defunct), DNS, SafeBrowsing Queries,
    all JavaScript activity, including HTML5 audio and video objects,
    addon updates, wifi geolocation queries, searchbox queries, XPCOM
    addon HTTPS/HTTP activity, WebSockets, and live bookmark updates. We
    have also verified that IPv6 connections are not attempted, through
    the proxy or otherwise (Tor does not yet support IPv6). We have also
    verified that external protocol helpers, such as smb urls and other
    custom protocol handlers are all blocked.
So, when OCSP queries to the CA happen, they should also be sent over Tor.
Sites can help reduce the incidence of OCSP queries by implementing OCSP
stapling:
https://en.wikipedia.org/wiki/OCSP_stapling
--
Seth Schoen <schoen at eff.org>
Senior Staff Technologist https://www.eff.org/
Electronic Frontier Foundation https://www.eff.org/join
815 Eddy Street, San Francisco, CA 94109 +1 415 436 9333 x107
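The OCSP stapling the message recommends is a server-side setting. The following is an added example of how a site operator would enable it in nginx; it is not part of the original post and is not configuration from the Tor Project or EFF. The hostname, certificate paths and resolver address are assumptions.

```nginx
# Added example (not from the original post): nginx TLS server block with
# OCSP stapling enabled. The server fetches the CA's OCSP response itself,
# caches it, and hands it to the client inside the TLS handshake, so a
# browser that honours the stapled response has no reason to contact the
# CA's OCSP responder on its own.
# Hostname, certificate paths and resolver address are assumptions.

server {
    listen 443 ssl;
    server_name example.onion;   # assumed name; applies to any HTTPS host

    ssl_certificate     /etc/ssl/example/fullchain.pem;   # leaf + intermediates (assumed path)
    ssl_certificate_key /etc/ssl/example/privkey.pem;     # assumed path

    # Without this line clients that check revocation must query the CA's
    # responder named in the certificate's AIA extension themselves.
    ssl_stapling on;

    # Have nginx validate the stapled response against the issuer chain
    # before serving it, so a bad or unsigned response is dropped rather
    # than passed on to clients.
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/example/chain.pem;   # issuer chain (assumed path)

    # nginx needs a resolver to look up the OCSP responder's hostname when
    # it refreshes the cached response. The address is an assumption.
    resolver 127.0.0.1 valid=300s;
    resolver_timeout 5s;
}
```

To confirm stapling is actually being served, an operator can run `openssl s_client -connect HOST:443 -servername HOST -status </dev/null` against the site and look for an "OCSP Response Status: successful" line in the output; "OCSP response: no response sent" means the server is not stapling, typically because the resolver or trusted chain is wrong or nginx has not yet completed its first fetch after startup. Note that stapling moves the OCSP fetch from every visiting client to the web server itself, which is what removes the client-side query the original question is concerned about.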