On 08/11/11 07:55, Jérémy Bobbio wrote:
On Tue, Nov 08, 2011 at 12:46:45AM +0100, George Kadianakis wrote:
Tor clients who use bridges and want to pin their SSL certificates must specify the bridge's SSL certificate fingerprint as in:
    Bridge 12.34.56.78 shared_secret=934caff420aa7852b855 \
        link_cert_fpr=38b0712e90bed729df81f2a22811d3dd89e91406d2522f4482ae4079e5245187
This starts to look like a lot of numbers. The kind that will be hard to hand out on paper without making a mistake…
In another thread (admittedly the wrong thread), there was brief discussion around the idea of using some sort of covert challenge/response handshake where the bridge proved that it knew the connection's SSL fingerprint. This would avoid having to distribute the fingerprint itself. George had some concerns about this but it wasn't clear whether he was intending to write the idea off entirely or whether there was room to explore it further.
Julian
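
The challenge/response idea mentioned in the message above, sketched as an added example that is not part of the thread or of any Tor proposal: the bridge MACs a client nonce together with the fingerprint of the certificate it serves, and the client recomputes the MAC over the certificate its own TLS connection presented. The HMAC construction, the label, the SHA-256-over-DER fingerprint and all function names are assumptions, and the covert framing of the exchange is not modelled.

```python
import hashlib
import hmac
import os

LABEL = b"bridge-link-cert-proof"  # hypothetical domain-separation label


def fingerprint(cert_der: bytes) -> bytes:
    """SHA-256 over the DER certificate (assumed fingerprint definition)."""
    return hashlib.sha256(cert_der).digest()


def prove(shared_secret: bytes, nonce: bytes, cert_der: bytes) -> bytes:
    """Bridge side: MAC the client's nonce with the bridge's own link certificate."""
    msg = LABEL + nonce + fingerprint(cert_der)
    return hmac.new(shared_secret, msg, hashlib.sha256).digest()


def verify(shared_secret: bytes, nonce: bytes, seen_cert_der: bytes, proof: bytes) -> bool:
    """Client side: recompute over the certificate this TLS connection presented."""
    expected = prove(shared_secret, nonce, seen_cert_der)
    return hmac.compare_digest(expected, proof)


def simulate(intercepted: bool) -> bool:
    """Return True if the client accepts the link. Certificates are constructed."""
    secret = bytes.fromhex("934caff420aa7852b855")  # shared_secret from the Bridge line
    bridge_cert = b"constructed DER bytes: bridge link certificate"
    middle_cert = b"constructed DER bytes: interceptor certificate"
    nonce = os.urandom(32)  # fresh per connection, so old proofs cannot be replayed
    # The bridge always answers about the certificate it actually serves.
    proof = prove(secret, nonce, bridge_cert)
    # Under interception the client's TLS session ends at a different certificate,
    # so a relayed proof no longer matches what the client saw.
    seen = middle_cert if intercepted else bridge_cert
    return verify(secret, nonce, seen, proof)


if __name__ == "__main__":
    print("direct link accepted:", simulate(False))
    print("intercepted link accepted:", simulate(True))
```

The client needs only the short shared secret in advance; the 64-hex-digit fingerprint is derived from the live connection instead of being copied by hand.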