Aha. Let's see if I have the tor-dev address right at long long last. Apologies to Peter, who will have received more than one copy of this already.
(Apparently, I am told, the "lists." in tor-dev@lists.torproject.org is not optional.)
On Mon, Feb 21, 2011 at 12:52 PM, Nick Mathewson nickm@freehaven.net wrote:
On Sun, Feb 20, 2011 at 10:49 PM, Peter Gutmann pgut001@cs.auckland.ac.nz wrote:
Nick Mathewson nickm@freehaven.net writes:
Preliminary results suggest that there wasn't actually a crowd here: the reason that we switched the browser DH parameters in the most recent releases is that the old (standard!) primes were in fact blocked by at least one nation-level censor because we used them. It seems that in practice, if we want to blend with a crowd, we need to use the hardwired DH parameters from mod_ssl.
So the SSL handshake was blocked if you used the Oakley (RFC 2412) DH values?
Just the 1024-bit one, I would guess (the one in section E.2 of RFC2412, a.k.a. the one from RFC2409 section 6.2, a.k.a. Second Oakley Group). Or to be precise, we used to use that group, and then we were blocked, and when we changed to a different group, we weren't. It might be that they were blocking based on more than one factor, only one of which was the use of the prime in a TLS ephemeral DH handshake.
Is there a server in said location for which access gets blocked that I could test against? I'd love to try some variations on SSL handshakes to see what gets blocked and what doesn't.
The use in question was a client in the country trying to connect to a server outside the country, and the server providing this DH parameter value. I'll ask our contacts if they can get you shell access there.
On Mon, Feb 21, 2011 at 1:36 PM, Nick Mathewson nickm@freehaven.net wrote:
Aha. Let's see if I have the tor-dev address right at long long last. Apologies to Peter, who will have received more than one copy of this already.
I did a quick scan of a subset of the EFF Observatory data (where `subset' is defined as: I hit Ctrl-C after letting tar run for a while).
Selecting only self-signed certs and sorting by Organization, here are the counts:
<snip>
    691 Internet Widgits Pty Ltd
    757 NetKlass Techonoloy Inc
    825 Apache Friends
    882 HTTPS Management Certificate for SonicWALL (self-signed)
    952 Cisco-Linksys, LLC
   1141 DrayTek Corp.
   1933 Xtera Communications, Taiwan
   6803 SomeOrganization
  10253 Hewlett-Packard Co.
  11811 Fortinet Ltd.
(from 52341 total self-signed certs)
"Internet Widgits Pty Ltd" is the OpenSSL default. "Hewlett-Packard Co." are JetDirect printers. "Fortinet Ltd." is some gateway manufacturer.
Tor doesn't have to pick a single type I believe. It could pick between some number of templates at first-run (although Fortinet tend to be 2048-bit and HP are 1024-bit). Here are examples of the HP and Fortinet certs:
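The tally described in the message above (select self-signed certificates, count them by Organization) can be reproduced over any set of DER certificates. This is an added example, not the script used for the Observatory scan: it assumes "self-signed" means issuer equals subject (no signature check), and the function names and skeleton sample certificates are constructed for illustration.

```python
from collections import Counter

OID_O, OID_CN = bytes.fromhex("55040a"), bytes.fromhex("550403")  # 2.5.4.10, 2.5.4.3

def children(body):
    """Split a DER body into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(body):
        tag, length, pos = body[pos], body[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits count the length bytes
            k = length & 0x7F
            length, pos = int.from_bytes(body[pos:pos + k], "big"), pos + k
        out.append((tag, body[pos:pos + length]))
        pos += length
    return out

def names(cert_der):
    """Return the (issuer, subject) Name bodies of one DER certificate."""
    tbs = children(children(children(cert_der)[0][1])[0][1])
    tbs = tbs[1:] if tbs[0][0] == 0xA0 else tbs  # skip optional [0] version
    return tbs[2][1], tbs[4][1]  # fields after serial and signature algorithm

def organization(name_body):
    """First organizationName (O) attribute in a Name, or None."""
    for _, rdn in children(name_body):
        for _, atv in children(rdn):
            (_, oid), (_, value) = children(atv)[:2]
            if oid == OID_O:
                return value.decode("utf-8", "replace")
    return None

def tally_self_signed(certs):
    """Count certificates whose issuer equals their subject, per Organization."""
    pairs = (names(der) for der in certs)
    return Counter(organization(s) or "(no O)" for i, s in pairs if i == s)

# Constructed sample input: skeleton certificates with empty key and signature.
def tlv(tag, body):
    n, size = len(body), (len(body).bit_length() + 7) // 8
    return bytes([tag, *([n] if n < 128 else [0x80 | size, *n.to_bytes(size, "big")])]) + body
def name(o, cn):
    atv = lambda oid, s: tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(0x13, s.encode())))
    return tlv(0x30, atv(OID_O, o) + atv(OID_CN, cn))
def cert(issuer, subject):
    e = tlv(0x30, b"")  # stand-in for the algorithm, validity and key fields
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + e + issuer + e + subject + e)
    return tlv(0x30, tbs + e + tlv(0x03, b"\x00"))

SUBJECTS = [name("Fortinet Ltd.", "unit-a"), name("Fortinet Ltd.", "unit-b"),
            name("Hewlett-Packard Co.", "jetdirect-printer-1")]
SAMPLE = [cert(n, n) for n in SUBJECTS]
SAMPLE.append(cert(name("Example CA", "Example Root"), name("Example Org", "www.example.com")))
```

Calling `tally_self_signed(SAMPLE).most_common()` lists the organizations in descending order of count, the same shape as the list in the message; the CA-issued sample certificate is excluded.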
On 2/21/2011 1:54 PM, Adam Langley wrote:
"Internet Widgits Pty Ltd" is the OpenSSL default. "Hewlett-Packard Co." are JetDirect printers. "Fortinet Ltd." is some gateway manufacturer.
Tor doesn't have to pick a single type I believe. It could pick between some number of templates at first-run (although Fortinet tend to be 2048-bit and HP are 1024-bit).
Any time we define a single list of cert templates like this and choose from among them, we're creating an easy set of items which can be blocked. As I mentioned in my earlier posting today [1], I strongly doubt that an oppressive regime's censors are going to care if they block JetDirect printers or home routers as collateral damage when blocking Tor. Even if they do, what does this actually gain us over randomized organization names chosen from a large wordlist (or even total gibberish)?
Any static list is going to, by definition, have to exist within the source code, and thus will be very easy for an even moderately determined censor to find. If we're going to do that we had better be doing it with something that we know will cause massive collateral damage and thus would be much more likely to be avoided; I just don't see that happening with any of these devices.
Regards, Tim
[1] https://lists.torproject.org/pipermail/tor-dev/2011-February/000005.html
-- Tim Wilde, Senior Software Engineer, Team Cymru, Inc. twilde@cymru.com | +1-630-230-5433 | http://www.team-cymru.org/
On Mon, Feb 21, 2011 at 2:34 PM, Tim Wilde twilde@cymru.com wrote:
Any static list is going to, by definition, have to exist within the source code, and thus will be very easy for an even moderately determined censor to find. If we're going to do that we had better be doing it with something that we know will cause massive collateral damage and thus would be much more likely to be avoided; I just don't see that happening with any of these devices.
I agree that forcing collateral damage is the key here. The current code generates `random' certificates, but it's pretty easy to pattern match them and there's no collateral damage to doing so.
The hope was that something would be an obvious candidate. I've seen the Internet Widgets certificate a fair bit in personal experience, but it appears much less frequently than I expected.
If the random generation could be made much better then it's a reasonable answer, at the cost of more code complexity and no collateral damage. I suspect that the cat and mouse game only stops when the collateral damage is too large, or all self-signed certs are blocked.
AGL
On Feb 21, 2011, at 12:54 PM, Adam Langley wrote:
I agree that forcing collateral damage is the key here. The current code generates `random' certificates, but it's pretty easy to pattern match them and there's no collateral damage to doing so.
The thing that seems most correct to me, and most true, and is also likely to look like a lot of self-signed HTTPS hosts, is to just create a cert that looks like what a "good" self-signed cert would look like: a subject name that matches the host's internet-facing identity (IP and/or hostname), with reasonably common cryptographic parameters, and real-ish information in the fields like OU and so on (perhaps automatically culled from hostnames or Tor relay names or something).
As the Observatory shows, self-signed certificates outnumber CA-signed certificates. Fitting in with the self-signed world, of which those CPE things like printers and routers are just a subset, seems reasonable.
I don't know if it's possible to do better than to "just sort of look like a web server with a self-signed cert".