[tor-bugs] #4583 [Tor Bridge]: Implement certificate start time fuzzing (part of proposal 179)

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Sun Nov 27 14:52:08 UTC 2011


#4583: Implement certificate start time fuzzing (part of proposal 179)
------------------------+---------------------------------------------------
 Reporter:  asn         |          Owner:              
     Type:  defect      |         Status:  needs_review
 Priority:  normal      |      Milestone:              
Component:  Tor Bridge  |        Version:              
 Keywords:              |         Parent:  #3972       
   Points:              |   Actualpoints:              
------------------------+---------------------------------------------------

Comment(by nickm):

 Hm.  The right fix here is to actually use the cert for a long time, not
 just to claim that we're using it for a long time.  This fix doesn't help
 so much if we're going to keep rotating our initially presented CA certs
 so often.


 Also, using "exactly 365*24*60*60 seconds" as our idea of the length of a
 year probably is more fingerprintable than rotating our certs too often.
 When actual CAs sell certs, I believe they don't do it like that.  Some of
 them do stuff more along the lines of timegm/gmtime manipulation -- some
 so that notBefore is at 00:00:00 GMT and notAfter is 23:59:59 GMT.  We
 should probably see what openssl self-signed certs tend to have in this
 regard.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/4583#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
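
The calendar-aligned validity window described in the comment above (notBefore at 00:00:00 GMT, notAfter at 23:59:59 GMT), next to a check for the fixed 365*24*60*60 lifetime, as an added example that is not Tor's code or part of the original message. All function names are hypothetical, and `days_from_civil` is a portable stand-in for timegm(), which is not available on every platform.

```c
#include <stdint.h>
#include <time.h>

#define NAIVE_YEAR (365L * 24 * 60 * 60)   /* the lifetime the comment calls fingerprintable */

static int is_leap(int y) { return (y % 4 == 0 && y % 100 != 0) || y % 400 == 0; }

/* Days since 1970-01-01 for a Gregorian date (stand-in for timegm()). */
static int64_t days_from_civil(int64_t y, int m, int d)
{
    y -= m <= 2;                                   /* treat Jan/Feb as end of previous year */
    int64_t era = (y >= 0 ? y : y - 399) / 400;
    int64_t yoe = y - era * 400;
    int64_t doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    int64_t doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

/* notBefore = 00:00:00 GMT on the issue day; notAfter = 23:59:59 GMT on the
 * same calendar date `years` later. Returns 0 on success, -1 on failure. */
int aligned_validity(time_t now, int years, time_t *not_before, time_t *not_after)
{
    struct tm *tm = gmtime(&now);
    if (tm == NULL)
        return -1;
    int y = tm->tm_year + 1900, m = tm->tm_mon + 1, d = tm->tm_mday;
    *not_before = (time_t)(days_from_civil(y, m, d) * 86400);
    if (m == 2 && d == 29 && !is_leap(y + years))
        d = 28;                                    /* Feb 29 has no match in a common year */
    *not_after = (time_t)(days_from_civil(y + years, m, d) * 86400 + 86399);
    return 0;
}

/* Returns 1 when the lifetime is an exact multiple of 365*24*60*60 seconds,
 * the pattern a fixed-length "year" produces. */
int looks_naive(time_t not_before, time_t not_after)
{
    long life = (long)(not_after - not_before);
    return life > 0 && life % NAIVE_YEAR == 0;
}
```
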

