[tor-commits] [torbutton/master] Add an item for TLS issues and APIs.

mikeperry at torproject.org mikeperry at torproject.org
Sat Mar 26 00:17:43 UTC 2011


commit 09f55fbe0bc0ed2802fd1bd00790d1646ea6b64f
Author: Mike Perry <mikeperry-git at fscked.org>
Date:   Fri Mar 25 17:16:42 2011 -0700

    Add an item for TLS issues and APIs.
    
    We don't have Bugzilla entries for this yet, but it should be listed.
---
 website/design/design.xml |   22 ++++++++++++++++++++++
 1 files changed, 22 insertions(+), 0 deletions(-)

diff --git a/website/design/design.xml b/website/design/design.xml
index 3f906b3..b137caf 100644
--- a/website/design/design.xml
+++ b/website/design/design.xml
@@ -2137,7 +2137,29 @@ feature.
 
       </para>
      </listitem>
+     <listitem>Give more visibility into and control over TLS
+negotiation
+     <para>
 
+There are several <ulink
+url="https://trac.torproject.org/projects/tor/ticket/2482">TLS issues
+impacting Torbutton security</ulink>. It is not clear if these should be one
+Firefox bug or several, but in particular we need better control over various
+aspects of TLS connections. Firefox currently provides no observer capable of
+extracting TLS parameters or certificates early enough to cancel a TLS
+request. We would like to be able to provide <ulink
+url="https://www.eff.org/https-everywhere">HTTPS-Everywhere</ulink> users with
+the ability to <ulink
+url="https://trac.torproject.org/projects/tor/wiki/HTTPSEverywhere/SSLObservatorySubmission">have
+their certificates audited</ulink> by a <ulink
+url="http://www.networknotary.org/">Perspectives</ulink>-style set of
+notaries. The problem with this is that the API observer points do not exist
+for any Firefox addon to actually block authentication token submission over a
+TLS channel, so every addon to date (including Perspectives) is actually
+providing users with notification *after* their authentication tokens have
+already been compromised. This obviously needs to be fixed.
+     </para>
+     </listitem>
      <listitem><ulink
 url="https://bugzilla.mozilla.org/show_bug.cgi?id=575230">Bug 575230 - Provide option to
 reduce precision of Date()</ulink>
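
Review bot: In the last sentence of the added paragraph, `*after*` is plain-text emphasis, which DocBook will render as literal asterisks; `<emphasis>after</emphasis>` would carry through to the generated output. The item title "Give more visibility into and control over TLS negotiation" is also bare text directly inside `<listitem>`, ahead of the `<para>`, and would be safer wrapped in its own `<para>`. On wording, "already been compromised" holds only when the certificate turns out to be bad, while "already been sent" describes what the missing observer point causes in every case.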




