Revised TSL handshake proposal question
shamrock at cypherpunks.to
Wed Nov 21 06:30:22 UTC 2007
I read Steven.s proposal to change the Tor SSL handshake at
If I understand the preamble correctly, the goal of this proposal is to
solve the following problem:
- common https connections only involve presentation of an SSL server
- https connections that use client certificates are relatively rare.
- Tor authenticates both sides of the SSL connection using both server and
- A passive observer can therefore distinguish common https traffic from
Tor traffic by watching for a client cert being presented in the initial
It is therefore desirable to present the client cert after the initial
SSL-encrypted tunnel only using a server cert has been established. The
spec proposes a method to implement such capability.
If I misunderstand the goals of this proposal, you may ignore the
remainder of this post.
SSLv3 and TLS permit either the client or the server to request an SSL
renegotiation. The content of the renegotiation and any certificates
exchanged during the renegotiation are encrypted using the SSL connection
that was previously established.
This means that an SSL renegotiation permits the client to present an SSL
client cert to the server inside the initial SSL encrypted connection. Not
revealing the client cert to an observer was very much one of the use
cases considered during the initial SSLv3 and later TLS specification
efforts. The idea at the time was that clients may store a great many
certificates, one for each services they wish to access. For example, a
website portal containing health education information may offer a number
of forums, one for those suffering from cancer, another for those
suffering from AIDS. Each using a client cert rather than UID/PW to access
the forum. You wouldn't want the observer to be able to determine which
particular forum a visitor is logging into or that they are logging into a
forum at all.
While client certificates have not yet become as ubiquitous as was
considered possible during the SSLv3 specification days with individual
users potentially holding hundreds of certificates, the ability to request
a renegotiation of an SSL session to step up from a server authenticated
to a client authenticated connection is built into every major SSL/TLS
implementation, including OpenSSL.
With this in mind, it is not clear to me which security properties the
proposal will give you that you cannot natively obtain from TLS.
I of course recognize that an observer may be able to determine from
watching the number of encrypted bits exchanged that the encrypted SSL
connection likely contains an SSL renegotiation payload. Alas, there are
many aspects of Tor that would permit for protocol identification based on
You may wish to consider using TLS-native capabilities to obscure the
client certificate exchange by using SSL renegotiation instead.
More information about the tor-dev