Thandy attacks / suggestions
coderman
coderman at gmail.com
Mon Dec 8 19:25:49 UTC 2008
On Sun, Dec 7, 2008 at 5:14 PM, Roger Dingledine <arma at mit.edu> wrote:
> ...
> 1) Apparently python's urllib doesn't check SSL certs or cert chains.
> ... His suggested fix was to ship our SSL cert with the updater;

how critical is https given the signature checking on the files
downloaded? it looks like M2crypto or $something would be needed to
do SSL/https correctly. but M2crypto is somewhat dated and big...
(how does shipping the cert help, if urllib still doesn't validate correctly?)

> C) We should stop letting every mirror serve the timestamp file, but
> instead serve it from a smaller more trusted subset of the mirrors
> ... I'm not sure how big a change this is
> from the spec, which says:
>   Every mirror is a copy of some or all of the directory hierarchy
>   containing at least the /meta, /bundles/, and /pkginfo directories.

what if clients only download that particular file from the (more)
trusted set? or should the confusion of a timestamp on a mirror where
it will never be requested be avoided?

best regards,