Bridge scanning resistance
Christopher Davis
chrisd at mangrin.org
Thu Mar 19 16:34:51 UTC 2009
On Thu, Mar 19, 2009 at 05:28:13AM -0400, Gregory Maxwell wrote:
> People are unlikely to spend $$ to give their fake https sites real ca
> signed certs. Its easy to test for, impossible to fake, and given how
> the browser vendors handle self signed certs someone could claim they
> are trying to defeat security risks by blocking self signed
> webservers.
>
I've seen quite a number of legit sites with self-signed certs.
It could be the case that the operator of the site is a hobbyist,
and short on cash. For example, I seriously considered using a
self-signed cert for my https://www.mangrin.org remailer web
page, although I ultimately went with cacert.org's free offering.
> So I would guess that would put an upper limit on the level of disguse
> the common node would get. The ability to multiplex with a real ca
> signed https server might allow a few nodes to achieve better cover.
>
If bridges could produce an Apache "It works!" page along with a
self-signed cert, it'd look like someone testing their web server.
One challenge would be making that cert look like something
generated from the OpenSSL command line tools.
--
Christopher Davis
Mangrin Remailer Admin
PGP: 0x0F8DA163
More information about the tor-talk
mailing list