[tor-talk] How evil is TLS cert collection?

Robert Ransom rransom.8774 at gmail.com
Sat Jun 4 10:52:49 UTC 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, 04 Jun 2011 12:37:14 +0200
tagnaq <tagnaq at gmail.com> wrote:

> >> Someone running this (SSLObservatorySubmission) in a non-public network
> >> (i.e. an internal corporate network) with Internet access will probably
> >> disclose internal hostnames including IP addresses, if that is the case
> >> I would identify this as an issue. What do you think about it?
> > 
> > We're going to try really hard to avoid this by default. See the first
> > two options in the client UI section under "advanced options":
> > https://trac.torproject.org/projects/tor/wiki/HTTPSEverywhere/SSLObservatorySubmission#ClientUIandconfigurationVariables
> 
> These two options will prevent disclosure in many scenarios but I don't
> think it will avoid the problem in a common scenario (internal hosts use
> a valid FQDN and a valid cert).
> 
> IP address and hostname (and cert.) of intranet-server1.example.com
> using a valid certificate *.example.com will be published even if the
> first two options in the "advanced options" are enabled. Is that correct?
> In such scenarios I'm not worried about the certificate being submitted
> but the hostname and IP address (domain and server_ip arguments).
> 
> 
> I'm not sure if I understand "private DNS domains" correct.
> "[x] Do not check/submit certificates for private DNS domains"
> 
> Are private DNS domains just non-existing TLDs? Something like
> "foobar.localnet"?

My understanding was that EFF would query DNS for a hostname, and if
the hostname does not exist, assume that it's private.  (This should
scare you even more.)


Robert Ransom
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (FreeBSD)

iQEcBAEBAgAGBQJN6g6FAAoJENmcrTGPJVyVilYH/iVcZd4GbSA19BIYUWCWJwah
tImYDiS+5v1ai2fXgPLabvSrNHdxqrfgoUnXOaaHMiZiSqJx8ekVOe5ah5rfd67E
d+ONg5NWX9qyB+wpEtCJ0hHooMuBt9jcUlrVZAYNkyRy1BoyjB4PkqkXBh8S3mF1
xEtC/SDAoDU3g6hWC3q5OW3USykETKH2lI0WF0QFt4lY9GnUz8cn+l+HV9uCU/0C
sMo9Q0BhhoSwyzr10VBLyuSm2HG1AzbJfS2eT2UPtitBbxNPjaCni/abvRlfzRxn
CcOjl79oQ+xaM7qJrQt/tmMnD0t2LbkRdEbSM8vU5XAe4nPB7HmZ5+lV+VM3/BQ=
=cCCI
-----END PGP SIGNATURE-----
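An added example, not code from this thread or from the HTTPS Everywhere observatory client, illustrating the gap tagnaq describes: the "does the hostname resolve?" heuristic alone would still submit an intranet host that has a valid FQDN and a valid wildcard certificate, because such a name does resolve. The filter below also looks at the server_ip the browser actually connected to, the addresses the name resolves to, and special-use suffixes, and withholds those. The DNS table, hostnames, addresses and the suffix list are constructed assumptions, not values from the page.

```python
import ipaddress

# Constructed stand-in for DNS: hostname -> A records. A real client would use
# the system resolver; this table keeps the example runnable offline. Names and
# addresses are invented for illustration.
FAKE_DNS = {
    "www.example.com": ["93.184.216.34"],
    "intranet-server1.example.com": ["10.20.30.40"],  # valid FQDN, RFC 1918 address
    "printer.local": ["192.168.1.50"],                 # mDNS special-use TLD
    "foobar.localnet": [],                             # non-existent TLD, no answer
}

# Suffixes treated as non-public: RFC 6761/6762 special-use names plus suffixes
# commonly used on intranets (an assumption; extend for your own environment).
PRIVATE_SUFFIXES = (
    ".local", ".localhost", ".localdomain", ".internal", ".intranet",
    ".lan", ".corp", ".home", ".test", ".example", ".invalid", ".onion",
)


def resolve(hostname):
    """Look the name up in the constructed table (stand-in for a resolver call)."""
    return FAKE_DNS.get(hostname.lower().rstrip("."), [])


def is_private_by_dns_existence(hostname):
    """The heuristic discussed in the thread: private iff the name does not resolve."""
    return not resolve(hostname)


def is_non_global_address(ip):
    """True for RFC 1918, loopback, link-local, multicast and reserved ranges."""
    return not ipaddress.ip_address(ip).is_global


def classify(hostname, server_ip=None):
    """Decide whether (hostname, server_ip) should be withheld from submission.

    Returns (withhold, reason). server_ip is the address the browser actually
    connected to, mirroring the server_ip argument mentioned in the thread.
    """
    name = hostname.lower().rstrip(".")
    if "." not in name or name.endswith(PRIVATE_SUFFIXES):
        return True, "special-use or single-label hostname"
    if server_ip is not None and is_non_global_address(server_ip):
        return True, "connected to a non-global address"
    addrs = resolve(name)
    if not addrs:
        return True, "hostname does not resolve"
    if any(is_non_global_address(a) for a in addrs):
        return True, "hostname resolves to a non-global address"
    return False, "public hostname and address"


def leaked_by_existence_heuristic():
    """Names the existence-only check would submit but the address-aware check withholds."""
    return sorted(
        h for h in FAKE_DNS
        if not is_private_by_dns_existence(h) and classify(h)[0]
    )


if __name__ == "__main__":
    for host in FAKE_DNS:
        existence = "private" if is_private_by_dns_existence(host) else "public"
        print(f"{host:32} existence-only: {existence:8} address-aware: {classify(host)[1]}")
    print("leaked by existence-only heuristic:", leaked_by_existence_heuristic())
```

Running it shows intranet-server1.example.com and printer.local passing the existence-only check while the address-aware check withholds both; foobar.localnet is caught by either. The server_ip check is the cheapest of the three, since the client already has that address and needs no extra lookup.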