[tor-talk] How evil is TLS cert collection?

Mike Perry mikeperry at fscked.org
Sat Jun 4 19:09:52 UTC 2011


Thus spake Robert Ransom (rransom.8774 at gmail.com):

> > >> Someone running this (SSLObservatorySubmission) in a non-public network
> > >> (i.e. an internal corporate network) with Internet access will probably
> > >> disclose internal hostnames including IP addresses, if that is the case
> > >> I would identify this as an issue. What do you think about it?
> > > 
> > > We're going to try really hard to avoid this by default. See the first
> > > two options in the client UI section under "advanced options":
> > > https://trac.torproject.org/projects/tor/wiki/HTTPSEverywhere/SSLObservatorySubmission#ClientUIandconfigurationVariables
> > 
> > These two options will prevent disclosure in many scenarios but I don't
> > think it will avoid the problem in a common scenario (internal hosts use
> > a valid FQDN and a valid cert).
> > 
> > IP address and hostname (and cert.) of intranet-server1.example.com
> > using a valid certificate *.example.com will be published even if the
> > first two options in the "advanced options" are enabled. Is that correct?
> > In such scenarios I'm not worried about the certificate being submitted
> > but the hostname and IP address (domain and server_ip arguments).
> >
> > I'm not sure if I understand "private DNS domains" correctly.
> > "[x] Do not check/submit certificates for private DNS domains"

If this option is set, the browser addon itself will try to check the
server IP and determine if it is RFC1918 ("Address Allocation for
Private Internets"). If the domain resolves to a private range, it is
considered private. The browser should be able to perform this lookup
so long as the user isn't *only* using an HTTP proxy.

Are you saying that you expect there to be a lot of publicly routable
IP addresses that use certificates signed by CAs in the default root
set out there? How can these be considered private? They are already
in the observatory DB from the IPv4 scan.

Or are you saying you expect there to be a lot of HTTP proxy users out
there who do not have a SOCKS proxy but who access certs signed by
public CAs?

> > Are private DNS domains just non-existing TLDs? Something like
> > "foobar.localnet"?
> 
> My understanding was that EFF would query DNS for a hostname, and if
> the hostname does not exist, assume that it's private.  (This should
> scare you even more.)

EFF only needs to do this query if the browser could not (because it
was using an HTTP proxy without a SOCKS proxy). Does this scare you
less or more? I'm getting confused by the reactions in this thread.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
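Added example, not HTTPS Everywhere or SSL Observatory code: a client-side version of the RFC1918 check described above, including the HTTP-proxy-only case where the browser cannot resolve the name itself and the check is left to the submission server. The function names and return values are assumptions made for illustration.

```javascript
// Added example (not the addon's own code). Implements the "do not
// check/submit certificates for private DNS domains" option as the thread
// describes it: resolve the server IP, and skip submission if it is RFC1918.

// RFC 1918 private ranges: 10/8, 172.16/12, 192.168/16.
const RFC1918_RANGES = [
  ['10.0.0.0', 8],
  ['172.16.0.0', 12],
  ['192.168.0.0', 16],
];

// Parse a dotted-quad IPv4 string into an unsigned 32-bit integer; null if malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True if ip (IPv4 string) falls in any RFC 1918 range; malformed input is
// treated as not-private (the decision function handles "unknown" separately).
function isRfc1918(ip) {
  const addr = ipv4ToInt(ip);
  if (addr === null) return false;
  return RFC1918_RANGES.some(([base, prefix]) => {
    const mask = (0xFFFFFFFF << (32 - prefix)) >>> 0; // e.g. /12 -> 0xFFF00000
    return ((addr & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
  });
}

// Decide what the client should do with a cert observation. resolvedIp is null
// when the browser could not resolve the hostname (HTTP-proxy-only setup);
// in that case the private-range check is deferred to the submission server.
// Return values ('submit', 'skip-private', 'defer-to-server') are assumptions.
function submissionDecision(resolvedIp, skipPrivate = true) {
  if (!skipPrivate) return 'submit';
  if (resolvedIp === null) return 'defer-to-server';
  return isRfc1918(resolvedIp) ? 'skip-private' : 'submit';
}
```

Note that a host such as intranet-server1.example.com with a publicly routable address (203.0.113.5 below is a constructed TEST-NET value) still comes out as 'submit', which is the scenario the thread is worried about.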