[tor-talk] How evil is TLS cert collection?

Mike Perry mikeperry at fscked.org
Wed Mar 23 23:14:42 UTC 2011


Thus spake Robert Ransom (rransom.8774 at gmail.com):

> On Tue, 22 Mar 2011 21:19:46 -0700
> Mike Perry <mikeperry at fscked.org> wrote:
> > Yeah, we need to start issuing requests for the IP, because the DNS
> > request itself is an anonymity set fragmentation issue (since it won't
> > go to the enclave, but will be mixed with other tor traffic). The EFF
> > says using the IP for submission should be doable: the IP address they
> > plan to use should be stable in the medium term.
> 
> Will you be able to get a certificate valid for that IP address (rather
> than hostname)?

Supposedly some CAs will sign certs for IPs. We can alternatively
distribute a self-signed cert with the xpi and install it
programmatically. Not sure which route to take. The latter is more
secure, but the cert will show up in the user's "trusted certs" window
in Firefox, which may or may not bother people.


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs