[tor-talk] Yet another OpenSSL vulnerability

Aymeric Vitte vitteaymeric at gmail.com
Thu Jun 5 21:50:13 UTC 2014


Le 05/06/2014 18:34, Nick Mathewson a écrit :
> But a MITM attack of this kind could still help traffic
> analysis, and likely other unexpected badness as well.

So let's ask the question : what's the absolute necessity of SSL/TLS in 
the Tor protocol?

Self-signed certificates are used, the certs cells mechanism just 
insures that you are talking to the one with whom you have negociated 
the TLS connection with.

But this one can be the MITM itself.

A bridge/first node, accessed via "clear" created_fast cell over SSL/TLS 
can be the MITM too.

It's not a big problem since in both cases they will not know what 
happens next or what they are relaying.

Then, what SSL/TLS does really protect here?

You can disguise the SSL/TLS traffic with obfsproxy, but again what's 
the use of SSL/TLS if you need to hide it?

You need to hide it because it's SSL/TLS, easy to detect and block, then 
why not using/hidding a non SSL/TLS traffic? Much more difficult to detect.

-- 
Peersm : http://www.peersm.com
node-Tor : https://www.github.com/Ayms/node-Tor
GitHub : https://www.github.com/Ayms



More information about the tor-talk mailing list