[tor-talk] Yet another OpenSSL vulnerability
vitteaymeric at gmail.com
Thu Jun 5 21:50:13 UTC 2014
On 05/06/2014 18:34, Nick Mathewson wrote:
> But a MITM attack of this kind could still help traffic
> analysis, and likely other unexpected badness as well.
So let's ask the question: what's the absolute necessity of SSL/TLS in
the Tor protocol?
Self-signed certificates are used; the certs cells mechanism just
ensures that you are talking to the one with whom you have negotiated
the TLS connection.
But this one can be the MITM itself.
A bridge/first node, accessed via a "clear" created_fast cell over SSL/TLS,
can be the MITM too.
It's not a big problem since in both cases they will not know what
happens next or what they are relaying.
Then, what does SSL/TLS really protect here?
You can disguise the SSL/TLS traffic with obfsproxy, but again what's
the use of SSL/TLS if you need to hide it?
You need to hide it because it's SSL/TLS, easy to detect and block, then
why not use/hide non-SSL/TLS traffic? Much more difficult to detect.
Peersm : http://www.peersm.com
node-Tor : https://www.github.com/Ayms/node-Tor
GitHub : https://www.github.com/Ayms