Date: Fri, 12 Dec 2014 12:57:01 -0800
From: Seth David Schoen <schoen@eff.org>
To: tor-talk@lists.torproject.org
Message-ID: <20141212205701.GU23933@mail2.eff.org>
References: <CAAvGZPETMZ7BrWyHX-e1MkB6cJhzNw6=jttrUbwaKWgQsVO8Ug@mail.gmail.com>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <CAAvGZPETMZ7BrWyHX-e1MkB6cJhzNw6=jttrUbwaKWgQsVO8Ug@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [tor-talk] CA signed SSL bad for censorship resistance?

Miles Richardson writes:

> Has there been any research into the effect that CA signed SSL certs
> on .onion services have on the ability of Tor to circumvent censorship
> authorities? Is it possible there could be some leakage to the certificate
> authority that could be picked up by an ISP?

There's definitely a privacy issue about some sites because some
browsers may contact the CA's OCSP responder (mentioning which cert
they've just encountered).

https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol

The Tor Browser design document currently says

   We have verified that these settings and patches properly proxy HTTPS,
   OCSP, HTTP, FTP, gopher (now defunct), DNS, SafeBrowsing Queries,
   all JavaScript activity, including HTML5 audio and video objects,
   addon updates, wifi geolocation queries, searchbox queries, XPCOM
   addon HTTPS/HTTP activity, WebSockets, and live bookmark updates. We
   have also verified that IPv6 connections are not attempted, through
   the proxy or otherwise (Tor does not yet support IPv6). We have also
   verified that external protocol helpers, such as smb urls and other
   custom protocol handlers are all blocked.

So, when OCSP queries to the CA happen, they should also be sent over Tor.

Sites can help reduce the incidence of OCSP queries by implementing OCSP
stapling:

https://en.wikipedia.org/wiki/OCSP_stapling

-- 
Seth Schoen  <schoen@eff.org>
Senior Staff Technologist                       https://www.eff.org/
Electronic Frontier Foundation                  https://www.eff.org/join
815 Eddy Street, San Francisco, CA  94109       +1 415 436 9333 x107