[Freedombox-discuss] TLS handshake client credential/identity exposure [was: Re: Software as Data, Transformation as a Service]
On 10/01/13 17:15, Daniel Kahn Gillmor wrote:
> I agree that this is a problem, but it's an issue with the TLS
> handshake more generally, not with NullSignatureUseOpenPGP -- TLS
> is guaranteed to leak the proposed certificate of the server, and
> the current handshake leaks the certificate of the client (and all
> other TLS extensions), even to a passive eavesdropper.
Yup, sorry if I implied this was NullSignatureUseOpenPGP's problem
rather than TLS's - but pragmatically speaking, if we wait for the
IETF to standardise a fix and everyone to deploy it, we'll be waiting
in our graves. :-)
> There is a way to avoid the leak entirely within the current TLS
> spec, though! But it requires server and client to cooperate, and
> it adds an additional set of round-trips to session setup. It
> looks like this:
> 0) initial handshake happens with client providing no interesting
> information beyond the secure-renegotiation extension.
> 1) immediately after initial handshake completes successfully, the
> session is renegotiated over the established channel. In this
> renegotiated handshake, the client can be confident that the server
> is who they expect it to be, and this "inner" handshake is
> protected from eavesdropping because it's negotiated within the
> encrypted outer channel.
> does this make sense?
It does! Is that what Tor does to avoid being blocked? Or does Tor
just rely on self-signed certs being common enough to avoid attracting
> Note that the NullSignatureUseOpenPGP extension is an X.509
> extension, not a TLS extension. From the TLS point of view, the
> certs passed are just X.509 certificates, and no signalling is
> given in the TLS handshake itself to indicate which kind of
> certificates are preferred.
In that case, could the certs be formatted like ordinary self-signed
X.509 certs? Or is it not possible to generate the appropriate
self-signature using a PGP key?
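An added example, not part of the original message: a record-layer parser that shows what a passive observer can read from the client's side of a TLS 1.2 (or earlier) handshake, comparing a handshake that carries the client certificate up front with the two-step renegotiation scheme quoted above. The names `cleartext_handshake`, `rec`, `hs`, `CLASSIC` and `TWO_STEP` are hypothetical, and both captures are constructed with filler bodies rather than taken from real traffic.

```python
import struct

# Handshake message types from RFC 5246 (TLS 1.2), section 7.4
HS_NAMES = {1: "client_hello", 2: "server_hello", 11: "certificate",
            12: "server_key_exchange", 13: "certificate_request",
            14: "server_hello_done", 15: "certificate_verify",
            16: "client_key_exchange", 20: "finished"}
CCS, HANDSHAKE = 20, 22  # record-layer content types


def cleartext_handshake(stream):
    """Return (readable handshake message names, encrypted handshake records)
    for ONE direction of a captured TLS <= 1.2 byte stream."""
    buf, hidden, encrypted, pos = b"", 0, False, 0
    while pos + 5 <= len(stream):
        ctype, _ver, length = struct.unpack_from("!BHH", stream, pos)
        payload = stream[pos + 5:pos + 5 + length]
        pos += 5 + length
        if ctype == CCS:
            encrypted = True      # everything after this is ciphertext
        elif ctype == HANDSHAKE:
            if encrypted:
                hidden += 1       # Finished, or a renegotiated handshake
            else:
                buf += payload    # messages may span or share records
    names, i = [], 0
    while i + 4 <= len(buf):      # walk type(1) + length(3) + body
        mlen = int.from_bytes(buf[i + 1:i + 4], "big")
        names.append(HS_NAMES.get(buf[i], "unknown_%d" % buf[i]))
        i += 4 + mlen
    return names, hidden


def rec(ctype, payload):          # build one TLS record (version 0x0303)
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload


def hs(mtype, body):              # build one handshake message
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body


# Constructed client-to-server captures; bodies are filler, not real messages
OPAQUE = b"\xaa" * 48
CLASSIC = (rec(22, hs(1, b"hello")) +
           rec(22, hs(11, b"client-cert") + hs(16, b"kx") + hs(15, b"sig")) +
           rec(20, b"\x01") + rec(22, OPAQUE))
TWO_STEP = (rec(22, hs(1, b"hello")) + rec(22, hs(16, b"kx")) +
            rec(20, b"\x01") + rec(22, OPAQUE) +   # encrypted Finished
            rec(22, OPAQUE) + rec(22, OPAQUE))     # renegotiation, encrypted

if __name__ == "__main__":
    for label, cap in (("classic", CLASSIC), ("two-step", TWO_STEP)):
        print(label, cleartext_handshake(cap))
```

The record header stays in cleartext in both cases, so an observer can still tell from the content type that further handshake records followed the first ChangeCipherSpec, but cannot read the certificate inside them.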