On 03/21/2011 01:58 AM, Mike Perry wrote:
> I've spent some time working with the EFF recently to build a
> distributed version of the SSL Observatory
> (https://www.eff.org/observatory) to be included with HTTPS
> Everywhere. The draft API and design sketch is here:
> https://trac.torproject.org/projects/tor/wiki/HTTPSEverywhere/SSLObservatorySubmission
>
> The brief summary is that it will be submitting rare TLS certificates
> through Tor to EFF for analysis and storage. We will also leverage the
> database of certificates to provide notification in the event of
> targeted MITM attacks**.
>
> I am trying to decide if this is a bad thing to enable by default for
> users.
>
> On the one hand, we have taken a lot of precautions to ensure that the
> EFF is given the minimal amount of useful information, and retains
> even less (such as no high-resolution timing information). The EFF is
> extremely trustworthy, and has an army of lawyers on-hand to defend
> against subpoenas or legal requests for excessive data retention.
>
> Furthermore, the OCSP revocation servers have just as much or more
> information, and who knows what they do with this same information.
> In all likelihood, they probably sell it to netcraft and whoever else.
> It is valuable.
>
> On the other hand, the EFF intends to publish as much of the
> information gathered with this system as it can for analysis by the
> wider Internet community. This will likely include raw SQL dumps of
> the resulting certificate database.
>
>
> So, the question for the bikeshed discussion then is what should the
> default state of this collection be? Our thought is to provide
> HTTPS-Everywhere users with this dialog on first-run
> https://trac.torproject.org/projects/tor/wiki/HTTPSEverywhere/SSLObservatorySubmission#ClientUIandconfigurationVariables
>
> However, I'm not sure that this is going to work for Tor Browser
> Bundle users (which ships with HTTPS Everywhere) who may have the TBB
> on readonly USB keys or live cds. They may end up being asked each
> time they start.
>
> Is this a decent compromise? The other option is to not even bother to
> ask users who have a working tor installed, on the assumption that
> since we can submit certs through tor, it is always safe to do so. We
> may end up doing this instead of always asking them. Is this wrong? If
> so, why?
Someone running this (SSLObservatorySubmission) in a non-public network (i.e. an internal corporate network) with Internet access will probably disclose internal hostnames, including IP addresses; if that is the case, I would identify this as an issue. What do you think about it?

btw: sorry for my late reply to this topic, but it was still 'unread' till now on my side.

_______________________________________________
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
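A client-side pre-submission filter for the leak described in the reply above, added here as an example and not code from HTTPS Everywhere or the Observatory design sketch: it flags certificate names (CN/SAN entries) that point at non-public networks so a client could skip submitting such certificates. The suffix list and the sample names are assumptions constructed for the example.

```python
import ipaddress

# Assumed list of name suffixes that do not resolve on the public Internet:
# RFC 6762 (.local), RFC 2606 reserved names, and common unregistered
# corporate suffixes. Extend for a given deployment.
NON_PUBLIC_SUFFIXES = (
    ".local", ".localhost", ".localdomain", ".internal", ".intranet",
    ".lan", ".home", ".corp", ".test", ".example", ".invalid",
)


def is_internal_name(name):
    """True if a CN/SAN value looks like it belongs to a non-public network."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):          # wildcard certs: judge the base domain
        name = name[2:]
    # IP address literals: private, loopback, link-local, documentation and
    # other non-global ranges are all treated as internal.
    try:
        return not ipaddress.ip_address(name).is_global
    except ValueError:
        pass
    # Single-label hostnames ("intranet", "mail") only exist inside a
    # search domain, so they reveal internal naming if submitted.
    if "." not in name:
        return True
    return name.endswith(NON_PUBLIC_SUFFIXES)


def should_submit(cert_names):
    """Decide whether a certificate's names are safe to send to a public
    observatory. Returns (ok_to_submit, offending_names)."""
    offending = [n for n in cert_names if is_internal_name(n)]
    return (not offending, offending)


# Constructed sample: names as they might appear in certificates seen by a
# browser on a corporate network (made up for this example).
SAMPLE_CERTS = {
    "public": ["www.eff.org", "eff.org"],
    "corporate": ["mail.corp.example.local", "10.1.2.3"],
    "bare-host": ["*.intranet"],
}

if __name__ == "__main__":
    for label, names in SAMPLE_CERTS.items():
        ok, bad = should_submit(names)
        print(f"{label}: submit={ok} flagged={bad}")
```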