[Freedombox-discuss] TLS handshake client credential/identity exposure [was: Re: Software as Data, Transformation as a Service]

Michael Rogers michael at briarproject.org
Thu Jan 10 17:57:04 UTC 2013

Hi Daniel,

On 10/01/13 17:15, Daniel Kahn Gillmor wrote:
> I agree that this is a problem, but it's an issue with the TLS 
> handshake more generally, not with NullSignatureUseOpenPGP -- TLS
> is guaranteed to leak the proposed certificate of the server, and
> the current handshake leaks the certificate of the client (and all
> other TLS extensions), even to a passive eavesdropper.

Yup, sorry if I implied this was NullSignatureUseOpenPGP's problem
rather than TLS's - but pragmatically speaking, if we wait for the
IETF to standardise a fix and everyone to deploy it, we'll be waiting
in our graves. :-)

> There is a way to avoid the leak entirely with in the current TLS
> spec, though!  But it requires server and client to cooperate, and
> it adds an additional set of round-trips to session setup.  It
> looks like this:
> 0) initial handshake happens with client providing no interesting 
> information beyond the secure-renegotiation extension.
> 1) immediately after initial handshake completes successfully, the 
> session is renegotiated over the established channel.  In this 
> renegotiated handshake, the client can be confident that the server
> is who they expect it to be, and this "inner" handshake is
> protected from eavesdropping because it's negotiated within the
> encrypted outer channel.
> does this make sense?

It does! Is that what Tor does to avoid being blocked? Or does Tor
just rely on self-signed certs being common enough to avoid attracting

> Note that the NullSignatureUseOpenPGP extension is an X.509
> extension, not a TLS extension.  From the TLS point of view, the
> certs passed are just X.509 certificates, and no signalling is
> given in the TLS handshake itself to indicate which kind of
> certificates are preferred.

In that case, could the certs be formatted like ordinary self-signed
X.509 certs? Or is it not possible to generate the appropriate
self-signature using a PGP key?
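Daniel's two-stage handshake, seen from the wire. What follows is an added example written for this page; it is not code from the original thread, from Daniel, or from the FreedomBox project. It frames TLS 1.2 records by hand, models a passive eavesdropper that parses everything not yet under the record cipher, and compares an ordinary handshake that carries a client certificate with an anonymous outer handshake followed by a renegotiation inside the established channel. The certificates, the message bodies and the `seal` keystream are all constructed placeholders (the XOR keystream only stands in for the record cipher so the parser cannot read sealed bytes; it is not TLS encryption).

```python
import hashlib
import struct

# Record-layer content types and handshake message types (RFC 5246 values).
CT_CHANGE_CIPHER_SPEC, CT_HANDSHAKE = 20, 22
HS_CLIENT_HELLO, HS_SERVER_HELLO, HS_CERTIFICATE = 1, 2, 11
HS_SERVER_HELLO_DONE, HS_CERTIFICATE_VERIFY = 14, 15
HS_CLIENT_KEY_EXCHANGE, HS_FINISHED = 16, 20
TLS12 = b"\x03\x03"

# Constructed stand-ins for DER certificates: no real keys, no real signatures.
SERVER_CERT = b"\x30\x82\x01\x00" + b"constructed server certificate"
CLIENT_CERT = b"\x30\x82\x00\x80" + b"constructed client certificate"

def record(content_type, body):
    """TLS record: type(1) version(2) length(2) body."""
    return bytes([content_type]) + TLS12 + struct.pack("!H", len(body)) + body

def handshake(msg_type, body):
    """Handshake message: type(1) length(3) body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def certificate_msg(certs):
    """Certificate message: 3-byte chain length, then 3-byte-prefixed DER blobs."""
    chain = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    return handshake(HS_CERTIFICATE, len(chain).to_bytes(3, "big") + chain)

def seal(plaintext):
    """Toy XOR keystream standing in for the record cipher (NOT real TLS encryption)."""
    key = hashlib.sha256(b"constructed toy keystream").digest()
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(plaintext))

def iter_handshake(body):
    off = 0
    while off + 4 <= len(body):
        mlen = int.from_bytes(body[off + 1:off + 4], "big")
        yield body[off], body[off + 4:off + 4 + mlen]
        off += 4 + mlen

def parse_certificate(body):
    total, off, certs = int.from_bytes(body[:3], "big"), 3, []
    while off < 3 + total:
        clen = int.from_bytes(body[off:off + 3], "big")
        certs.append(body[off + 3:off + 3 + clen])
        off += 3 + clen
    return certs

def eavesdrop(records):
    """Passive observer over (direction, record) pairs: parse a direction's
    records until its ChangeCipherSpec goes by, then only count them as opaque."""
    encrypted = {"c2s": False, "s2c": False}
    seen = {"handshake": [], "certs": {"c2s": [], "s2c": []}, "opaque": 0}
    for direction, rec in records:
        ct, body = rec[0], rec[5:5 + struct.unpack("!H", rec[3:5])[0]]
        if encrypted[direction]:
            seen["opaque"] += 1  # only record type and length remain visible
        elif ct == CT_CHANGE_CIPHER_SPEC:
            encrypted[direction] = True
        elif ct == CT_HANDSHAKE:
            for mtype, mbody in iter_handshake(body):
                seen["handshake"].append((direction, mtype))
                if mtype == HS_CERTIFICATE:
                    seen["certs"][direction].extend(parse_certificate(mbody))
    return seen

def server_flight():
    return (handshake(HS_SERVER_HELLO, TLS12 + b"\x00" * 32)
            + certificate_msg([SERVER_CERT]) + handshake(HS_SERVER_HELLO_DONE, b""))

def client_flight(with_cert):
    msgs = certificate_msg([CLIENT_CERT]) if with_cert else b""
    msgs += handshake(HS_CLIENT_KEY_EXCHANGE, b"\x00" * 32)
    return msgs + (handshake(HS_CERTIFICATE_VERIFY, b"\x00" * 16) if with_cert else b"")

def full_handshake(with_client_cert, wrap=lambda b: b):
    """One complete handshake. `wrap` is applied to every record body except
    Finished (always under the new keys); wrap=seal models a handshake that is
    carried inside an already-encrypted channel, i.e. a renegotiation."""
    fin = seal(handshake(HS_FINISHED, b"\x00" * 12))
    return [
        ("c2s", record(CT_HANDSHAKE, wrap(handshake(HS_CLIENT_HELLO, TLS12 + b"\x00" * 32)))),
        ("s2c", record(CT_HANDSHAKE, wrap(server_flight()))),
        ("c2s", record(CT_HANDSHAKE, wrap(client_flight(with_client_cert)))),
        ("c2s", record(CT_CHANGE_CIPHER_SPEC, wrap(b"\x01"))),
        ("c2s", record(CT_HANDSHAKE, fin)),
        ("s2c", record(CT_CHANGE_CIPHER_SPEC, wrap(b"\x01"))),
        ("s2c", record(CT_HANDSHAKE, fin)),
    ]

def anonymous_then_renegotiate():
    """Anonymous outer handshake, then the cert-bearing handshake renegotiated
    inside the established channel (every inner record body is sealed)."""
    return full_handshake(with_client_cert=False) + full_handshake(True, wrap=seal)

def wire_bytes(records):
    return b"".join(rec for _, rec in records)
```

Run `eavesdrop(full_handshake(True))` and `eavesdrop(anonymous_then_renegotiate())` side by side: in the first, the observer recovers both the server's and the client's certificate from the clear-text Certificate messages; in the second, it still recovers the server's certificate from the outer handshake (the leak Daniel says TLS cannot avoid) but sees only the anonymous ClientHello and ClientKeyExchange from the client, and the client's certificate bytes never appear on the wire in the clear. Two caveats a practitioner should keep in mind: the inner handshake still costs an extra set of round-trips and leaves record types and lengths visible, which is enough for traffic analysis even though the contents are hidden; and renegotiation must be done with the secure-renegotiation extension (RFC 5746) that the outer ClientHello advertises, otherwise the inner handshake is the classic renegotiation-splicing target.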
