[Freedombox-discuss] TLS handshake client credential/identity exposure

Michael Rogers michael at briarproject.org
Sat Jan 12 21:49:41 UTC 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/01/13 20:02, Daniel Kahn Gillmor wrote:
> If i'm understanding things properly, the server's initial
> certificate (offered during the first handshake) needs to be
> something that the client can use to verify the identity of the
> remote server, without the client proving its identity to the
> server.  As a consequence, even if you manage to encrypt the entire
> handshake in something like an anon-DH exchange, it will be
> available to anyone making a request.  So while an adversary might
> not be able to effectively snoop on the specific connection,
> they'll be able to initiate a connection to the server and get the
> certificate.

I think your analysis is spot on - sooner or later, a persistent
adversary will start handshaking with servers to see what they reveal
after the first handshake.

But even so, if the implementation burden's not too great, I think it
might be worth raising the bar by implementing a double handshake -
because as with Tor, there will be some adversaries who are willing to
run a simple regex over plaintext traffic but who aren't willing to
MITM every TLS handshake or probe every server that receives TLS
connections.

Cheers,
Michael

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJQ8dp0AAoJEBEET9GfxSfMggkIAJKFfgpTkPfeWWvGTKtQEN9J
YT7o3mGVQO1ym0m73Tj4OVnIp/UkoMj5CFo7H9RL0Vxe5Urrt5mCJ0TFHqdWuaDf
NQLtsE6VOrj/jRABbg571SB2FDq5ox86eHUIICCgMdEj0CyBPoq5Hv1lMkYWyksr
gofr2UqjBefZnDLbUBpd5vhWxaPtRzdbO8hMTAuCDxrYZKgPyK7n5rFUcxsdz5QY
3LuMBP9isegM1X5+Nxn33ALo7OL7nufo1pkibA5jWrA6c39nv1Pb3+sszGaM6j2r
cbwxSIz99T+V0+B9qlbwhqbZbMAO21WRLGlRLi8I1NuT1YcWK6+h/lwYybX/F+I=
=ez6A
-----END PGP SIGNATURE-----
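The trade-off the two messages above describe (a passive observer running a regex over plaintext traffic versus an active prober who simply performs its own handshake) can be made concrete by modelling the TLS 1.2 record layer. The script below is an added example, not code from the original thread or from FreedomBox: it builds two constructed message flows, an ordinary TLS 1.2 handshake and a "double handshake" in which an anonymous DH exchange comes first and the certificate-carrying handshake is renegotiated inside the encrypted session, and then reports which handshake messages a passive observer can read. The certificate is a placeholder byte string, not real DER, and no cryptography is performed; the "encrypted" fragments are zero-filled stand-ins of the right length.

```python
"""Added example: which TLS 1.2 handshake messages a passive observer can read.

Models TLSPlaintext records and Handshake messages (RFC 5246 framing only).
All flows and the 'certificate' are constructed for illustration.
"""
import struct

HANDSHAKE, CHANGE_CIPHER_SPEC = 22, 20
HS_NAMES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
            12: "ServerKeyExchange", 14: "ServerHelloDone",
            16: "ClientKeyExchange", 20: "Finished"}
FAKE_CERT = b"CONSTRUCTED-PLACEHOLDER-NOT-REAL-DER"   # stand-in for a DER cert


def tls_record(content_type, fragment):
    """TLSPlaintext: type(1) version(2) length(2) fragment; version fixed to TLS 1.2."""
    return bytes([content_type]) + b"\x03\x03" + struct.pack(">H", len(fragment)) + fragment


def handshake_msg(hs_type, body):
    """Handshake: msg_type(1) length(3) body."""
    return bytes([hs_type]) + len(body).to_bytes(3, "big") + body


def certificate_msg(der_certs):
    """Certificate body: 3-byte list length, then 3-byte-length-prefixed DER blobs."""
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in der_certs)
    return handshake_msg(11, len(entries).to_bytes(3, "big") + entries)


def parse_certificate_list(body):
    total, out, p = int.from_bytes(body[:3], "big"), [], 3
    while p < 3 + total:
        n = int.from_bytes(body[p:p + 3], "big")
        out.append(body[p + 3:p + 3 + n])
        p += 3 + n
    return out


def opaque(n):
    """Stand-in for an encrypted fragment: the observer learns only its length."""
    return b"\x00" * n


def observe(flows):
    """flows: list of (sender, record_bytes) in wire order, sender in {'C', 'S'}.

    Returns (handshake names readable in the clear, certificates readable in
    the clear).  After a sender's ChangeCipherSpec its records are ciphertext
    to the observer, so they are skipped; a handshake renegotiated inside an
    encrypted session therefore never exposes its Certificate message."""
    encrypted = {"C": False, "S": False}
    visible, certs = [], []
    for sender, data in flows:
        pos = 0
        while pos < len(data):
            ctype = data[pos]
            length = struct.unpack(">H", data[pos + 3:pos + 5])[0]
            frag = data[pos + 5:pos + 5 + length]
            pos += 5 + length
            if encrypted[sender]:
                continue                      # ciphertext: nothing to parse
            if ctype == CHANGE_CIPHER_SPEC:
                encrypted[sender] = True
            elif ctype == HANDSHAKE:
                hpos = 0
                while hpos < len(frag):
                    hs_type = frag[hpos]
                    hlen = int.from_bytes(frag[hpos + 1:hpos + 4], "big")
                    body = frag[hpos + 4:hpos + 4 + hlen]
                    hpos += 4 + hlen
                    visible.append(HS_NAMES.get(hs_type, f"type{hs_type}"))
                    if hs_type == 11:
                        certs.extend(parse_certificate_list(body))
    return visible, certs


def single_handshake():
    """Ordinary TLS 1.2: the server Certificate travels in the clear."""
    return [
        ("C", tls_record(HANDSHAKE, handshake_msg(1, b"client-hello-body"))),
        ("S", tls_record(HANDSHAKE, handshake_msg(2, b"server-hello-body")
                         + certificate_msg([FAKE_CERT]) + handshake_msg(14, b""))),
        ("C", tls_record(HANDSHAKE, handshake_msg(16, b"client-kx"))
              + tls_record(CHANGE_CIPHER_SPEC, b"\x01")
              + tls_record(HANDSHAKE, opaque(40))),          # encrypted Finished
        ("S", tls_record(CHANGE_CIPHER_SPEC, b"\x01") + tls_record(HANDSHAKE, opaque(40))),
    ]


def double_handshake():
    """Anonymous DH first, then the authenticated handshake renegotiated under encryption."""
    first = [
        ("C", tls_record(HANDSHAKE, handshake_msg(1, b"client-hello-body"))),
        ("S", tls_record(HANDSHAKE, handshake_msg(2, b"server-hello-body")
                         + handshake_msg(12, b"anon-dh-params") + handshake_msg(14, b""))),
        ("C", tls_record(HANDSHAKE, handshake_msg(16, b"client-kx"))
              + tls_record(CHANGE_CIPHER_SPEC, b"\x01")
              + tls_record(HANDSHAKE, opaque(40))),
        ("S", tls_record(CHANGE_CIPHER_SPEC, b"\x01") + tls_record(HANDSHAKE, opaque(40))),
    ]
    # Same messages as single_handshake(), but now every record is ciphertext.
    second = [(who, tls_record(HANDSHAKE, opaque(len(rec)))) for who, rec in single_handshake()]
    return first + second


if __name__ == "__main__":
    for name, flow in (("single", single_handshake()), ("double", double_handshake())):
        seen, certs = observe(flow)
        print(f"{name:6s} visible={seen} certs_in_clear={len(certs)}")
```

Running it shows `Certificate` among the plaintext messages of the single handshake (with the placeholder certificate recoverable byte-for-byte) and absent from the double handshake, where the observer sees only the anonymous exchange followed by opaque records. That is exactly the bar Michael describes: it defeats the regex-over-plaintext observer, but an adversary willing to open its own connection still receives the certificate in its own first handshake, which is Daniel's point. Note that TLS 1.3 later moved the Certificate message under encryption as a matter of course, so the passive-observer half of this concern is addressed by the protocol itself on modern stacks; the active-probe half is not.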
