[Freedombox-discuss] TLS handshake client credential/identity exposure [was: Re: Software as Data, Transformation as a Service]

Michael Rogers michael at briarproject.org
Thu Jan 10 17:57:04 UTC 2013



Hi Daniel,

On 10/01/13 17:15, Daniel Kahn Gillmor wrote:
> I agree that this is a problem, but it's an issue with the TLS 
> handshake more generally, not with NullSignatureUseOpenPGP -- TLS
> is guaranteed to leak the proposed certificate of the server, and
> the current handshake leaks the certificate of the client (and all
> other TLS extensions), even to a passive eavesdropper.

Yup, sorry if I implied this was NullSignatureUseOpenPGP's problem
rather than TLS's - but pragmatically speaking, if we wait for the
IETF to standardise a fix and everyone to deploy it, we'll be waiting
in our graves. :-)

> There is a way to avoid the leak entirely within the current TLS
> spec, though!  But it requires server and client to cooperate, and
> it adds an additional set of round-trips to session setup.  It
> looks like this:
> 
> 0) initial handshake happens with client providing no interesting 
> information beyond the secure-renegotiation extension.
> 
> 1) immediately after initial handshake completes successfully, the 
> session is renegotiated over the established channel.  In this 
> renegotiated handshake, the client can be confident that the server
> is who they expect it to be, and this "inner" handshake is
> protected from eavesdropping because it's negotiated within the
> encrypted outer channel.
> 
> does this make sense?

It does! Is that what Tor does to avoid being blocked? Or does Tor
just rely on self-signed certs being common enough to avoid attracting
attention?

> Note that the NullSignatureUseOpenPGP extension is an X.509
> extension, not a TLS extension.  From the TLS point of view, the
> certs passed are just X.509 certificates, and no signalling is
> given in the TLS handshake itself to indicate which kind of
> certificates are preferred.

In that case, could the certs be formatted like ordinary self-signed
X.509 certs? Or is it not possible to generate the appropriate
self-signature using a PGP key?

Cheers,
Michael


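The leak Daniel describes, shown from the passive eavesdropper's side as an added Python example (not code from this thread or from any project named in it): a minimal parser for TLS 1.2 record and handshake framing pulls every Certificate message out of the cleartext outer handshake (step 0), while the renegotiated inner handshake (step 1) arrives in encrypted records that do not parse. The sample bytes, including the placeholder "certificate", are constructed inline and are not a real capture.

```python
import struct

HANDSHAKE, CERTIFICATE = 22, 11  # TLS record content type and handshake message type

def parse_records(data):
    """Split a captured byte stream into (content_type, version, payload) TLS records."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, ver, length = struct.unpack("!BHH", data[off:off + 5])
        payload = data[off + 5:off + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated TLS record")
        records.append((ctype, ver, payload))
        off += 5 + length
    return records

def certificates_in_cleartext(data):
    """DER blobs a passive eavesdropper can read: Certificate messages inside
    unencrypted handshake records. A renegotiation handshake is carried in
    records of the same content type but encrypted, so it does not parse."""
    certs = []
    for ctype, _, payload in parse_records(data):
        if ctype != HANDSHAKE:
            continue
        off = 0
        while off + 4 <= len(payload):
            htype = payload[off]
            hlen = int.from_bytes(payload[off + 1:off + 4], "big")
            body = payload[off + 4:off + 4 + hlen]
            if len(body) != hlen:
                break  # lengths do not add up: ciphertext, not a readable handshake
            if htype == CERTIFICATE:
                total, p = int.from_bytes(body[:3], "big"), 3
                while p + 3 <= 3 + total:
                    clen = int.from_bytes(body[p:p + 3], "big")
                    certs.append(body[p + 3:p + 3 + clen])
                    p += 3 + clen
            off += 4 + hlen
    return certs

# Constructed sample traffic, not a real capture.
def handshake_record(htype, body):
    hs = bytes([htype]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 3, 3]) + len(hs).to_bytes(2, "big") + hs

CLIENT_CERT = b"\x30\x0cplaceholder"  # stands in for the client's DER certificate
CERT_MSG = (3 + len(CLIENT_CERT)).to_bytes(3, "big") + len(CLIENT_CERT).to_bytes(3, "big") + CLIENT_CERT
OUTER = handshake_record(1, b"\x03\x03" + bytes(32)) + handshake_record(CERTIFICATE, CERT_MSG)  # step 0, cleartext
INNER = bytes([HANDSHAKE, 3, 3, 0, 40]) + bytes(range(200, 240))  # step 1: renegotiation, stand-in ciphertext
```

`certificates_in_cleartext(OUTER)` returns the client certificate bytes, `certificates_in_cleartext(INNER)` returns nothing, which is the whole point of moving the client's credential into the renegotiated handshake.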


