Home Explore Help
Sign In
sengler
/
tor-parallel-relay-conn
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 2c221e923b
Branches Tags
tor-parallel...
/
doc
/
spec
/
proposals
/
106-less-tls-constraint.txt

106-less-tls-constraint.txt 4.1 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113 
  1. Filename: 106-less-tls-constraint.txt
    2. 

  2. Title: Checking fewer things during TLS handshakes
    3. 

  3. Version: $Revision$
    4. 

  4. Last-Modified: $Date$
    5. 

  5. Author: Nick Mathewson
    6. 

  6. Created: 9-Feb-2007
    7. 

  7. Status: Closed
    8. 

  8. Implemented-In: 0.2.0.x
    9. 

  9. 

  10. Overview:
    11. 

  11. 

  12.     This document proposes that we relax our requirements on the context of
    13. 

  13.     X.509 certificates during initial TLS handshakes.
    14. 

  14. 

  15. Motivation:
    16. 

  16. 

  17.     Later, we want to try harder to avoid protocol fingerprinting attacks.
    18. 

  18.     This means that we'll need to make our connection handshake look closer
    19. 

  19.     to a regular HTTPS connection: one certificate on the server side and
    20. 

  20.     zero certificates on the client side.  For now, about the best we
    21. 

  21.     can do is to stop requiring things during handshake that we don't
    22. 

  22.     actually use.
    23. 

  23. 

  24. What we check now, and where we check it:
    25. 

  25. 

  26.  tor_tls_check_lifetime:
    27. 

  27.     peer has certificate
    28. 

  28.     notBefore <= now <= notAfter
    29. 

  29. 

  30.  tor_tls_verify:
    31. 

  31.     peer has at least one certificate
    32. 

  32.     There is at least one certificate in the chain
    33. 

  33.     At least one of the certificates in the chain is not the one used to
    34. 

  34.         negotiate the connection.  (The "identity cert".)
    35. 

  35.     The certificate _not_ used to negotiate the connection has signed the
    36. 

  36.         link cert
    37. 

  37. 

  38.  tor_tls_get_peer_cert_nickname:
    39. 

  39.     peer has a certificate.
    40. 

  40.     certificate has a subjectName.
    41. 

  41.     subjectName has a commonName.
    42. 

  42.     commonName consists only of characters in LEGAL_NICKNAME_CHARACTERS. [2]
    43. 

  43. 

  44.  tor_tls_peer_has_cert:
    45. 

  45.     peer has a certificate.
    46. 

  46. 

  47.  connection_or_check_valid_handshake:
    48. 

  48.     tor_tls_peer_has_cert [1]
    49. 

  49.     tor_tls_get_peer_cert_nickname [1]
    50. 

  50.     tor_tls_verify [1]
    51. 

  51.     If nickname in cert is a known, named router, then its identity digest
    52. 

  52.         must be as expected.
    53. 

  53.     If we initiated the connection, then we got the identity digest we
    54. 

  54.         expected.
    55. 

  55. 

  56.  USEFUL THINGS WE COULD DO:
    57. 

  57. 

  58.  [1] We could just not force clients to have any certificate at all, let alone
    59. 

  59.      an identity certificate.  Internally to the code, we could assign the
    60. 

  60.      identity_digest field of these or_connections to a random number, or even
    61. 

  61.      not add them to the identity_digest->or_conn map.
    62. 

  62.  [so if somebody connects with no certs, we let them. and mark them as
    63. 

  63.  a client and don't treat them as a server. great. -rd]
    64. 

  64. 

  65.  [2] Instead of using a restricted nickname character set that makes our
    66. 

  66.      commonName structure look unlike typical SSL certificates, we could treat
    67. 

  67.      the nickname as extending from the start of the commonName up to but not
    68. 

  68.      including the first non-nickname character.
    69. 

  69. 

  70.      Alternatively, we could stop checking commonNames entirely.  We don't
    71. 

  71.      actually _do_ anything based on the nickname in the certificate, so
    72. 

  72.      there's really no harm in letting every router have any commonName it
    73. 

  73.      wants.
    74. 

  74.  [this is the better choice -rd]
    75. 

  75.  [agreed. -nm]
    76. 

  76. 

  77. REMAINING WAYS TO RECOGNIZE CLIENT->SERVER CONNECTIONS:
    78. 

  78. 

  79.  Assuming that we removed the above requirements, we could then (in a later
    80. 

  80.  release) have clients not send certificates, and sometimes and started
    81. 

  81.  making our DNs a little less formulaic, client->server OR connections would
    82. 

  82.  still be recognizable by:
    83. 

  83.     having a two-certificate chain sent by the server
    84. 

  84.     using a particular set of ciphersuites
    85. 

  85.     traffic patterns
    86. 

  86.     probing the server later
    87. 

  87. 

  88. OTHER IMPLICATIONS:
    89. 

  89. 

  90.  If we stop verifying the above requirements:
    91. 

  91. 

  92.     It will be slightly (but only slightly) more common to connect to a non-Tor
    93. 

  93.     server running TLS, and believe that you're talking to a Tor server (until
    94. 

  94.     you send the first cell).
    95. 

  95. 

  96.     It will be far easier for non-Tor SSL clients to accidentally connect to
    97. 

  97.     Tor servers and speak HTTPS or whatever to them.
    98. 

  98. 

  99.  If, in a later release, we have clients not send certificates, and we make
    100. 

  100.  DNs less recognizable:
    101. 

  101. 

  102.     If clients don't send certs, servers don't need to verify them: win!
    103. 

  103. 

  104.     If we remove these restrictions, it will be easier for people to write
    105. 

  105.     clients to fuzz our protocol: sorta win!
    106. 

  106. 

  107.     If clients don't send certs, they look slightly less like servers.
    108. 

  108. 

  109. OTHER SPEC CHANGES:
    110. 

  110. 

  111.  When a client doesn't give us an identity, we should never extend any
    112. 

  112.  circuits to it (duh), and we should allow it to set circuit ID however it
    113. 

  113.  wants.
    114.