On Sat, 04 Jun 2011 12:37:14 +0200
tagnaq <[email protected]> wrote:

> >> Someone running this (SSLObservatorySubmission) in a non-public network
> >> (i.e. an internal corporate network) with Internet access will probably
> >> disclose internal hostnames including IP addresses, if that is the case
> >> I would identify this as an issue. What do you think about it?
> >
> > We're going to try really hard to avoid this by default. See the first
> > two options in the client UI section under "advanced options":
> > https://trac.torproject.org/projects/tor/wiki/HTTPSEverywhere/SSLObservatorySubmission#ClientUIandconfigurationVariables
>
> These two options will prevent disclosure in many scenarios but I don't
> think it will avoid the problem in a common scenario (internal hosts use
> a valid FQDN and a valid cert).
>
> IP address and hostname (and cert.) of intranet-server1.example.com
> using a valid certificate *.example.com will be published even if the
> first two options in the "advanced options" are enabled. Is that correct?
> In such scenarios I'm not worried about the certificate being submitted
> but the hostname and IP address (domain and server_ip arguments).
>
>
> I'm not sure if I understand "private DNS domains" correctly.
> "[x] Do not check/submit certificates for private DNS domains"
>
> Are private DNS domains just non-existing TLDs? Something like
> "foobar.localnet"?

My understanding was that EFF would query DNS for a hostname, and if
the hostname does not exist, assume that it's private. (This should
scare you even more.)

Robert Ransom
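A local pre-submission check for the scenario raised in this message (a valid FQDN such as intranet-server1.example.com served from an internal address), added here as an example and not taken from HTTPS Everywhere or the SSL Observatory. The function names, the suffix list and the sample addresses are assumptions; the decision uses only the domain and server_ip values the client already holds, so no DNS query about the hostname leaves the machine.

```javascript
// Added example, not HTTPS Everywhere code. shouldSubmit(), isPrivateAddress()
// and the suffix list are hypothetical; all addresses used are constructed samples.
const PRIVATE_SUFFIXES = ["local", "localhost", "localnet", "test", "invalid"];

// Parse a dotted-quad IPv4 address into an unsigned 32-bit integer, or null.
function ipv4ToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// Private, loopback and link-local IPv4 ranges as [network, prefix length].
const V4_PRIVATE = [
  ["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["127.0.0.0", 8], ["169.254.0.0", 16],
];

function isPrivateAddress(ip) {
  const n = ipv4ToInt(ip);
  if (n !== null) {
    return V4_PRIVATE.some(([net, len]) => {
      const mask = (0xffffffff << (32 - len)) >>> 0;
      return ((n & mask) >>> 0) === ipv4ToInt(net);
    });
  }
  const v6 = ip.toLowerCase();
  if (!v6.includes(":")) return true; // not an IP at all: fail closed
  // IPv6 loopback, unique local (fc00::/7) and link-local (fe80::/10).
  return v6 === "::1" || /^f[cd][0-9a-f]{2}:/.test(v6) || /^fe[89ab][0-9a-f]:/.test(v6);
}

// Decide locally whether the (domain, server_ip) pair may be submitted.
function shouldSubmit(domain, serverIp) {
  const labels = domain.toLowerCase().replace(/\.$/, "").split(".");
  if (labels.length < 2) return { submit: false, reason: "unqualified hostname" };
  if (PRIVATE_SUFFIXES.includes(labels[labels.length - 1]))
    return { submit: false, reason: "private DNS suffix" };
  if (isPrivateAddress(serverIp))
    return { submit: false, reason: "non-public server address" };
  return { submit: true, reason: "public name and address" };
}
```

An internal host with a valid FQDN on a publicly routable address still passes this check, so it narrows the exposure rather than closing it.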
