[cryptography] Client certificates, Tor-exit nodes and renegotiation

Guido Witmond guido at witmond.nl
Fri Mar 14 11:40:35 EDT 2014

Dear all,

I have a question regarding TLS, client certificates and Tor Exit nodes.

Am I correct in my assumption that when a client connects to a
TLS-server, both the server and client certificate are passed in
clear-text (clear enough) to the other end before the certificates are
validated and the secured connection gets established?

If so, does it mean that using client certificates over Tor allows every
exit node and system on-route to the server to learn both the
client-certificate and the end-point, defeating the purpose of Tor?

Is TLS-renegotiation, where the client connects anonymously to the
server, validates the server certificate, sets up the secured connection
and only then offers to send the client certificate, sufficient to make
client certificates safe to use over Tor?

Or are there more pitfalls to expect with client certificates and Tor?

With regards,
Guido Witmond.
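To make the question concrete, here is an added illustration (not part of the original post) that walks constructed TLS 1.2 record streams for the two cases asked about: the client certificate sent during the initial handshake, and the certificate sent only in a renegotiation running under the already-established keys. It simplifies the wire format (fixed version bytes, a placeholder in place of DER certificate bytes, and only the client-to-server direction is modelled), which is enough to show what a passive on-path observer such as an exit node can read.

```python
import struct

HANDSHAKE, CHANGE_CIPHER_SPEC = 22, 20          # TLS record content types
HS_NAMES = {1: "ClientHello", 11: "Certificate", 15: "CertificateVerify",
            16: "ClientKeyExchange", 20: "Finished"}

def record(ctype, body):
    """TLS 1.2 record: content type, version 3.3, 16-bit length, body."""
    return bytes([ctype, 3, 3]) + struct.pack("!H", len(body)) + body

def handshake(hs_type, body=b""):
    """Handshake message: 1-byte type, 24-bit length, body."""
    return bytes([hs_type]) + len(body).to_bytes(3, "big") + body

def observe(stream):
    """Walk one direction of traffic (client -> server) as a passive observer.
    Returns (message name, encrypted) pairs; every record after the sender's
    ChangeCipherSpec is opaque to the observer, so only its presence is noted."""
    seen, encrypted, i = [], False, 0
    while i < len(stream):
        ctype, _, _, length = struct.unpack("!BBBH", stream[i:i + 5])
        body, i = stream[i + 5:i + 5 + length], i + 5 + length
        if encrypted:
            seen.append(("<encrypted record>", True))
        elif ctype == CHANGE_CIPHER_SPEC:
            encrypted = True
        elif ctype == HANDSHAKE:
            j = 0
            while j < len(body):                 # one record may carry several messages
                hs_len = int.from_bytes(body[j + 1:j + 4], "big")
                seen.append((HS_NAMES.get(body[j], "?"), False))
                j += 4 + hs_len
    return seen

def plaintext_certificates(stream):
    """Number of Certificate messages the observer can read in the clear."""
    return sum(1 for name, enc in observe(stream) if name == "Certificate" and not enc)

FAKE_CERT = b"constructed placeholder, not real DER"   # constructed sample bytes

# Scenario 1: client certificate sent in the initial (plaintext) handshake.
INITIAL_WITH_CERT = (record(HANDSHAKE, handshake(1))
                     + record(HANDSHAKE, handshake(11, FAKE_CERT) + handshake(16) + handshake(15))
                     + record(CHANGE_CIPHER_SPEC, b"\x01")
                     + record(HANDSHAKE, handshake(20)))

# Scenario 2: anonymous initial handshake; the certificate is only sent in a
# renegotiation, whose records are protected by the first session's keys.
RENEGOTIATED = (record(HANDSHAKE, handshake(1)) + record(HANDSHAKE, handshake(16))
                + record(CHANGE_CIPHER_SPEC, b"\x01") + record(HANDSHAKE, handshake(20))
                + record(HANDSHAKE, handshake(1))
                + record(HANDSHAKE, handshake(11, FAKE_CERT) + handshake(16) + handshake(15)))
```

In TLS 1.2 and earlier the Certificate message stays in the clear until the sender's ChangeCipherSpec, which is what the first scenario shows; TLS 1.3 encrypts the certificate messages after ServerHello, so the exposure asked about is specific to the older protocol versions.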

