[cryptography] Client certificates, Tor-exit nodes and renegotiation

Tom Ritter tom at ritter.vg
Fri Mar 14 12:48:11 EDT 2014


On 14 March 2014 08:40, Guido Witmond <guido at witmond.nl> wrote:
> Dear all,
>
> I have a question regarding TLS, client certificates and Tor Exit nodes.
>
> Am I correct in my assumption that when a client connects to a
> TLS-server, both the server and client certificate are passed in
> clear-text (clear enough) to the other end before the certificates are
> validated and the secured connection gets established?
>
> If so, does it mean that using client certificates over Tor allows every
> exit node and system on-route to the server to learn both the
> client-certificate and the end-point, defeating the purpose of Tor?
>
> Is TLS-renegotiation, where the client connects anonymously to the
> server, validates the server certificate, sets up the secured connection
> and only then offers to send the client certificate, sufficient to make
> client certificates safe to use over Tor?
>
> Or are there more pitfalls to expect with client certificates and Tor?



This might be more appropriate for tor-users or tor-dev, but I'll give
it a shot.

Yes - sending client certificates over Tor will de-anonymize in the
same way that sending your real name or username over HTTP over Tor
will de-anonymize you.  Personally I consider this a flaw of TLS, not
Tor, which does not protect the client certificate from either a
passive or active adversary.  There were some proposals to move client
certificates further into the handshake, and protect them against a
passive and/or active adversary (depending on proposal) - but they did
not have much traction and then Snowden happened and everyone is
focused on TLS 1.3.

A nit: when you say every "system on-route to the server", I assume
you mean between the exit node and the HTTPS endpoint, in which case
yes. If you mean every Tor intermediate node, then no.

Using TLS-renegotiation to send the client certificate inside an
already-server-authenticated channel seems like it would work to me -
I have not tried doing it with any library.

-tom


More information about the cryptography mailing list