On Wed 2015-06-10 15:07:17 -0400, bancfc wrote:
> The Hidden Service descriptor proposal didn't make sense so we query
> Hidden services directly and extract timestamps from their HTTP headers.
Which hidden service operators do you query? what counts as a
"reputable Onion Site" ? Do those operators know that you're relying on
their HTTP headers?
> At the moment in Whonix, we use reputable Onion Sites exclusively for
> time syncing purposes. The reason we stayed away from clearnet + HTTPS
> is because its almost certain NSA and friends have burrowed their way
> into CAs trusted by browsers. These guys bribe their way into companies
> and deploy field gents to sabotage and steal keys. Its a given that they
> go after CAs. With clearnet SSL being useless, they can manipulate
> system time, or worse, exploit the system if there’s a bug in
> sdwdate/htpdate.
Far be it from me to defend the CA system (i agree that it is broken,
though i'm not convinced that it's broken in the ways you're
describing), but i'm not sure that the solution you're advocating as an
alternative is a significant improvement, given the state of hidden
services and the risk of correlation attacks against their users. Have
you read:
https://conference.hitb.org/hitbsecconf2015ams/sessions/non-hidden-hidden-services-considered-harmful-attacks-and-detection/
If your concern is about malicious CA certifications, why not instead
restrict your https-based date updates to https sites that use HPKP to
protect against attacks from non-pinned CAs? If your concern is attacks
from the pinned CAs, you could add an increased dependence on
certificate-transparency as well, though that would likely take more
engineering effort.
Regards,
--dkg
