Skip to content
GitLab
Closed (moved) (moved)
Created by Roger Dingledine@arma

Different TLS certs for incoming vs outgoing

We should learn to present different TLS certs for incoming connections vs outgoing connections.

The motivating example is bridges. They want to show the same identity to people who connect, yet behave like clients when they connect to other relays (e.g. change keys when they change IP addresses).

(Of course, this change would provide a new way to test for bridges: if a Tor connects to you, connect back and see if the cert is different. But at least that's an active test that requires the bridge to connect to you first. But then, the attack I describe above only kicks in when the bridge connects to you. Hm.)

[Automatically added by flyspray2trac: Operating System: All]

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information