>> Someone running this (SSLObservatorySubmission) in a non-public network
>> (i.e. an internal corporate network) with Internet access will probably
>> disclose internal hostnames including IP addresses, if that is the case
>> I would identify this as an issue. What do you think about it?
>
> We're going to try really hard to avoid this by default. See the first
> two options in the client UI section under "advanced options":
> https://trac.torproject.org/projects/tor/wiki/HTTPSEverywhere/SSLObservatorySubmission#ClientUIandconfigurationVariables

These two options will prevent disclosure in many scenarios but I don't think it will avoid the problem in a common scenario (internal hosts use a valid FQDN and a valid cert).

IP address and hostname (and cert.) of intranet-server1.example.com using a valid certificate *.example.com will be published even if the first two options in the "advanced options" are enabled. Is that correct?

In such scenarios I'm not worried about the certificate being submitted but the hostname and IP address (domain and server_ip arguments).

I'm not sure if I understand "private DNS domains" correctly.

"[x] Do not check/submit certificates for private DNS domains"

Are private DNS domains just non-existing TLDs? Something like "foobar.localnet"?

thanks,
tagnaq
