StreisandEffect / streisand

Streisand sets up a new server running your choice of WireGuard, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, or a Tor bridge. It also generates custom instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.
https://twitter.com/streisandvpn

Randomize gateway HTTPS certificate constants #45

Open psifertex opened 10 years ago

psifertex commented 10 years ago

Since the goal is to enable evasion of blocking firewalls, it would be nice if it weren't so easy to fingerprint Streisand on the network by inspecting the SSL certificates.

If there was a semi-intelligent randomization of the strings (and even maybe some of the values?) in the SSL certificates used for OpenVPN as well as nginx it would make this much harder.

ShenZhouHong commented 10 years ago

Yes, this would be very important. Some countries already use heuristic approaches to internet censorship, and it wouldn't be difficult to monitor for a common pattern in Streisand SSL certificates.

jlund commented 10 years ago

Good idea. We should be able to use the same approach as the generated passwords that are used for the Gateway and elsewhere, i.e., pulling random words from the dictionary.

confider commented 8 years ago

https://www.censys.io/certificates?q=Streisand

nopdotcom commented 6 years ago

When the no-DNS SSL cert stuff gets merged, we'll have a pretty good basis for this.
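
The approach suggested earlier in the thread (random dictionary words for the certificate strings), as an added example that is not part of the thread or of Streisand's code. The word list, the choice of subject fields and the sample subjects are constructed assumptions; `shared_values` shows which attributes stay identical across servers and are therefore usable as a fingerprint.

```python
import secrets

# Constructed sample word list (assumption); a deployment would draw from a
# large dictionary, as the thread describes for the generated passwords.
WORDS = ["amber", "basket", "cedar", "delta", "ember", "falcon", "garnet",
         "harbor", "island", "juniper", "kettle", "lantern", "meadow", "nickel",
         "orchard", "pebble", "quartz", "ribbon", "saddle", "timber"]

FIELDS = ("O", "OU", "CN")  # subject attributes randomized in this example

# Constructed subjects for three servers built from fixed constants: only the
# CN differs, so O and OU are identical on every installation.
FIXED_SAMPLE = [
    {"O": "Example Org", "OU": "Example Unit", "CN": "server-a"},
    {"O": "Example Org", "OU": "Example Unit", "CN": "server-b"},
    {"O": "Example Org", "OU": "Example Unit", "CN": "server-c"},
]


def random_subject(rng=secrets.SystemRandom(), words=WORDS):
    """Build certificate subject attributes from random dictionary words."""
    def pick(n, sep):
        return sep.join(rng.sample(words, n))
    return {"O": pick(2, " ").title(), "OU": pick(1, " ").title(),
            "CN": pick(2, "-")}


def openssl_subj(subject):
    """Format a subject for `openssl req -subj`, escaping '\\' and '/'."""
    def esc(value):
        return value.replace("\\", "\\\\").replace("/", "\\/")
    return "".join(f"/{key}={esc(subject[key])}" for key in FIELDS)


def shared_values(subjects):
    """Return the attributes whose value is the same on every server."""
    first = subjects[0]
    return {k: first[k] for k in FIELDS
            if all(s[k] == first[k] for s in subjects)}


if __name__ == "__main__":
    print("fixed constants leave shared:", shared_values(FIXED_SAMPLE))
    fleet = [random_subject() for _ in range(50)]
    print("randomized fleet leaves shared:", shared_values(fleet))
    print("example -subj argument:", openssl_subj(fleet[0]))
```
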