Holy shit I caught 1

Roger Dingledine arma at mit.edu
Wed Aug 30 07:59:46 UTC 2006


On Wed, Aug 30, 2006 at 02:52:53AM -0500, Shatadal wrote:
> So does that mean that if I am trying to access an SSL enabled account
> (say gmail or yahoo e-mail), the certificate is a spoofed one being
> provided by the rogue tor node and therefore my login name and password
> are therefore being provided in cleartext to the node operator?

Yes, but only if you click "accept" when your Firefox tells you that
somebody is spoofing the site.

I often click accept when a site gives me a bogus certificate, because
I want to see the page anyway -- but if I do I know that I shouldn't
expect any security from the site anymore.

(And if you're using a browser that doesn't give you warnings for
bogus certificates... you should switch. :)

--Roger


