Holy shit I caught 1

Fabian Keil freebsd-listen at fabiankeil.de
Wed Aug 30 11:55:10 UTC 2006


"Marco A. Calamari" <marcoc1 at dada.it> wrote:

> On Wed, 2006-08-30 at 03:59 -0400, Roger Dingledine wrote:
> > On Wed, Aug 30, 2006 at 02:52:53AM -0500, Shatadal wrote:
> > > So does that mean that if I am trying to access an SSL enabled account
> > > (say gmail or yahoo e-mail), the certificate is a spoofed one being
> > > provided by the rogue tor node and therefore my login name and password
> > > are therefore being provided in cleartext to the node operator?
> > 
> > Yes, but only if you click "accept" when your Firefox tells you that
> > somebody is spoofing the site.
> > 
> > I often click accept when a site gives me a bogus certificate, because
> > I want to see the page anyway -- but if I do I know that I shouldn't
> > expect any security from the site anymore.
> > 
> > (And if you're using a browser that doesn't give you warnings for
> > bogus certificates... you should switch. :)
> 
> Just a couple of notes trying to clarify this often over-simplified
>  world of "bogus" or "valid" certificates.

> "bugus" certificates give the impression that are fake
>  certificates; they are self-signed certificates, so are
>  "valid" by definition. Often there is confusion about
>  the "validity" of certificates.
 
> An authentic certificate by a commercial site is
>  normally signed by a commercial certification
>  authority.
> 
> Ending this boring explaination; when the
>  browser open a window about certificates,
>  read it with great attention and triple
>  check the origin if it is self-signed.

How do you triple check a self-signed certificate?
You can check that it is self-signed, but you
don't know if it is self-singed by the website
you want to visit, or self-signed by the man
in the middle.

What do you gain, if you know that the traffic
between you and the man in the middle is secured? 

> Not all self-signed certificates, or certificate
>  signed by a unknow certification authority are fake.

You are better off not trusting them anyway,
especially as a Tor user.

> This is often the case of poor organizations
>  (as, for example, the Winston Smith Project...)

If they can't afford a trustworthy certificate
they should at least make the ssl access optional
or make their stuff accessible through a hidden
service as well.

Generic http to https redirects with self-signed
certificates are a sure way to loose me as a possible
visitor.

If I don't know what kind of information the website
offers, I don't know if it's worth punching a hole
in my Privoxy configuration or to configure another
stunnel. More often then not I just assume that
it isn't.

Fabian
-- 
http://www.fabiankeil.de/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20060830/5c42a1b3/attachment.pgp>


More information about the tor-talk mailing list