end-to-end encryption? SSL? GnuPG?

Lasse Øverlier tor at zone.no
Sat Oct 21 16:11:43 UTC 2006


xiando wrote:
>> The problem is people are extensively using webmail. They can use
>> "mobile" Tor (TorPark), but the problem is the content of the webmail is
>> not encrypted. So they can get anonymity, but not end-to-end encryption
>> (so anonymity is also downgraded).
> 
> I've heard a rumor about this amazing new end-to-end encryption solution for 
> web called SSL. Apparently, it requires the web-server to be configured to 
> support it and if it is then end-to-end encryption can be achieved by going 
> to a URL which begins with https://
> 
> https:// requires paying a Tax to an evil corporation to avoid getting a 
> message complaining about "not trusted" cert, but that only means the root 
> cert is not built into the browser; you can easily make your own cert too; 
> but this requires the users to verify that the cert used matches the 
> fingerprint announced on the website.
> 

Making your own certs doesn't fix this unless you distribute them to all
users offline! (Remember that the HTML-written fingerprint of the
self-signed cert on the web site may as easily be replaced...)

 - Lasse
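
The point in the reply above, modelled as an added example that is not part of the original message: a fingerprint read over the same connection as the certificate still matches after both are replaced in transit, while a fingerprint obtained offline does not. The certificate bytes, the page format and every function name are constructed for illustration, and the model runs entirely on in-memory byte strings.

```python
import hashlib
import hmac
import re

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a certificate's DER bytes, as lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()

def page_for(cert_der: bytes) -> str:
    """Hypothetical site page announcing the fingerprint of its own cert."""
    return f"<p>Our cert fingerprint: {fingerprint(cert_der)}</p>"

def fingerprint_on_page(html: str) -> str:
    """Extract the first 64-hex-digit fingerprint from the page, if any."""
    m = re.search(r"\b[0-9a-f]{64}\b", html)
    return m.group(0) if m else ""

def in_band_check(presented_cert: bytes, html: str) -> bool:
    """Compare the cert with a fingerprint that arrived over the same channel."""
    return hmac.compare_digest(fingerprint(presented_cert), fingerprint_on_page(html))

def pinned_check(presented_cert: bytes, pinned_fp: str) -> bool:
    """Compare the cert with a fingerprint that was distributed offline."""
    return hmac.compare_digest(fingerprint(presented_cert), pinned_fp)

def replaced_in_transit(cert: bytes, html: str, substitute: bytes):
    """Model of the path swapping the cert and rewriting the page to match."""
    return substitute, html.replace(fingerprint(cert), fingerprint(substitute))

# Constructed stand-ins for DER-encoded certificates (not real certs).
SITE_CERT = b"constructed-site-certificate-der"
OTHER_CERT = b"constructed-substitute-certificate-der"
# Assumption: this value reached the user offline (paper, phone, in person).
PINNED = fingerprint(SITE_CERT)

def run() -> dict:
    direct = (SITE_CERT, page_for(SITE_CERT))
    tampered = replaced_in_transit(*direct, OTHER_CERT)
    return {
        "direct_in_band": in_band_check(*direct),
        "tampered_in_band": in_band_check(*tampered),  # passes: check is blind
        "direct_pinned": pinned_check(direct[0], PINNED),
        "tampered_pinned": pinned_check(tampered[0], PINNED),  # fails: detected
    }

if __name__ == "__main__":
    for name, ok in run().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```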



More information about the tor-talk mailing list