Holy shit I caught 1
Mike Perry
mikepery at fscked.org
Sat Sep 2 22:21:56 UTC 2006
Thus spake Roger Dingledine (arma at mit.edu):
> On Wed, Aug 30, 2006 at 02:52:53AM -0500, Shatadal wrote:
> > So does that mean that if I am trying to access an SSL enabled account
> > (say gmail or yahoo e-mail), the certificate is a spoofed one being
> > provided by the rogue tor node and therefore my login name and password
> > are therefore being provided in cleartext to the node operator?
>
> Yes, but only if you click "accept" when your Firefox tells you that
> somebody is spoofing the site.
>
> I often click accept when a site gives me a bogus certificate, because
> I want to see the page anyway -- but if I do I know that I shouldn't
> expect any security from the site anymore.
>
> (And if you're using a browser that doesn't give you warnings for
> bogus certificates... you should switch. :)
There is another subtle problem with this. For sites that provide the
login form via plain http and then submit via https, a MITM can
rewrite the POST form to submit anywhere they have a "valid" CA-signed
cert (which as we've established costs the attacker $25 and a pay
phone #). Since this submission can go to ANY domain, it's much easier
to spoof a valid cert this way without a browser warning.
It's scary just how many banks, email providers (yahoo), and other
sites try to make things "easier" by providing the login on their
front (non-https) page. Trial by fire...
You should only use login forms on https pages. Especially via Tor.
--
Mike Perry
Mad Computer Scientist
fscked.org evil labs
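The check below is an added example, not code from the thread or from the Tor project. It audits HTML pages for the situation Mike describes: a form containing a password field that is served from a non-HTTPS page (so an on-path attacker can rewrite it before the user ever sees it), or whose action submits to a host other than the page's own. The URLs and HTML are constructed samples using reserved .test names; the third sample shows the form as a victim's browser would receive it after the action has been rewritten, which is what the host mismatch finding is meant to catch.

```python
"""Flag login forms exposed to the plaintext-page MITM described above.

Added example (not from the tor-talk thread).  Findings reported per form
that contains a password field:
  * the page carrying the form is not served over HTTPS
  * the form action is not HTTPS
  * the form action points at a different host than the page
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Record each <form>, its action, and whether it has a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html):
    """Return a list of (finding, resolved_action_url) for every password form."""
    parser = _FormCollector()
    parser.feed(html)
    page = urlsplit(page_url)
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue  # search boxes etc. carry no credentials
        action = urljoin(page_url, form["action"])  # empty action posts to the page itself
        target = urlsplit(action)
        if page.scheme != "https":
            findings.append(("login form served over plaintext page", action))
        if target.scheme != "https":
            findings.append(("login form submits over plaintext", action))
        if target.hostname != page.hostname:
            findings.append(("login form submits to a different host", action))
    return findings


# Constructed samples (reserved .test domains, not real sites).
SAFE_URL = "https://mail.example.test/login"
SAFE_HTML = """<html><body>
<form method="post" action="/auth">
  <input name="user"><input type="password" name="pass">
</form></body></html>"""

# Front page served over http, login form posts to the site's own https endpoint.
RISKY_URL = "http://www.example-bank.test/"
RISKY_HTML = """<html><body>
<form method="get" action="/search"><input name="q"></form>
<form method="post" action="https://www.example-bank.test/login">
  <input name="user"><input type="password" name="pass">
</form></body></html>"""

# Same front page as a victim's browser might receive it after an on-path
# rewrite of the action (hypothetical host, chosen for the example).
REWRITTEN_HTML = RISKY_HTML.replace(
    "https://www.example-bank.test/login", "https://login-mirror.example.test/session"
)

if __name__ == "__main__":
    for label, url, html in [("safe", SAFE_URL, SAFE_HTML),
                             ("http front page", RISKY_URL, RISKY_HTML),
                             ("rewritten form", RISKY_URL, REWRITTEN_HTML)]:
        print(label, audit_login_forms(url, html))
```

Note that the second sample is flagged even though its action is HTTPS and on the right host: the weakness is that the form arrived over plaintext, so nothing stops it from being changed in transit. That is the condition the advice above ("only use login forms on https pages") addresses, and it cannot be detected by looking at the action URL alone.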