Moxie Marlinspike
Erilenz
erilenz at gmail.com
Thu Feb 19 12:17:04 UTC 2009

http://blog.internetnews.com/skerner/2009/02/black-hat-hacking-ssl-with-ssl.html
There's nothing in there that we didn't already know was possible, and I realise
it's not a Tor specific flaw. I just read this paragraph and thought I'd pass it
on here:
"Marlinspike also claimed that in a limited 24 hour test case running on the
anonymous TOR network (and without actually keeping any personally identifiable
information) he intercepted 114 yahoo logins, 50 gmail logins, 9 paypal, 9
linkedin and 3 facebook. So apparently the tool works - and works well."
Lots of people simply don't know how to use Tor safely.
I wonder if something could/should be built into TorButton to force a list of
commonly used services to go entirely over https? E.g. any request for
^http://mail\.google\.com/.*$
Also, how feasible would it be to add a popup which says something along the
lines of:
"You are about to post unencrypted data over the Tor network. Are you sure you
wish to proceed?"
-- 
Erilenz
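The two features proposed above (an allow-list of hosts whose requests are rewritten to https, and a warning before cleartext data leaves the browser) sketched as a small request filter. This is an added example written for this page; it is not code from the original post, from Torbutton, or from Tor. The host list is hypothetical (mail.google.com is the one host named in the post, the rest are illustrative), and the warning strings are made up. It matches on the parsed hostname rather than on a regex over the whole URL, so a lookalike path such as http://evil.example/mail.google.com/ is not upgraded, and it checks the warning against the URL after the upgrade so a rewritten request does not also trigger the popup.

```javascript
// Added example, not Torbutton code. Hypothetical list of hosts whose plain
// http requests are forced to https; subdomains of each entry match too.
const FORCE_HTTPS_HOSTS = [
  "mail.google.com",   // the example given in the post
  "login.yahoo.com",   // illustrative
  "www.paypal.com",    // illustrative
  "facebook.com",      // illustrative; also covers www.facebook.com
];

// Exact match or a subdomain of the listed entry ("notfacebook.com" must not match).
function hostMatches(hostname, entry) {
  return hostname === entry || hostname.endsWith("." + entry);
}

// Rewrite http:// to https:// when the hostname is on the list. Returns the
// (possibly rewritten) URL plus which entry matched, if any.
function upgradeUrl(rawUrl) {
  let u;
  try {
    u = new URL(rawUrl);
  } catch (e) {
    return { url: rawUrl, upgraded: false, host: null }; // unparsable: leave alone
  }
  if (u.protocol !== "http:") return { url: rawUrl, upgraded: false, host: null };
  const hit = FORCE_HTTPS_HOSTS.find((h) => hostMatches(u.hostname, h));
  if (!hit) return { url: rawUrl, upgraded: false, host: null };
  // Note: an explicit non-default port (e.g. :8080) is kept as-is; the default
  // port 80 is already dropped by the URL parser, so the result goes to 443.
  u.protocol = "https:";
  return { url: u.href, upgraded: true, host: hit };
}

// Build the warning text for a request that would send data in the clear, or
// null if no warning is needed. Bodies on POST/PUT/PATCH are the obvious case;
// a GET with a query string is flagged too, since logins and session tokens
// sometimes travel that way.
function cleartextWarning(method, rawUrl) {
  let u;
  try {
    u = new URL(rawUrl);
  } catch (e) {
    return null;
  }
  if (u.protocol !== "http:") return null;
  const m = method.toUpperCase();
  if (["POST", "PUT", "PATCH"].includes(m)) {
    return `You are about to ${m} unencrypted data to ${u.hostname} over the Tor network. Proceed?`;
  }
  if (u.search.length > 1) {
    return `This request sends query parameters to ${u.hostname} in the clear over the Tor network. Proceed?`;
  }
  return null;
}

// Combined decision: upgrade first, then decide whether to warn about what is
// actually about to be sent.
function decideRequest(method, rawUrl) {
  const { url, upgraded, host } = upgradeUrl(rawUrl);
  return { url, upgraded, host, warning: cleartextWarning(method, url) };
}

// Constructed sample requests, as a browser extension might see them.
const SAMPLE = [
  ["GET", "http://mail.google.com/mail/"],
  ["POST", "http://example.org/login"],
  ["GET", "http://example.org/search?q=tor"],
  ["GET", "https://example.org/login"],
  ["POST", "http://evil.example/mail.google.com/"],
];
for (const [method, url] of SAMPLE) {
  console.log(method, url, "->", JSON.stringify(decideRequest(method, url)));
}
```

A real extension would hook this into the request pipeline before the connection is made, and would still need an answer for the case the post hints at: a listed site that redirects its own https pages back to http, which this filter would rewrite again on every request.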