Avoiding HTTPS pitfalls [was: Re: Moxie Marlinspike]
coderman
coderman at gmail.com
Mon Feb 23 19:19:42 UTC 2009
On Thu, Feb 19, 2009 at 4:17 AM, Erilenz <erilenz at gmail.com> wrote:
> ...
> Lots of people simply don't know how to use Tor safely.

agreed. i always recommend two things when using HTTPS over Tor:

- install the petname toolbar. this will also notify you if some
  rogue CA is suddenly signing the google.com certs, for example, not
  just that encryption isn't used.

- save bookmarks to sites that support HTTPS only (secure cookies)
  with the https:// secure URL. (no insecure transition).

> I wonder if something could/should be built into TorButton to force a list of
> commonly used services to go entirely over https? Eg any request for
> ^http://mail\.google\.com/.*$

a plugin to enforce secure cookies and https only operation for some
domains would be useful. i don't know of any that do this kind of
thing yet...

best regards,
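
The plugin idea discussed in this message, sketched as an added example (not part of the original post, and not code from TorButton or any existing extension): a rule list that upgrades matching http:// requests to https:// and adds the Secure attribute to cookies set by those hosts. The rule list beyond the quoted pattern, the function names and the sample inputs are assumptions made for illustration.

```javascript
// Added example. Rule list and helper names are hypothetical.
const HTTPS_ONLY_RULES = [
  /^http:\/\/mail\.google\.com\/.*$/i, // pattern quoted in the thread
  /^http:\/\/www\.example\.org\/.*$/i, // constructed sample entry
];

// Return the URL to actually request: rewritten to https:// when a rule
// matches, otherwise unchanged. The rules are anchored and require "/" right
// after the host, so "mail.google.com.evil.example" does not match.
function upgradeUrl(url) {
  if (HTTPS_ONLY_RULES.some((re) => re.test(url))) {
    return url.replace(/^http:/i, "https:");
  }
  return url;
}

// True when the host of `url` is covered by one of the rules, whatever
// scheme the request itself used.
function isHttpsOnlyHost(url) {
  const probe = `http://${new URL(url).hostname}/`;
  return HTTPS_ONLY_RULES.some((re) => re.test(probe));
}

// Rewrite a Set-Cookie header value received from an HTTPS-only host so the
// cookie always carries Secure and is never sent over a later plain-HTTP
// request. Cookies from other hosts pass through untouched.
function enforceSecureCookie(requestUrl, setCookie) {
  if (!isHttpsOnlyHost(requestUrl)) return setCookie;
  const attrs = setCookie.split(";").map((p) => p.trim()).filter(Boolean);
  // attrs[0] is name=value; only the attributes after it are inspected.
  const hasSecure = attrs.slice(1).some((a) => a.toLowerCase() === "secure");
  if (!hasSecure) attrs.push("Secure");
  return attrs.join("; ");
}

// Constructed sample inputs.
console.log(upgradeUrl("http://mail.google.com/mail/?ui=2"));
console.log(upgradeUrl("http://mail.google.com.evil.example/"));
console.log(
  enforceSecureCookie("https://mail.google.com/mail/", "SID=abc123; Path=/; HttpOnly")
);
```

In a real extension these two functions would sit in the request and response-header hooks; the first request typed as http:// is only protected if the rewrite happens before anything leaves the browser.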