[tor-talk] How evil is TLS cert collection?
Robert Ransom
rransom.8774 at gmail.com
Mon Mar 21 17:00:53 UTC 2011
On Mon, 21 Mar 2011 09:05:30 -0400
Joseph Lorenzo Hall <joehall at gmail.com> wrote:
> It strikes me that I'd want notice (or the option to get notice)
> before submitting rare certs to the database... say a dialog like:
> "We're about to submit the certificate for the following site, [x] ok,
> [ ] no, do not submit this certificate. ([ ] remember this preference
> for this certificate)." My reasoning is that I should usually have a
> good idea when I'm expecting a rare/self-signed cert, and if I'm not
> expecting it, I'd probably want to submit it. Does that make sense?
> best, Joe
No.
1. The extension cannot determine whether you have a ‘rare’ certificate
without querying the database.
2. If users do not report self-signed certificates that they expect to
see, the database cannot be used to detect man-in-the-middle attacks
on sites that use self-signed certificates.
Robert Ransom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20110321/45ce994c/attachment.pgp>
More information about the tor-talk
mailing list