[tor-talk] Using passwords with TOR
Lee
ler762 at gmail.com
Sun May 22 19:03:38 UTC 2011
On 5/22/11, tor at lists.grepular.com <tor at lists.grepular.com> wrote:
> On 22/05/2011 09:00, grarpamp wrote:
>
>>> And a follow-up question if I may - how do you verify that the ssl
>>> connection is to the site you want & not something else? eg:
>>> http://www.wired.com/threatlevel/2010/03/packet-forensics/
>>> What's the defense against that type of attack?
>>
>> Well if CA's are giving intermediate CA's to adversaries, and those
>> adversaries are issuing certs MITM on the fly in hardware... then
>> yeah, you've got major problems.
>
> I use a Firefox addon called Certificate Patrol. It keeps a record of
> certificates that https websites serve. It then alerts you if they
> change. It displays information about the old certificate next to the
> new certificate so you can tell if the issuer has changed, and if the
> old cert was due to expire anyway.
>
> Should come in handy if you come across a Tor Exit node that is somehow
> generating "valid" certificates for a domain and MITM'ing you.
Yes - that looks helpful. Which version of Firefox are you using? I
tried it with FF 4.0.1 and no matter what the settings, JavaScript
enabled/disabled, NoScript addon enabled/disabled, I couldn't get a
popup for a newly accepted cert :(
Lee
>
> --
> Mike Cardwell https://grepular.com/ https://twitter.com/mickeyc
> Professional http://cardwellit.com/ http://linkedin.com/in/mikecardwell
> PGP.mit.edu 0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
>
>
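The record-and-compare check described in the quoted message, as an added example that is not part of the thread and is not Certificate Patrol's own code: it remembers one certificate per host and flags a change when the issuer differs or the old certificate was not close to expiry. The class and function names, the 30-day renewal window and all sample values are assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class CertRecord:
    fingerprint: str      # SHA-256 over the certificate bytes, hex
    issuer: str           # issuer name as shown to the user
    not_after: datetime   # expiry date of the certificate

class CertStore:
    """Remembers the last accepted certificate per host (trust on first use)."""

    def __init__(self, renewal_window=timedelta(days=30)):  # window is an assumption
        self.seen = {}
        self.renewal_window = renewal_window

    def observe(self, host, cert, now):
        """Compare cert with the stored one; return (verdict, reasons)."""
        old = self.seen.get(host)
        if old is None:
            self.seen[host] = cert
            return "new", []
        if old.fingerprint == cert.fingerprint:
            return "unchanged", []
        reasons = []
        if old.issuer != cert.issuer:
            reasons.append(f"issuer changed: {old.issuer} -> {cert.issuer}")
        if old.not_after - now > self.renewal_window:
            reasons.append(f"old certificate was valid until {old.not_after:%Y-%m-%d}")
        if reasons:
            return "suspicious", reasons   # keep the old record until the user decides
        self.seen[host] = cert
        return "renewal", []

def record(label, issuer, not_after):
    """Build a constructed sample record; the label stands in for real DER bytes."""
    return CertRecord(hashlib.sha256(label.encode()).hexdigest(), issuer, not_after)

# Constructed sample data, not taken from any real site.
NOW = datetime(2011, 5, 22)
C1 = record("cert-1", "Example CA", datetime(2011, 6, 1))
C2 = record("cert-2", "Example CA", datetime(2012, 6, 1))
C3 = record("cert-3", "Other CA", datetime(2012, 1, 1))

if __name__ == "__main__":
    store = CertStore()
    for cert in (C1, C1, C2, C3):
        print(store.observe("www.example.org", cert, NOW))
```

A first-use store like this only detects a change relative to what was seen before; it cannot tell whether the first certificate recorded was itself the genuine one.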