[tor-talk] 1) Torproject certificate, 2) SSL authentication compromised, 3) "Exit browser" idea, 4) I am working on something similar to Tor

Max Jakob Maass max at velcommuta.de
Thu Jan 9 09:30:18 UTC 2014



>> All it would take is for them to put really fast servers (and we
>> know they are doing this with QUANTUM servers) at key high
>> traffic junctions on the internet, and in secret at every ISP
>> using a sub CA root certificate to transparently access *ALL* SSL
>> streams passing through that point.
> 
> If this were done to all connections, it would be noticed very
> quickly. The browser sees the presented certificate and can log it
> and perform other analysis.  The default behavior of most browsers
> is not to warn the user, provided the cert appears valid.  But
> there are some users who are using browsers and clients that have
> other behaviors and will, for example,
> 
> - compare the cert to the certs seen by other users, or
> - automatically log the cert, or
> - automatically send a copy of the cert to third parties, or
> - notify the user if the cert is different from the previously observed cert for this server, or
> - notify the user if the cert is different from values this server told the client to expect, or
> - notify the user if the cert is different from values that the client was told to expect by the original software developer
An example would be "Certificate Patrol"
(https://addons.mozilla.org/en-US/firefox/addon/certificate-patrol/)
for Firefox. It implements Certificate Pinning and will notify you if
certificates change (even with special warnings if they change way
before they are due, and if the CA changes, both very handy features
when dealing with a compromised / Government MITM CA).

It does not, however, implement a Cert Web-of-Trust that compares the
certificate you are seeing to those other people are seeing. I am not
aware of any addon or browser that does that, so I'd be curious to
hear which ones implement that (as your message sounded like there are
indeed some implementations of this). I am also unaware of any addon
for Chrom{e,ium} or other browsers that does the job of certificate
patrol... If anyone knows about any, please let me know.

Max
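The certificate-change checks Max attributes to Certificate Patrol (warn when a host's certificate changes, warn harder when it changes well before the old one expires or when the issuing CA changes) come down to a small trust-on-first-use pin store. The following is an added illustration of that logic, not Certificate Patrol's code or anything from the thread; the `CertInfo` record, the `PinStore` class, the 30-day "early replacement" threshold and the sample observations are all constructed for the example, and certificates are modelled as a few fields rather than parsed X.509.

```python
"""Trust-on-first-use certificate pinning with change detection.

Added illustration of the behaviour described in the message above; it is
not Certificate Patrol's code.  A certificate is reduced to the fields a
pinning client compares, and all sample certificates are constructed.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class CertInfo:
    """The parts of a server certificate a pinning client compares."""
    der: bytes              # certificate bytes (constructed stand-ins below)
    issuer: str             # issuer distinguished name
    not_after: datetime     # expiry time

    @property
    def fingerprint(self) -> str:
        # Real clients fingerprint the DER encoding; same idea here.
        return hashlib.sha256(self.der).hexdigest()


class PinStore:
    """Remembers the first certificate seen per host and reports changes."""

    # A replacement this long before the pinned cert expires is suspicious:
    # legitimate renewals normally happen close to expiry.  (Assumed value.)
    EARLY_THRESHOLD = timedelta(days=30)

    def __init__(self):
        self._pins = {}     # host -> CertInfo

    def observe(self, host: str, cert: CertInfo, now: datetime) -> list:
        """Return warning codes for this observation; an empty list is 'fine'."""
        known = self._pins.get(host)
        if known is None:
            # Trust on first use: nothing to compare against yet.
            self._pins[host] = cert
            return ["first-seen"]
        if known.fingerprint == cert.fingerprint:
            return []
        warnings = ["cert-changed"]
        if now < known.not_after - self.EARLY_THRESHOLD:
            warnings.append("changed-early")
        if known.issuer != cert.issuer:
            warnings.append("issuer-changed")
        # The old pin is kept until the user explicitly accepts the new cert,
        # so a one-off interception does not silently become the new baseline.
        return warnings

    def accept(self, host: str, cert: CertInfo) -> None:
        """User reviewed the warning and accepted the new certificate."""
        self._pins[host] = cert


def run_demo() -> dict:
    """Walk through the cases the message lists; returns warnings per case."""
    now = datetime(2014, 1, 9, tzinfo=timezone.utc)
    ca_a = "CN=Example CA A"            # constructed issuer names
    ca_b = "CN=Example CA B"
    pinned = CertInfo(b"constructed-cert-1", ca_a, now + timedelta(days=365))
    same_ca = CertInfo(b"constructed-cert-2", ca_a, now + timedelta(days=730))
    other_ca = CertInfo(b"constructed-cert-3", ca_b, now + timedelta(days=730))

    store = PinStore()
    results = {}
    results["first"] = store.observe("example.org", pinned, now)
    results["unchanged"] = store.observe("example.org", pinned, now)
    # Swapped long before expiry, same CA: looks like a key rollover at best.
    results["early_same_ca"] = store.observe("example.org", same_ca, now)
    # Swapped early and issued by a different CA: the MITM-CA pattern.
    results["early_other_ca"] = store.observe("example.org", other_ca, now)
    # Renewal two weeks before expiry, same CA: ordinary change, plain warning.
    results["late_renewal"] = store.observe(
        "example.org", same_ca, now + timedelta(days=350))
    return results


if __name__ == "__main__":
    for case, warnings in run_demo().items():
        print(f"{case:15s} {warnings or 'ok'}")
```

The store deliberately never updates a pin on its own after a change is detected; whether a change is accepted is a user decision, which is what makes the "changed early" and "issuer changed" signals useful against a CA that can mint valid-looking certificates.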