[tor-talk] 1) Torproject certificate, 2) SSL authentication compromised, 3) "Exit browser" idea, 4) I am working on something similar to Tor

Michael Wolf mikewolf53 at gmail.com
Thu Jan 9 11:14:49 UTC 2014


On 1/9/2014 4:30 AM, Max Jakob Maass wrote:

> An example would be "Certificate Patrol"
> (https://addons.mozilla.org/en-US/firefox/addon/certificate-patrol/)
> for Firefox. It implements Certificate Pinning and will notify you if
> certificates change (even with special warnings if they change way
> before they are due, and if the CA changes, both very handy features
> when dealing with a compromised / Government MITM CA).
> 
> It does not, however, implement a Cert Web-of-Trust that compares the
> certificate you are seeing to those other people are seeing. I am not
> aware of any addon or browser that does that, so I'd be curious to
> hear which ones implement that (as your message sounded like there are
> indeed some implementations of this). I am also unaware of any addon
> for Chrom{e,ium} or other browsers that does the job of certificate
> patrol... If anyone knows about any, please let me know.
> 
> Max
> 

I believe HTTPS-Everywhere is capable of checking certs against what
others are seeing, and it's actually already installed in TBB.
Unfortunately this feature is only available for the Firefox version of
HTTPS-Everywhere.  If you click on the HTTPS-Everywhere icon in the
top-right corner of TorBrowser, you'll see an option for "SSL
Observatory Preferences".  Just enable it, and you're set.  Here's some
more info:

https://www.eff.org/deeplinks/2012/02/https-everywhere-decentralized-ssl-observatory

https://www.eff.org/observatory
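An added example (not part of the original message, and not Certificate Patrol's own code) of the checks described in the quoted text: pin a certificate on first sight, then flag a changed certificate, a changed issuer, and a change made well before the old certificate was due to expire. The 30-day margin, the warning names and the sample certificates are assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed threshold for "changed way before it was due"; not the add-on's value.
EARLY_CHANGE_MARGIN = timedelta(days=30)

@dataclass(frozen=True)
class SeenCert:
    fingerprint: str     # SHA-256 over the DER-encoded certificate
    issuer: str          # issuer distinguished name
    not_after: datetime  # expiry date of the certificate

def observe(der: bytes, issuer: str, not_after: datetime) -> SeenCert:
    return SeenCert(hashlib.sha256(der).hexdigest(), issuer, not_after)

def check(store: dict, host: str, seen: SeenCert, now: datetime) -> list:
    """Compare `seen` with the pin stored for `host` and return warning codes."""
    pinned = store.get(host)
    if pinned is None:
        store[host] = seen  # trust on first use
        return ["first-seen"]
    if pinned.fingerprint == seen.fingerprint:
        return []
    warnings = ["cert-changed"]
    if pinned.issuer != seen.issuer:
        warnings.append("issuer-changed")
    if pinned.not_after - now > EARLY_CHANGE_MARGIN:
        warnings.append("changed-before-expiry")
    return warnings  # pin is kept; replacing it is the user's decision

def demo() -> list:
    """Run constructed observations for one host through the checks."""
    t0 = datetime(2014, 1, 9, tzinfo=timezone.utc)
    old = observe(b"constructed DER 1", "CN=Example CA A", t0 + timedelta(days=300))
    renewed = observe(b"constructed DER 2", "CN=Example CA A", t0 + timedelta(days=700))
    other_ca = observe(b"constructed DER 3", "CN=Example CA B", t0 + timedelta(days=365))
    store = {}
    return [
        check(store, "example.org", old, t0),
        check(store, "example.org", old, t0 + timedelta(days=1)),
        check(store, "example.org", other_ca, t0 + timedelta(days=2)),
        check(store, "example.org", renewed, t0 + timedelta(days=295)),
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

A pin store like this only detects change relative to what this one client saw first; it cannot tell whether the first certificate was already the wrong one, which is the gap that comparing against other observers is meant to close.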
