[tor-talk] Torproject ssl certificate

TheMindwareGroup themindwaregroup at gmail.com
Wed Jan 15 16:47:54 UTC 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

1) I notice from UK on vodafone or sainsburys mobile torproject.org
ssl certificate comes up faulty and chrome blocks it. But on the Tor
network the site works fine (I downloaded CetfificatePatrol and it
says the proper certificate is digicert), obvioulsly SSL observatory
wont pick this up cos its the Chrome browser not Firefox.

After the talk we had about fake certificates and the unlikelyhood of
them using fake certs on everyone, but it would still be worth
concentrating there efforts only on people who use the tor website so
could this be such an attack? only it appears google chromes browser
is capable of detecting and stopping it (others might not be so lucky
or just click through it). People would assume theres something wrong
with the site or write it off as the site being blocked and ignore it.
They could correlate people that accessed the Tor site on the clear
web against Tor client users, get there IPs so they know who to watch
or at least they know you are using a Tor client and at worst if the
user clicked through could get contaminated updates. Sadly probably
nothing that can be done about this, except maybe using stronger
browsers, and better setups like the the Firefox Tor bundle that
bypass it.

2) Regulating open source browsers, like thats ever gonna work, people
will just download and compile old versions, and anyone can write a
http client anyway. Still maybe worth talking to them tho, thanks for
the heads up.

3) a Tor2web proxy (and versions of) probably arnt a good idea, the
reason darknets/F2F networks work is because you only share with
trusted friends not everyone, its the lack of the global view that
makes it hard for the enermy to attack the system (in this case they
would attack your proxy), i know adding anonymity to the equation and
being a conduit rather that a host changes the situation a bit, but I
still doubt google would like bad content being accessible *even* if
you arnt the one hosting it, I could be wrong.

~TheMindwareGroup
TheMindwareGroup at gmail.com PGP: 0xf4b6586f
-----BEGIN PGP SIGNATURE-----

iQEcBAEBCgAGBQJS1ru6AAoJEKcLVST0tlhvsdkH/1HVzPOeC0NOyBxSzXWtzeqz
4ldB3Lj/t2qnNe0lOGkQv3tSLwW2LipNJ06I7APO24CQNbIFuw3k6vkzKJRe02p5
M+omng6nOVAZtxk/zMVFVRy/FZSli5hkqFpZtCSr56i9L9/kI3GAAdSkVXuUr552
m6skiKPoomdncnkDiRuzk+4NEx12vYXUO3LEMn3KDqe3W/HmYnFqTli2A/mKNYPD
UBywPqaZiEMmnXfLbDUgvbcKjCflZ/3Q9FkN3DK21oCgbULk5q0UmPVf9rx4lKbC
kG/sEecb4VHPXogy2e9IFlIE+M0jfF7gKls+oPnWj70PScu/7l+7cphOsL1C5Mc=
=OMQD
-----END PGP SIGNATURE-----


More information about the tor-talk mailing list