[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Holy shit I caught 1

To: or-talk@xxxxxxxxxxxxx
Subject: Re: Holy shit I caught 1
From: Roger Dingledine <arma@xxxxxxx>
Date: Wed, 30 Aug 2006 03:59:46 -0400
Delivered-to: archiver@seul.org
Delivered-to: or-talk-outgoing@seul.org
Delivered-to: or-talk@seul.org
Delivery-date: Wed, 30 Aug 2006 03:59:53 -0400
In-reply-to: <44F543D5.7080904@vfemail.net>
References: <20060828012406.GG23188@fscked.org> <44F543D5.7080904@vfemail.net>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx
User-agent: Mutt/1.5.9i

On Wed, Aug 30, 2006 at 02:52:53AM -0500, Shatadal wrote:
> So does that mean that if I am trying to access an SSL enabled account
> (say gmail or yahoo e-mail), the certificate is a spoofed one being
> provided by the rogue tor node and therefore my login name and password
> are therefore being provided in cleartext to the node operator?

Yes, but only if you click "accept" when your Firefox tells you that
somebody is spoofing the site.

I often click accept when a site gives me a bogus certificate, because
I want to see the page anyway -- but if I do I know that I shouldn't
expect any security from the site anymore.

(And if you're using a browser that doesn't give you warnings for
bogus certificates... you should switch. :)

--Roger

Follow-Ups:
- Re: Holy shit I caught 1
  - From: Marco A. Calamari
- Re: Holy shit I caught 1
  - From: Shatadal

References:
- Holy shit I caught 1
  - From: Mike Perry
- Re: Holy shit I caught 1
  - From: Shatadal

Prev by Author: Tor 0.1.2.1-alpha is out
Next by Author: Re: What's the benefit of a permanent "EntryGuard"?
Previous by thread: Re: Holy shit I caught 1
Next by thread: Re: Holy shit I caught 1
Index(es):
- Author
- Thread