[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Holy shit I caught 1

To: or-talk@xxxxxxxxxxxxx
Subject: Re: Holy shit I caught 1
From: "Marco A. Calamari" <marcoc1@xxxxxxx>
Date: Wed, 30 Aug 2006 11:05:29 +0200
Delivered-to: archiver@seul.org
Delivered-to: or-talk-outgoing@seul.org
Delivered-to: or-talk@seul.org
Delivery-date: Wed, 30 Aug 2006 05:05:35 -0400
In-reply-to: <20060830075946.GT3008@moria.seul.org>
References: <20060828012406.GG23188@fscked.org> <44F543D5.7080904@vfemail.net> <20060830075946.GT3008@moria.seul.org>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx

On Wed, 2006-08-30 at 03:59 -0400, Roger Dingledine wrote:
> On Wed, Aug 30, 2006 at 02:52:53AM -0500, Shatadal wrote:
> > So does that mean that if I am trying to access an SSL enabled account
> > (say gmail or yahoo e-mail), the certificate is a spoofed one being
> > provided by the rogue tor node and therefore my login name and password
> > are therefore being provided in cleartext to the node operator?
> 
> Yes, but only if you click "accept" when your Firefox tells you that
> somebody is spoofing the site.
> 
> I often click accept when a site gives me a bogus certificate, because
> I want to see the page anyway -- but if I do I know that I shouldn't
> expect any security from the site anymore.
> 
> (And if you're using a browser that doesn't give you warnings for
> bogus certificates... you should switch. :)

Just a couple of notes trying to clarify this often over-simplified
 world of "bogus" or "valid" certificates.

I don't know of browser that accept troublesome certificates
 without warning; the warning that must be issued by the browser
 are always matter of local setup of browser, maybe of default
 setup of it if user has no changed it.

"bugus" certificates give the impression that are fake
 certificates; they are self-signed certificates, so are
 "valid" by definition. Often there is confusion about
 the "validity" of certificates.

The self-signed certificates that the rogue router show
 are valid but fake; as a fake banknotes they contain textual
 information that indicates not the real but a different issuer.

An authentic certificate by a commercial site is
 normally signed by a commercial certification
 authority.

Ending this boring explaination; when the
 browser open a window about certificates,
 read it with great attention and triple
 check the origin if it is self-signed.

Not all self-signed certificates, or certificate
 signed by a unknow certification authority are fake.

This is often the case of poor organizations
 (as, for example, the Winston Smith Project...)

As always, keep the brain attached.... ;)

JM2C.   Marco

-- 

+--------------- http://www.winstonsmith.info ---------------+
| il Progetto Winston Smith: scolleghiamo il Grande Fratello |
| the Winston Smith Project: unplug the Big Brother          |
| Marco A. Calamari marcoc@xxxxxxxxx  http://www.marcoc.it   |
| DSS/DH:  8F3E 5BAE 906F B416 9242 1C10 8661 24A9 BFCE 822B |
+ PGP RSA: ED84 3839 6C4D 3FFE 389F 209E 3128 5698 ----------+

Attachment: signature.asc
Description: This is a digitally signed message part

Follow-Ups:
- Re: Holy shit I caught 1
  - From: Fabian Keil

References:
- Holy shit I caught 1
  - From: Mike Perry
- Re: Holy shit I caught 1
  - From: Shatadal
- Re: Holy shit I caught 1
  - From: Roger Dingledine

Prev by Author: Re: How interesting
Next by Author: Re: Can governments block tor?
Previous by thread: Re: Holy shit I caught 1
Next by thread: Re: Holy shit I caught 1
Index(es):
- Author
- Thread