
Re: Perfect MITM attack with valid SSL Certs
I'm not certain which way you meant this, but just in the interest of clarification:

This sort of attack, or any PKI attacks, *do not* affect the way that tor nodes authenticate or communicate with each other - that is all based on the directories, signatures, and certificate fingerprints. Those can't be faked without breaking the math involved.

Where this does come into play, however, is communicating with external services - smart use of this attack could allow an exit node to snoop on or modify your SSL-encrypted communications. Tor is more susceptible to that than most because anybody can be your exit node. In this instance, the exit node would have to be prepared with certificates for various sites - it couldn't pick any site at random and instantly impersonate that.

I think that may have been what you were saying, but I just wanted to state it clearly to avoid misinterpretation.

 - John Brooks

On Tue, Dec 23, 2008 at 9:47 AM, Roc Admin <onionroutor@xxxxxxxxx> wrote:
http://blog.startcom.org/?p=145

Slashdot and others are reporting on this story about how it was possible for a person to receive a completely valid certificate for a random domain of his choosing without any questions or verification. In this case he generated a certificate for mozilla.com from a reseller of the Comodo certificate authority. I'm hoping this is just a single instance, but it makes you remember that the browser pre-trusted certificate authorities really need to be cleaned up.

If it's not obvious enough, this is not good for Tor users due to the fact that we try to rely on SSL certificates to make sure that traffic isn't sniffed while using Tor.

-Roc Tor Admin
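As an added example (not code from this thread or from the Tor project), here is the fingerprint-based check that John contrasts with CA trust, in Go: two certificates for the same name are built locally to stand in for the genuine certificate and the mis-issued one from the quoted post. Both pass the hostname check, so chain and name validation alone cannot tell them apart; only the certificate whose fingerprint was pinned out of band is accepted. The mozilla.com name comes from the quoted post; the certificates are self-signed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"math/big"
	"time"
)

// issueCert builds a self-signed certificate naming host; it stands in for a CA-issued one (constructed test data).
func issueCert(host string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// Fingerprint is the hex SHA-256 digest of the DER certificate: the value a client records out of band and pins.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}
// NameMatches reports whether the certificate is valid for host; a mis-issued certificate passes this just like the genuine one.
func NameMatches(der []byte, host string) bool {
	cert, err := x509.ParseCertificate(der)
	return err == nil && cert.VerifyHostname(host) == nil
}

// CheckPin is the extra step a pinning client runs after chain validation (the shape of a tls.Config.VerifyPeerCertificate callback).
func CheckPin(pin string, rawCerts [][]byte) error {
	if len(rawCerts) == 0 {
		return errors.New("no peer certificate presented")
	}
	if Fingerprint(rawCerts[0]) != pin {
		return errors.New("leaf certificate fingerprint does not match pin")
	}
	return nil
}
```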