[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Avoiding HTTPS pitfalls [was: Re: Moxie Marlinspike]

To: or-talk@xxxxxxxxxxxxx
Subject: Re: Avoiding HTTPS pitfalls [was: Re: Moxie Marlinspike]
From: coderman <coderman@xxxxxxxxx>
Date: Mon, 23 Feb 2009 12:40:54 -0800
Delivered-to: archiver@xxxxxxxx
Delivered-to: or-talk-outgoing@xxxxxxxx
Delivered-to: or-talk@xxxxxxxx
Delivery-date: Mon, 23 Feb 2009 15:40:57 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:content-type :content-transfer-encoding; bh=0XKmI/lvsPzuA3V8KgwdBDIXP4+ULW6RJXMTf1/XGPU=; b=JCxT3wKnOEj25l/tqLLd6PNDMYmVk36P0/9egv1rkaIY3GFFK085CAQdpvqbJpxNuh Rxsyi614gGs3e5VgU+tD5gEMY+tAII0J4FCvm0FWWN+HnFH/LsEVG1KXhI7e6NDA4eWZ a1GWnjhZyMGTBf2q3B5SabVoyvMFt4EJ+CUKA=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type:content-transfer-encoding; b=qmTCmDrf7u5DGnO5QuM7Hy4NwqiwWH/idxp3yswC+LBU271REb5sj/UwYNDtqelb+M zOQ7wF6E1KINtIHj2RBDRiQSjFrEKYt2hmsZYYBvTGtEUAIWfGExOOc/rxDysqSeRCLe SnwB3fP0W6iqiQ01YcVo9L17b4IkGepNHB8hI=
In-reply-to: <49A3072D.1070504@xxxxxxxxxxxxxxxxxxxxxx>
References: <4ef5fec60902231119s2cccd1bcwdfb3313046b2a988@xxxxxxxxxxxxxx> <49A3072D.1070504@xxxxxxxxxxxxxxxxxxxxxx>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx

On Mon, Feb 23, 2009 at 12:29 PM, Arjan
<n6bc23cpcduw@xxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> Noscript has some options (Options, Advanced, HTTPS) that may help.
> Disclaimer: I've not used these options and I don't know if it's secure.

from https://www.torproject.org/torbutton/faq.html
"Which Firefox extensions should I avoid using? ... NoScript: using
NoScript can actually disable protections that Torbutton itself
provides via Javascript, yet still allow malicious exit nodes to
compromise your anonymity via the default whitelist..."

as an aside, i found a plugin that could do everything above, but only
if the sites themselves send you a ForceHTTPS cookie securely:
https://crypto.stanford.edu/forcehttps/
the design paper does a good job of explaining why this is all more
complicated than you might think...

best regards,

Follow-Ups:
- Re: Avoiding HTTPS pitfalls [was: Re: Moxie Marlinspike]
  - From: Marco Bonetti

References:
- Avoiding HTTPS pitfalls [was: Re: Moxie Marlinspike]
  - From: coderman
- Re: Avoiding HTTPS pitfalls [was: Re: Moxie Marlinspike]
  - From: Arjan

Prev by Author: Re: aes performance
Next by Author: Re: Time Warner bad / VPS recommendations
Previous by thread: Re: Avoiding HTTPS pitfalls [was: Re: Moxie Marlinspike]
Next by thread: Re: Avoiding HTTPS pitfalls [was: Re: Moxie Marlinspike]
Index(es):
- Author
- Thread