Re: Holy shit I caught 1
- To: or-talk@xxxxxxxxxxxxx
- Subject: Re: Holy shit I caught 1
- From: Mike Perry <mikepery@xxxxxxxxxx>
- Date: Sat, 2 Sep 2006 17:21:56 -0500
- Delivered-to: firstname.lastname@example.org
- Delivered-to: email@example.com
- Delivery-date: Sat, 02 Sep 2006 18:22:29 -0400
- In-reply-to: <20060830075946.GT3008@moria.seul.org>
- References: <20060828012406.GG23188@fscked.org> <44F543D5.email@example.com> <20060830075946.GT3008@moria.seul.org>
- Reply-to: or-talk@xxxxxxxxxxxxx
- Sender: owner-or-talk@xxxxxxxxxxxxx
- User-agent: Mutt/1.4.1i

Thus spake Roger Dingledine (arma@xxxxxxx):

> On Wed, Aug 30, 2006 at 02:52:53AM -0500, Shatadal wrote:
> > So does that mean that if I am trying to access an SSL enabled account
> > (say gmail or yahoo e-mail), the certificate is a spoofed one being
> > provided by the rogue tor node and therefore my login name and password
> > are therefore being provided in cleartext to the node operator?
>
> Yes, but only if you click "accept" when your Firefox tells you that
> somebody is spoofing the site.
>
> I often click accept when a site gives me a bogus certificate, because
> I want to see the page anyway -- but if I do I know that I shouldn't
> expect any security from the site anymore.
>
> (And if you're using a browser that doesn't give you warnings for
> bogus certificates... you should switch. :)

There is another subtle problem with this.. For sites that provide the
login form via plain http and then submit via https, a MITM can
rewrite the POST form to submit anywhere they have a "valid" CA-signed
CERT (which as we've established costs the attacker $25 and a pay
phone #). Since this submission can go to ANY domain, it's much easier
to spoof a valid cert this way without a browser warning.

It's scary just how many banks, email providers (yahoo), and other
sites try to make things "easier" by providing the login on their
front (non-https) page. Trial by fire...

You should only use login forms on https pages. Especially via Tor.

Mad Computer Scientist
fscked.org evil labs