[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Holy shit I caught 1

Hash: SHA1

Mike Perry wrote:
> Thus spake Roger Dingledine (arma@xxxxxxx):
>> On Wed, Aug 30, 2006 at 02:52:53AM -0500, Shatadal wrote:
>>> So does that mean that if I am trying to access an SSL enabled account
>>> (say gmail or yahoo e-mail), the certificate is a spoofed one being
>>> provided by the rogue tor node and therefore my login name and password
>>> are therefore being provided in cleartext to the node operator?
>> Yes, but only if you click "accept" when your Firefox tells you that
>> somebody is spoofing the site.
>> I often click accept when a site gives me a bogus certificate, because
>> I want to see the page anyway -- but if I do I know that I shouldn't
>> expect any security from the site anymore.
>> (And if you're using a browser that doesn't give you warnings for
>> bogus certificates... you should switch. :)
> There is another subtle problem with this.. For sites that provide the
> login form via plain http and then submit via https, a MITM can
> rewrite the POST form to submit anywhere they have a "valid" CA-signed
> CERT (which as we've established costs the attacker $25 and a pay
> phone #). Since this submission can go to ANY domain, it's much easier
> to spoof a valid cert this way without a browser warning.
> It's scary just how many banks, email providers (yahoo), and other
> sites try to make things "easier" by providing the login on their
> front (non-https) page. Trial by fire...
> You should only use login forms on https pages. Especially via Tor.
But the page could be on https and submit through http, even worse. And
you won't know until you hit submit or try to read the source. Moral:
Never trust a web designer to do a cryptographer's job.

- --
They who would give up an essential liberty for temporary security,
 deserve neither liberty or security
- --Benjamin Franklin
Version: GnuPG v1.4.3 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org