[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re[2]: Holy shit I caught 1


Just how do you expect the average windows user to know how to check ssl
certifications? That is now the level of the people using tor.


Sunday, August 27, 2006, 8:55:31 PM, you wrote:

> Hopefully the people using Tor would be "clued in" enough to check their
> certs. <shrug>

> Arrakistor wrote:
>> Amazing(ly bad). Perhaps we need some sort of monster programs
>> stalking through the system to check for things like this.
>> What I would like to know is how long the router on the node has been
>> spoofing the certs. Did this only come after we discussed the
>> possibility? If not, how fast can we fix this? Further, what else
>> aren't we thinking about?
>> Regards,
>>  Arrakistor
>> Sunday, August 27, 2006, 8:24:06 PM, you wrote:
>>> I would have bet good money against this, but there actually IS a
>>> router on the tor network spoofing SSL certs. The router '1'
>>> ( - $BB688E312A9F2AFFFC6A619F365BE372695CA626) is
>>> providing self-signed SSL certs for just about every SSL site you hit
>>> through it. Nice. Is there a wiki page with bad tor nodes anywhere?
>>> Let's hear it for paranoia! Hip hip hooray.
>>> Is anyone else scanning? My list of hits on for this zip is awefully
>>> small.. It appears we may actually need to scan, folks. 
>>> An assortment of SSL certs provided by this router is attached in a
>>> .zip file.
>>> Go ahead and hit up https://addons.mozilla.org.1.exit with
>>> socks_remote_dns and only a socks proxy (privoxy breaks the .exit
>>> notation), and be prepared to shit yourself. Does anyone know if
>>> firefox verifies cert sigs when downloading extension updates?