Re: Holy shit I caught 1

On Wed, Aug 30, 2006 at 02:52:53AM -0500, Shatadal wrote:
> So does that mean that if I am trying to access an SSL enabled account
> (say gmail or yahoo e-mail), the certificate is a spoofed one being
> provided by the rogue Tor node and therefore my login name and password
> are therefore being provided in cleartext to the node operator?

Yes, but only if you click "accept" when your Firefox tells you that
somebody is spoofing the site.

I often click accept when a site gives me a bogus certificate, because
I want to see the page anyway -- but if I do I know that I shouldn't
expect any security from the site anymore.

(And if you're using a browser that doesn't give you warnings for
bogus certificates... you should switch. :)