[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Holy shit I caught 1

Roger Dingledine wrote:
> On Wed, Aug 30, 2006 at 02:52:53AM -0500, Shatadal wrote:
>> So does that mean that if I am trying to access an SSL enabled account
>> (say gmail or yahoo e-mail), the certificate is a spoofed one being
>> provided by the rogue tor node and therefore my login name and password
>> are therefore being provided in cleartext to the node operator?
> Yes, but only if you click "accept" when your Firefox tells you that
> somebody is spoofing the site.
> I often click accept when a site gives me a bogus certificate, because
> I want to see the page anyway -- but if I do I know that I shouldn't
> expect any security from the site anymore.
> (And if you're using a browser that doesn't give you warnings for
> bogus certificates... you should switch. :)
> --Roger

Thanks for the explanation Roger. So your advice is that I shouldn't be
too worried about this since Firefox (or a useful extension like
Spoofstick) would warn me about the spoof?

Does that mean also that the security issue found by Mike Perry can be
solved easily by just taking care that the SSL certificate is provided
by website you actually want to use?


avast! Antivirus: Outbound message clean.
Virus Database (VPS): 0635-1, 08/28/2006
Tested on: 8/30/2006 4:02:24 AM
avast! - copyright (c) 2000-2006 ALWIL Software.