[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Holy shit I caught 1

To: or-talk@xxxxxxxxxxxxx
Subject: Re: Holy shit I caught 1
From: Watson Ladd <watsonbladd@xxxxxxxxx>
Date: Wed, 30 Aug 2006 07:17:47 -0400
Delivered-to: archiver@seul.org
Delivered-to: or-talk-outgoing@seul.org
Delivered-to: or-talk@seul.org
Delivery-date: Wed, 30 Aug 2006 07:17:56 -0400
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:user-agent:mime-version:to:subject:references:in-reply-to:content-type:content-transfer-encoding; b=uUjyhS6bRgxMdo/ae8Q+jRQFxTTUO0faQGabQkYIUNZUb+zBWCWNn+uUgsPG9hOnzJkVgs2h61UYzjTtdHwD54EbvDvLp3f7y46hmkWlEApzeyrz6SfsqDuQZe7M1Ix8gdpOtkuySvnIcbV1r4uX1Phw4Y6yvi7CQtY57mNcfdA=
In-reply-to: <44F543D5.7080904@vfemail.net>
References: <20060828012406.GG23188@fscked.org> <44F543D5.7080904@vfemail.net>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx
User-agent: Thunderbird 1.5.0.5 (Macintosh/20060719)

Shatadal wrote:

Mike Perry wrote:

I would have bet good money against this, but there actually IS a
router on the tor network spoofing SSL certs. The router '1'
(218.58.6.159 - $BB688E312A9F2AFFFC6A619F365BE372695CA626) is
providing self-signed SSL certs for just about every SSL site you hit
through it. Nice. Is there a wiki page with bad tor nodes anywhere?

Let's hear it for paranoia! Hip hip hooray.

Is anyone else scanning? My list of hits on for this zip is awefully small.. It appears we may actually need to scan, folks.

An assortment of SSL certs provided by this router is attached in a
.zip file.

Go ahead and hit up https://addons.mozilla.org.1.exit with
socks_remote_dns and only a socks proxy (privoxy breaks the .exit
notation), and be prepared to shit yourself. Does anyone know if
firefox verifies cert sigs when downloading extension updates?


So does that mean that if I am trying to access an SSL enabled account
(say gmail or yahoo e-mail), the certificate is a spoofed one being
provided by the rogue tor node and therefore my login name and password
are therefore being provided in cleartext to the node operator?

Thanks.


---
avast! Antivirus: Outbound message clean.
Virus Database (VPS): 0635-1, 08/28/2006
Tested on: 8/30/2006 2:53:28 AM
avast! - copyright (c) 2000-2006 ALWIL Software.
http://www.avast.com

Not unless you ignore the warning. The certificate hasn't been signed by anyone, and so triggers a warning box. Note that some sites use self-signed certificates, and so you could be MITM'd without any way to check. But if the site normally doesn't have a self-signed certificate, don't trust it.

--
They who would give up an essential liberty for temporary security,
deserve neither liberty or security
--Benjamin Franklin

References:
- Holy shit I caught 1
  - From: Mike Perry
- Re: Holy shit I caught 1
  - From: Shatadal

Prev by Author: Better Authentication/Key Negotiations
Next by Author: Re: Tor 0.1.2.1-alpha is out
Previous by thread: Re: Holy shit I caught 1
Next by thread: "TorSignal for Windows": App for easy use of Tor signals...new Wiki entry
Index(es):
- Author
- Thread