"Marco A. Calamari" <marcoc1@xxxxxxx> wrote:

> On Wed, 2006-08-30 at 03:59 -0400, Roger Dingledine wrote:
> > On Wed, Aug 30, 2006 at 02:52:53AM -0500, Shatadal wrote:
> > > So does that mean that if I am trying to access an SSL enabled account
> > > (say gmail or yahoo e-mail), the certificate is a spoofed one being
> > > provided by the rogue tor node and therefore my login name and password
> > > are being provided in cleartext to the node operator?
> >
> > Yes, but only if you click "accept" when your Firefox tells you that
> > somebody is spoofing the site.
> >
> > I often click accept when a site gives me a bogus certificate, because
> > I want to see the page anyway -- but if I do I know that I shouldn't
> > expect any security from the site anymore.
> >
> > (And if you're using a browser that doesn't give you warnings for
> > bogus certificates... you should switch. :)
>
> Just a couple of notes trying to clarify this often over-simplified
> world of "bogus" or "valid" certificates.
> "Bogus" certificates give the impression that they are fake
> certificates; they are self-signed certificates, so they are
> "valid" by definition. Often there is confusion about
> the "validity" of certificates.
> An authentic certificate by a commercial site is
> normally signed by a commercial certification
> authority.
>
> Ending this boring explanation: when the
> browser opens a window about certificates,
> read it with great attention and triple
> check the origin if it is self-signed.

How do you triple check a self-signed certificate? You can check that it
is self-signed, but you don't know if it is self-signed by the website
you want to visit, or self-signed by the man in the middle. What do you
gain, if you know that the traffic between you and the man in the middle
is secured?

> Not all self-signed certificates, or certificates
> signed by an unknown certification authority are fake.

You are better off not trusting them anyway, especially as a Tor user.

> This is often the case of poor organizations
> (as, for example, the Winston Smith Project...)

If they can't afford a trustworthy certificate they should at least make
the ssl access optional or make their stuff accessible through a hidden
service as well. Generic http to https redirects with self-signed
certificates are a sure way to lose me as a possible visitor. If I don't
know what kind of information the website offers, I don't know if it's
worth punching a hole in my Privoxy configuration or to configure
another stunnel. More often than not I just assume that it isn't.

Fabian
-- 
http://www.fabiankeil.de/
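The point Fabian makes above (a self-signed certificate passes every check the browser dialog offers whether it comes from the site or from a man in the middle; only a fingerprint obtained out of band tells them apart) is illustrated by the following added example. It is not part of the thread and not code from any of the participants. It uses only Go's standard library, builds two self-signed certificates for the same hypothetical hostname `mail.example.org` in-process (one standing for the site, one for a man in the middle), and the helper names `selfSigned`, `isSelfSigned`, `fingerprint` and `verifyPinned` are this example's own.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// selfSigned issues a certificate for hostname signed by its own key.
// The legitimate operator and a man in the middle can both run exactly
// this; nothing in the resulting certificate says which one did.
func selfSigned(hostname string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1), // constant serial: fine for the demo
		Subject:               pkix.Name{CommonName: hostname},
		DNSNames:              []string{hostname},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // lets the cert act as its own trust anchor
	}
	// parent == template and the signer key matches the public key: self-signed.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// isSelfSigned is the check the browser dialog lets you make: issuer equals
// subject and the signature verifies under the certificate's own key.
// It says nothing about who generated the key.
func isSelfSigned(c *x509.Certificate) bool {
	if !bytes.Equal(c.RawIssuer, c.RawSubject) {
		return false
	}
	return c.CheckSignatureFrom(c) == nil
}

// fingerprint is the SHA-256 of the DER encoding, the one value that
// differs between the site's self-signed cert and an attacker's.
func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// verifyPinned accepts c for hostname only if its fingerprint matches one
// obtained out of band, and then runs the normal chain, name and validity
// checks with c as the sole trust anchor.
func verifyPinned(c *x509.Certificate, hostname, pinned string) error {
	if fingerprint(c) != pinned {
		return fmt.Errorf("fingerprint mismatch: got %s, pinned %s", fingerprint(c), pinned)
	}
	roots := x509.NewCertPool()
	roots.AddCert(c)
	_, err := c.Verify(x509.VerifyOptions{DNSName: hostname, Roots: roots})
	return err
}

func main() {
	host := "mail.example.org" // hypothetical hostname
	site, err := selfSigned(host)
	if err != nil {
		panic(err)
	}
	attacker, err := selfSigned(host) // same name, different key
	if err != nil {
		panic(err)
	}
	fmt.Println("site cert self-signed:    ", isSelfSigned(site), fingerprint(site))
	fmt.Println("attacker cert self-signed:", isSelfSigned(attacker), fingerprint(attacker))

	pin := fingerprint(site) // what the operator would have to hand you out of band
	fmt.Println("site against pin:    ", verifyPinned(site, host, pin))
	fmt.Println("attacker against pin:", verifyPinned(attacker, host, pin))
}
```

Both certificates report the same subject, both pass `isSelfSigned`, and the browser's "self-signed" warning would look identical for either. The pinned check rejects the attacker's certificate only because the fingerprint came from somewhere other than the connection being checked; if the fingerprint itself arrived over that same connection, the attacker's own fingerprint would be accepted just as readily, which is why a self-signed certificate on a redirect-only HTTPS site buys a first-time visitor nothing.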