[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Holy shit I caught 1



On Wed, Aug 30, 2006 at 01:55:10PM +0200, Fabian Keil wrote:
> "Marco A. Calamari" <marcoc1@xxxxxxx> wrote:
> 
> > On Wed, 2006-08-30 at 03:59 -0400, Roger Dingledine wrote:
> > > On Wed, Aug 30, 2006 at 02:52:53AM -0500, Shatadal wrote:
> > > > So does that mean that if I am trying to access an SSL enabled account
> > > > (say gmail or yahoo e-mail), the certificate is a spoofed one being
> > > > provided by the rogue tor node and therefore my login name and password
> > > > are therefore being provided in cleartext to the node operator?
> > > 
> > > Yes, but only if you click "accept" when your Firefox tells you that
> > > somebody is spoofing the site.
> > > 

All the points raised above and subsequently about self-signed and
other dubious/bogus certificates that I have cut for space are well
taken.

But the real threat, or perhaps I should say another significant
threat, is that the certificate may not be self-signed or bogus.  If
the URL takes one to an attacker web site, the attacker may have
obtained a perfectly valid Verisign or other recognized authority
certificate.  Some phishing attacks work this way. So one must be sure
of the address one is attempting to reach, be aware of unicade
attacks, probably only type URLs in yourself rather than follow
hyperlinks when it's important and risky etc. Avoiding phishing in
general is way beyond the scope of this message, but the point is that
a valid certificate obtained from a recognized authority through due
process may not be giving you the security guarantees you
expect---which is why such attacks are  effective.

-Paul
-- 
Paul Syverson                              ()  ascii ribbon campaign  
Contact info at http://www.syverson.org/   /\  against html e-mail