[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: OSI 1-3 attack on Tor? in it.wikipedia
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Well, that's all good and valid.
But as an ISP controls all internet-access
of the client, it can with little effort fake
the tor-web+svn-server and some sites
where tor-packages for distributions are hosted.
(Unless they are signed like proper debian-packets
but then again, users often have missing keys and
thus ignore the warning. )
Thus he can change the initially distributed keys.
The ISP can also reroute the authorative directory
servers then and take over the client.
> In the italian wikipedia article, the author is wrongly assuming that
> public keys for directory authorities will be exchanged through
> Internet, so they can be easily spoofed, while they're already safe
> inside your client.
Well, where did you get the client from?
May that be "from the internet"?
A.Y.
On 2/13/08, Marco Bonetti <marco.bonetti@xxxxxxxxxxxx> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Steve Southam wrote:
> > Can you fake out the onion keys of the routers the client thinks it's
> using?
> thank god no!
> that's the whole point of encrypting the communications and sharing the
> public keys fingerprints inside tor sources.
> a man in the middle can reroute traffic through his nodes but it will be
> useless (except for sending your connections to /dev/null) as it can't
> fake the private keys of each node.
>
> In the italian wikipedia article, the author is wrongly assuming that
> public keys for directory authorities will be exchanged through
> Internet, so they can be easily spoofed, while they're already safe
> inside your client.
>
> ciao
>
> - --
> Marco Bonetti
> Slackintosh Linux Project Developer: http://workaround.ch/
> Linux-live for powerpc: http://workaround.ch/pub/rsync/mb/linux-live/
> My webstuff: http://sidbox.homelinux.org/
>
> My GnuPG key id: 0x86A91047
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFHs0syE3eWALCzdGwRAg96AJ9HvuOd5U4ZHkNcV8eEr8WfNLUnggCfTwII
> WNQoSSh62Tp0g1CJZHv5beA=
> =2FgM
> -----END PGP SIGNATURE-----
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: http://firegpg.tuxfamily.org
iD8DBQFHs/BgLAZ+Vq4hPgARAk5yAKCknmqqG5YQY3Ioo6QxnS94abFIqgCdEvVL
LTd5n0o2AFDMr+bxYVfOCu4=
=ECgO
-----END PGP SIGNATURE-----