
Moxie Marlinspike



http://blog.internetnews.com/skerner/2009/02/black-hat-hacking-ssl-with-ssl.html

There's nothing in there that we didn't already know was possible, and I realise
it's not a Tor specific flaw. I just read this paragraph and thought I'd pass it
on here:

"Marlinspike also claimed that in a limited 24 hour test case running on the
anonymous TOR network (and without actually keeping any personally identifiable
information) he intercepted 114 yahoo logins - 50 gmail logins, 9 paypal, 9
linkedin and 3 facebook. So apparently the tool works - and works well."

Lots of people simply don't know how to use Tor safely.

I wonder if something could/should be built into TorButton to force a list of
commonly used services to go entirely over https? E.g. any request for
^http://mail\.google\.com/.*$

Also, how feasible would it be to add a popup which says something along the
lines of:

"You are about to post unencrypted data over the Tor network. Are you sure you
wish to proceed?"

-- 
Erilenz
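The two ideas in the post (a fixed list of services forced over https, and a warning before plaintext POSTs leave the Tor client) sketched as an added example in browser-side JavaScript; this is not code from the post or from TorButton, and the names `FORCE_HTTPS_RULES`, `upgradeUrl`, `shouldWarn` and `handleRequest` plus the paypal/facebook entries are this example's own constructions.

```javascript
// Added example (not from the original post or from TorButton): a rule list
// of the kind proposed above, applied to outgoing requests before they are sent.

// Patterns for services that must always go over https. The first one is the
// regex from the post; the other two are constructed sample entries.
const FORCE_HTTPS_RULES = [
  /^http:\/\/mail\.google\.com\/.*$/,
  /^http:\/\/(www\.)?paypal\.com\/.*$/,
  /^http:\/\/(www\.)?facebook\.com\/.*$/,
];

// Rewrite a plain-http URL to https when it matches a listed service.
// Anchoring on "^http://host/" means look-alike hosts such as
// "mail.google.com.example" do not match, since "/" must follow the host.
function upgradeUrl(url, rules = FORCE_HTTPS_RULES) {
  if (rules.some((re) => re.test(url))) {
    return url.replace(/^http:/, 'https:');
  }
  return url; // not on the list: leave the request unchanged
}

// A plaintext POST (login form, credentials) leaves the Tor network unencrypted
// at the exit relay. This is the case the proposed popup is meant to catch.
function shouldWarn(request) {
  const u = new URL(request.url);
  return u.protocol === 'http:' && request.method.toUpperCase() === 'POST';
}

// Combine both checks: upgrade first, then decide whether a warning is still
// needed for what remains plaintext. Returns the rewritten request plus a flag.
function handleRequest(request, rules = FORCE_HTTPS_RULES) {
  const rewritten = { ...request, url: upgradeUrl(request.url, rules) };
  return { request: rewritten, warn: shouldWarn(rewritten) };
}

module.exports = { FORCE_HTTPS_RULES, upgradeUrl, shouldWarn, handleRequest };
```

Forcing https only helps for services that actually serve the same content over TLS; a site with no https endpoint would simply fail after the rewrite, which is why the post frames it as a curated list rather than a blanket rule.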