[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Moxie Marlinspike

To: Erilenz <erilenz@xxxxxxxxx>, or-talk@xxxxxxxxxxxxx
Subject: Re: Moxie Marlinspike
From: Scott Bennett <bennett@xxxxxxxxxx>
Date: Thu, 19 Feb 2009 06:15:47 -0600 (CST)
Delivered-to: archiver@xxxxxxxx
Delivered-to: or-talk-outgoing@xxxxxxxx
Delivered-to: or-talk@xxxxxxxx
Delivery-date: Thu, 19 Feb 2009 07:16:48 -0500
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx

     On Thu, 19 Feb 2009 07:17:04 -0500 Erilenz <erilenz@xxxxxxxxx> wrote:
>http://blog.internetnews.com/skerner/2009/02/black-hat-hacking-ssl-with-ssl.html
>
>There's nothing in there that we didn't already know was possible, and I realise
>it's not a Tor specific flaw. I just read this paragraph and thought I'd pass it
>on here:
>
>"Marlinspike also claimed that in a limited 24 hour test case running on the
>anonymous TOR network (and without actually keeping any personally identifiable
>information) he intercepted 114 yahoo logins Ã¢ 50 gmail logins, 9 paypal, 9 
>inkedin and 3 facebook. So apparently the tool works - and works well."

     Thank you very much for pointing out yet another unscrupulous exit
operator.  I've just added

ExcludeExitNodes thoughtcrime,$1E6882D9AB86DA56C48BDE96698B8F8AF81FD707

to my torrc file.
>
>Lots of people simply don't know how to use Tor safely.

     Very true, but then, lots of people simply don't know how to use the
Internet safely.  Lots of people don't bother to buy and use a paper shredder
to dispose of sensitive USnail safely.
>
>I wonder if something could/should be built into TorButton to force a list of
>commonly used services to go entirely over https? Eg any request for
>^http://mail\.google\.com/.*$
>
>Also, how feasible would it be to add a popup which says something along the
>lines of:
>
>"You are about to post unencrypted data over the Tor network. Are you sure you
>wish to proceed?"

     It's looks like a good idea, but what about pop-up blockers?  Maybe it
should be built into browsers, perhaps enabled as a configurable option turned
on by default.


                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:       bennett at cs.niu.edu                              *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************

Follow-Ups:
- Re: Moxie Marlinspike
  - From: Praedor Atrebates

Prev by Author: Re: Bittorrent
Next by Author: Re: Switching Tor relay speed
Previous by thread: Moxie Marlinspike
Next by thread: Re: Moxie Marlinspike
Index(es):
- Author
- Thread