Avoiding HTTPS pitfalls [was: Re: Moxie Marlinspike]

On Thu, Feb 19, 2009 at 4:17 AM, Erilenz <erilenz@xxxxxxxxx> wrote:
> ...
> Lots of people simply don't know how to use Tor safely.

agreed. i always recommend two things when using HTTPS over Tor:
- install the petname toolbar.  this will also notify you if some
rogue CA is suddenly signing the google.com certs, for example, not
just that encryption isn't used.
- save bookmarks to sites that support HTTPS only (secure cookies)
with the https:// secure URL. (no insecure transition).

> I wonder if something could/should be built into TorButton to force a list of
> commonly used services to go entirely over https? Eg any request for
> ^http://mail\.google\.com/.*$

a plugin to enforce secure cookies and https only operation for some
domains would be useful.  i don't know of any that do this kind of
thing yet...

best regards,
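
Added example, not part of the original message and not code from any existing plugin: the per-domain enforcement discussed above, in JavaScript. The names HTTPS_ONLY_HOSTS, upgradeUrl and forceSecure are hypothetical, and the host list is constructed from the mail.google.com example in the thread. It parses the URL instead of matching a regex, so a request with no path or a look-alike host is handled by comparing the real hostname.

```javascript
// Hypothetical names throughout; the host list is a constructed sample.
const HTTPS_ONLY_HOSTS = new Set(["mail.google.com"]);

// Rewrite an http:// request to https:// when its host is on the list.
// Parsing (rather than a pattern like ^http://mail\.google\.com/.*$)
// covers "http://mail.google.com" with no trailing slash and upper-case
// hosts, and does not treat mail.google.com.example.net or
// mail.google.com@example.net as the listed host.
function upgradeUrl(raw, hosts = HTTPS_ONLY_HOSTS) {
  let u;
  try {
    u = new URL(raw);
  } catch (e) {
    return raw; // not an absolute URL: leave untouched
  }
  if (u.protocol !== "http:" || !hosts.has(u.hostname)) return raw;
  u.protocol = "https:";
  u.port = ""; // assumption: listed services answer on the https default port
  return u.href;
}

// Add the Secure attribute to a Set-Cookie value from a listed host when it
// is missing, so the browser never sends that cookie over plain http.
function forceSecure(setCookie) {
  const attrs = setCookie.split(";").map((s) => s.trim().toLowerCase());
  // attrs[0] is the name=value pair; only later fields are attributes.
  const hasSecure = attrs.slice(1).includes("secure");
  return hasSecure ? setCookie : setCookie + "; Secure";
}

// Constructed sample requests and response headers.
for (const url of [
  "http://mail.google.com/mail/?ui=2",
  "http://MAIL.GOOGLE.COM",
  "http://mail.google.com.example.net/",
  "http://mail.google.com@example.net/",
]) {
  console.log(url, "->", upgradeUrl(url));
}
for (const c of ["SID=abc123; Path=/; HttpOnly", "SID=abc123; Path=/; secure"]) {
  console.log(c, "->", forceSecure(c));
}
```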