[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Avoiding HTTPS pitfalls [was: Re: Moxie Marlinspike]



coderman wrote:
i always recommend two things when using HTTPS over Tor:
- install the petname toolbar.  this will also notify you if some
rogue CA is suddenly signing the google.com certs, for example, not
just that encryption isn't used.

In http://www.mozdev.org/pipermail/petname/2009-February/000019.html, Tyler Close, the author of the Petname add-on for Firefox says that Petname no longer binds the chosen petname to the SSL certificate but to the origin (URL scheme, hostname, port number). He references Collin Jackson's research on origin granularity in browsers at http://crypto.stanford.edu/websec/origins/ as justification for this change.

This is ok, but I'd also like to be alerted when the certificate changes for a site that I regularly visit. If I visit https://sometime.com/ and an attacker steals or cache-poisons that domain name using a valid SSL certificate (but not the one from the real owner of the site), then Petname can't help me.
--
Fran