Indeed! I also employ one additional measure, which, admittedly, may not be to everyone's taste - I have all my browser/system/email/everything-else-you-care-to-name root certificate store wiped out clean!IMO, only stupid idiot doesn't use https with gmail. That's why I think all talkings about gmail and beeing hacked is useless. Let him set "Use always https" in the gmail settings, then log out, log in, change password and secure q/answer and that's all. This should be about Tor and Tor close stuff... Game's over.
If I have to access a specific (https) site or access a new email account (by using secure pop/starttls, secure smtp or secure imap) I tend to get the site's certificate well in advance via other means (not through tor, obviously) and store it manually on my system for use by these programs. That way, I know that if the "certificate unrecognised" error pops up there is either 1) a new site I have never accessed before (most likely); or 2) someone is trying to use spoof certificates.
The latter doesn't occur very often, though I've had this on a number of (rare) occasions when a tor exit node for example (prior to being banned in my torrc file and banished forever) tries to pretend to be my email server and gets caught out with its pants down, quite literally... This measure also prevents the likes of hacked/rogue CA's out there leaking certificates to people/organisations who use them for various criminal/unsavoury purposes.
_______________________________________________ tor-talk mailing list tor-talk@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk