On 01/22/14 03:53, krishna e bera wrote:
> On 14-01-21 07:32 PM, ramo@xxxxxxxxxxxxxxx wrote:
>> http://arstechnica.com/security/2014/01/scientists-detect-spoiled-onions-trying-to-sabotage-tor-privacy-network/
>
> thanks, added it to
> https://trac.torproject.org/projects/tor/wiki/doc/badRelays

End-to-end encryption where both the server and the client certificate are signed with the same CA (that of the site) protects against this attack.

Each site runs its own certificate signer for its own visitors. Clients are known only by a unique (or autogenerated) nickname, not by their real identities.

When a client connects to a site, it validates the server certificate and uses only client certificates signed by the same certificate signer to authenticate. If there is a MitM, it cannot create a valid server certificate that matches that of the site.

Without DNSSEC, this is a TOFU (trust on first use) validation. There is a chance that a user gets a rogue end point at the first connection. With DNSSEC, the site owner publishes their own certificate signer root certificate.

I call it Eccentric Authentication. It is not meant for activists and criminals but for the normal internet user. I believe that before we can protect activists, we need to protect ourselves first. (It's the first rule of first aid: protect yourself or you are the next victim.)

See: http://eccentric-authentication.org/eccentric-authentication/censorship_resistance.html

Regards, Guido Witmond.
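The validation rules described in the post, as an added example that is not code from the original message or from the Eccentric Authentication project: each site is its own self-signed signer, the client pins that signer on first contact (TOFU), and a client certificate is offered only when it chains to the same pinned signer. Certificates are constructed in memory with Go's standard x509 package; the TOFUStore type, the function names and the host names in the usage are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue makes a certificate for name signed by parent; a nil parent means self-signed, which is how each
// site creates its own signer here. Usages are kept broad so the one helper serves both CA and leaf.
func issue(name string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), DNSNames: []string{name},
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed: the site's own root signer
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// TOFUStore (assumed type) pins the signing CA first seen for each site: trust on first use.
type TOFUStore map[string]*x509.Certificate

// chains reports whether c verifies against the single root ca for usage; host "" skips the name check.
func chains(c, ca *x509.Certificate, usage x509.ExtKeyUsage, host string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := c.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, KeyUsages: []x509.ExtKeyUsage{usage}})
	return err == nil
}

// ValidateServer accepts leaf only if it chains to the CA pinned for host. First contact pins the
// presented CA: that is the one connection on which a rogue end point could still be accepted.
func ValidateServer(store TOFUStore, host string, leaf, presentedCA *x509.Certificate) bool {
	if _, seen := store[host]; !seen && chains(leaf, presentedCA, x509.ExtKeyUsageServerAuth, host) {
		store[host] = presentedCA
	}
	return store[host] != nil && chains(leaf, store[host], x509.ExtKeyUsageServerAuth, host)
}

// ClientCertUsable reports whether c was signed by the signer pinned for host, so a nickname
// certificate issued by one site is never offered to a different site or to an impostor.
func ClientCertUsable(store TOFUStore, host string, c *x509.Certificate) bool {
	return store[host] != nil && chains(c, store[host], x509.ExtKeyUsageClientAuth, "")
}
```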
--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk