[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] How to pin the SSL certificate for torproject.org?

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] How to pin the SSL certificate for torproject.org?
From: <proper@xxxxxxxxxxxxxxx>
Date: Sat, 07 Jul 2012 22:25:56 +0200
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sat, 07 Jul 2012 16:25:31 -0400
Dkim-signature: v=1; a=rsa-sha256; c=simple/simple; d=secure-mail.biz; s=default; t=1341692757; bh=wSTLKEKpZFpWFDwxOpt9sYbst/CeYfy4Ifxwt6pUimA=; l=903; h=Date:MIME-Version:Message-ID:From:Subject:Reply-To:To:In-Reply-To: References:Content-Type:Content-Transfer-Encoding; b=jO+osVYvmo19kRr2970Wk2ymOPRS3FaGoMYl79qCKv4dxOCLVSZBf82Fgm+vQLRvi 3dVnvy4VFIIQUZ/mPG+OxMxuqjcPGJ9FzLBD+GoUS4/VmM86p7Hyq6Ys//5VvrNOnl qvv45emXRZkyVdQ585QpygtN00sL1WiwUjeK6BOU=
In-reply-to: <CAD2Ti285PM-ROJykS7wuGKMesmF2vT7P55VxxCAhwTxJdAjg9Q@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <336e29021550244dbe7fb60b1a23cf60@xxxxxxxxxxxxxxxxxxxx> <97e8925c07ece62c1a591a1c4997a28e@xxxxxxxxxxxxxxxxxxxx> <CAD2Ti2-BnH0YU_yOF_znebzUw76ieGuxEdNzk1531ineCVrhzA@xxxxxxxxxxxxxx> <b6e67770b8a215be6238c330595c4ab6@xxxxxxxxxxxxxxxxxxxx> <CAD2Ti285PM-ROJykS7wuGKMesmF2vT7P55VxxCAhwTxJdAjg9Q@xxxxxxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx

<grarpamp@xxxxxxxxx> wrote:
> >> Fetchmail, msmtp, etc can all connect to a host,
> >> take that cert fingerprint, compare it to the one you've
> >> configured, and drop the connection if they differ.
> >
> > That may work against some adversaries but not against very clever adversaries.
> He can let the first connection alone and tamper with the other one.
>
> It is first assumed one securely obtains and verifies certs
> so you don't have this problem.

I am not talking about the bootstrap problem getting the fingerprint for the first time.

The adversary can let fetchmail, msmtp, etc through, return the correct fingerprint.

Afterwards the adversary recognizes the the second connection, which might be wget and use a compromised root CA certificate.

______________________________________________________
powered by Secure-Mail.biz - anonymous and secure e-mail accounts.

_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] How to pin the SSL certificate for torproject.org?
  - From: grarpamp

References:
- [tor-talk] How to pin the SSL certificate for torproject.org?
  - From: proper
- Re: [tor-talk] How to pin the SSL certificate for torproject.org?
  - From: proper
- Re: [tor-talk] How to pin the SSL certificate for torproject.org?
  - From: grarpamp
- Re: [tor-talk] How to pin the SSL certificate for torproject.org?
  - From: proper
- Re: [tor-talk] How to pin the SSL certificate for torproject.org?
  - From: grarpamp

Prev by Author: Re: [tor-talk] TorBirdy 0.0.9 released - testing and feedback requested!
Next by Author: Re: [tor-talk] How to pin the SSL certificate for torproject.org?
Previous by thread: Re: [tor-talk] How to pin the SSL certificate for torproject.org?
Next by thread: Re: [tor-talk] How to pin the SSL certificate for torproject.org?
Index(es):
- Author
- Thread