[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] How to pin the SSL certificate for torproject.org?

<grarpamp@xxxxxxxxx> wrote:
> >> >> Fetchmail, msmtp, etc can all connect to a host,
> >> >> take that cert fingerprint, compare it to the one you've
> >> >> configured, and drop the connection if they differ.
> >> >
> >> > That may work against some adversaries but not against very
> clever adversaries.
> >> He can let the first connection alone and tamper with the other
> one.
> >>
> >> It is first assumed one securely obtains and verifies certs
> >> so you don't have this problem.
> >
> > I am not talking about the bootstrap problem getting the fingerprint
> for the first time.
> >
> > The adversary can let fetchmail, msmtp, etc through, return the correct
> fingerprint.
> >
> > Afterwards the adversary recognizes the the second connection, which
> might be wget and use a compromised root CA certificate.
> I am not talking about wget or trusting CA's.
> I'm talking about pinning hosts down to whatever
> fingerprint I've chosen to accept before completing
> the connection to them. Fetchmail etc, by example,
> can do this. Simple, infallible [1].
> Why bother trying to do all these ways to hack CSR's,
> be your own CA, when you could take the example of
> fetchmail, configure a fingerprint, and be done.
> Not saying that FF can do this yet.
> [...]
> And what about FF's 'are you sure want to connect
> to this strange cert'... 'accept one time' or 'add and accept
> forever' option? So why not dump the cert in the forever file?
> But if that's not checking _at least_ the fingerprint, and hopefully
> the cert chain, then it's useless for security.

That sounds reasonable in theory for further programmers but is no solution I could use right now.

> Too bad, I checked elinks, lynx, curl, wget, fetch...
> none do fingerprints. So yes, someone somewhere
> should add fp checking to them. And while you're at it,
> add the ability for them to speak to SOCKS5. Seems
> like a small GSOC project :)

I posted a feature request against wget.

But I doubt anyone is interested to add such a feature.

> Also go here:
> https://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1
> https://github.com/agl/extract-nss-root-certs.git

I don't understand how that could help with my original question.

powered by Secure-Mail.biz - anonymous and secure e-mail accounts.

tor-talk mailing list