Re: [tor-talk] How to pin the SSL certificate for torproject.org?
> >> >> Fetchmail, msmtp, etc can all connect to a host,
> >> >> take that cert fingerprint, compare it to the one you've
> >> >> configured, and drop the connection if they differ.
> >> >
> >> > That may work against some adversaries but not against very
> >> > clever adversaries.
> >> He can let the first connection alone and tamper with the other
> >> It is first assumed one securely obtains and verifies certs
> >> so you don't have this problem.
> > I am not talking about the bootstrap problem getting the fingerprint
> > for the first time.
> > The adversary can let fetchmail, msmtp, etc through, return the correct
> > Afterwards the adversary recognizes the second connection, which
> > might be wget and use a compromised root CA certificate.
> I am not talking about wget or trusting CA's.
> I'm talking about pinning hosts down to whatever
> fingerprint I've chosen to accept before completing
> can do this. Simple, infallible .
> Why bother trying to do all these ways to hack CSR's,
> be your own CA, when you could take the example of
> fetchmail, configure a fingerprint, and be done.
> Not saying that FF can do this yet.
> And what about FF's 'are you sure you want to connect
> to this strange cert'... 'accept one time' or 'add and accept
> forever' option? So why not dump the cert in the forever file?
> But if that's not checking _at least_ the fingerprint, and hopefully
> the cert chain, then it's useless for security.
That sounds reasonable in theory for further programmers but is no solution I could use right now.
> Too bad, I checked elinks, lynx, curl, wget, fetch...
> none do fingerprints. So yes, someone somewhere
> should add fp checking to them. And while you're at it,
> add the ability for them to speak to SOCKS5. Seems
> like a small GSOC project :)
I posted a feature request against wget.
But I doubt anyone is interested in adding such a feature.
> Also go here:
I don't understand how that could help with my original question.
powered by Secure-Mail.biz - anonymous and secure e-mail accounts.
tor-talk mailing list
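The fetchmail-style check discussed in this thread (connect, take the server certificate's fingerprint, compare it with the one configured beforehand, drop the connection if they differ) as an added, stand-alone example; it is not code from the thread or from any of the tools mentioned. It assumes SHA-256 fingerprints written the way `openssl x509 -fingerprint -sha256` prints them (colon-separated hex) and uses only the Python standard library; the host, port and pin on the command line are whatever you choose to pin.

```python
"""Certificate fingerprint pinning in the fetchmail style (added example).

The pin, not a CA, is the trust anchor: the leaf certificate the server
presents is hashed and compared with a fingerprint obtained out of band.
Every connection is checked, so letting one connection through unmodified
does not help an adversary who tampers with a later one.
"""
import hashlib
import hmac
import socket
import ssl
import sys

HEX_DIGITS = set("0123456789ABCDEF")


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the DER certificate as 'AA:BB:...' (openssl's layout)."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_pin(pin: str) -> str:
    """Accept 'aa:bb:..' or 'aabb..' in either case; reject anything that
    is not a 64-hex-digit SHA-256 fingerprint."""
    hexstr = pin.strip().replace(":", "").upper()
    if len(hexstr) != 64 or not set(hexstr) <= HEX_DIGITS:
        raise ValueError("pin must be a SHA-256 fingerprint (64 hex digits)")
    return ":".join(hexstr[i:i + 2] for i in range(0, 64, 2))


def pin_matches(cert_der: bytes, pinned: str) -> bool:
    """Constant-time comparison of the presented cert with the pin."""
    return hmac.compare_digest(fingerprint(cert_der), normalize_pin(pinned))


def connect_pinned(host: str, port: int, pinned: str, timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection and return it only if the leaf cert matches the pin.

    CA-chain validation and hostname checking are deliberately off: the pin
    replaces the CA store, which is exactly the model the thread describes.
    """
    expected = normalize_pin(pinned)          # validate the pin before dialling
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                # must precede CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        der = tls.getpeercert(binary_form=True)   # DER is returned even with CERT_NONE
        if der is None or not pin_matches(der, expected):
            got = fingerprint(der) if der else "<no certificate>"
            raise ssl.SSLCertVerificationError(
                f"pin mismatch for {host}:{port}: got {got}, expected {expected}")
    except Exception:
        tls.close()                           # drop the connection on any failure
        raise
    return tls


if __name__ == "__main__":
    # Usage: python pin.py HOST PORT SHA256-FINGERPRINT
    if len(sys.argv) != 4:
        sys.exit("usage: pin.py HOST PORT SHA256-FINGERPRINT")
    sock = connect_pinned(sys.argv[1], int(sys.argv[2]), sys.argv[3])
    print("pin verified:", fingerprint(sock.getpeercert(binary_form=True)))
    sock.close()
```

Because the pin covers the leaf certificate only, it has to be updated whenever the server rotates its certificate; a mismatch is then indistinguishable from an attack, which is the intended failure mode of this approach.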