[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-talk] CA cert MITM vulnerability in Tor? (Was: hidden service on same location as public service)
>> also wondering if the use of hidden service like this will help fix problem
>> of man-in-middle attacks on SSL like here:
>> actually, does Tor's encryption fall victim to this? if not, is HTTPS
>> hidden service redundant?
> While SSL root CA's have been compromised at least twice in past (Comodo,
> DigiNotar), Tor's .onion have never been impersonated by breaking the
> encryption. Some argue .onion domains are to short (weak hash) and the
> encryption keys are to weak as well.
well I think that vulnerability is about using forged CA certs, no need to break the encryption. there's also the null-byte trick in CA certificates that was discovered to forge CA certs to look legit.
so I wonder if Tor is susceptable to this or if Tor is a SOLUTION to this problem???
(if not accessing hidden service, traffic at the exit is still vulnerable but if access to hidden service, maybe a complete solution to this problem as long as Tor cant be hacked by this MITM trick?)
tor-talk mailing list