[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-talk] CA cert MITM vulnerability in Tor? (Was: hidden service on same location as public service)

>> also wondering if the use of hidden service like this will help fix problem
>> of man-in-middle attacks on SSL like here:
>> http://www.wired.com/threatlevel/2010/03/packet-forensics/
>> actually, does Tor's encryption fall victim to this?  if not, is HTTPS 
>> over
>> hidden service redundant?
> While SSL root CA's have been compromised at least twice in past (Comodo, 
> DigiNotar), Tor's .onion have never been impersonated by breaking the 
> encryption. Some argue .onion domains are to short (weak hash) and the 
> encryption keys are to weak as well.

well I think that vulnerability is about using forged CA certs, no need to break the encryption.  there's also the null-byte trick in CA certificates that was discovered to forge CA certs to look legit.

so I wonder if Tor is susceptable to this or if Tor is a SOLUTION to this problem???

(if not accessing hidden service, traffic at the exit is still vulnerable but if access to hidden service, maybe a complete solution to this problem as long as Tor cant be hacked by this MITM trick?)
tor-talk mailing list