Re: [tor-talk] Using passwords with TOR

On 22/05/2011 09:00, grarpamp wrote:

>> And a follow-up question if I may - how do you verify that the ssl
>> connection is to the site you want & not something else?   eg:
>> http://www.wired.com/threatlevel/2010/03/packet-forensics/
>> What's the defense against that type of attack?
> Well if CA's are giving intermediate CA's to adversaries, and those
> adversaries are issuing certs MITM on the fly in hardware... then
> yeah, you've got major problems.

I use a Firefox addon called Certificate Patrol. It keeps a record of
certificates that https websites serve. It then alerts you if they
change. It displays information about the old certificate next to the
new certificate so you can tell if the issuer has changed, and if the
old cert was due to expire anyway.

Should come in handy if you come across a Tor Exit node that is somehow
generating "valid" certificates for a domain and MITM'ing you.

Mike Cardwell https://grepular.com/  https://twitter.com/mickeyc
Professional  http://cardwellit.com/ http://linkedin.com/in/mikecardwell
PGP.mit.edu   0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
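
The record-and-compare check described in the message above, as an added example; it is not part of the original post and is not Certificate Patrol's own code. The record fields, status labels, 30-day window, host name and sample certificates are assumptions constructed for illustration.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Assumption: a replacement within 30 days of the old expiry counts as routine.
EXPIRY_WINDOW = timedelta(days=30)

def make_record(der_bytes, issuer, not_after):
    """Build the stored record for one observed certificate."""
    return {"fingerprint": hashlib.sha256(der_bytes).hexdigest(),
            "issuer": issuer, "not_after": not_after}

def check_certificate(store, host, seen, now):
    """Compare the certificate `host` just served with the one on record.

    Returns (status, notes). A changed certificate is never stored
    automatically; the caller decides whether to accept it.
    """
    old = store.get(host)
    if old is None:
        store[host] = seen          # trust on first use
        return "first-seen", []
    if old["fingerprint"] == seen["fingerprint"]:
        return "unchanged", []
    notes = []
    if old["issuer"] != seen["issuer"]:
        notes.append(f"issuer changed: {old['issuer']} -> {seen['issuer']}")
    if old["not_after"] - now > EXPIRY_WINDOW:
        days = (old["not_after"] - now).days
        notes.append(f"old certificate still had {days} days left")
    return ("suspicious" if notes else "expected-renewal"), notes

if __name__ == "__main__":
    # Constructed sample data; the byte strings stand in for DER certificates.
    now = datetime(2011, 5, 22, tzinfo=timezone.utc)
    store = {}
    good = make_record(b"constructed-cert-A", "Example CA 1",
                       datetime(2012, 5, 1, tzinfo=timezone.utc))
    swapped = make_record(b"constructed-cert-B", "Example CA 2",
                          datetime(2012, 1, 1, tzinfo=timezone.utc))
    for seen in (good, good, swapped):
        print(check_certificate(store, "example.org", seen, now))
```

The first sighting of a host is trusted as-is, so the check only helps if that first connection was not already intercepted.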
