On 22/05/2011 09:00, grarpamp wrote:
>> And a follow-up question if I may - how do you verify that the ssl
>> connection is to the site you want & not something else? eg:
>> http://www.wired.com/threatlevel/2010/03/packet-forensics/
>> What's the defense against that type of attack?
>
> Well if CA's are giving intermediate CA's to adversaries, and those
> adversaries are issuing certs MITM on the fly in hardware... then
> yeah, you've got major problems.

I use a Firefox addon called Certificate Patrol. It keeps a record of certificates that https websites serve. It then alerts you if they change. It displays information about the old certificate next to the new certificate so you can tell if the issuer has changed, and if the old cert was due to expire anyway.

Should come in handy if you come across a Tor Exit node that is somehow generating "valid" certificates for a domain and MITM'ing you.

-- 
Mike Cardwell https://grepular.com/ https://twitter.com/mickeyc
Professional http://cardwellit.com/ http://linkedin.com/in/mikecardwell
PGP.mit.edu 0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
_______________________________________________ tor-talk mailing list tor-talk@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
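
The record-and-compare check described in the message above, as an added example that is not part of the original post and is not Certificate Patrol's code. `CertRecord`, `CertStore`, the 30-day renewal window and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class CertRecord:
    sha256: str          # fingerprint of the served certificate
    issuer: str          # issuer distinguished name
    not_after: datetime  # expiry date of the certificate

class CertStore:
    """Remembers the certificate each host served and flags changes."""
    def __init__(self, renewal_window=timedelta(days=30)):
        self.seen = {}
        self.renewal_window = renewal_window  # assumed threshold

    def observe(self, host, cert, now):
        old = self.seen.get(host)
        if old is None:
            self.seen[host] = cert
            return "first-seen", []
        if old.sha256 == cert.sha256:
            return "unchanged", []
        reasons = []
        if old.issuer != cert.issuer:
            reasons.append(f"issuer changed: {old.issuer!r} -> {cert.issuer!r}")
        if old.not_after - now > self.renewal_window:
            days = (old.not_after - now).days
            reasons.append(f"old certificate was still valid for {days} days")
        # The stored record is kept until the user accepts the new one.
        return ("suspicious" if reasons else "expected-renewal"), reasons

    def accept(self, host, cert):
        self.seen[host] = cert

def demo():
    now = datetime(2011, 5, 22)  # constructed sample data throughout
    store = CertStore()
    a = CertRecord("aa11", "CN=Example CA A", datetime(2012, 3, 1))
    b = CertRecord("bb22", "CN=Example CA B", datetime(2012, 5, 1))
    store.observe("example.test", a, now)
    return store.observe("example.test", b, now)

if __name__ == "__main__":
    print(demo())
```

A new certificate from a different issuer while the old one had months left is the case worth stopping on; a same-issuer replacement close to expiry is reported as an expected renewal.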