
Re: Holy shit I caught 1




Mike Perry wrote:
> Thus spake Roger Dingledine (arma@xxxxxxx):
> 
>> On Wed, Aug 30, 2006 at 02:52:53AM -0500, Shatadal wrote:
>>> So does that mean that if I am trying to access an SSL enabled account
>>> (say gmail or yahoo e-mail), the certificate is a spoofed one being
>>> provided by the rogue tor node and therefore my login name and password
>>> are being provided in cleartext to the node operator?
>> Yes, but only if you click "accept" when your Firefox tells you that
>> somebody is spoofing the site.
>>
>> I often click accept when a site gives me a bogus certificate, because
>> I want to see the page anyway -- but if I do I know that I shouldn't
>> expect any security from the site anymore.
>>
>> (And if you're using a browser that doesn't give you warnings for
>> bogus certificates... you should switch. :)
> 
> There is another subtle problem with this. For sites that provide the
> login form via plain http and then submit via https, a MITM can
> rewrite the POST form to submit anywhere they have a "valid" CA-signed
> CERT (which as we've established costs the attacker $25 and a pay
> phone #). Since this submission can go to ANY domain, it's much easier
> to spoof a valid cert this way without a browser warning.
> 
> It's scary just how many banks, email providers (yahoo), and other
> sites try to make things "easier" by providing the login on their
> front (non-https) page. Trial by fire...
> 
> You should only use login forms on https pages. Especially via Tor.
> 
> 
But the page could be on https and submit through http, even worse. And
you won't know until you hit submit or try to read the source. Moral:
Never trust a web designer to do a cryptographer's job.

--
They who would give up an essential liberty for temporary security,
deserve neither liberty or security
--Benjamin Franklin
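A defender-side check for the two failure modes this thread describes (a login form delivered over plain http, which a MITM can rewrite, and a form whose action posts over http or to another host), as an added example that is not part of the thread or of any Tor code; it uses only the Python standard library, and the page URLs and HTML below are constructed samples with placeholder hosts.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _FormCollector(HTMLParser):
    """Records each <form>'s action and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None and a.get("type", "").lower() == "password":
            self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_login_forms(page_url, html):
    """Return (finding, submit_url) pairs for every form carrying a password field.
    page-not-https: the form arrived over plain http, so a MITM could have rewritten it.
    submit-not-https: the credentials would leave the browser unencrypted.
    cross-origin-submit: the action targets another host (what a rewritten form looks like).
    """
    collector = _FormCollector()
    collector.feed(html)
    page, findings = urlsplit(page_url), []
    for form in collector.forms:
        if not form["has_password"]:
            continue
        submit = urlsplit(urljoin(page_url, form["action"] or page_url))  # "" submits to the page itself
        if page.scheme != "https":
            findings.append(("page-not-https", submit.geturl()))
        if submit.scheme != "https":
            findings.append(("submit-not-https", submit.geturl()))
        elif submit.netloc.lower() != page.netloc.lower():
            findings.append(("cross-origin-submit", submit.geturl()))
    return findings

# Constructed sample pages (placeholder hosts, not real sites) for the cases raised in the thread.
PW = '<input type="password" name="p">'
SAMPLES = {
    "login form on plain http page": ("http://mail.example.test/", f'<form action="https://mail.example.test/login">{PW}</form>'),
    "https page posting over http": ("https://bank.example.test/", f'<form action="http://bank.example.test/auth">{PW}</form>'),
    "https page, same-origin https post": ("https://mail.example.test/", f'<form action="/login">{PW}</form>'),
}
```

The cross-origin finding is a heuristic: some sites legitimately post to a separate login host, so it flags the form for a look rather than proving tampering.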