[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: Holy shit I caught 1
- To: or-talk@xxxxxxxxxxxxx
- Subject: Re: Holy shit I caught 1
- From: Watson Ladd <watsonbladd@xxxxxxxxx>
- Date: Sat, 02 Sep 2006 19:52:55 -0400
- Delivered-to: archiver@seul.org
- Delivered-to: or-talk-outgoing@seul.org
- Delivered-to: or-talk@seul.org
- Delivery-date: Sat, 02 Sep 2006 19:53:14 -0400
- Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:user-agent:mime-version:to:subject:references:in-reply-to:x-enigmail-version:openpgp:content-type:content-transfer-encoding; b=NE9bQc+f7H2WLfMJuNc7/k8FxYWPdC+0SrhQxRkLUJzyjHdTDvI6F7LrcU7kbWV8lEQVIas8B8D/jMYXHe5HFu727HCAWPyw1hV/2/U3H53pgkktNfIDyH/k9U/a0n4l6ZnVRbzE4mMdiHns3F5ulQZDAF/4mPHbtLY7Ku3H290=
- In-reply-to: <20060902222156.GI4323@fscked.org>
- Openpgp: url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x57C89443
- References: <20060828012406.GG23188@fscked.org> <44F543D5.7080904@vfemail.net> <20060830075946.GT3008@moria.seul.org> <20060902222156.GI4323@fscked.org>
- Reply-to: or-talk@xxxxxxxxxxxxx
- Sender: owner-or-talk@xxxxxxxxxxxxx
- User-agent: Thunderbird 1.5.0.5 (Macintosh/20060719)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Mike Perry wrote:
> Thus spake Roger Dingledine (arma@xxxxxxx):
>
>> On Wed, Aug 30, 2006 at 02:52:53AM -0500, Shatadal wrote:
>>> So does that mean that if I am trying to access an SSL enabled account
>>> (say gmail or yahoo e-mail), the certificate is a spoofed one being
>>> provided by the rogue tor node and therefore my login name and password
>>> are therefore being provided in cleartext to the node operator?
>> Yes, but only if you click "accept" when your Firefox tells you that
>> somebody is spoofing the site.
>>
>> I often click accept when a site gives me a bogus certificate, because
>> I want to see the page anyway -- but if I do I know that I shouldn't
>> expect any security from the site anymore.
>>
>> (And if you're using a browser that doesn't give you warnings for
>> bogus certificates... you should switch. :)
>
> There is another subtle problem with this.. For sites that provide the
> login form via plain http and then submit via https, a MITM can
> rewrite the POST form to submit anywhere they have a "valid" CA-signed
> CERT (which as we've established costs the attacker $25 and a pay
> phone #). Since this submission can go to ANY domain, it's much easier
> to spoof a valid cert this way without a browser warning.
>
> It's scary just how many banks, email providers (yahoo), and other
> sites try to make things "easier" by providing the login on their
> front (non-https) page. Trial by fire...
>
> You should only use login forms on https pages. Especially via Tor.
>
>
But the page could be on https and submit through http, even worse. And
you won't know until you hit submit or try to read the source. Moral:
Never trust a web designer to do a cryptographer's job.
- --
They who would give up an essential liberty for temporary security,
deserve neither liberty or security
- --Benjamin Franklin
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFE+hlXGV+aWVfIlEMRAvHaAKCSnYSS/tZMv6D6qFzlZFUuQ01TfwCfcqCd
QIVABYnDhTdBodkCcLtcf7c=
=QUTp
-----END PGP SIGNATURE-----