Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)

On 9/3/11, Joe Btfsplk <joebtfsplk@xxxxxxx> wrote:
  [.. snip stuff addressed to others ..]
> Lee:
>> These are all rhetorical questions - right?
> No.  I understand Tor Project's main concern is Tor / TBB.  I fail to
> understand why the issue / problem being discussed is in any way limited
> to Tor or a few softwares.

My understanding is that the issue is common to all 'secured' web
sites.   HTTP is trivially subverted; HTTPS needs a valid cert or the
user clicking past a "No, I don't care about my security; go there
anyway" warning before it can be subverted.

>  It seems like if it is, or could be a
> serious concern for Tor users, it could be for users of any software.

My solution is to not download software over tor and verify the
downloaded software.  Sometimes it isn't possible to verify the
software & sometimes I don't bother verifying.. depends on how I feel
at the moment.

> My contention was, few are going to go to the trouble to verify
> signatures, by the  process that currently exists  (if signatures for
> everything existed - & it appears they SHOULD - but don't).
> So, either it's a major concern

For it to be a major concern, an attacker would have to a) have a
valid certificate b) man-in-the-middle your traffic.

What are the chances of someone other than the site owner getting a
valid cert for the site?  In Google's case, apparently 100%.

What are the chances of someone MITMing your traffic?  If you use TOR,
100%.  So how highly do you rate the probability of a tor exit node
maliciously altering your traffic?

> & a LOT of people are going to get
> "infected" because they can't follow the procedures to verify signatures
> , or they won't take the time; OR it's not that big a risk for avg
> users.

Going back to the 1st msg in the thread:
> You should pay special attention if you're in an environment where your
> ISP (or your government!) might try a man-in-the-middle attack ...

It depends on what you think the chances are of someone doing a MITM attack.

>  I might use the process, but a lot of people won't even
> understand the words, much less take the time.  Boiled down:  if it's a
> truly important step before installing any software, major developers
> need to make the verification process easier / more automated for avg users.

Microsoft & FF seem to have already done that.  Use the defaults and
neither asks if you want to upgrade/install patches.  (I could be
wrong there - I do my best to disable automatic updates on everything)

> If it's as serious & imminent a danger as the bloggers & some Tor
> developers indicated, either major software developers will find a way
> to protect avg users,

I think Microsoft already has - looks like all their software is
digitally signed.

> or the internet could eventually become like
> walking the streets of El Paso & Juarez, alone at night.  For those not
> familiar, I've been told by people w/ family there or have visited, drug
> cartels have basically taken over & no "decent" folk are out after dark.
> Lee:
>>   	Only a small % of all developers offer these capabilities.
>> if you're concerned about it, ask the developers to offer the
>> capabilities.
> Should I be concerned?

That's a decision you have to make for yourself.

>  Are you?

Enough that I don't download software when using TOR.  Sometimes I
verify signatures, sometimes I don't bother.  I am very picky about
where I download software from tho.  But realize that isn't a
guarantee.. SourceForge got hacked not that long ago & that's one of
the sites I do get software from.

>  Is Tor or browsers the only software
> susceptible to fake certificates?

Any "secure" (https://) site certainly is; dunno if that's all though.

>  Mozilla / Google have taken
> corrective steps.  What about all the other apps?


>  I have no idea how
> concerned I should be, but snippy answers don't contribute to the
> discussion.

It would be nice if someone who actually knew all this stuff would
give a long answer.  I've been reading blogs, same as you, and come to
my own conclusions and made my own decisions regarding 'safe
behavior'.  Do I think I'm "safe"? No.  But in full-out paranoid mode
I can't think of anything that would make me safe, so I go with what I
consider reasonable precautions.
