[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
On 9/3/2011 3:51 PM, Lee wrote:
Lee, you bring up an interesting point about certificate warnings &
Sometimes I get from Firefox 5, 6 - the warnings, "We can't verify the
authenticity of the certificate." It may give a reason - like it's
expired. Quite often these are bank / investment / insurance sites.
Sometimes, the warning comes from Kaspersky IS. Either way, it
sometimes turns out - if I call CS, they "are aware of the problem" -
like expired certificate. I guess they don't really keep up w/ it.
On 9/3/11, Joe Btfsplk<joebtfsplk@xxxxxxx> wrote:
No. I understand Tor Project's main concern is Tor / TBB. I fail to
understand why the issue / problem being discussed is in any way limited
to Tor or a few softwares.
My understanding is that the issue is common to all 'secured' web
sites. HTTP is trivially subverted; HTTPS needs a valid cert or the
user clicking past a "No, I don't care about my security; go there
anyway" warning before it can be subverted.
But, it could just as easily be someone faking it. AFAIK, an avg user
has no way to tell if it's a fake or if a site let certificate expire,
except call CS. My guess is most "avg" users think, "I know I typed the
correct address, & it says "HTTPS" at the top, so I'm safe." Wrong.
From the very beginning of HTTPS & certificates, I wondered what will
prevent people from eventually faking some part or another of the
"system." I guess it's statistically safer than plain HTTP, but not
foolproof by any stretch. Yet, sites promote it as being totally safe.
I can't even convince several financial sites to allow more than 10 PW
chars, & to allow special characters.
It doesn't happen every wk, but often enough to be a PITA. It also
seems to happen when I really need to transact business - Murphy's law.
For these warnings (esp. about expired certs) - I don't know if there's
a way for users to verify / resolve questions, except talking to IT dept
of the company - if avail.
tor-talk mailing list