
Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)

On 9/3/2011 3:51 PM, Lee wrote:
> On 9/3/11, Joe Btfsplk <joebtfsplk@xxxxxxx> wrote:
>
>> No.  I understand Tor Project's main concern is Tor / TBB.  I fail to
>> understand why the issue / problem being discussed is in any way limited
>> to Tor or a few softwares.
> My understanding is that the issue is common to all 'secured' web
> sites.   HTTP is trivially subverted; HTTPS needs a valid cert or the
> user clicking past a "No, I don't care about my security; go there
> anyway" warning before it can be subverted.
Lee, you bring up an interesting point about certificate warnings & ignoring them. Sometimes I get warnings from Firefox 5 and 6: "We can't verify the authenticity of the certificate." It may give a reason - like it's expired. Quite often these are bank / investment / insurance sites. Sometimes, the warning comes from Kaspersky IS. Either way, it sometimes turns out - if I call CS - that they "are aware of the problem" - like an expired certificate. I guess they don't really keep up w/ it.

But it could just as easily be someone faking it. AFAIK, an avg user has no way to tell if it's a fake or if a site let its certificate expire, except to call CS. My guess is most "avg" users think, "I know I typed the correct address, & it says 'HTTPS' at the top, so I'm safe." Wrong. From the very beginning of HTTPS & certificates, I wondered what would prevent people from eventually faking some part or another of the "system." I guess it's statistically safer than plain HTTP, but not foolproof by any stretch. Yet sites promote it as being totally safe. I can't even convince several financial sites to allow more than 10 PW chars, or to allow special characters.

It doesn't happen every wk, but often enough to be a PITA. It also seems to happen when I really need to transact business - Murphy's law. For these warnings (esp. about expired certs), I don't know if there's a way for users to verify / resolve questions, except talking to the IT dept of the company - if avail.
