[tor-talk] Flawed CA System leaves Tor Browser users vulnerable to remote hacking and passive spying in bulk
Lesson 1: The CA system, and https (due to CA root certs, export grade crypto downgrade attacks, openssl, cloudflare MITM) is and has always been flawed.
Lesson 2: You should always assume you are hacked the moment you use a web browser, this is why you should always use a disposable sandbox for your web browser.
Solution 1: Remove all root certs from your system because the CA system is complete rubbish anyways and a false sense of security. Only trust connections and network routing protocols that are based on cryptographic proof (i.e. .onion or .b32.i2p addresses) rather than based on trust (as in the CA system). And always assume that most clearnet addresses are unencrypted connections; if this bothers you then don't use clearnet addresses, and perhaps businesses should use modern network protocols instead of legacy insecure networks (plain ipv4, clearnet).
Solution 2: Always run browser in disposable sandbox. And create new instance whenever logging into an account through web browser.
These problems are not issues that are presented by using Tor, this is an issue with any browser. I propose tor browser updates to run inside of disposable sandbox, and throws up a warning whenever users try to access clearnet sites along the lines of
"WARNING: you are leaving the Tor network to access the legacy clearnet internet which is vulnerable to various attacks (this is an issue with any browser accessing the legacy clearnet, not just Tor Browser). Proceed with no expectation of security or privacy, and it is recommended to use the .onion address equivalent of the destination you are trying to reach if available.
If no .onion address is available for this destination, tell the site admin to upgrade their website to a modern routing protocol
<output whois info here>"
You may call me crazy if you want, or even paranoid, but I am correct.
Oh yeah... and if you think the latest update to Tor Browser will fix any of these issues, you are mistaken.
PGP Fingerprint: 2BB5 15CD 66E7 4E28 45DC 6494 A5A2 2879 3F06 E832
Bitmessage Address: BM-2cVaTbC8fJ5UDDaBBs4jPQoFNp1PfNhxqU
NOTICE: ALL EMAIL CORRESPONDENCE NOT SIGNED/ENCRYPTED WITH PGP SHOULD BE CONSIDERED POTENTIALLY FORGED, AND NOT PRIVATE.
If this matters to you, use PGP or bitmessage.