
Re: A Tor Web Service For Verifying Correct Browser Configuration

* Robert Hogan wrote on 2008-03-16 at 21:25:
>   3. Tor Connectivity Test Image
>   <IMG src="http://torproject.org/[uniquesessionid]-torlogo.jpg"; alt="If you

I would suggest using HTTPS here. Assuming Alice has a misconfigured
Tor software and Mallory wants to trick her. He can set up a DNS
wildcard and redirect the traffic from point 1 to his servers. They send
the appropriate image. He redirects
http://www.torproject.org/[uniquesessionid].jpg to the appropriate image
and does this also with the above image. So Alice sees a website which
basically tells her that everything is fine.

When the last point uses HTTPS, Mallory can use some MITM, but normally
Alice's browser should tell her that something isn't going well here.

Best regards

Jens Kubieziel                                   http://www.kubieziel.de
FdI#212: Qualified support
A guilty party can be named. (Martin Schmitt)
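
An added example, not part of the original message: a small Python audit of a verification page's markup that lists every test resource fetched over plain HTTP, the case in which the DNS redirection described above would go unnoticed by the browser. The page URLs, the `SESSIONID` placeholder (standing in for `[uniquesessionid]`) and the function name `spoofable_resources` are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch a sub-resource.
FETCH_ATTRS = {"img": "src", "script": "src", "iframe": "src", "link": "href"}


class _ResourceCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources = []  # (tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:
            # Relative and protocol-relative URLs inherit the page's scheme.
            self.resources.append((tag, urljoin(self.page_url, value.strip())))


def spoofable_resources(page_url, html):
    """Return (tag, url) pairs fetched over plain HTTP, i.e. resources whose
    successful load proves nothing if name resolution is attacker-controlled."""
    collector = _ResourceCollector(page_url)
    collector.feed(html)
    return [(t, u) for t, u in collector.resources
            if urlsplit(u).scheme.lower() == "http"]


# Constructed sample page (hypothetical markup, not the real test page).
SAMPLE_PAGE = """
<html><body>
<IMG src="http://torproject.org/SESSIONID-torlogo.jpg" alt="connectivity test">
<img src="https://torproject.org/SESSIONID-torlogo.jpg" alt="connectivity test">
<img src="//torproject.org/SESSIONID-proto-relative.jpg">
<img src="/SESSIONID-relative.jpg">
</body></html>
"""

if __name__ == "__main__":
    for base in ("http://check.example/", "https://check.example/"):
        print(base, spoofable_resources(base, SAMPLE_PAGE))
```

Serving the page itself over HTTPS removes the relative and protocol-relative findings; only the explicitly `http://` test image remains to be fixed.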
