On 23/04/2015 06:08, Roger Dingledine wrote:
Yes, you should use SSL/TLS and you and/or your users run the very excellent "interception detector" http://www.ianonym.com/intercept.html

> I know we could SSL sigaint.org, but if it is a state-actor they could just
> use one of their CAs and mill a key.

This is not great logic. You're running a website without SSL, even though you know people are attacking you? Shouldn't your users be hassling you to give them better options? :) As you say, SSL is not perfect, but it does raise the bar a lot. That seems like the obvious next step for making your website safer for your users.
Of course to be maximally efficient the tool should be installed on your site and it should be modified not to change the proxy settings (and then be compatible with the Tor browser, which unfortunately is currently not the case), because if the mitm is not stupid it can see that the destination IP in the socks message does not match your domain.
It can be tried with the secret "abcd" (abcd.sigaint.org)

--
Check the 10 M passwords list: http://peersm.com/findmyass
Anti-spies and private torrents, dynamic blocklist: http://torrent-live.org
Peersm : http://www.peersm.com
torrent-live: https://github.com/Ayms/torrent-live
node-Tor : https://www.github.com/Ayms/node-Tor
GitHub : https://www.github.com/Ayms

--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk