<div class="gmail_quote">coderman <span dir="ltr"></span>wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">i always recommend two things when using HTTPS over Tor:<br>
- install the petname toolbar. this will also notify you if some<br>
rogue CA is suddenly signing the <a href="http://google.com" target="_blank">google.com</a> certs, for example, not<br>
just that encryption isn't used.</blockquote><div><br>In <a href="http://www.mozdev.org/pipermail/petname/2009-February/000019.html">http://www.mozdev.org/pipermail/petname/2009-February/000019.html</a>, Tyler Close, the author of the Petname add-on for Firefox, says that Petname no longer binds the chosen petname to the SSL certificate but to the origin (URL scheme, hostname, port number). He references Collin Jackson's research on origin granularity in browsers at <a href="http://crypto.stanford.edu/websec/origins/">http://crypto.stanford.edu/websec/origins/</a> as justification for this change.<br>
<br>This is ok, but I'd also like to be alerted when the certificate changes for a site that I regularly visit. If I visit <a href="https://sometime.com/">https://sometime.com/</a> and an attacker steals or cache-poisons that domain name using a valid SSL certificate (but not the one from the real owner of the site), then Petname can't help me.<br>
--<br>Fran<br><br></div></div>
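An added example, not part of the original message and not code from the Petname add-on: a minimal trust-on-first-use monitor that keys a stored certificate fingerprint by the origin triple (scheme, hostname, port) and reports when a known origin presents a different certificate. The function and class names, and the byte strings standing in for DER-encoded certificates, are constructed for illustration.

```python
import hashlib
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return the (scheme, hostname, port) origin triple for an http(s) URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("not an http(s) URL: %r" % url)
    # urlsplit lowercases the hostname; fill in the scheme's default port.
    return (scheme, parts.hostname, parts.port or DEFAULT_PORTS[scheme])


class CertChangeMonitor:
    """Trust-on-first-use store: origin -> SHA-256 of the leaf certificate."""

    def __init__(self):
        self._seen = {}

    def observe(self, url, cert_der):
        """Record the certificate presented for url and report the outcome."""
        origin = origin_of(url)
        if origin[0] != "https":
            return "no-tls"
        fingerprint = hashlib.sha256(cert_der).hexdigest()
        previous = self._seen.get(origin)
        if previous is None:
            self._seen[origin] = fingerprint
            return "first-seen"
        if previous == fingerprint:
            return "unchanged"
        # Keep the old fingerprint: the user decides whether to accept.
        return "CHANGED"

    def accept(self, url, cert_der):
        """User confirmed the new certificate, so replace the stored one."""
        self._seen[origin_of(url)] = hashlib.sha256(cert_der).hexdigest()


# Constructed stand-ins for DER-encoded certificates (not real certificates).
REAL_CERT = b"constructed DER bytes: certificate of the site's real owner"
OTHER_CERT = b"constructed DER bytes: different, CA-signed certificate"

if __name__ == "__main__":
    monitor = CertChangeMonitor()
    for cert in (REAL_CERT, REAL_CERT, OTHER_CERT):
        print(monitor.observe("https://sometime.com/", cert))
```

A routine certificate renewal also produces `CHANGED`, so the result is a prompt for the user to check rather than proof of an attack.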