Holy shit I caught 1
Arrakistor
arrakistor at gmail.com
Mon Aug 28 02:08:02 UTC 2006
Harry,
Just how do you expect the average windows user to know how to check ssl
certifications? That is now the level of the people using tor.
Regards,
Arrakistor
Sunday, August 27, 2006, 8:55:31 PM, you wrote:
> Hopefully the people using Tor would be "clued in" enough to check their
> certs. <shrug>
> Arrakistor wrote:
>> Amazing(ly bad). Perhaps we need some sort of monster programs
>> stalking through the system to check for things like this.
>>
>> What I would like to know is how long the router on the node has been
>> spoofing the certs. Did this only come after we discussed the
>> possibility? If not, how fast can we fix this? Further, what else
>> aren't we thinking about?
>>
>> Regards,
>> Arrakistor
>>
>> Sunday, August 27, 2006, 8:24:06 PM, you wrote:
>>
>>> I would have bet good money against this, but there actually IS a
>>> router on the tor network spoofing SSL certs. The router '1'
>>> (218.58.6.159 - $BB688E312A9F2AFFFC6A619F365BE372695CA626) is
>>> providing self-signed SSL certs for just about every SSL site you hit
>>> through it. Nice. Is there a wiki page with bad tor nodes anywhere?
>>
>>> Let's hear it for paranoia! Hip hip hooray.
>>
>>> Is anyone else scanning? My list of hits on for this zip is awefully
>>> small.. It appears we may actually need to scan, folks.
>>
>>> An assortment of SSL certs provided by this router is attached in a
>>> .zip file.
>>
>>> Go ahead and hit up https://addons.mozilla.org.1.exit with
>>> socks_remote_dns and only a socks proxy (privoxy breaks the .exit
>>> notation), and be prepared to shit yourself. Does anyone know if
>>> firefox verifies cert sigs when downloading extension updates?
>>
>>
>>
More information about the tor-talk
mailing list