Holy shit I caught 1
Roger Dingledine
arma at mit.edu
Wed Aug 30 07:59:46 UTC 2006
On Wed, Aug 30, 2006 at 02:52:53AM -0500, Shatadal wrote:
> So does that mean that if I am trying to access an SSL enabled account
> (say gmail or yahoo e-mail), the certificate is a spoofed one being
> provided by the rogue tor node and therefore my login name and password
> are therefore being provided in cleartext to the node operator?

Yes, but only if you click "accept" when your Firefox tells you that
somebody is spoofing the site.

I often click accept when a site gives me a bogus certificate, because
I want to see the page anyway -- but if I do I know that I shouldn't
expect any security from the site anymore.

(And if you're using a browser that doesn't give you warnings for
bogus certificates... you should switch. :)

--Roger

More information about the tor-talk mailing list