The dh small subgroup confinement attack and Tor
Freemor
freemor at gmail.com
Sun Aug 9 13:02:42 UTC 2009
On Sun, 9 Aug 2009 04:53:15 -0700 (PDT)
Curious Kid <letsshareinformation at yahoo.com> wrote:
>
> Maybe not a good week.
>
> Browser flaws expose users to man-in-the-middle attacks
> http://blogs.zdnet.com/security/?p=3950
>
> Pretty-Bad-Proxy: An Overlooked Adversary in Browsers’ HTTPS
> Deployments
> http://research.microsoft.com/pubs/79323/pbp-final-with-update.pdf
>
>
>
>
Interesting paper thanks for posting the link to it. I've given it a
quick once over and from what I can see all variations of this attack
require scripting of one sort or another. Since the recommended way to
run a Browser on Tor is with ALL scripting disabled, this shouldn't
effect people that are configured correctly. Of greater concern for me
is if NoScript which I use for my non Tor browsing would catch this or
not. Does anyone know if NoScript relies on the browser for the context
of a frame or does it check the origin it self?
--
freemor at gmail.com
This e-mail has been digitally signed with GnuPG - ( http://gnupg.org/ )
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20090809/6a9901cf/attachment.pgp>
More information about the tor-talk
mailing list