Moxie Marlinspike
Erilenz
erilenz at gmail.com
Thu Feb 19 12:17:04 UTC 2009
http://blog.internetnews.com/skerner/2009/02/black-hat-hacking-ssl-with-ssl.html
There's nothing in there that we didn't already know was possible, and I realise
it's not a Tor specific flaw. I just read this paragraph and thought I'd pass it
on here:
"Marlinspike also claimed that in a limited 24 hour test case running on the
anonymous TOR network (and without actually keeping any personally identifiable
information) he intercepted 114 yahoo logins - 50 gmail logins, 9 paypal, 9
linkedin and 3 facebook. So apparently the tool works - and works well."
Lots of people simply don't know how to use Tor safely.
I wonder if something could/should be built into TorButton to force a list of
commonly used services to go entirely over https? E.g. any request for
^http://mail\.google\.com/.*$
Also, how feasible would it be to add a popup which says something along the
lines of:
"You are about to post unencrypted data over the Tor network. Are you sure you
wish to proceed?"
--
Erilenz
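An added example of the two ideas in the post above (a forced-https list and a prompt before unencrypted submissions), written here for illustration; it is not Torbutton code. It matches a parsed hostname against a list instead of applying the bare regex, so scheme and host case are normalised and look-alike hosts are not upgraded. The names UPGRADE_HOSTS, upgradeUrl and checkRequest, and the hosts other than mail.google.com, are assumptions.

```javascript
// Example code, not from the post or from Torbutton. The host list is
// constructed; only mail.google.com comes from the post.
const UPGRADE_HOSTS = new Set([
  'mail.google.com',
  'www.paypal.com',
  'www.linkedin.com',
  'www.facebook.com',
]);

// Rewrite a plain-http URL for a listed host to https. Parsing with URL()
// lowercases scheme and host, so "HTTP://MAIL.GOOGLE.COM/" is caught, while
// a look-alike such as mail.google.com.example.net is left alone because the
// whole hostname must match an entry.
function upgradeUrl(rawUrl) {
  let u;
  try { u = new URL(rawUrl); } catch (e) { return rawUrl; } // not absolute: leave it
  if (u.protocol !== 'http:' || !UPGRADE_HOSTS.has(u.hostname)) return rawUrl;
  u.protocol = 'https:';
  return u.href;
}

const PROMPT_TEXT =
  'You are about to post unencrypted data over the Tor network. ' +
  'Are you sure you wish to proceed?';

// Decide what a browser-side hook could do with one outgoing request:
// 'upgrade' it (first idea), 'prompt' the user (second idea), or 'allow' it.
// Only methods that carry a body are treated as posting data.
function checkRequest(method, rawUrl) {
  const url = upgradeUrl(rawUrl);
  if (url !== rawUrl) return { action: 'upgrade', url };
  let plain = false;
  try { plain = new URL(url).protocol === 'http:'; } catch (e) { plain = false; }
  const m = method.toUpperCase();
  const submits = m === 'POST' || m === 'PUT';
  if (plain && submits) return { action: 'prompt', url, message: PROMPT_TEXT };
  return { action: 'allow', url };
}
```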