Avoiding HTTPS pitfalls [was: Re: Moxie Marlinspike]

Fran Litterio flitterio at gmail.com
Mon Feb 23 20:04:27 UTC 2009


coderman wrote:

> i always recommend two things when using HTTPS over Tor:
> - install the petname toolbar.  this will also notify you if some
> rogue CA is suddenly signing the google.com certs, for example, not
> just that encryption isn't used.


In http://www.mozdev.org/pipermail/petname/2009-February/000019.html, Tyler
Close, the author of the Petname add-on for Firefox, says that Petname no
longer binds the chosen petname to the SSL certificate but to the origin
(URL scheme, hostname, port number). He references Collin Jackson's research
on origin granularity in browsers at
http://crypto.stanford.edu/websec/origins/ as justification for this change.

This is ok, but I'd also like to be alerted when the certificate changes for
a site that I regularly visit. If I visit https://sometime.com/ and an
attacker steals or cache-poisons that domain name using a valid SSL
certificate (but not the one from the real owner of the site), then Petname
can't help me.
--
Fran
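The gap described above, modelled as an added example (not code from the Petname add-on): a store that binds a petname to the origin tuple, as Petname now does, alongside a trust-on-first-use certificate pin per origin. The origin-only lookup still shows the petname when the certificate changes; only the pin comparison raises an alarm. Certificate bytes here are constructed stand-ins for DER, not real certificates.

```python
import hashlib
from typing import Dict, Optional, Tuple

# Origin as Petname now defines it: (URL scheme, hostname, port number).
Origin = Tuple[str, str, int]


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the certificate bytes (constructed stand-ins in this example)."""
    return hashlib.sha256(cert_der).hexdigest()


class PetnameStore:
    """Petname per origin, plus the certificate fingerprint first seen for that
    origin (trust-on-first-use pin). Assumed design, not the add-on's own code."""

    def __init__(self) -> None:
        self.petnames: Dict[Origin, str] = {}
        self.pins: Dict[Origin, str] = {}

    def assign(self, origin: Origin, petname: str, cert_der: bytes) -> None:
        """User names an origin; remember the certificate presented at that moment."""
        self.petnames[origin] = petname
        self.pins[origin] = fingerprint(cert_der)

    def repin(self, origin: Origin, cert_der: bytes) -> None:
        """Explicit user action after a legitimate renewal; never done automatically."""
        self.pins[origin] = fingerprint(cert_der)

    def check(self, origin: Origin, cert_der: bytes) -> Dict[str, object]:
        """What an origin-bound toolbar shows, and whether a cert pin would alarm."""
        petname: Optional[str] = self.petnames.get(origin)
        pinned = self.pins.get(origin)
        seen = fingerprint(cert_der)
        return {
            # Origin binding: the petname appears whenever scheme/host/port match,
            # regardless of which CA-valid certificate the server presented.
            "petname": petname,
            # Pin check: any certificate other than the remembered one is flagged,
            # including a CA-valid one obtained by someone who hijacked the name.
            "cert_changed": pinned is not None and pinned != seen,
        }
```

A legitimate renewal trips the same alarm, which is why the store exposes repin as a deliberate user step rather than updating silently.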