[tor-talk] Using passwords with TOR

tor at lists.grepular.com tor at lists.grepular.com
Sun May 22 12:28:29 UTC 2011


On 22/05/2011 09:00, grarpamp wrote:

>> And a follow-up question if I may - how do you verify that the ssl
>> connection is to the site you want & not something else? e.g.:
>> http://www.wired.com/threatlevel/2010/03/packet-forensics/
>> What's the defense against that type of attack?
> 
> Well if CAs are giving intermediate CAs to adversaries, and those
> adversaries are issuing certs MITM on the fly in hardware... then
> yeah, you've got major problems.

I use a Firefox addon called Certificate Patrol. It keeps a record of
certificates that https websites serve. It then alerts you if they
change. It displays information about the old certificate next to the
new certificate so you can tell if the issuer has changed, and if the
old cert was due to expire anyway.

Should come in handy if you come across a Tor Exit node that is somehow
generating "valid" certificates for a domain and MITM'ing you.

-- 
Mike Cardwell https://grepular.com/  https://twitter.com/mickeyc
Professional  http://cardwellit.com/ http://linkedin.com/in/mikecardwell
PGP.mit.edu   0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
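
Added example, not part of the original message and not Certificate Patrol's own code: a minimal sketch of the record-and-compare check the message describes, flagging a changed certificate when the issuer differs or the old certificate was not close to expiry. The names `SeenCert` and `CertStore`, the 30-day renewal window and the sample values are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class SeenCert:
    fingerprint: str     # hex SHA-256 of the DER-encoded certificate
    issuer: str          # issuer name as presented in the certificate
    not_after: datetime  # expiry date of the certificate

class CertStore:
    """Remembers the first certificate seen per host and judges later changes."""

    def __init__(self, renewal_window=timedelta(days=30)):
        self.known = {}                       # host -> SeenCert
        self.renewal_window = renewal_window  # assumed "due to expire anyway" window

    def check(self, host, cert, now):
        old = self.known.get(host)
        if old is None:
            self.known[host] = cert           # trust on first use
            return "first-seen", []
        if old.fingerprint == cert.fingerprint:
            return "unchanged", []
        reasons = []
        if old.issuer != cert.issuer:
            reasons.append(f"issuer changed: {old.issuer} -> {cert.issuer}")
        remaining = old.not_after - now
        if remaining > self.renewal_window:
            reasons.append(f"old certificate still had {remaining.days} days left")
        # The stored record is kept until the user explicitly accepts the new one.
        return ("suspicious" if reasons else "likely-renewal"), reasons

    def accept(self, host, cert):
        self.known[host] = cert

if __name__ == "__main__":
    # Constructed observations; real values would come from the TLS handshake.
    now = datetime(2011, 5, 22, tzinfo=timezone.utc)
    store = CertStore()
    first = SeenCert("aa" * 32, "CN=Example CA A", now + timedelta(days=200))
    swapped = SeenCert("cc" * 32, "CN=Example CA B", now + timedelta(days=300))
    print(store.check("example.org", first, now))
    print(store.check("example.org", swapped, now))
```

A first-seen certificate is trusted without any check, so this only detects a change relative to whatever was served on the first visit.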
