[tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)

andrew at torproject.org
Sun Sep 4 04:34:24 UTC 2011


On Sat, Sep 03, 2011 at 04:51:49PM -0400, ler762 at gmail.com wrote 4.3K bytes in 111 lines about:
: My understanding is that the issue is common to all 'secured' web
: sites. HTTP is trivially subverted; HTTPS needs a valid cert or the
: user clicking past a "No, I don't care about my security; go there
: anyway" warning before it can be subverted.

Just a fine point here: treat SSL as encryption between you and
something on the other end, not as authentication of the other end (nor
you if you have client certs installed).

-- 
Andrew
pgp key: 0x74ED336B