[tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
Joe Btfsplk
joebtfsplk at gmx.com
Wed Sep 7 18:40:33 UTC 2011
On 9/3/2011 3:51 PM, Lee wrote:
> On 9/3/11, Joe Btfsplk<joebtfsplk at gmx.com> wrote:
>
>> No. I understand Tor Project's main concern is Tor / TBB. I fail to
>> understand why the issue / problem being discussed is in any way limited
>> to Tor or a few softwares.
> My understanding is that the issue is common to all 'secured' web
> sites. HTTP is trivially subverted; HTTPS needs a valid cert or the
> user clicking past a "No, I don't care about my security; go there
> anyway" warning before it can be subverted.
Lee, you bring up an interesting point about certificate warnings &
ignoring them.

Sometimes I get from Firefox 5, 6 - the warnings, "We can't verify the
authenticity of the certificate." It may give a reason - like it's
expired. Quite often these are bank / investment / insurance sites.
Sometimes, the warning comes from Kaspersky IS. Either way, it
sometimes turns out - if I call CS, they "are aware of the problem" -
like an expired certificate. I guess they don't really keep up w/ it.
But, it could just as easily be someone faking it. AFAIK, an avg user
has no way to tell if it's a fake or if a site let a certificate expire,
except to call CS. My guess is most "avg" users think, "I know I typed the
correct address, & it says "HTTPS" at the top, so I'm safe." Wrong.

From the very beginning of HTTPS & certificates, I wondered what will
prevent people from eventually faking some part or another of the
"system." I guess it's statistically safer than plain HTTP, but not
foolproof by any stretch. Yet, sites promote it as being totally safe.
I can't even convince several financial sites to allow more than 10 PW
chars, & to allow special characters.

It doesn't happen every wk, but often enough to be a PITA. It also
seems to happen when I really need to transact business - Murphy's law.

For these warnings (esp. about expired certs) - I don't know if there's
a way for users to verify / resolve questions, except talking to the IT dept
of the company - if avail.
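The question Joe raises, whether a warning means an expired certificate or a forged one, is exactly the distinction the client's validation code makes before it shows the user a generic warning. The following is an added example, not code from the thread or from the Tor Project: a Go program using only the standard library that builds constructed self-signed certificates for the made-up name www.example.com, then classifies why verification fails from the client's point of view (expired, hostname mismatch, or issuer not in the trust store). The helper names Classify and Scenarios, the dates and the trust-store setup are assumptions made for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeCert builds a self-signed leaf certificate (constructed for this
// example) for dnsName, valid over [notBefore, notAfter].
func makeCert(dnsName string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: dnsName},
		DNSNames:              []string{dnsName},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Classify runs the same checks a browser runs (validity period, name,
// chain to a trusted root) and returns a short label for the outcome.
// Go checks the validity period first, then the hostname, then the chain,
// so an expired certificate is reported as expired even if other checks
// would also fail.
func Classify(cert *x509.Certificate, hostname string, now time.Time, roots *x509.CertPool) string {
	_, err := cert.Verify(x509.VerifyOptions{
		DNSName:     hostname,
		Roots:       roots,
		CurrentTime: now,
	})
	if err == nil {
		return "valid"
	}
	var invalid x509.CertificateInvalidError
	var unknown x509.UnknownAuthorityError
	var hostErr x509.HostnameError
	switch {
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "expired" // site let its certificate lapse (or clock is wrong)
	case errors.As(err, &hostErr):
		return "hostname-mismatch" // certificate is for a different name
	case errors.As(err, &unknown):
		return "untrusted-issuer" // nobody we trust vouches for it: could be a fake
	}
	return "other: " + err.Error()
}

// Scenarios builds constructed certificates for www.example.com and
// reports how each case is classified with a private trust store.
func Scenarios() (map[string]string, error) {
	const host = "www.example.com"
	// The date of the post, used as "now" so the result is reproducible.
	now := time.Date(2011, 9, 7, 18, 40, 0, 0, time.UTC)
	valid, err := makeCert(host, now.Add(-24*time.Hour), now.Add(24*time.Hour))
	if err != nil {
		return nil, err
	}
	expired, err := makeCert(host, now.Add(-48*time.Hour), now.Add(-24*time.Hour))
	if err != nil {
		return nil, err
	}
	trusted := x509.NewCertPool() // stands in for the browser's root store
	trusted.AddCert(valid)
	trusted.AddCert(expired)
	return map[string]string{
		"trusted, in date":        Classify(valid, host, now, trusted),
		"trusted, but expired":    Classify(expired, host, now, trusted),
		"trusted, wrong hostname": Classify(valid, "www.example.net", now, trusted),
		"not in trust store":      Classify(valid, host, now, x509.NewCertPool()),
	}, nil
}

func main() {
	out, err := Scenarios()
	if err != nil {
		panic(err)
	}
	for k, v := range out {
		fmt.Printf("%-24s -> %s\n", k, v)
	}
}
```

The point for a user or a help desk: the validator knows whether the problem is a lapsed validity period, a certificate issued for some other name, or an issuer nobody trusts, and only the last one is the "somebody faking it" case; the browser warning collapses all three into one dialog, which is why clicking through tells you nothing about which case you are in.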