[tor-talk] How to pin the SSL certificate for torproject.org?

proper at secure-mail.biz proper at secure-mail.biz
Sat Jul 7 20:25:56 UTC 2012


<grarpamp at gmail.com> wrote:
> >> Fetchmail, msmtp, etc can all connect to a host,
> >> take that cert fingerprint, compare it to the one you've
> >> configured, and drop the connection if they differ.
> >
> > That may work against some adversaries but not against very clever adversaries.
> > He can let the first connection alone and tamper with the other one.
>
> It is first assumed one securely obtains and verifies certs
> so you don't have this problem.

I am not talking about the bootstrap problem getting the fingerprint for the first time.

The adversary can let fetchmail, msmtp, etc through, return the correct fingerprint.

Afterwards the adversary recognizes the second connection, which might be wget, and uses a compromised root CA certificate.

______________________________________________________
powered by Secure-Mail.biz - anonymous and secure e-mail accounts.
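Added example, not from the thread or from any of the tools named in it: a client-side pin check that requires both a valid CA chain and a fingerprint match, so a certificate issued by a compromised root CA is still rejected and the connection dropped. The host name, the pin table and the sample DER bytes are constructed placeholders; the real pin must be obtained and verified out of band.

```python
import hashlib
import hmac
import socket
import ssl

# Hypothetical pin table: host -> SHA-256 fingerprints (hex) of the leaf
# certificate in DER form. Several entries per host allow key rotation.
# The value below is a constructed placeholder, not a real fingerprint.
PINS = {
    "www.torproject.org": {"<sha256-of-leaf-der-obtained-out-of-band>"},
}


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pins) -> bool:
    """True if the certificate's fingerprint equals one of the configured pins.
    Constant-time comparison so a mismatch does not leak which byte differed."""
    fp = fingerprint(der_cert)
    return any(hmac.compare_digest(fp, p.lower()) for p in pins)


def pinned_connect(host: str, port: int = 443, timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection that must pass CA validation AND the pin check.

    CA validation alone is what an unpinned client (the wget case in the
    thread) relies on; the pin check is the extra step that rejects a
    certificate chained to a compromised root.
    """
    ctx = ssl.create_default_context()  # CA chain + hostname verification stay on
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        der = tls.getpeercert(binary_form=True)
        if der is None or not pin_matches(der, PINS.get(host, ())):
            raise ssl.SSLCertVerificationError(
                f"pin mismatch for {host}: got {fingerprint(der or b'')}")
    except Exception:
        tls.close()  # drop the connection rather than continue unpinned
        raise
    return tls
```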