[tor-talk] CA cert MITM vulnerability in Tor? (Was: hidden service on same location as public service)

Juenca R juenca at yahoo.com
Mon Jul 9 20:07:27 UTC 2012


>> also wondering if the use of hidden service like this will help fix problem
>> of man-in-middle attacks on SSL like here:
>>  
>> http://www.wired.com/threatlevel/2010/03/packet-forensics/
>>  
>> actually, does Tor's encryption fall victim to this?  if not, is HTTPS over
>> hidden service redundant?
> 
> While SSL root CAs have been compromised at least twice in the past (Comodo, 
> DigiNotar), Tor's .onion have never been impersonated by breaking the 
> encryption. Some argue .onion domains are too short (weak hash) and the 
> encryption keys are too weak as well.

well I think that vulnerability is about using forged CA certs, no need to break the encryption.  there's also the null-byte trick in CA certificates that was discovered to forge CA certs to look legit.

so I wonder if Tor is susceptible to this or if Tor is a SOLUTION to this problem???

(if not accessing hidden service, traffic at the exit is still vulnerable but if access to hidden service, maybe a complete solution to this problem as long as Tor can't be hacked by this MITM trick?)
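
The null-byte trick mentioned in the message above comes down to a certificate name being compared as a NUL-terminated string even though it is stored with an explicit length. The following is an added example, not part of the original post: a flawed comparison next to a length-aware one. The function names and the sample names are constructed for illustration, and wildcard matching is deliberately left out.

```python
# Added example. All names below are constructed sample data.
FORGED = b"www.bank.example\x00.attacker.example"   # constructed name with embedded NUL
LEGIT = b"www.bank.example"                         # constructed ordinary name


def c_string_view(name: bytes) -> bytes:
    """Return what a NUL-terminated (C string) routine would see."""
    return name.split(b"\x00", 1)[0]


def naive_match(cert_name: bytes, host: str) -> bool:
    """Flawed check: stops at the first NUL, like strcmp() on ASN.1 data."""
    return c_string_view(cert_name).lower() == host.encode("ascii").lower()


def strict_match(cert_name: bytes, host: str) -> bool:
    """Length-aware check: compares every byte and rejects control bytes.

    A DNS name in a certificate should hold only printable ASCII, so any
    byte outside 0x21..0x7e (NUL included) makes the name invalid.
    """
    if not cert_name or any(b < 0x21 or b > 0x7E for b in cert_name):
        return False
    try:
        wanted = host.encode("ascii").lower()
    except UnicodeEncodeError:
        return False
    return cert_name.lower() == wanted


def audit(names: list[bytes]) -> list[bytes]:
    """Return the names a certificate scanner should flag for embedded NULs."""
    return [n for n in names if b"\x00" in n]


if __name__ == "__main__":
    host = "www.bank.example"
    for name in (LEGIT, FORGED):
        print(repr(name), "naive:", naive_match(name, host),
              "strict:", strict_match(name, host))
    print("flagged:", audit([LEGIT, FORGED]))
```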

