[tor-talk] Flawed CA System leaves Tor Browser users vulnerable to remote hacking and passive spying in bulk

Cannon cannon at cannon-ciota.info
Thu Sep 22 15:44:20 UTC 2016


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Flawed CA System leaves Tor Browser users vulnerable to remote hacking and passive spying in bulk


https://hackernoon.com/tor-browser-exposed-anti-privacy-implantation-at-mass-scale-bd68e9eb1e95#.h4zfsqcpn


Lesson 1: The CA system, and https (due to CA root certs, export grade crypto downgrade attacks, openssl, cloudflare MITM) is and has always been flawed.

Lesson 2: You should always assume you are hacked the moment you use a web browser; this is why you should always use a disposable sandbox for your web browser.

Solution 1: Remove all root certs from your system because the CA system is complete rubbish anyways and a false sense of security. Only trust connections and network routing protocols that are based on cryptographic proof (i.e. .onion or .b32.i2p addresses) rather than based on trust (as in CA system). And always assume that most clearnet addresses are unencrypted connections; if this bothers you then don't use clearnet addresses, and perhaps businesses should use modern network protocols instead of legacy insecure networks (plain ipv4, clearnet).

Solution 2: Always run browser in disposable sandbox. And create new instance whenever logging into an account through web browser.

These problems are not issues that are presented by using Tor, this is an issue with any browser. I propose tor browser updates to run inside of disposable sandbox, and throws up a warning whenever users try to access clearnet sites along the lines of 

"WARNING: you are leaving the Tor network to access the legacy clearnet internet which is vulnerable to various attacks (this is an issue with any browser accessing the legacy clearnet, not just Tor Browser). Proceed with no expectation of security or privacy, and it is recommended to use the .onion address equivalent of the destination you are trying to reach if available.
If no .onion address is available for this destination, tell the site admin to upgrade their website to a modern routing protocol
<output whois info here>"



You may call me crazy if you want, or even paranoid, but I am correct.


Oh yeah... and if you think the latest update to Tor Browser will fix any of these issues, you are mistaken.


-- 

Cannon
PGP Fingerprint: 2BB5 15CD 66E7 4E28 45DC 6494 A5A2 2879 3F06 E832 
Email: cannon at cannon-ciota.info
Bitmessage Address: BM-2cVaTbC8fJ5UDDaBBs4jPQoFNp1PfNhxqU 
Ricochet-IM: ricochet:hfddt2csxnsb2mdq 

NOTICE: ALL EMAIL CORRESPONDENCE NOT SIGNED/ENCRYPTED WITH PGP SHOULD BE CONSIDERED POTENTIALLY FORGED, AND NOT PRIVATE.
If this matters to you, use PGP or bitmessage.
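As an added illustration of the two ideas in the post above (trusting names that carry cryptographic proof, and warning before a clearnet destination), here is a small Python sketch. It is not code from the original post, from Tor Browser, or from the Tor Project. It checks that a v3 .onion name is self-authenticating by recomputing the address checksum defined in Tor's rend-spec-v3 (SHA3-256 over ".onion checksum" || pubkey || version, first two bytes), treats a .b32.i2p suffix as self-authenticating by suffix only (an assumption; the embedded hash is not validated), and classifies anything else as clearnet. The sample destinations, the zero-byte public key, and the warning wording are constructed for the example; the whois lookup the post proposes is omitted so the code runs offline.

```python
import base64
import hashlib
import hmac
from typing import NamedTuple, Optional
from urllib.parse import urlsplit

# Tor v3 onion address layout (rend-spec-v3):
#   base32(PUBKEY[32] || CHECKSUM[2] || VERSION[1]) + ".onion"   (56 base32 chars)
ONION_V3_LABEL_LEN = 56
ONION_V3_VERSION = b"\x03"
ONION_CHECKSUM_PREFIX = b".onion checksum"


def onion_v3_checksum(pubkey: bytes) -> bytes:
    """CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]."""
    return hashlib.sha3_256(ONION_CHECKSUM_PREFIX + pubkey + ONION_V3_VERSION).digest()[:2]


def make_onion_v3_address(pubkey: bytes) -> str:
    """Derive the .onion name for a 32-byte ed25519 public key (used here to build test input)."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion public keys are 32 bytes")
    raw = pubkey + onion_v3_checksum(pubkey) + ONION_V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def is_valid_onion_v3(host: str) -> bool:
    """True if the label before .onion decodes to a v3 address whose checksum matches its key."""
    host = host.lower().rstrip(".")
    if not host.endswith(".onion"):
        return False
    label = host[: -len(".onion")].split(".")[-1]  # allow sub-labels such as www.<addr>.onion
    if len(label) != ONION_V3_LABEL_LEN:
        return False
    try:
        raw = base64.b32decode(label.upper())
    except ValueError:  # binascii.Error (non-alphabet chars) is a ValueError subclass
        return False
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    return version == ONION_V3_VERSION and hmac.compare_digest(checksum, onion_v3_checksum(pubkey))


class Destination(NamedTuple):
    host: str
    kind: str                  # "onion-v3", "onion-invalid", "i2p-b32" or "clearnet"
    self_authenticating: bool  # name is bound to a key hash rather than to a CA's assertion


def host_of(url_or_host: str) -> str:
    """Accept either a bare hostname or a full URL."""
    if "://" in url_or_host:
        return (urlsplit(url_or_host).hostname or "").lower()
    return url_or_host.lower()


def classify_destination(url_or_host: str) -> Destination:
    host = host_of(url_or_host).rstrip(".")
    if host.endswith(".onion"):
        if is_valid_onion_v3(host):
            return Destination(host, "onion-v3", True)
        return Destination(host, "onion-invalid", False)  # malformed name: do not treat as proof
    if host.endswith(".b32.i2p"):
        # Assumption: suffix check only; the 52-char base32 hash is not validated here.
        return Destination(host, "i2p-b32", True)
    return Destination(host, "clearnet", False)


def clearnet_warning(url_or_host: str) -> Optional[str]:
    """Warning text (in the spirit of the post's proposal) for destinations without cryptographic proof."""
    dest = classify_destination(url_or_host)
    if dest.self_authenticating:
        return None
    return (
        f"WARNING: you are leaving the Tor network to access {dest.host} on the legacy clearnet. "
        "Proceed with no expectation of security or privacy; prefer the .onion equivalent if one exists. "
        f"(destination class: {dest.kind})"
    )


# Constructed sample destinations; the onion key is 32 zero bytes (a dummy, not a real service).
SAMPLE_ONION = make_onion_v3_address(bytes(32))
SAMPLES = [
    "https://" + SAMPLE_ONION + "/",
    "http://www." + SAMPLE_ONION + "/",
    "https://example.com/login",
    "https://notarealonion.onion/",
    "http://" + "a" * 52 + ".b32.i2p/",  # constructed i2p-style name
]

if __name__ == "__main__":
    for url in SAMPLES:
        d = classify_destination(url)
        print(f"{d.kind:14} {d.host}")
        warning = clearnet_warning(url)
        if warning:
            print("   ", warning)
```

The checksum check is what makes an .onion name "proof" rather than "trust": the name itself commits to the service key, so a mistyped or tampered name fails closed instead of silently resolving to something else.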

