-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mike Perry wrote:
> Thus spake Roger Dingledine ([EMAIL PROTECTED]):
>
>> On Wed, Aug 30, 2006 at 02:52:53AM -0500, Shatadal wrote:
>>> So does that mean that if I am trying to access an SSL enabled account
>>> (say gmail or yahoo e-mail), the certificate is a spoofed one being
>>> provided by the rogue tor node and therefore my login name and password
>>> are therefore being provided in cleartext to the node operator?
>> Yes, but only if you click "accept" when your Firefox tells you that
>> somebody is spoofing the site.
>>
>> I often click accept when a site gives me a bogus certificate, because
>> I want to see the page anyway -- but if I do I know that I shouldn't
>> expect any security from the site anymore.
>>
>> (And if you're using a browser that doesn't give you warnings for
>> bogus certificates... you should switch. :)
>
> There is another subtle problem with this.. For sites that provide the
> login form via plain http and then submit via https, a MITM can
> rewrite the POST form to submit anywhere they have a "valid" CA-signed
> CERT (which as we've established costs the attacker $25 and a pay
> phone #). Since this submission can go to ANY domain, it's much easier
> to spoof a valid cert this way without a browser warning.
>
> It's scary just how many banks, email providers (yahoo), and other
> sites try to make things "easier" by providing the login on their
> front (non-https) page. Trial by fire...
>
> You should only use login forms on https pages. Especially via Tor.
>

But the page could be on https and submit through http, even worse. And
you won't know until you hit submit or try to read the source.

Moral: Never trust a web designer to do a cryptographer's job.
- -- 
They who would give up an essential liberty for temporary security,
deserve neither liberty or security --Benjamin Franklin
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFE+hlXGV+aWVfIlEMRAvHaAKCSnYSS/tZMv6D6qFzlZFUuQ01TfwCfcqCd
QIVABYnDhTdBodkCcLtcf7c=
=QUTp
-----END PGP SIGNATURE-----
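The check the thread calls for, written out as an added example that is not part of this mailing-list message or of Tor: a small Python audit that finds the login forms on a page, resolves each form's action the way a browser would, and flags both failure modes discussed, a form served over http (its action can be rewritten in transit) and a form that submits over http (credentials leave the browser in cleartext). The page URLs and HTML below are constructed for the example.

```python
"""Flag login forms that would expose credentials on the way to the server.

Added example, not part of the or-talk thread or of Tor. It implements by
hand the rule the thread states: a login form is only safe if BOTH the page
it is served on AND the URL it submits to are https. All page URLs and HTML
below are constructed for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormFinder(HTMLParser):
    """Collect each <form> that contains a password field, with its action."""

    def __init__(self):
        super().__init__()
        self.forms = []        # [{"action": str, "has_password": bool}, ...]
        self._current = None   # the form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing action means "submit back to the page's own URL".
            self._current = {"action": attrs.get("action") or "",
                             "has_password": False}
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def audit_login_forms(page_url, html):
    """Return one (submit_url, problems) tuple per login form on the page.

    problems is a list of strings; an empty list means the form passes the
    page-is-https AND action-is-https check.
    """
    parser = LoginFormFinder()
    parser.feed(html)
    parser.close()
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue                      # search boxes etc. are not login forms
        submit_url = urljoin(page_url, form["action"])   # resolve like a browser
        submit_scheme = urlsplit(submit_url).scheme.lower()
        problems = []
        if page_scheme != "https":
            # The case from the thread: an http page can be altered in transit,
            # so the form may end up posting somewhere else entirely.
            problems.append("page served over %s: form action can be rewritten"
                            % page_scheme)
        if submit_scheme != "https":
            # The "even worse" case: credentials leave the browser in cleartext.
            problems.append("form submits over %s: credentials in cleartext"
                            % submit_scheme)
        findings.append((submit_url, problems))
    return findings


# Constructed sample pages (hostnames and markup are made up for the example).
SAMPLES = {
    "http page, https action": (
        "http://bank.example/",
        '<form action="/search"><input name="q"></form>'
        '<form method="post" action="https://login.bank.example/auth">'
        '<input name="user"><input type="password" name="pw"></form>'),
    "https page, http action": (
        "https://mail.example/login",
        '<form method="post" action="http://mail.example/auth">'
        '<input name="user"><input type="PASSWORD" name="pw"></form>'),
    "https page, relative action": (
        "https://shop.example/account/login",
        '<form method="post" action="/account/auth">'
        '<input name="user"><input type="password" name="pw"></form>'),
}


def run_samples():
    """Audit every constructed sample; returns {sample name: findings}."""
    return {name: audit_login_forms(url, html)
            for name, (url, html) in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        for submit_url, problems in findings:
            print("%-28s -> %s" % (name, submit_url))
            for line in problems or ["ok"]:
                print("    " + line)
```

This only inspects the static markup, which is exactly the "read the source" step from the reply: a script that swaps the action at submit time is invisible to it, so a clean result here is necessary but not sufficient, and the browser's own mixed-content and certificate warnings remain the last line of defence.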