http://blog.internetnews.com/skerner/2009/02/black-hat-hacking-ssl-with-ssl.html
There's nothing in there that we didn't already know was possible, and I realise it's not a Tor-specific flaw. I just read this paragraph and thought I'd pass it on here:

"Marlinspike also claimed that in a limited 24 hour test case running on the anonymous TOR network (and without actually keeping any personally identifiable information) he intercepted 114 yahoo logins, 50 gmail logins, 9 paypal, 9 linkedin and 3 facebook. So apparently the tool works - and works well."

Lots of people simply don't know how to use Tor safely. I wonder if something could/should be built into TorButton to force a list of commonly used services to go entirely over https? E.g. any request for ^http://mail\.google\.com/.*$

Also, how feasible would it be to add a popup which says something along the lines of: "You are about to post unencrypted data over the Tor network. Are you sure you wish to proceed?"

-- Erilenz

