<[email protected]> wrote:
> >> >> Fetchmail, msmtp, etc can all connect to a host,
> >> >> take that cert fingerprint, compare it to the one you've
> >> >> configured, and drop the connection if they differ.
> >> >
> >> > That may work against some adversaries but not against very
> >> > clever adversaries.
> >> > He can let the first connection alone and tamper with the other
> >> > one.
> >>
> >> It is first assumed one securely obtains and verifies certs
> >> so you don't have this problem.
> >
> > I am not talking about the bootstrap problem getting the fingerprint
> > for the first time.
> >
> > The adversary can let fetchmail, msmtp, etc through, return the correct
> > fingerprint.
> >
> > Afterwards the adversary recognizes the second connection, which
> > might be wget and use a compromised root CA certificate.
>
> I am not talking about wget or trusting CA's.
>
> I'm talking about pinning hosts down to whatever
> fingerprint I've chosen to accept before completing
> the connection to them. Fetchmail etc, by example,
> can do this. Simple, infallible [1].
>
> Why bother trying to do all these ways to hack CSR's,
> be your own CA, when you could take the example of
> fetchmail, configure a fingerprint, and be done.
> Not saying that FF can do this yet.
> [...]
> And what about FF's 'are you sure you want to connect
> to this strange cert'... 'accept one time' or 'add and accept
> forever' option? So why not dump the cert in the forever file?
> But if that's not checking _at least_ the fingerprint, and hopefully
> the cert chain, then it's useless for security.
That sounds reasonable in theory for further programmers but is not a solution I could use right now.

> Too bad, I checked elinks, lynx, curl, wget, fetch...
> none do fingerprints. So yes, someone somewhere
> should add fp checking to them. And while you're at it,
> add the ability for them to speak to SOCKS5. Seems
> like a small GSOC project :)

I posted a feature request against wget:
https://lists.gnu.org/archive/html/bug-wget/2012-07/msg00007.html
But I doubt anyone is interested in adding such a feature.

> Also go here:
> https://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1
>
> https://github.com/agl/extract-nss-root-certs.git

I don't understand how that could help with my original question.

______________________________________________________
powered by Secure-Mail.biz - anonymous and secure e-mail accounts.

_______________________________________________
tor-talk mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
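The behaviour the thread asks for from wget and friends (connect, take the server's certificate fingerprint, compare it with a configured value, drop the connection before sending anything if they differ) fits in a few dozen lines of Python with only the standard library. The block below is an added example written for this page; it is not code from the thread, from fetchmail, or from wget. It goes one step beyond the thread: besides pinning the hash of the whole leaf certificate (which breaks every time the certificate is renewed), it can pin the hash of the certificate's SubjectPublicKeyInfo, which survives renewals that keep the same key. The sample certificate it builds is a constructed DER skeleton with placeholder contents and no valid signature, used only so the parsing and comparison can be exercised offline; `connect_pinned` is the part that talks to a real host.

```python
"""Fingerprint pinning for a TLS client, in the spirit of fetchmail's
sslfingerprint option.  Added example, not code from the thread or from
any of the tools it names."""
import binascii
import hashlib
import hmac
import socket
import ssl


def fingerprint(data: bytes, algo: str = "sha256") -> str:
    """Colon-separated upper-case hex digest, as `openssl x509 -fingerprint` prints it."""
    return ":".join(f"{b:02X}" for b in hashlib.new(algo, data).digest())


def _digest_from_pin(pin: str) -> bytes:
    """Accept 'AB:CD:..', 'ab cd ..' or bare hex; return the raw digest bytes."""
    return binascii.unhexlify("".join(ch for ch in pin if ch not in ":- ").lower())


def pin_matches(data: bytes, pin: str, algo: str = "sha256") -> bool:
    """Constant-time comparison of hash(data) against a configured pin."""
    expected = _digest_from_pin(pin)
    actual = hashlib.new(algo, data).digest()
    return len(expected) == len(actual) and hmac.compare_digest(actual, expected)


def _tlv(buf: bytes, pos: int = 0):
    """Parse one DER TLV at buf[pos]; return (tag, value, end_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def spki_der(cert_der: bytes) -> bytes:
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate."""
    _, cert_body, _ = _tlv(cert_der)       # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs, _ = _tlv(cert_body)            # TBSCertificate ::= SEQUENCE { ... }
    pos = 0
    tag, _, end = _tlv(tbs, pos)
    if tag == 0xA0:                        # optional [0] EXPLICIT version
        pos = end
    for _ in range(5):                     # serialNumber, signature, issuer, validity, subject
        _, _, pos = _tlv(tbs, pos)
    tag, _, end = _tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo not found")
    return tbs[pos:end]


class PinMismatch(ssl.SSLError):
    pass


def connect_pinned(host: str, port: int, pin: str, algo: str = "sha256",
                   pin_spki: bool = False, timeout: float = 10.0) -> ssl.SSLSocket:
    """TLS-connect to host:port and hand back the socket only if the peer's
    certificate (or its public key, with pin_spki=True) matches the pin.
    CA validation and hostname checking are deliberately off: the pin, not a
    root store, is the trust anchor, so a compromised CA buys the adversary
    nothing here.  Nothing is sent before the pin is checked."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False             # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    tls = ctx.wrap_socket(socket.create_connection((host, port), timeout=timeout),
                          server_hostname=host)
    try:
        der = tls.getpeercert(binary_form=True) or b""   # DER is returned even with CERT_NONE
        subject = spki_der(der) if pin_spki else der
        if not der or not pin_matches(subject, pin, algo):
            raise PinMismatch(f"{host}:{port} presented {fingerprint(subject, algo)}, expected {pin}")
    except Exception:
        tls.close()                        # drop the connection, as fetchmail does
        raise
    return tls


# --- constructed sample data so the checks above can run offline -------------
def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder (lengths up to 65535)."""
    n = len(body)
    hdr = bytes([tag, n]) if n < 0x80 else bytes([tag, 0x81, n]) if n < 0x100 \
        else bytes([tag, 0x82]) + n.to_bytes(2, "big")
    return hdr + body


_SHA256_RSA_OID = _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")
# Constructed SPKI: EC public key OID plus a placeholder 64-byte point (not a real key).
SAMPLE_SPKI = _der(0x30, _der(0x30, _der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))
                   + _der(0x03, b"\x00\x04" + b"\xab" * 64))


def build_sample_cert(serial: int, spki: bytes = SAMPLE_SPKI) -> bytes:
    """Constructed certificate skeleton: valid DER layout, placeholder names, fake signature."""
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, bytes([serial]))
           + _der(0x30, _SHA256_RSA_OID) + _der(0x30, b"")
           + _der(0x30, _der(0x17, b"120101000000Z") + _der(0x17, b"130101000000Z"))
           + _der(0x30, b"") + spki)
    return _der(0x30, _der(0x30, tbs) + _der(0x30, _SHA256_RSA_OID) + _der(0x03, b"\x00" * 33))


if __name__ == "__main__":
    cert, renewed = build_sample_cert(1), build_sample_cert(2)
    print("leaf pin   :", fingerprint(cert))
    print("spki pin   :", fingerprint(spki_der(cert)))
    print("renewed leaf matches old leaf pin:", pin_matches(renewed, fingerprint(cert)))
    print("renewed spki matches old spki pin:", pin_matches(spki_der(renewed), fingerprint(spki_der(cert))))
```

To use it against a real host, record the pin once over a channel you trust (for example `openssl s_client -connect host:443 | openssl x509 -fingerprint -sha256 -noout` from a machine you know is not being tampered with), then call `connect_pinned("host", 443, "<that fingerprint>")`; the bootstrap problem the thread discusses is unchanged by this code. Note the failure mode the second speaker raises: a leaf pin silently turns into a denial of service when the server legitimately renews its certificate, which is why the `pin_spki=True` variant exists.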
