On 23/04/2015 06:08, Roger Dingledine wrote:
>> I know we could SSL sigaint.org, but if it is a state-actor they could just
>> use one of their CAs and mill a key.
>
> This is not great logic. You're running a website without SSL, even though
> you know people are attacking you? Shouldn't your users be hassling you
> to give them better options? :)
>
> As you say, SSL is not perfect, but it does raise the bar a lot. That
> seems like the obvious next step for making your website safer for
> your users.

Yes, you should use SSL/TLS and you and/or your users run the very
excellent "interception detector" http://www.ianonym.com/intercept.html
Of course to be maximally efficient the tool should be installed on your
site and it should be modified not to change the proxy settings (and
then be compatible with the Tor browser, which unfortunately is
currently not the case), because if the mitm is not stupid it can see
that the destination IP in the socks message does not match your domain.
It can be tried with the secret "abcd" (abcd.sigaint.org).
--
Check the 10 M passwords list: http://peersm.com/findmyass
Anti-spies and private torrents, dynamic blocklist: http://torrent-live.org
Peersm : http://www.peersm.com
torrent-live: https://github.com/Ayms/torrent-live
node-Tor : https://www.github.com/Ayms/node-Tor
GitHub : https://www.github.com/Ayms