Flawed CA System leaves Tor Browser users vulnerable to remote hacking and
passive spying in bulk
Lesson 1: The CA system, and https (due to CA root certs, export-grade crypto
downgrade attacks, openssl, cloudflare MITM) is and has always been flawed.
Lesson 2: You should always assume you are hacked the moment you use a
web browser, this is why you should always use a disposable sandbox for your web
Solution 1: Remove all root certs from your system because the CA system is
complete rubbish anyway and a false sense of security. Only trust connections
and network routing protocols that are based on cryptographic proof (i.e.
.onion or .b32.i2p addresses) rather than based on trust (as in the CA system). And
always assume that most clearnet addresses are unencrypted connections; if this
bothers you then don't use clearnet addresses, and perhaps businesses should
use modern network protocols instead of legacy insecure networks (plain ipv4,
Solution 2: Always run the browser in a disposable sandbox. And create a new instance
whenever logging into an account through the web browser.
These problems are not issues that are presented by using Tor, this is an issue
with any browser. I propose that Tor Browser update to run inside of a disposable
sandbox, and throw up a warning whenever users try to access clearnet sites
along the lines of
"WARNING: you are leaving the Tor network to access the legacy clearnet
internet which is vulnerable to various attacks (this is an issue with any
browser accessing the legacy clearnet, not just Tor Browser). Proceed with no
expectation of security or privacy, and it is recommended to use the .onion
address equivalent of the destination you are trying to reach if available.
If no .onion address is available for this destination, tell the site admin to
upgrade their website to a modern routing protocol
<output whois info here>"
You may call me crazy if you want, or even paranoid, but I am correct.
Oh yeah... and if you think the latest update to Tor Browser will fix any of
these issues, you are mistaken.
PGP Fingerprint: 2BB5 15CD 66E7 4E28 45DC 6494 A5A2 2879 3F06 E832
Bitmessage Address: BM-2cVaTbC8fJ5UDDaBBs4jPQoFNp1PfNhxqU
NOTICE: ALL EMAIL CORRESPONDENCE NOT SIGNED/ENCRYPTED WITH PGP SHOULD BE
CONSIDERED POTENTIALLY FORGED, AND NOT PRIVATE.
If this matters to you, use PGP or bitmessage.
tor-talk mailing list - firstname.lastname@example.org
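The post's distinction between names that rest on "cryptographic proof" and names that rest on CA trust can be made concrete with Tor v3 onion addresses, whose hostname encodes the service's ed25519 public key plus a checksum (layout per Tor's rend-spec-v3: base32(PUBKEY || CHECKSUM || VERSION) + ".onion"). The following is an added example, not code from the post or from Tor; the function names and the sample key are my own constructions.

```python
import base64
import binascii
import hashlib
from typing import Optional

# Tor v3 onion address layout (rend-spec-v3):
#   base32(PUBKEY || CHECKSUM || VERSION) + ".onion"
#   CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
ONION_V3_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"


def onion_v3_address(pubkey: bytes) -> str:
    """Derive the self-certifying v3 address from a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    checksum = hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_V3_VERSION).digest()[:2]
    raw = pubkey + checksum + ONION_V3_VERSION  # 35 bytes -> 56 base32 chars, no padding
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def onion_v3_pubkey(hostname: str) -> Optional[bytes]:
    """Return the ed25519 key the v3 .onion hostname commits to, or None if malformed."""
    host = hostname.lower().rstrip(".")
    if not host.endswith(".onion"):
        return None
    label = host[: -len(".onion")].split(".")[-1]  # subdomain labels are not part of the key
    if len(label) != 56:
        return None
    try:
        raw = base64.b32decode(label.upper())
    except (binascii.Error, ValueError):
        return None
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_V3_VERSION:
        return None
    expected = hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + version).digest()[:2]
    return pubkey if checksum == expected else None


def classify_destination(hostname: str) -> str:
    """'self-authenticating' when the name itself commits to a key, else 'ca-trust'."""
    return "self-authenticating" if onion_v3_pubkey(hostname) is not None else "ca-trust"


if __name__ == "__main__":
    sample_key = bytes(range(32))  # constructed key, not a real service
    addr = onion_v3_address(sample_key)
    print(addr, classify_destination(addr), classify_destination("example.com"))
```

A clearnet hostname such as example.com carries no key material, so whatever the TLS handshake shows can only be vouched for by a CA; a v3 onion name fails validation the moment any byte of the key, checksum or version is altered.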