On 5/22/11, [email protected] <[email protected]> wrote:
> On 22/05/2011 09:00, grarpamp wrote:
>
>>> And a follow-up question if I may - how do you verify that the ssl
>>> connection is to the site you want & not something else? eg:
>>> http://www.wired.com/threatlevel/2010/03/packet-forensics/
>>> What's the defense against that type of attack?
>>
>> Well if CA's are giving intermediate CA's to adversaries, and those
>> adversaries are issuing certs MITM on the fly in hardware... then
>> yeah, you've got major problems.
>
> I use a Firefox addon called Certificate Patrol. It keeps a record of
> certificates that https websites serve. It then alerts you if they
> change. It displays information about the old certificate next to the
> new certificate so you can tell if the issuer has changed, and if the
> old cert was due to expire anyway.
>
> Should come in handy if you come across a Tor Exit node that is somehow
> generating "valid" certificates for a domain and MITM'ing you.

Yes - that looks helpful. Which version of Firefox are you using? I
tried it with FF 4.0.1 and no matter what the settings, javascript
enabled/disabled, noscript addon enabled/disabled I couldn't get a
popup for a newly accepted cert :(

Lee

>
> --
> Mike Cardwell https://grepular.com/ https://twitter.com/mickeyc
> Professional http://cardwellit.com/ http://linkedin.com/in/mikecardwell
> PGP.mit.edu 0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
>
>
_______________________________________________
tor-talk mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
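
The check described in the thread (remember the certificate a site served, then compare issuer and remaining lifetime when it changes), as an added example that is not part of the original messages and is not Certificate Patrol's code. The record layout, the 30-day renewal window, the verdict names and the sample certificates are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumption: a change counts as routine only when the issuer is unchanged
# and the previously recorded certificate was this close to expiring.
RENEWAL_WINDOW = timedelta(days=30)

def check_certificate(store, host, cert, now):
    """Compare the certificate `host` just served with the one recorded on
    an earlier visit. `cert` has 'fingerprint', 'issuer', 'not_after'.
    Returns (verdict, details)."""
    old = store.get(host)
    if old is None:
        store[host] = cert  # first contact: nothing to compare against
        return "first-seen", {}
    if old["fingerprint"] == cert["fingerprint"]:
        return "unchanged", {}
    details = {
        "old_issuer": old["issuer"],
        "new_issuer": cert["issuer"],
        "issuer_changed": old["issuer"] != cert["issuer"],
        "old_days_left": (old["not_after"] - now).days,
    }
    near_expiry = old["not_after"] - now <= RENEWAL_WINDOW
    if near_expiry and not details["issuer_changed"]:
        store[host] = cert  # same issuer, old cert about to expire
        return "changed-routine", details
    # Keep the old record so the mismatch stays visible until someone decides.
    return "changed-suspicious", details

def demo():
    """Replay four visits to one host using constructed certificate records."""
    store, host = {}, "example.org"
    first = {"fingerprint": "aa:01", "issuer": "Example CA 1",
             "not_after": datetime(2011, 6, 5)}
    renewed = {"fingerprint": "bb:02", "issuer": "Example CA 1",
               "not_after": datetime(2012, 6, 5)}
    swapped = {"fingerprint": "cc:03", "issuer": "Other CA 2",
               "not_after": datetime(2012, 6, 1)}
    visits = [(first, datetime(2011, 5, 22)), (first, datetime(2011, 5, 23)),
              (renewed, datetime(2011, 5, 30)), (swapped, datetime(2011, 6, 10))]
    return [check_certificate(store, host, c, t)[0] for c, t in visits]

if __name__ == "__main__":
    print(demo())
```
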
