Re: Avoiding HTTPS pitfalls [was: Re: Moxie Marlinspike]
2009/2/24 coderman coder...@gmail.com:
> On Mon, Feb 23, 2009 at 12:04 PM, Fran Litterio flitte...@gmail.com wrote:
>> ...
>> This is ok, but I'd also like to be alerted when the certificate changes for a site that I regularly visit.
>
> yes. Tyler's suggestion is a good one. if you want the certs themselves authenticated you get to manage them yourself too. remove all CA's by nuking libnssckbi.so and only add back those you've authenticated and trust.
>
> sadly, this is beyond the skills of most people. the PKI cartel lives another day... :P

Perspectives (http://www.cs.cmu.edu/~perspectives/) is another useful tool. You can change the quorum %, the length of time that quorum must be achieved, and the conditions under which Perspectives checks. This isn't self-management, but it does provide an additional certificate check.

J
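The two knobs J mentions (quorum percentage and the length of time the quorum must hold) are easier to reason about with a concrete decision procedure. The block below is an added example written for this page; it is not code from the thread or from the Perspectives project, and it models their notary check in a deliberately simplified form: the notary reports, the integer day numbers, the function names and the one-day "still current" window are all assumptions for illustration.

```javascript
"use strict";

// Constructed sample data (not real notary output). Times are integer day
// numbers. Three notaries have seen key "fp-site" for weeks; notary-d's view
// of the site recently switched to a different key, "fp-other".
const SAMPLE_REPORTS = [
  { notary: "notary-a", keys: [{ fp: "fp-site", firstSeen: 1, lastSeen: 40 }] },
  { notary: "notary-b", keys: [{ fp: "fp-site", firstSeen: 3, lastSeen: 40 }] },
  { notary: "notary-c", keys: [{ fp: "fp-site", firstSeen: 1, lastSeen: 39 }] },
  {
    notary: "notary-d",
    keys: [
      { fp: "fp-site", firstSeen: 2, lastSeen: 38 },
      { fp: "fp-other", firstSeen: 39, lastSeen: 40 },
    ],
  },
];

// A notary counts towards quorum for `fp` only if it still sees that key
// (observed within the last day) and has seen it for at least `minDays`.
function notaryAgrees(report, fp, today, minDays) {
  const obs = report.keys.find((k) => k.fp === fp);
  if (!obs) return false;
  const stillCurrent = today - obs.lastSeen <= 1;
  const longEnough = today - obs.firstSeen >= minDays;
  return stillCurrent && longEnough;
}

// Fraction of notaries (0..1) that agree on `fp` under the duration rule.
function quorumFraction(reports, fp, today, minDays) {
  if (reports.length === 0) return 0;
  const agreeing = reports.filter((r) => notaryAgrees(r, fp, today, minDays)).length;
  return agreeing / reports.length;
}

// The client-side decision for the key the browser actually received:
// accept only if the agreeing fraction reaches the configured quorum %.
function evaluateObservedKey(reports, fp, today, { quorumPct, minDays }) {
  const fraction = quorumFraction(reports, fp, today, minDays);
  return { fp, fraction, accept: fraction * 100 >= quorumPct };
}

// Walk-through with the sample data on day 40.
const DEFAULTS = { quorumPct: 75, minDays: 7 };
console.log(evaluateObservedKey(SAMPLE_REPORTS, "fp-site", 40, DEFAULTS)); // accept
console.log(evaluateObservedKey(SAMPLE_REPORTS, "fp-other", 40, DEFAULTS)); // reject
// Raising the quorum to 100% also rejects "fp-site", because notary-d no
// longer sees it: stricter settings trade false alarms for coverage.
console.log(evaluateObservedKey(SAMPLE_REPORTS, "fp-site", 40, { quorumPct: 100, minDays: 7 }));
```

The duration rule is what separates a key that one notary started seeing yesterday from a key the whole network has seen for weeks; the quorum percentage is what decides how many disagreeing notaries you tolerate before the check fails.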
Re: Avoiding HTTPS pitfalls [was: Re: Moxie Marlinspike]
On Mon, February 23, 2009 21:40, coderman wrote:
>> Noscript has some options (Options, Advanced, HTTPS) that may help.
>> Disclaimer: I've not used these options and I don't know if it's secure.

This feature works. I haven't dumped the traffic to prove it, but I've found some (insecure) sites with https login and http cookies which break down when adding them to the https only cookies list, so, at least, the feature does what it claims to do ;-)

> from https://www.torproject.org/torbutton/faq.html
> Which Firefox extensions should I avoid using?
> ...
> NoScript: using NoScript can actually disable protections that Torbutton itself provides via Javascript, yet still allow malicious exit nodes to compromise your anonymity via the default whitelist...

this is true if you enable javascript on http sites while using tor, as a rogue exit node can inject the hell into your response. However, it has been a while since NoScript added the https only whitelist: when this option is on it will restrict your whitelist to secure connections only. See my older posts for more information on this stuff.

> as an aside, i found a plugin that could do everything above, but only if the sites themselves send you a ForceHTTPS cookie securely: https://crypto.stanford.edu/forcehttps/
> the design paper does a good job of explaining why this is all more complicated than you might think...

After pdp had the infamous incident with gmail, he wrote a similar firefox extension to send all cookies over https only (quite drastic). It should be on the gnucitizen site, so let's add it to the list of the extensions also ;-)

-- 
Marco Bonetti
BT3 EeePC enhancing module: http://sid77.slackware.it/bt3/
Slackintosh Linux Project Developer: http://workaround.ch/
Linux-live for powerpc: http://workaround.ch/pub/rsync/mb/linux-live/
My webstuff: http://sidbox.homelinux.org/
My GnuPG key id: 0x86A91047
Avoiding HTTPS pitfalls [was: Re: Moxie Marlinspike]
On Thu, Feb 19, 2009 at 4:17 AM, Erilenz eril...@gmail.com wrote:
> ...
> Lots of people simply don't know how to use Tor safely.

agreed. i always recommend two things when using HTTPS over Tor:
- install the petname toolbar. this will also notify you if some rogue CA is suddenly signing the google.com certs, for example, not just that encryption isn't used.
- save bookmarks to sites that support HTTPS only (secure cookies) with the https:// secure URL. (no insecure transition).

> I wonder if something could/should be built into TorButton to force a list of commonly used services to go entirely over https? Eg any request for ^http://mail\.google\.com/.*$

a plugin to enforce secure cookies and https only operation for some domains would be useful. i don't know of any that do this kind of thing yet...

best regards,
Re: Avoiding HTTPS pitfalls [was: Re: Moxie Marlinspike]
coderman wrote:
> i always recommend two things when using HTTPS over Tor:
> - install the petname toolbar. this will also notify you if some rogue CA is suddenly signing the google.com certs, for example, not just that encryption isn't used.

In http://www.mozdev.org/pipermail/petname/2009-February/19.html, Tyler Close, the author of the Petname add-on for Firefox, says that Petname no longer binds the chosen petname to the SSL certificate but to the origin (URL scheme, hostname, port number). He references Collin Jackson's research on origin granularity in browsers at http://crypto.stanford.edu/websec/origins/ as justification for this change.

This is ok, but I'd also like to be alerted when the certificate changes for a site that I regularly visit. If I visit https://sometime.com/ and an attacker steals or cache-poisons that domain name using a valid SSL certificate (but not the one from the real owner of the site), then Petname can't help me.

-- 
Fran
Re: Avoiding HTTPS pitfalls [was: Re: Moxie Marlinspike]
coderman wrote:
> On Thu, Feb 19, 2009 at 4:17 AM, Erilenz eril...@gmail.com wrote:
>> ...
> [...]
>> I wonder if something could/should be built into TorButton to force a list of commonly used services to go entirely over https? Eg any request for ^http://mail\.google\.com/.*$
>
> a plugin to enforce secure cookies and https only operation for some domains would be useful. i don't know of any that do this kind of thing yet...

Noscript has some options (Options, Advanced, HTTPS) that may help.
Disclaimer: I've not used these options and I don't know if it's secure.
Re: Avoiding HTTPS pitfalls [was: Re: Moxie Marlinspike]
On Mon, Feb 23, 2009 at 12:29 PM, Arjan n6bc23cpc...@list.nospam.xutrox.com wrote:
> Noscript has some options (Options, Advanced, HTTPS) that may help.
> Disclaimer: I've not used these options and I don't know if it's secure.

from https://www.torproject.org/torbutton/faq.html
Which Firefox extensions should I avoid using?
...
NoScript: using NoScript can actually disable protections that Torbutton itself provides via Javascript, yet still allow malicious exit nodes to compromise your anonymity via the default whitelist...

as an aside, i found a plugin that could do everything above, but only if the sites themselves send you a ForceHTTPS cookie securely: https://crypto.stanford.edu/forcehttps/

the design paper does a good job of explaining why this is all more complicated than you might think...

best regards,
Moxie Marlinspike
http://blog.internetnews.com/skerner/2009/02/black-hat-hacking-ssl-with-ssl.html

There's nothing in there that we didn't already know was possible, and I realise it's not a Tor specific flaw. I just read this paragraph and thought I'd pass it on here:

> Marlinspike also claimed that in a limited 24 hour test case running on the anonymous TOR network (and without actually keeping any personally identifiable information) he intercepted 114 yahoo logins, 50 gmail logins, 9 paypal, 9 linkedin and 3 facebook. So apparently the tool works - and works well.

Lots of people simply don't know how to use Tor safely. I wonder if something could/should be built into TorButton to force a list of commonly used services to go entirely over https? Eg any request for ^http://mail\.google\.com/.*$

Also, how feasible would it be to add a popup which says something along the lines of: "You are about to post unencrypted data over the Tor network. Are you sure you wish to proceed?"

-- 
Erilenz
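Erilenz's two proposals (a regex list of services forced onto https, and a warning before unencrypted data is posted) and coderman's related point elsewhere in this thread about secure cookies can be put together as one request-filtering step. The block below is an added example written for this page, not code from TorButton, NoScript or anyone in the thread. The mail.google.com pattern is the one Erilenz gave; the second rule's hostname, the request shape, the function names and the sample requests are constructed for illustration.

```javascript
"use strict";

// Rule list in the form Erilenz sketched: one regex per service that must
// never be reached over plain http. The mail.google.com pattern is from the
// thread; the second host is hypothetical. The "/" after the hostname
// matters: without it a lookalike such as "mail.google.com.evil.test"
// would match the rule too.
const HTTPS_ONLY_RULES = [
  /^http:\/\/mail\.google\.com\/.*$/,
  /^http:\/\/webmail\.example\.test\/.*$/,
];

// Decide what to do with an outgoing request before it leaves the browser:
//   rewrite - the URL is on the https-only list, so upgrade it;
//   warn    - plain http and the request would carry user data (the popup
//             Erilenz proposed);
//   allow   - already https, or a plain GET with no body to an unlisted host.
function decideRequest({ url, method, hasBody }, rules = HTTPS_ONLY_RULES) {
  if (rules.some((re) => re.test(url))) {
    return { action: "rewrite", url: url.replace(/^http:/, "https:") };
  }
  const plaintext = /^http:\/\//i.test(url);
  const carriesData = method.toUpperCase() !== "GET" || hasBody === true;
  if (plaintext && carriesData) {
    return { action: "warn", url };
  }
  return { action: "allow", url };
}

// The secure-cookie half of the problem: a cookie set over https without the
// Secure attribute is sent in the clear on the next http:// request to the
// same host, which is exactly the transition the rewrite above prevents.
function cookieLeaksOverHttp(setCookieHeader) {
  const attrs = setCookieHeader.split(";").map((a) => a.trim().toLowerCase());
  return !attrs.includes("secure");
}

// Constructed requests and headers for the walk-through.
const SAMPLE_REQUESTS = [
  { url: "http://mail.google.com/mail/", method: "POST", hasBody: true },
  { url: "http://mail.google.com.evil.test/", method: "GET", hasBody: false },
  { url: "http://forum.example.test/post", method: "POST", hasBody: true },
  { url: "https://mail.google.com/mail/", method: "POST", hasBody: true },
];
for (const req of SAMPLE_REQUESTS) {
  console.log(req.method, req.url, "->", decideRequest(req).action);
}
console.log(cookieLeaksOverHttp("SID=abc123; Path=/; HttpOnly")); // true
console.log(cookieLeaksOverHttp("SID=abc123; Path=/; Secure; HttpOnly")); // false
```

The ordering is deliberate: a listed service is upgraded before the warning logic runs, so a form post to mail.google.com never produces a prompt, while a post to a host nobody has put on the list does. Whether the list lives in the client (as Erilenz suggests) or is supplied by the site (as the ForceHTTPS design discussed later in the thread does) is the part the Stanford paper spends its time on.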
Re: Moxie Marlinspike
On Thu, 19 Feb 2009 07:17:04 -0500 Erilenz eril...@gmail.com wrote:
> http://blog.internetnews.com/skerner/2009/02/black-hat-hacking-ssl-with-ssl.html
>
> There's nothing in there that we didn't already know was possible, and I realise it's not a Tor specific flaw. I just read this paragraph and thought I'd pass it on here:
>
>> Marlinspike also claimed that in a limited 24 hour test case running on the anonymous TOR network (and without actually keeping any personally identifiable information) he intercepted 114 yahoo logins, 50 gmail logins, 9 paypal, 9 linkedin and 3 facebook. So apparently the tool works - and works well.

Thank you very much for pointing out yet another unscrupulous exit operator. I've just added

ExcludeExitNodes thoughtcrime,$1E6882D9AB86DA56C48BDE96698B8F8AF81FD707

to my torrc file.

> Lots of people simply don't know how to use Tor safely.

Very true, but then, lots of people simply don't know how to use the Internet safely. Lots of people don't bother to buy and use a paper shredder to dispose of sensitive USnail safely.

> I wonder if something could/should be built into TorButton to force a list of commonly used services to go entirely over https? Eg any request for ^http://mail\.google\.com/.*$
>
> Also, how feasible would it be to add a popup which says something along the lines of: "You are about to post unencrypted data over the Tor network. Are you sure you wish to proceed?"

It looks like a good idea, but what about pop-up blockers? Maybe it should be built into browsers, perhaps enabled as a configurable option turned on by default.

Scott Bennett, Comm. ASMELG, CFIAG
Internet: bennett at cs.niu.edu
"A well regulated and disciplined militia, is at all times a good objection to the introduction of that bane of all free governments -- a standing army."
-- Gov. John Hancock, New York Journal, 28 January 1790
Re: Moxie Marlinspike
Another good reason to keep ExcludeNodes.

praedor

On Thursday 19 February 2009 07:15:47 Scott Bennett wrote:
> On Thu, 19 Feb 2009 07:17:04 -0500 Erilenz eril...@gmail.com wrote:
>> http://blog.internetnews.com/skerner/2009/02/black-hat-hacking-ssl-with-ssl.html
>>
>> There's nothing in there that we didn't already know was possible, and I realise it's not a Tor specific flaw. I just read this paragraph and thought I'd pass it on here:
>>
>>> Marlinspike also claimed that in a limited 24 hour test case running on the anonymous TOR network (and without actually keeping any personally identifiable information) he intercepted 114 yahoo logins, 50 gmail logins, 9 paypal, 9 linkedin and 3 facebook. So apparently the tool works - and works well.
>
> Thank you very much for pointing out yet another unscrupulous exit operator. I've just added
>
> ExcludeExitNodes thoughtcrime,$1E6882D9AB86DA56C48BDE96698B8F8AF81FD707
>
> to my torrc file.
>
>> Lots of people simply don't know how to use Tor safely.
>
> Very true, but then, lots of people simply don't know how to use the Internet safely. Lots of people don't bother to buy and use a paper shredder to dispose of sensitive USnail safely.
>
>> I wonder if something could/should be built into TorButton to force a list of commonly used services to go entirely over https? Eg any request for ^http://mail\.google\.com/.*$
>>
>> Also, how feasible would it be to add a popup which says something along the lines of: "You are about to post unencrypted data over the Tor network. Are you sure you wish to proceed?"
>
> It looks like a good idea, but what about pop-up blockers? Maybe it should be built into browsers, perhaps enabled as a configurable option turned on by default.
>
> Scott Bennett, Comm. ASMELG, CFIAG
> Internet: bennett at cs.niu.edu
> "A well regulated and disciplined militia, is at all times a good objection to the introduction of that bane of all free governments -- a standing army."
> -- Gov. John Hancock, New York Journal, 28 January 1790

-- 
An imbalance between rich and poor is the oldest and most fatal ailment of all republics. --Plutarch