When you say wikipedia has a "valid" cert, what makes it valid? That
some global CA signed it? Why do you trust the global CA? Or, did
wikipedia self sign and you've chosen to trust their cert? How do you
normally handle self-signed certs? Not saying you haven't properly
configured trust/privacy on your machines, but pointing out that many
people don't question certs when signed by the CA that are included
with their browser by default.
Scott
On Tue, Feb 14, 2012 at 01:21, Christopher Howard
<christopher.howard@frigidcode.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 02/14/2012 12:35 AM, R Denison wrote:
>
>>
>> Truth be told I don't run tor much these days, mostly due to
>> inconvenience. =C2=A0And if I understand correctly there's the potential
>> =C2=A0that, unless you're getting SSL connection to your destination
>> server, it's subject to MITM modification at the exit node(s).
>>
>
> I use enforced HTTPS, so Firefox literally won't visit any URLs with
> simple HTTP protocol. The trade-off to this self-imposed security
> requirement is that I have lost access to about half the Internet. At
> least a quarter of that, I'd guess, are sites that make a secure port
> available but have not configured it correctly. I've seen expired
> certificates, self-signed certificates, non-matching certificates, and
> even hosts trying to offer unsecured HTTP out of the HTTPS port.
> Between that, and all the sites using partial encryption, it's a
> pretty nasty mess out there.
>
> To my very much good fortune, though, Wikipedia is fully encrypted
> with a top-grade cipher and a valid cert. :)
>
> BTW, even during normal browsing an unsecured HTTP connection is
> subject to a MITM modification or even complete takeover. At every
> point along the route from source to destination. Any attacker at any
> node could insert malicious code or misrepresent the connection,
> without raising flags on your end, if he knew what he was doing. Whew!
> It's a good thing we don't live in one of those countries where shady
> government officials have surveillance access to any of our ISP lines
> through special monitoring stations mandated by law. Err, oops... I
> guess we do...
>
> - --
> frigidcode.com
> theologia.indicium.us
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.17 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iQEcBAEBAgAGBQJPOjWrAAoJEI2DxlFxTtgdEBAH/1rxAli6HSsArfTUeZg6MNsp
> uK06G5ZSyCaJVI+VdkwNhmb6bTGWXaWOxcliwhcFACEaClDjacT+ZeJiyT0Dbg0R
> lY4GwROYNT2v6aW7FSq8f0/1Wje8T9fHoP3GlCxzWmLbgKm4laFcStTh2anp2kSN
> M6KNKtrNpVVe6eEyktilbutou3ERazQqS8JSNGrixm8bZ0WrswnNNjAhqNI0oH46
> WUvus59jQ7iLEwoIvfWrW7b+hPhPF0jw0Du3EcMt2NmFWEuvEu20kdj8WTQ3ZgT+
> 9Hfq/1eAahhArayN3xfqD/dWJ61vsFO4PdIXKYQ9S7GanAiuJlxKlqAEOfw7mxU=3D
> =3D3oxx
> -----END PGP SIGNATURE-----
> ---------
> To unsubscribe, send email to <aklug-request@aklug.org>
> with 'unsubscribe' in the message body.
>
--=20
Scott A. Johnson
scott.a.johnson@gmail.com
---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
Received on Tue Feb 14 13:17:00 2012
This archive was generated by hypermail 2.1.8 : Tue Feb 14 2012 - 13:17:00 AKST