Posted on 03/13/2009 2:14:56 PM PDT by xtinct
When using a medium such as Tor, do you have a clear man-in-the-middle issue, meaning your encrypted names and passwords are taken from you? This is the issue.
Read the articles. You have no freaking idea who is spoofing your encrypted session with Tor. And I would bet it is someone with bad intentions.
I already responded to that article.
The users were tricked into sending their username/password credentials to a fake website set up to look like the real one. That’s called phishing. Tor doesn’t claim to protect users against phishing.
Two-fold Technique
SSLstrip manages to fool the user into believing he has an encrypted connection with the intended website through several clever sleights of hand. First, the tool uses a proxy on the local area network that contains a valid SSL certificate, causing the browser to display an “https” in the address bar.
Second, it uses homographic techniques to create a long URL that includes a series of fake slash marks in the address. (To prevent browsers from converting the characters to punycode, he had to obtain a domain-validated SSL wildcard cert for *.ijjk.cn).
“The diabolical thing is it looks like https://gmail.com,” Marlinspike told The Register. “The problem is this bridge between http and https and that is a fundamental part of how SSL is deployed on the web. Changing that is not going to be easy.”
Marlinspike has successfully used the ruse on people using both the Firefox and Safari browsers. While he hasn't tested it on Internet Explorer, he assumes the technique works there too. And even if it doesn't, he says there's plenty of reason to believe even security-cautious users don't take the time to ensure their sessions are encrypted.
To prove his point, he ran SSLstrip on a server hosting a Tor anonymous browsing network. During a 24-hour period, he harvested 254 passwords from users visiting sites including Yahoo, Gmail, Ticketmaster, PayPal, and LinkedIn. The users were fooled even though SSLstrip wasn't using the proxy feature that tricks them into believing they were at a secure site. Sadly, the Tor users entered passwords even though the addresses in their address bars didn't display the crucial “https.” (Marlinspike said he later disposed of all personally identifiable information).
There was no fake website for anything. There was only a fake URL and a real (but illegit SSL certificate) given, but the real website was passed through.
No fake websites, so no “spoofing a website” as you claim.
Read the article. I’m losing my patience.
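A defensive check for the two conditions the quoted article describes (a login page reached without https, and slash look-alike characters inside the hostname), added here as an example that is not part of the thread or the article. The function names, the short look-alike list and the "last two labels" domain rule are assumptions made for illustration; the sample URL is constructed.

```python
import unicodedata

# Code points that render like URL delimiters but are not ASCII "/" or "?".
# Assumed short list for this example; a production check would use the
# Unicode confusables data instead.
LOOKALIKE_DELIMS = {"\u2044", "\u2215", "\u29f8", "\uff0f", "\uff1f"}

def split_host(url):
    """Return (scheme, host) using only real ASCII delimiters, as routing does."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        scheme, rest = "", url
    for delim in "/?#":
        rest = rest.partition(delim)[0]
    host = rest.rpartition("@")[2].partition(":")[0]
    return scheme.lower(), host.lower()

def decode_label(label):
    """Show the Unicode form of a punycode (xn--) label, else return it as is."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label
    return label

def audit_url(url):
    """Report where a URL really goes and why its displayed form may mislead."""
    scheme, host = split_host(url)
    labels = [decode_label(part) for part in host.split(".")]
    findings = []
    if scheme != "https":
        findings.append("not-https")
    for label in labels:
        for ch in label:
            if ch in LOOKALIKE_DELIMS:
                findings.append("lookalike-delimiter:" + unicodedata.name(ch))
    # Naive "registrable domain": last two labels. Assumption for the example;
    # real code needs the Public Suffix List.
    real_domain = ".".join(labels[-2:])
    return {"host": host, "real_domain": real_domain, "findings": findings}

# Constructed sample modelled on the URL shape the article describes.
SAMPLE = "https://www.gmail.com\u2044accounts\u2044login.ijjk.cn/"
```

For `SAMPLE` the report names `ijjk.cn` as the domain actually contacted, even though the address reads like a path under gmail.com.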
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.