>> also wondering if the use of hidden service like this will help fix problem >> of man-in-middle attacks on SSL like here: >> >> http://www.wired.com/threatlevel/2010/03/packet-forensics/ >> >> actually, does Tor's encryption fall victim to this? if not, is HTTPS >> over >> hidden service redundant? > > While SSL root CA's have been compromised at least twice in past (Comodo, > DigiNotar), Tor's .onion have never been impersonated by breaking the > encryption. Some argue .onion domains are to short (weak hash) and the > encryption keys are to weak as well.
well I think that vulnerability is about using forged CA certs, no need to break the encryption. there's also the null-byte trick in CA certificates that was discovered to forge CA certs to look legit. so I wonder if Tor is susceptable to this or if Tor is a SOLUTION to this problem??? (if not accessing hidden service, traffic at the exit is still vulnerable but if access to hidden service, maybe a complete solution to this problem as long as Tor cant be hacked by this MITM trick?) _______________________________________________ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
