VanguardLH wrote:

> "Aaron" <aaronnewsgroup@gmail.com> wrote in message
> news:Xns99D5DA9491B1Faaronnewsgroup@85.214.62.108...
> > "VanguardLH" <VanguardLH@mail.invalid> wrote in
> > news:KMOdnVZ0LvcpO7zanZ2dnUVZ_vCknZ2d@comcast.com:
> >
> >> "Joan Battaglia" wrote in message
> >> news:4weUi.17176$JD.3743@newssvr21.news.prodigy.net...

> >
> >>> Is my password still secure when logging into an http account with
> >>> Tor/Privoxy running?
> >>
> >>
> >> Since you are now using a proxy, and because the proxy can pretend
> >> to be the target site, and because the proxy could establish the SSL
> >> connect with you and then an SSL connect to the target site (so both
> >> use SSL but not directly to each other), now you have to trust the
> >> proxy doesn't intercept your SSL request and won't pretend to be the
> >> target site.

> >
> > Eh. That doesn't work. If it "pretends to be the target site", the
> > certificate won't match up. Right?
> >

>
>
> The interceptor gives you THEIR certificate,


<snip>

That's the whole point. That's WHY the certs don't match up and WHY Tor
nodes (or anyone else) trying to launch MITM attacks fail. Signatures
and CAs are meaningless at that point. Unless you cripple your own
software you get big honking errors.

Why do you think SSL exists in the first place for God's sake?
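
The certificate check argued about in this thread can be reproduced locally with the `openssl` command line. This is an added example, not part of the original posts; the names `shop.example`, `proxy.example`, `Demo Root CA` and all function names are assumptions made for the demo. It compares the genuine site's certificate with two certificates an intercepting proxy could present instead.

```shell
#!/usr/bin/env bash
# Constructed demo: every key, certificate and hostname below is generated locally.

# issue NAME HOST: write NAME.pem, a certificate for HOST signed by the demo CA.
issue() {
  printf 'subjectAltName=DNS:%s\n' "$2" > "$1.ext"
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" &&
  openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 1 -extfile "$1.ext" -out "$1.pem"
}

# make_pki DIR: build the trust anchor and the three certificates compared below.
make_pki() {
  ( cd "$1" &&
    # The CA the client already trusts.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout ca.key -out ca.pem \
      -subj "/CN=Demo Root CA" &&
    # The genuine site's certificate.
    issue site shop.example &&
    # Interceptor option 1: self-signed certificate claiming the site's name.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout forged.key \
      -out forged.pem -subj "/CN=shop.example" &&
    # Interceptor option 2: a validly signed certificate, but for its own name.
    issue proxy proxy.example
  ) >/dev/null 2>&1
}

# check_cert DIR CERT HOST: exit 0 only if CERT chains to ca.pem AND names HOST,
# the same two checks a TLS client makes before sending a password.
check_cert() {
  openssl verify -CAfile "$1/ca.pem" -verify_hostname "$3" "$1/$2" >/dev/null 2>&1
}

# verdict DIR CERT HOST: print "accept" or "reject" for one presented certificate.
verdict() {
  if check_cert "$@"; then echo accept; else echo reject; fi
}

demo_dir=$(mktemp -d)
make_pki "$demo_dir"
for cert in site.pem forged.pem proxy.pem; do
  printf '%-10s -> %s\n' "$cert" "$(verdict "$demo_dir" "$cert" shop.example)"
done
```

Only `site.pem` is accepted for `shop.example`: the self-signed certificate fails the chain check and the proxy's own certificate fails the hostname check, which is the error a browser raises unless verification has been switched off.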