Anonymous wrote:
>Andy Walker wrote:
>
>> Nomen Nescio wrote:
>>
>> >No, Tor doesn't change the fact that SSL has safeguards against MITM
>> >attacks built into it. You're misunderstanding something you've read,
>> >and you're spreading FUD as a result.
>>
>> Guess again skippy, we do it in-house to scan SSL sessions for data
>> leaks and malicious content.
>
>With the proxy running under the 5 versions outdated installation of PHP
>you're still using? ;-)
>
>Here's a clue: It doesn't work. Not without exerting physical control
>over client software and the certificates it accepts, it doesn't,
>anyway. You conveniently left that part out, the part about you
>mandating security policies, or you're just flat out flinging lies
>hoping something will stick.
>
>If you own the client you can make it do anything you want just like
>inattentive users can. Accept any bogus certificate you offer, skip any
>and all security checks, etc. And it's trivial to proxy SSL connections
>themselves. You can even block connections you can't monitor so that
>you force your users to use your certificates even if they do figure
>out how to reset your broken security to defaults.
>
>Hell, for that matter, readers can use something as simple as stunnel to
>proxy SSL certificates locally and do the exact same thing as an
>experiment, using a certificate they created themselves and manually
>authorized in some client. Works just the same.
>
>Of course not one bit of any of that has anything at all to do with the
>subject at hand, so all you've really done here is yap about nothing of
>any import. We're not talking about local network administrators
>auditing and controlling installed software. Now are we? Hmmmmm??
You really don't get it, do you? If I load a certificate for ANY site
on a proxy and you connect to it, I can make it look like you are
connecting to the site you intended to connect to. True, I can't
change the original information on the originating CA, but then your
client won't be looking for the real CA anyway because the cert is
signed by one of my bogus authorities. Better still, if I control
your DNS I can make your client think I've got an honest to dog EV Cert
with the green address bar and the feel good "verified by" bull****.
Does this mean that someone with enough of a clue couldn't detect it?
No, but then there are so many clueless people out there it would
probably fool 99.9% of them.
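The interception scheme described above only works once the proxy's own root has been installed in the client's trust store, and that is exactly what a defender can look for. The following is an added detection example, not code from anyone in this thread; it audits constructed handshake observations (host, root the chain terminates in, whether the client showed an EV indicator) against a hypothetical bundled-root list and per-host issuer pins. All root names, hostnames and log lines are constructed sample data.

```python
"""Flag TLS sessions whose chain ends in a locally added root, contradicts
a per-host issuer pin, or shows EV under a root the vendor never shipped.
Roots, hosts and log lines are constructed sample data (hypothetical)."""
from dataclasses import dataclass, field

# Constructed: roots shipped in the OS/browser bundle (hypothetical names).
BUNDLED_ROOTS = {"Example Public Root CA", "Example Global Root G2"}
# Constructed: root each pinned hostname is expected to chain to.
PINNED_ROOTS = {
    "bank.example": {"Example Public Root CA"},
    "mail.example": {"Example Global Root G2"},
}

@dataclass
class Finding:
    host: str
    root: str
    reasons: list = field(default_factory=list)

def parse_line(line: str) -> dict:
    """Parse a constructed 'host=...|root=...|ev=0/1' record into a dict."""
    return dict(part.split("=", 1) for part in line.strip().split("|"))

def audit_session(host: str, root: str, ev: bool) -> list:
    """Return the reasons one observed handshake looks like interception."""
    reasons = []
    if root not in BUNDLED_ROOTS:
        # A proxy CA is only trusted after its root was pushed into the store.
        reasons.append("root not in bundled trust store")
    if host in PINNED_ROOTS and root not in PINNED_ROOTS[host]:
        reasons.append("root does not match pin for host")
    if ev and root not in BUNDLED_ROOTS:
        # EV treatment is granted only to roots enrolled by the vendor.
        reasons.append("EV asserted under non-bundled root")
    return reasons

def audit_log(text: str) -> list:
    """Audit every non-empty record; return only sessions with findings."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            rec = parse_line(line)
            reasons = audit_session(rec["host"], rec["root"], rec["ev"] == "1")
            if reasons:
                findings.append(Finding(rec["host"], rec["root"], reasons))
    return findings

SAMPLE_LOG = """host=bank.example|root=Example Public Root CA|ev=1
host=bank.example|root=Corp Inspection Root|ev=0
host=mail.example|root=Example Public Root CA|ev=0
host=news.example|root=Corp Inspection Root|ev=1
host=shop.example|root=Example Global Root G2|ev=0
"""
```

Run `audit_log(SAMPLE_LOG)` to see three flagged sessions: the bank and news sessions chaining to the hypothetical in-house inspection root, and the mail session whose root disagrees with its pin.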