<p dir="ltr">Sorta on this topic, Andrew Case's recent guide is excellent for browser config issues: <a href="https://gist.github.com/atcuno/3425484ac5cce5298932">https://gist.github.com/atcuno/3425484ac5cce5298932</a></p>
<div class="gmail_quote">On Jul 25, 2015 10:55 PM, "Brian Kroll" <<a href="mailto:brian@fiberoverethernet.com">brian@fiberoverethernet.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA512<br>
<br>
As we all know the Tor Browser has been hardened compared to plain<br>
vanilla Firefox. Hardening includes more stringent checks on SSL/TLS<br>
certificates, and the interaction with sites that use those<br>
certificates. The site has a shit certificate and a shit set-up on their<br>
web server, and the Tor Browser will have none of that!<br>
<br>
Makes me question how secure that site really is. Especially as a former<br>
user of it.<br>
<br>
//Brian<br>
<br>
eviljoel:<br>
> Hey Brian,<br>
><br>
> But why does the certificate come up fine in Firefox? (Certificate<br>
> Pinning?) Was the cert you looked at from Firefox or the Tor Browser?<br>
><br>
> Thanks,<br>
> eviljoel<br>
><br>
> On 07/21/2015 09:46 PM, Brian Kroll wrote:<br>
>> They totally botched the certificate set-up in IIS by not installing the<br>
>> certificate in IIs 6.0 correctly (there is a wizard to do it), and also<br>
>> they are using a wild-card cert with no authority chain. >_<<br>
>><br>
>> //Brian<br>
>><br>
>><br>
>> eviljoel:<br>
>>> Hey All,<br>
>><br>
>>> So I was looking into attending B-Sides Las Vegas which is at the<br>
>>> Tuscany hotel. I tried accessing the following URL over Tor to inquire<br>
>>> about room availability:<br>
>><br>
>>> <a href="https://www2.tuscanylasvegas.com/smsworld/wc.dll?smsWorld~Availbox~&wsi=port" rel="noreferrer" target="_blank">https://www2.tuscanylasvegas.com/smsworld/wc.dll?smsWorld~Availbox~&wsi=port</a><br>
>><br>
>>> I get a certificate error: sec_error_unknown_issuer<br>
>><br>
>>> I tried accessing the site using several different Tor circuits and got<br>
>>> the same thing.<br>
>><br>
>>> However, I tried the same URL outside of Tor and get a certificate<br>
>>> signed by GoDaddy.com. Is this a man-in-the-middle attack or is there<br>
>>> some legitimate reason for this?<br>
>><br>
>>> Thanks,<br>
>>> eviljoel<br>
>><br>
>><br>
>><br>
>>> _______________________________________________<br>
>>> cryptoparty-chi mailing list<br>
>>> <a href="mailto:cryptoparty-chi@groups.sshchicago.org">cryptoparty-chi@groups.sshchicago.org</a><br>
>>> <a href="http://groups.sshchicago.org/listinfo/cryptoparty-chi" rel="noreferrer" target="_blank">http://groups.sshchicago.org/listinfo/cryptoparty-chi</a><br>
>><br>
>> _______________________________________________<br>
>> cryptoparty-chi mailing list<br>
>> <a href="mailto:cryptoparty-chi@groups.sshchicago.org">cryptoparty-chi@groups.sshchicago.org</a><br>
>> <a href="http://groups.sshchicago.org/listinfo/cryptoparty-chi" rel="noreferrer" target="_blank">http://groups.sshchicago.org/listinfo/cryptoparty-chi</a><br>
>><br>
><br>
><br>
><br>
> _______________________________________________<br>
> cryptoparty-chi mailing list<br>
> <a href="mailto:cryptoparty-chi@groups.sshchicago.org">cryptoparty-chi@groups.sshchicago.org</a><br>
> <a href="http://groups.sshchicago.org/listinfo/cryptoparty-chi" rel="noreferrer" target="_blank">http://groups.sshchicago.org/listinfo/cryptoparty-chi</a><br>
><br>
-----BEGIN PGP SIGNATURE-----<br>
<br>
iQIcBAEBCgAGBQJVtFlmAAoJEFjBjkteF9VaNKYQANm8a9tKUk0dNBAEPm2TgykY<br>
/SWTjUANXviIl2QtI1J6VPH3nPx5er0mTJ53umPsPZ4OQdQ98SXswt4MfnrSgT8T<br>
3lJ9qoOKwRnYoFDGrD3FijLysOgBBANbcZ1xTkF4WgUWG/cuDB0qjpOVoF+CqzHH<br>
rPADL4yYGxC0OPYM6XfyC7/SfmNVJSeZlaT5ta5zN7uWMzHUuj6bOFatpBKGCiBd<br>
tY5gyfTLA3/u8Lcqv+U48QkxjDKQDCevDf0+MXPqyU04mzTAUMxgkuy3Ph/Ne8q7<br>
dPH1pyj/L6GS3DkcHRy8wncLYHzvJdTvgSM6DnChlCGNw066CPOdkqqzG6ROdQ4R<br>
WxpA28MUbdy2ML9Fs+62vmENWt/syTD96k8sb6HfXSvNF1liAkOLBoLhlgicRjGv<br>
3Sr3JzsvvQZ9dC3rzpGTWX3By5a9yUawXR+EomeJH2yqQttLVDqdc6Suonltctyy<br>
FOXpe/6gjrvTzaI/D/5w7SD9zos0qRyElU+YYxorgIrifirYHX6RJSN24/qz/od2<br>
2VPAJEWy/NnqSs7kjDKAH8ttSjHLGvMo8GtFwwtIYZ0jm/eXjn8CMcEEh4Q+ZoLz<br>
ZZoM89hiG0lLvGPC3g0RX4MXn+miwU1In2hNiZAo7rKp+Xn7gu/XZ20+IXBk3u7M<br>
PEbXvXrmJB9kkay4gfKR<br>
=GWLk<br>
-----END PGP SIGNATURE-----<br>
_______________________________________________<br>
cryptoparty-chi mailing list<br>
<a href="mailto:cryptoparty-chi@groups.sshchicago.org">cryptoparty-chi@groups.sshchicago.org</a><br>
<a href="http://groups.sshchicago.org/listinfo/cryptoparty-chi" rel="noreferrer" target="_blank">http://groups.sshchicago.org/listinfo/cryptoparty-chi</a><br>
</blockquote></div>