Message-ID: <200302182003.27259.ka@khidr.net>
From: ka at khidr.net (Ka)
Subject: anonymizer.com doesn't use ssl on target website

The member service of anonymizer.com may encrypt traffic between
the client browser and the anonymizer.com proxy using SSL, but whenever
you click on an SSL link (say <a href="https://target.com">)
anonymizer translates that into a non-SSL link to the same address
(say http://target.com).

This results in unencrypted, spoofable traffic between the anonymizer
proxy and the target website. As the contact with an SSL-encrypted
target website certainly contains sensitive information (why
should it be SSL-encrypted otherwise?), it's probably not a good
idea to use the member services of anonymizer.com IMO - at least
not on SSL target sites.

Vendor support was contacted, but first ignored the impact of that
programming error:

	"That's fine... our service keeps your connection secure."

and then did not answer the second email within five days.

That might be an indication that anonymizer.com is not very
security-oriented in other aspects also. (?)


Greetingz
Ka
- -- 
Want hear Ancient Music In The Pines?
Must find remote. Must change channel.
http://www.khidr.net/users/ka/pgpkey.asc
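As an added example (not part of the original post, and not anonymizer.com's code): a check for the downgrade described above, comparing a page's original links with the proxy-rewritten version and flagging any https link the proxy turned into http. The proxy URL format (PROXY_PREFIX) and the sample page are assumptions constructed for the demo.

```python
from html.parser import HTMLParser
from urllib.parse import quote, unquote, urlsplit

# Assumed proxy entry point; not anonymizer.com's real rewriting format.
PROXY_PREFIX = "https://proxy.example/fetch?url="


class HrefCollector(HTMLParser):
    """Collect <a href=...> values in document order."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]


def rewrite_lossy(href):
    """Mimics the reported defect: host and path kept, scheme replaced by http."""
    p = urlsplit(href)
    return PROXY_PREFIX + quote("http://" + p.netloc + p.path, safe="")


def rewrite_preserving(href):
    """Correct behaviour: the upstream URL, scheme included, is forwarded unchanged."""
    return PROXY_PREFIX + quote(href, safe="")


def upstream_url(proxied_href):
    """Recover the URL the proxy will actually fetch from a rewritten link."""
    return unquote(proxied_href[len(PROXY_PREFIX):])


def find_downgrades(original_html, proxied_html):
    """Return (original, upstream) pairs where an https link became http.
    Links are paired by document order, so both pages must list the same anchors."""
    orig, prox = HrefCollector(), HrefCollector()
    orig.feed(original_html)
    prox.feed(proxied_html)
    out = []
    for o, p in zip(orig.hrefs, prox.hrefs):
        if p.startswith(PROXY_PREFIX):
            u = upstream_url(p)
            if urlsplit(o).scheme == "https" and urlsplit(u).scheme == "http":
                out.append((o, u))
    return out


# Constructed sample page: one https link (sensitive) and one plain http link.
SAMPLE = '<a href="https://target.example/login">login</a> <a href="http://target.example/">home</a>'


def proxied_page(rewrite):
    """Apply a rewrite function to every href in SAMPLE (demo helper)."""
    c = HrefCollector()
    c.feed(SAMPLE)
    page = SAMPLE
    for h in c.hrefs:
        page = page.replace(f'href="{h}"', f'href="{rewrite(h)}"', 1)
    return page
```

Running find_downgrades(SAMPLE, proxied_page(rewrite_lossy)) reports the login link; with rewrite_preserving it reports nothing.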

