Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#18940 closed defect (invalid)

Danger: verifying digital certificate and fake response!

Reported by: safeless
Owned by:
Priority: Medium
Milestone:
Component: - Select a component
Version:
Severity: Normal
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

When I try to do an integrity check (verify the digital signatures of torbrowser-install-5.5.5.exe), explorer.exe connects to "93.184.220.29:80 tcp" (connections on port number 80 are not encrypted). I think explorer.exe tries to ask a trusted server about the file's digital certificate, but

Iran Cyber Army can generate a fake response for this! (Connections on port number 80 are not encrypted.)

It should be encrypted.

Change History (2)

comment:1 Changed 3 years ago by yawning

Resolution: invalid
Status: new → closed

> Iran Cyber Army can generate a fake response for this! (Connections on port number 80 are not encrypted.)

a) "All definitive response messages SHALL be digitally signed." (https://tools.ietf.org/html/rfc6960)
b) It's Microsoft's signature scheme, mechanism and implementation. Go complain to them.

comment:2 Changed 3 years ago by cypherpunks

Don't use Windows.
