Does anyone know if TunnelBroker.net recently changed its SSL cert? I'm seeing a different cert here, and before I update my scripts, I'd like to make sure no one is twiddling my bits.
Perhaps this sort of thing could be avoided by not using a self-signed cert? I know "real" certs aren't necessarily cheap, but StartSSL.com does have free SSL certs, and is recognized by many browsers.
Thanks!
You might be interested in the Perspectives project, which provides a way to verify the SSL certificate you are receiving has not been tampered with and matches the one received by other hosts ("notary servers") on the Internet: https://www.networknotary.org/
(http://img696.imageshack.us/img696/6784/tunnelbrokerperspective.png)
It shows the SSL certificate has recently changed but it should be fine since the change was recorded by the notary servers as well.
There's a Perspectives extension for Firefox and (an experimental one) for Chrome.
That's very interesting. I've seen other ideas for SSL web-of-trust that are more secure, but are also more labor-intensive. This seems to be a nice balance between an additional layer of security and too much work for all but the most dedicated users to manage. The only real concern I'd have is first-time access to a site with a self-signed cert.
In general, I find self-signed certs to get too much of a bad reputation. The real challenge isn't the self-signed cert, but the bootstrapping problem: how do I know on my first access if this cert is correct? This Perspectives tool can help, but it has its own bootstrapping problem. It also, I assume, has the same problem as other SSL trust tools, in that major sites with multiple certs on the many load-balanced servers can confuse it.
Tangent aside, I'd like very much to hear from one of the TunnelBroker admins that they did, in fact, recently change their cert.
TunnelBroker created their own self-signed certificate. They did it on April 22, 2011; which is the same day you first noticed the error:
(http://i52.tinypic.com/2mmfe4p.jpg)
Considering it's been broken for months, i assume there is no intention of fixing it.
You can add it to your certificate store; but i wouldn't do it until someone from HE can confirm the certificate's thumbprint:
(http://i56.tinypic.com/24xndr5.jpg)
9e b4 4f 27 6b ce 5e f6 5d 9d 38 cc a9 25 22 76 43 18 07 5c
For all i know there's a transparent proxy in between me an HE that is trying to steal my passwords.
We always use a self-signed, and yes that is ours from April 22nd, 2011