Tor: DigiNotar Debacle, and what you should do about it

Security researcher and Tor Project member Jake Appelbaum has been writing about the DigiNotar hack I blogged about yesterday. He's been on it for some time now, and has a couple of posts up on the Tor blog addressing how this affects the Tor anonymity/privacy proxy system. Here's a snip:

This incident doesn't affect the functionality of Tor clients or the Tor Network itself, since Tor doesn't use the flawed CA system. The Tor network uses a much simpler and flatter trust design that protects us from many of these CA issues. Further, Tor's distributed-trust design limits the damage from compromise of any given network component.

But the incident does affect users that are attempting to reach The Tor Project's infrastructure: with one of these bogus certificates, an attacker could convince your browser that you were talking to The Tor Project website, when really you were talking to the attacker.

We have taken direct action in an attempt to stop this kind of attack in the future with two major browser vendors and we hope to integrate a fix with all other willing browsers. Please contact us if you ship a browser and you'd like to help your users to be proactively secure when visiting our sites.

Read the whole thing: "The DigiNotar Debacle, and what you should do about it." And, "DigiNotar Damage Disclosure."