If I was staying in Dracula’s castle, and he offered free WiFi.
He might have a good computer geek to use the server to do --Exactly what?
I once had a pay for VPN, and the tech assured me that it was not possible for anyone to interrupt, or perform a “Man in the MIddle” attack.
On one forum a fellow said he was speaking with the guy who ran ISP Servers about the technique of saving IP Addresses, and putting that into the browser rather than using a name, and a DNS. ISP guy said. Whatever you enter for an IP address, I can program my servers to catch it, and send you where ever I choose. Implying of course, a site that looks exactly like the one I want to go to. Of course, you are going to say the Browser, or Tor Browser certificates would flag the webpage as bogus. Which a fellow here just pointed out when he said only depend on https sites, never http sites. Or was that an alternative attack?
IP addresses can change for legitimate reasons, and there are subnets. or is that the wrong term?
I have never really looked closely at the Certificate System. I had the impression if I took in one bad certificate, that it might be used to allow other bad certificates. In some cases, just one bad website.
I had thought one of the things Tor had started doing was to limit the First Hop onto Tor to a limited number of Nodes. Which Tor feels gives several advantages.
If one is concerned that one is being behind a government run Firewall, Obviously the government might not recognize that a particular person is using Tor, but not intervene as a Man in the MIddle, unless they could do some other trick. Tor 'Bridges’to allow people a first hop onto Tor, that hopefully the government would not know the user was getting onto Tor. Bridge being a unique IP which Draculas Firewall would not recognize.
I would guess that the one trick a government computer spy agency might try. Is to trick us into the version of Tor the agency has changed the Certificates on, then redirect us onto some look alike site they have created and run. Of course the government agency would have to intercept requests for updates to Browser and Tor, and provide their own versions.
I would think most of you have thought through all these things as well.
Back to Dracula’s Castle. If I was going to use a VPN, if I had already downloaded it, installed it, registered myself to it. That might be very difficult for the Igor, (borrowed from Frankenstein) to interrupt. Intercept, or play “Man in the MIddle” against one user.
When and where did one download Tor, and while I would verify it from the website. Well. Obviously that is not perfect. I am sure someone jumps in at this point and points out using PGP to verify my download. Good idea. PGP key verification can come from the PGP Key Servers. I recall reading someone has tricked some of those Key Servers once or twice. The one instance I believed was a fellow who was prominent in demonstrations in his country. Government agency realized he did not have a PGP Key, and created one for him. And directed others to send emails, if they had any, to a new email address, as the government had compromised the one some thought he had. Mostly he used on phone encryption (must be someone who used this site).
Anyone who sent email to his website, was advised to send an email to his site, with their own PGP key, and encourage others. If anything happened to his phone, he could still send messages.
Agency got a long list of demonstrators to round up in the middle of the night.
That is not really an encryption hack though. It is an example of the most likely way we could get hacked. Not through the well thought out protections provided by Tor, but something else we might allow. Like Java Script issues.
And if you are staying in Draculas Castle. In the middle of the night, no one will hear you scream. Or intervene.