RightToPrivacy / snowflake-tor-service

Automated 🧅 Tor ❄️ Snowflake Proxy (any Linux device). Run install.sh and you have a new Snowflake ProxyService (every boot)
GNU General Public License v2.0

Attacks on I2P / Tor / Sybil & Networks defense #3

Closed keybreak closed 2 months ago

keybreak commented 5 months ago

Sorry for writing it here off-topic, but I don't have any other means to contact, so...

I've watched your great video, it's well made for those who are afraid of onion networks and all that FUD around normies. https://youtu.be/nUh8GsWCfLQ

However, I have one thing to add and possibly research on. I was very iffy on the statement "doesn't matter as long as you use https"; it's not really the case. Many authoritarian countries already do that on state level, as well as some companies, unless you go out of your way managing root CA on your system... Correct me if I'm wrong, but that can be used to deanonymize Tor / i2p, unless you only visit hidden services and never go to clearnet.

P.S. Oh, and also to avoid many more real world attacks on Tor Browser and make deanonymization much harder, it's a great idea to recommend using Tor only inside Whonix - that's significant hardening :wink:

RightToPrivacy commented 2 months ago

You are absolutely right and I have covered that in videos / blog posts like the one on very suspicious links between cert authorities: https://youtu.be/TcYQCzhdEuc

And in other posts.

My point for anyone reading this (as I can tell you already well understand) in that video was more so to "debunk" the common misconception that there is no encryption available at all between exit node and destination.

I didn't want to completely confuse users in that video on the nuances of having potential malicious certs (potentially for any browser, on any OS). My concern was confusing users further in that particular video.

My motivation was helping others understand that your encryption in Tor Browser https is equal to the https of your normal Firefox browser (outside exit mitm attempt).

I find so many users choose VPN "for security and privacy", specifically for holding the impression that tor browser always means the exit node can always read the traffic in cleartext without any effort (which would only be the case in concert with malicious cert, whether forwarded, or in partnership w/).

I feel these kinds of rumors (true without https) scare users away from even trying Tor - and so that was part of my bringing up the https encrypting between dest/browser.

A goal is to try not to confuse new users, but always make sure to cover missed topics not mentioned on video (like malicious certs), in follow ups, for anyone following.

Thanks for reaching out! :)

In response to your comment, I created a pinned comment on my malicious cert video on that video to help ppl see that side of things.

righttoprivacy[at]i2pmail.org / righttoprivacy[at]tutanota.com

RightToPrivacy commented 2 months ago

I'll go ahead and close this - thanks for reaching out and feel free to email if wanting to get in touch

righttoprivacy[at]i2pmail.org / righttoprivacy[at]tutanota.com

keybreak commented 2 months ago

> I didn't want to completely confuse users in that video on the nuances of having potential malicious certs (potentially for any browser, on any OS). My concern was confusing users further in that particular video.

Oh I see, well that makes sense! I guess if you'd just push people right at the bottom of the rabbit hole from the start - most of them will just get mad and stop caring! :rofl:

> I find so many users choose VPN "for security and privacy", specifically for holding the impression that tor browser always means the exit node can always read the traffic in cleartext without any effort (which would only be the case in concert with malicious cert, whether forwarded, or in partnership w/).

You did a great job, Tor / lokinet / i2p are lightyears better in any regard than any VPN could ever be.

Keep up the good work! :+1: