
Re: [tor-bugs] #13410 [Tor Browser]: Disable self-signed certificate warnings when visiting .onion sites



#13410: Disable self-signed certificate warnings when visiting .onion sites
-----------------------------+----------------------
     Reporter:  tom          |      Owner:  tbb-team
         Type:  defect       |     Status:  new
     Priority:  normal       |  Milestone:
    Component:  Tor Browser  |    Version:
   Resolution:               |   Keywords:
Actual Points:               |  Parent ID:
       Points:               |
-----------------------------+----------------------

Comment (by yawning):

 > CAs do not (yet?) issue certificates for .onion domains, so there are no
 valid certificates.

 They do now.  As much as I have deep-seated hatred for the CA mafia,
 closely matched by my burning hatred for spacebook and bitcoin (which IIRC
 are the 2 places that do have CA certs for .onions currently), something
 like this seems dangerous because without careful design it would allow me
 to throw an obnoxious amount of CUDA at getting "facebookcorewwii.onion",
 creating a self-signed cert, and mounting a phishing attack on user
 credentials.

 (Yes, I am aware that I shouldn't click on the bad, and if I pay the CA
 people enough I can probably get a CA cert for my site of evil anyway, but
 implementing this lowers the bar for entry considerably).

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13410#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online