[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-bugs] #13410 [Tor Browser]: Disable self-signed certificate warnings when visiting .onion sites

Subject: [tor-bugs] #13410 [Tor Browser]: Disable self-signed certificate warnings when visiting .onion sites
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Tue, 14 Oct 2014 18:40:20 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 14 Oct 2014 14:40:34 -0400
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#13410: Disable self-signed certificate warnings when visiting .onion sites
-------------------------+--------------------------
 Reporter:  tom          |          Owner:  tbb-team
     Type:  defect       |         Status:  new
 Priority:  normal       |      Milestone:
Component:  Tor Browser  |        Version:
 Keywords:               |  Actual Points:
Parent ID:               |         Points:
-------------------------+--------------------------
 I suspect it's fairly common (or at least, we hope it's common) for users
 to type https:// instead of http://.

 If an onion site doesn't support HTTPS, the user gets an error page
 because it can't connect. If it does, the user gets an invalid certificate
 or mismatched certificate warning.  CAs do not (yet?) issue certificates
 for .onion domains, so there are no valid certificates.

 But the security of the .onion URL ensures we're talking to the valid so,
 so ignoring SSL mis-configurations _should_ be safe, as we already have
 authenticity, integrity, and confidentiality.  Right?  Or am I missing
 something?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13410>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Prev by Author: Re: [tor-bugs] #1776 [Tor]: Allow regular relays (if they have a dirport open) to be used as bridges
Next by Author: Re: [tor-bugs] #1776 [Tor]: Allow regular relays (if they have a dirport open) to be used as bridges
Previous by thread: Re: [tor-bugs] #1776 [Tor]: Allow regular relays (if they have a dirport open) to be used as bridges
Next by thread: Re: [tor-bugs] #12671 [meek]: Does meek's network-facing browser run javascript?
Index(es):
- Author
- Thread