[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #24192 [Applications/Tor Browser]: When I visit a V3 onion that supplies a invalid certificate, torbrowser will lookup the onion when the get certifice button is clicked
#24192: When I visit a V3 onion that supplies a invalid certificate, torbrowser
will lookup the onion when the get certifice button is clicked
--------------------------------------+--------------------------
Reporter: Dbryrtfbcbhgf | Owner: tbb-team
Type: defect | Status: new
Priority: High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Major | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+--------------------------
Comment (by asn):
Replying to [comment:2 cypherpunks]:
> You guys need to add an exception to all FQDN which ends with ".onion".
>
> \.onion$
>
> That's because if you code "V2 and V3 only .onion", you might need to
update the code again when Tor-V4, TorDNS starts in the future.
But that means that onions won't be able to revoke SSL certs anymore.
Since we consider SSL certs something that onions might need (and in the
case of your onion, it's even trying to use it), we should probably also
support its various functionalities, including revocation?
Alternatively, we could add a scary message saying that the onion will get
leaked, but I doubt most users understand the trade offs here...
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24192#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs