Re: [tor-bugs] #13410 [Applications/Tor Browser]: Disable self-signed certificate warnings when visiting .onion sites
#13410: Disable self-signed certificate warnings when visiting .onion sites
--------------------------------------+--------------------------
Reporter: tom | Owner: tbb-team
Type: defect | Status: reopened
Priority: Very High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: ux-team | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+--------------------------
Comment (by pastly):

If people want certificates for their onion services, they should go
through the process of getting a valid one. Hopefully someday there will
be an easy way to do so like Let's Encrypt. Until then, by removing the
warning we're appeasing the users in this ticket but potentially hurting
many more.

Assumption: effectively no one checks the certificates they are served,
even if they are self-signed.

Scenario 1: the connection is MiTM'ed somehow (there's a bad guy between
the user and his Tor process or there's a bad guy between the web server
and the webmaster's Tor process). The bad guy can replace the cert without
detection because either (1) the onion service was using a self-signed
cert and no one checks that they continue to get the **same** self-signed
cert, or (2) because the browser has disabled cert errors. **BAD**.

Scenario 2: the onion service has a valid cert, but the connection is
MiTM'ed somehow. Again, the bad guy can replace the cert without
detection. **BAD**. With current behavior, there's at least a chance that
the user will realize something is wrong and do something about it.

Replying to [comment:1 vynX]
> Don't let legacy crap impede us from fully enjoying end-to-end TLS
> (which is relevant when your Tor router isn't the same machine as your Tor
> browser).

No, let's keep the legacy ~~crap~~ security assumptions so that users know
their transport layer has been confirmed secure by a chain of trust. Tor
secures between Tor processes. TLS secures between browser and web server.
Let's not lie to users about the latter.

Yes: boooooo CAs suck. Down with the system. Etc. Etc. But this is silly.
What is more intelligent is encouraging users and onion service operators
to run Tor as close as possible to the end software (AKA "just use Tor
Browser" to users and "run Tor on the same machine as the webserver in
most cases, or on a very secure access-controlled network if you're a big
corporate machine" to onion service operators).

Replying to [ticket:13410 tom]
> I suspect it's fairly common (or at least, we hope it's common) for
> users to type https:// instead of http://.

I suspect users don't type either one.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13410#comment:20>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
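
Scenario 1 in the comment above turns on nobody checking that they keep getting the same self-signed cert. What such a continuity check involves is sketched below as an added example; it is not part of the comment, the ticket, or Tor Browser. The `PinStore` class, the file name, the host name and the certificate bytes are all hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


class PinStore:
    """Hypothetical trust-on-first-use store: one SHA-256 pin per host."""

    def __init__(self, path):
        self.path = Path(path)
        self.pins = json.loads(self.path.read_text()) if self.path.exists() else {}

    def check(self, host, der_cert):
        # der_cert: DER bytes of the served certificate, e.g. as returned by
        # ssl.SSLSocket.getpeercert(binary_form=True).
        host = host.lower().rstrip(".")
        seen = hashlib.sha256(der_cert).hexdigest()
        pinned = self.pins.get(host)
        if pinned is None:
            # First contact: there is nothing to compare against, so whatever
            # cert is served now gets pinned. Continuity checking cannot tell
            # whether this first cert was already a replaced one.
            self.pins[host] = seen
            self.path.write_text(json.dumps(self.pins, indent=2))
            return "first-use"
        if hmac.compare_digest(pinned, seen):
            return "match"
        # The pin is deliberately not overwritten: a changed cert is either a
        # legitimate rotation or the replacement from Scenario 1, and the
        # store alone cannot tell which.
        return "changed"


def demo():
    # Constructed stand-ins for two DER certificates and a constructed host.
    cert_a, cert_b = b"constructed-cert-A", b"constructed-cert-B"
    host = "constructedexample.onion"
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "pins.json"
        store = PinStore(path)
        results = [store.check(host, cert_a),
                   store.check(host, cert_a),
                   store.check(host, cert_b)]
        # A fresh store reading the same file still holds the original pin.
        results.append(PinStore(path).check(host.upper(), cert_a))
        return results


if __name__ == "__main__":
    print(demo())
```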