[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-dev] Names for your Onions: Onion addresses in SSL certificates

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: [tor-dev] Names for your Onions: Onion addresses in SSL certificates
From: heddha <heddha@unicorn.university>
Date: Wed, 6 Dec 2017 13:21:05 +0100
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 06 Dec 2017 07:22:09 -0500
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0

Dear list,

I wrote an addon as a PoC for idea 3 of the blogpost in [0]. The idea
was to extend the Tor Browser by a means of reading out the C/O/S/L
fields of the SSL certificate, and, if a website contains an onion
address in one of those fields, to automatically redirect users to it.

As the web-extensions API doesn't contain a means of reading out
certificate information [1], I implemented it as an add-on. You can find
it here: [2]. 

As stated in the blog post, all fields mentioned above could
theoretically be filled with an onion address. Unfortunately, I found a
large drawback:  A certificate from Letsencrypt doesn't contain the
C/S/O/L fields, as Letsencrypt performs a validation of required fields
only, and the subject field isn't required. All unvalidated fields are
by default not included in the certificate [3]. It is therefore not
possible to include an onion address in the proposed fields using
Letsencrypt; these are only filled when extended validation is performed
(during which the correctness of the entries seems to be validated as
well). Non-organisational suppliers of websites will therefore not be
able to include their onion addresses in their normal certificate, which
will most likely limit the amount of certificates containing onion
addresses to a few larger organisations (if any). 

To make this idea actually usable for a large amount of people, one
would have or to use another field, the content of which is neither
checked nor deleted from a certificate, or introduce a new field =)

Kind regards,

heddha


[0]: https://blog.torproject.org/cooking-onions-names-your-onions

[1]: https://bugzilla.mozilla.org/show_bug.cgi?id=1322748

[2]: https://github.com/heddha/sslOnions

[3]:
https://community.letsencrypt.org/t/maintain-subject-records-country-etc-in-certificate-from-csr/31185


_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Prev by Author: [tor-dev] #tor-dev exitmap
Next by Author: Re: [tor-dev] New Fallback Directory File Format
Previous by thread: Re: [tor-dev] Rebooting work on proposal #247 (guard discovery)
Next by thread: Re: [tor-dev] Student project to work on IPv6 support (was: [tor-relays] About relay size)
Index(es):
- Author
- Thread