carlo von lynX: > On Fri, Dec 13, 2019 at 11:29:34AM +0000, Alec Muffett wrote: >> tldr: new TLS certificate is stuck in the pipeline for a few days, because >> onion certificates are special and weird: > > Onion certificates are an oxymoron. The onion address > is self-validating. It is a bug that web browsers apply > the logic of X.509 to Tor addresses - they shouldn't > check certificates at all, or at best pin down the > public key contained in the certificate. This is not necessarily the case. There exist threat models (e.g. Whonix-style situations) where the Tor daemon and the application are in separate trust domains, and in those threat models, there is an advantage to using TLS combined with onion (compared to only onion), because TLS is terminated in the application rather than the Tor daemon. Cheers, -- -Jeremy Rand Lead Application Engineer at Namecoin Mobile email: jeremyrandmobile@xxxxxxxxxx Mobile OpenPGP: 2158 0643 C13B B40F B0FD 5854 B007 A32D AB44 3D9C Send non-security-critical things to my Mobile with OpenPGP. Please don't send me unencrypted messages. My business email jeremy@xxxxxxxxxxx is having technical issues at the moment.
Attachment:
signature.asc
Description: OpenPGP digital signature
-- tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk