[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] facebookcorewwwi on brief hiatus



carlo von lynX:
> On Fri, Dec 13, 2019 at 11:29:34AM +0000, Alec Muffett wrote:
>> tldr: new TLS certificate is stuck in the pipeline for a few days, because
>> onion certificates are special and weird:
> 
> Onion certificates are an oxymoron. The onion address
> is self-validating. It is a bug that web browsers apply
> the logic of X.509 to Tor addresses - they shouldn't
> check certificates at all, or at best pin down the
> public key contained in the certificate.

This is not necessarily the case.  There exist threat models (e.g.
Whonix-style situations) where the Tor daemon and the application are in
separate trust domains, and in those threat models, there is an
advantage to using TLS combined with onion (compared to only onion),
because TLS is terminated in the application rather than the Tor daemon.

Cheers,
-- 
-Jeremy Rand
Lead Application Engineer at Namecoin
Mobile email: jeremyrandmobile@xxxxxxxxxx
Mobile OpenPGP: 2158 0643 C13B B40F B0FD 5854 B007 A32D AB44 3D9C
Send non-security-critical things to my Mobile with OpenPGP.
Please don't send me unencrypted messages.
My business email jeremy@xxxxxxxxxxx is having technical issues at the
moment.

Attachment: signature.asc
Description: OpenPGP digital signature

-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk