Re: [tor-bugs] #13410 [Tor Browser]: Disable self-signed certificate warnings when visiting .onion sites
#13410: Disable self-signed certificate warnings when visiting .onion sites
-----------------------------+----------------------
Reporter: tom | Owner: tbb-team
Type: defect | Status: new
Priority: normal | Milestone:
Component: Tor Browser | Version:
Resolution: | Keywords:
Actual Points: | Parent ID:
Points: |
-----------------------------+----------------------
Comment (by yawning):
> CAs do not (yet?) issue certificates for .onion domains, so there are no
> valid certificates.
They do now. As much as I have deep-seated hatred for the CA mafia,
closely matched by my burning hatred for spacebook and bitcoin (which IIRC
are the 2 places that do have CA certs for .onions currently), something
like this seems dangerous because without careful design it would allow me
to throw an obnoxious amount of CUDA at getting "facebookcorewwii.onion",
creating a self-signed cert, and mounting a phishing attack on user
credentials.
(Yes, I am aware that I shouldn't click on the bad, and if I pay the CA
people enough I can probably get a CA cert for my site of evil anyway, but
implementing this lowers the bar for entry considerably).
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13410#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs