[tbb-bugs] #24192 [Applications/Tor Browser]: When I visit a V3 onion that supplies a invalid certificate, torbrowser will lookup the onion when the get certifice button is clicked
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Nov 14 11:54:09 UTC 2017
#24192: When I visit a V3 onion that supplies a invalid certificate, torbrowser
will lookup the onion when the get certifice button is clicked
--------------------------------------+--------------------------
Reporter: Dbryrtfbcbhgf | Owner: tbb-team
Type: defect | Status: new
Priority: High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Major | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+--------------------------
Comment (by asn):
Replying to [comment:2 cypherpunks]:
> You guys need to add an exception to all FQDN which ends with ".onion".
>
> \.onion$
>
> That's because if you code "V2 and V3 only .onion", you might need to
update the code again when Tor-V4, TorDNS starts in the future.
But that means that onions won't be able to revoke SSL certs anymore.
Since we consider SSL certs something that onions might need (and in the
case of your onion, it's even trying to use it), we should probably also
support its various functionalities, including revocation?
Alternatively, we could add a scary message saying that the onion will get
leaked, but I doubt most users understand the trade offs here...
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24192#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list