[tor-bugs] #13410 [Tor Browser]: Disable self-signed certificate warnings when visiting .onion sites
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon May 18 12:00:31 UTC 2015
#13410: Disable self-signed certificate warnings when visiting .onion sites
-----------------------------+----------------------
Reporter: tom | Owner: tbb-team
Type: defect | Status: new
Priority: normal | Milestone:
Component: Tor Browser | Version:
Resolution: | Keywords:
Actual Points: | Parent ID:
Points: |
-----------------------------+----------------------
Comment (by yawning):
> CAs do not (yet?) issue certificates for .onion domains, so there are no
> valid certificates.
They do now. As much as I have deep-seated hatred for the CA mafia,
closely matched by my burning hatred for spacebook and bitcoin (which IIRC
are the 2 places that do have CA certs for .onions currently), something
like this seems dangerous because without careful design it would allow me
to throw an obnoxious amount of CUDA at getting "facebookcorewwii.onion",
creating a self-signed cert, and mounting a phishing attack on user
credentials.
(Yes, I am aware that I shouldn't click on the bad, and if I pay the CA
people enough I can probably get a CA cert for my site of evil anyway, but
implementing this lowers the bar for entry considerably).
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13410#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online