[tor-bugs] #33568 [Applications/Tor Browser]: Namecoin for TLS certificate validation
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Mar 9 08:22:05 UTC 2020
#33568: Namecoin for TLS certificate validation
-------------------------+------------------------------------------
Reporter: JeremyRand | Owner: tbb-team
Type: enhancement | Status: new
Priority: Medium | Component: Applications/Tor Browser
Version: | Severity: Normal
Keywords: namecoin | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------+------------------------------------------
Namecoin can provide DANE-style functionality for TLS certificate
validation. This would enable validating trust of TLS certificates for
onion services that have a Namecoin domain (relevant for Whonix-style
trust models) without relying on public CAs, and would also make it
harder for MITM attacks against exit traffic to be performed (if Namecoin
support for exit traffic were added to Tor Browser).

Firefox does not natively support DANE, but we (the Namecoin devs) have
identified a way to get DANE-like functionality in Firefox with no code
patches to Firefox (we're using the PKCS11 "FindObjects" API to achieve
this). Some small code patches to Firefox would make the code cleaner,
but this wouldn't be required.

I assume this is a lower priority than the existing Namecoin support for
onion services that's currently in Tor Browser Nightly, but Matt asked me
to file a ticket for it anyway since it came up in one of the Tor Browser
IRC meetings.

(As a side note, Namecoin's approach for getting DANE-like functionality
in Firefox would probably be equally workable for the .onion TLD, so this
might also allow things like putting a TLSA record in an onion service
descriptor, without relying on Namecoin itself at all.)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33568>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
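The TLSA check that DANE-style validation comes down to, as an added example that is not part of the ticket and is not Namecoin's or Tor Browser's code: it matches a certificate against TLSA record data (usage, selector, matching type, association data, per RFC 6698). It handles only usage 3 (DANE-EE) and fails closed on anything else; the PKCS#11 integration the ticket mentions is not shown, and all names and the sample certificate-shaped DER are constructed for illustration.

```python
import hashlib
import hmac

MATCHING = {0: bytes, 1: lambda b: hashlib.sha256(b).digest(),  # TLSA matching types
            2: lambda b: hashlib.sha512(b).digest()}

def der_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, start = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, start = int.from_bytes(buf[start:start + n], "big"), start + n
    if start + length > len(buf):
        raise ValueError("truncated DER")
    return tag, start, start + length

def extract_spki(cert):
    """Return the DER bytes of SubjectPublicKeyInfo in an X.509 certificate."""
    _, pos, _ = der_tlv(cert, 0)            # Certificate
    _, pos, _ = der_tlv(cert, pos)          # tbsCertificate
    tag, _, after = der_tlv(cert, pos)
    if tag == 0xA0:                         # optional [0] version
        pos = after
    for _ in range(5):                      # serial, sigAlg, issuer, validity, subject
        _, _, pos = der_tlv(cert, pos)
    _, _, end = der_tlv(cert, pos)
    return cert[pos:end]

def tlsa_matches(rdata, cert):
    """True only if a usage-3 (DANE-EE) TLSA record matches cert; fails closed."""
    if len(rdata) < 4 or rdata[0] != 3 or rdata[1] > 1 or rdata[2] not in MATCHING:
        return False
    try:
        subject = extract_spki(cert) if rdata[1] == 1 else cert  # selector 1 = SPKI
    except (ValueError, IndexError):
        return False
    return hmac.compare_digest(MATCHING[rdata[2]](subject), rdata[3:])

def der(tag, body):
    """Encode one DER element (only used to build the constructed sample)."""
    n, size = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

# Constructed sample: certificate-shaped DER with an Ed25519 SPKI, not a signed cert.
SPKI = der(0x30, der(0x30, bytes.fromhex("06032b6570")) + der(0x03, b"\x00" + bytes(range(32))))
TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"") * 4 + SPKI)
CERT = der(0x30, TBS + der(0x30, b"") + der(0x03, b"\x00"))
RDATA = bytes([3, 1, 1]) + hashlib.sha256(SPKI).digest()   # a "3 1 1" TLSA record
```

Selector 1 pins the public key rather than the whole certificate, so a "3 1 1" record keeps matching when the certificate is reissued with the same key.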