[tor-dev] Of CA-signed certs and .onion URIs

grarpamp grarpamp at gmail.com
Mon Nov 17 22:48:26 UTC 2014


On Fri, Nov 14, 2014 at 12:08 PM, Tom Ritter <tom at ritter.vg> wrote:
> a) Eliminate self-signed certificate errors when browsing https:// on
> an onion site

No, please don't. Browsers throw cert errors for good reasons.
If you don't want to deal with it, just click accept or otherwise
pin them out in your trust store. Blind acceptance of certs just
because the TLD says .onion is just as dumb as trusting .com.
And if Joe and Jane's cluster of services wishes to publish a CA or
any other form of trustweb you're going to break that too. Don't do that.
If you don't think trust has similar uses in anon networks as
on clearnet, or will never appear there, you need to open your eyes.

