[tor-dev] Names for your Onions: Onion addresses in SSL certificates

heddha heddha at unicorn.university
Wed Dec 6 12:21:05 UTC 2017


Dear list,

I wrote an addon as a PoC for idea 3 of the blogpost in [0]. The idea
was to extend the Tor Browser by a means of reading out the C/O/S/L
fields of the SSL certificate, and, if a website contains an onion
address in one of those fields, to automatically redirect users to it.

As the web-extensions API doesn't contain a means of reading out
certificate information [1], I implemented it as an add-on. You can find
it here: [2]. 

As stated in the blog post, all fields mentioned above could
theoretically be filled with an onion address. Unfortunately, I found a
large drawback:  A certificate from Letsencrypt doesn't contain the
C/S/O/L fields, as Letsencrypt performs a validation of required fields
only, and the subject field isn't required. All unvalidated fields are
by default not included in the certificate [3]. It is therefore not
possible to include an onion address in the proposed fields using
Letsencrypt; these are only filled when extended validation is performed
(during which the correctness of the entries seems to be validated as
well). Non-organisational suppliers of websites will therefore not be
able to include their onion addresses in their normal certificate, which
will most likely limit the number of certificates containing onion
addresses to a few larger organisations (if any). 

To make this idea actually usable for a large number of people, one
would have either to use another field, the content of which is neither
checked nor deleted from a certificate, or to introduce a new field =)

Kind regards,

heddha


[0]: https://blog.torproject.org/cooking-onions-names-your-onions

[1]: https://bugzilla.mozilla.org/show_bug.cgi?id=1322748

[2]: https://github.com/heddha/sslOnions

[3]: https://community.letsencrypt.org/t/maintain-subject-records-country-etc-in-certificate-from-csr/31185
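The check the add-on performs, as an added example that is not the sslOnions code and not part of the post: it scans the C/S/O/L subject fields of an already-validated server certificate for an onion address, verifies the v3 address checksum (Tor's rend-spec-v3 encoding, using only the standard library), and only then offers a redirect target. It is written against the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns rather than a browser add-on API; `constructed_peercert`, the key bytes, and the hostnames are constructed sample data. With `onion=None` the sample mimics the Let's Encrypt case from the post, where the subject carries only the CN, so no redirect is found.

```python
"""Added example (not the sslOnions add-on's code): find an onion address in a
server certificate's C/S/O/L subject fields and decide whether to redirect.
Operates on the dict that ssl.SSLSocket.getpeercert() returns."""
import base64
import hashlib
import re
from typing import Optional

# Subject attributes the post proposes for carrying an onion address
# (names as getpeercert() reports them).
CANDIDATE_FIELDS = ("countryName", "stateOrProvinceName",
                    "organizationName", "localityName")

ONION_V3_RE = re.compile(r"^[a-z2-7]{56}\.onion$")
ONION_V2_RE = re.compile(r"^[a-z2-7]{16}\.onion$")


def onion_v3_from_pubkey(pubkey: bytes) -> str:
    """Encode a 32-byte ed25519 public key as a v3 onion address:
    base32(pubkey || checksum[:2] || version 0x03) + '.onion'."""
    assert len(pubkey) == 32
    version = b"\x03"
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return base64.b32encode(pubkey + checksum + version).decode().lower() + ".onion"


def is_valid_onion(addr: str) -> bool:
    """True for a syntactically valid v2 address, or a v3 address whose
    embedded checksum and version byte are correct."""
    if ONION_V2_RE.match(addr):
        return True
    if not ONION_V3_RE.match(addr):
        return False
    raw = base64.b32decode(addr[:56].upper())  # 56 base32 chars -> 35 bytes
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != b"\x03":
        return False
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return checksum == expected


def subject_to_dict(peercert: dict) -> dict:
    """Flatten getpeercert()['subject'] (a tuple of RDNs) into {attribute: value}."""
    out = {}
    for rdn in peercert.get("subject", ()):
        for name, value in rdn:
            out.setdefault(name, value)
    return out


def find_onion_address(peercert: dict) -> Optional[str]:
    """Return the first well-formed onion address in a candidate field, else None."""
    subject = subject_to_dict(peercert)
    for field in CANDIDATE_FIELDS:
        value = subject.get(field, "").strip().lower()
        if value and is_valid_onion(value):
            return value
    return None


def redirect_target(peercert: dict, chain_validated: bool) -> Optional[str]:
    """Only offer a redirect when the TLS chain already validated: the onion
    address is trusted exactly as far as the CA vouched for the subject."""
    if not chain_validated:
        return None
    addr = find_onion_address(peercert)
    return f"https://{addr}/" if addr else None


def constructed_peercert(onion: Optional[str]) -> dict:
    """Constructed sample in getpeercert() shape (hypothetical hostnames).
    onion=None mimics a Let's Encrypt DV certificate: subject is CN only."""
    subject = []
    if onion is not None:
        subject.append((("organizationName", onion),))
    subject.append((("commonName", "www.example.org"),))
    return {"subject": tuple(subject),
            "subjectAltName": (("DNS", "www.example.org"),)}


if __name__ == "__main__":
    addr = onion_v3_from_pubkey(bytes(range(32)))  # constructed key material
    print(redirect_target(constructed_peercert(addr), chain_validated=True))
    print(redirect_target(constructed_peercert(None), chain_validated=True))
```

Running it prints a redirect URL for the constructed certificate that carries an address in O, and `None` for the CN-only certificate. In a real client the dict would come from a socket wrapped by an `ssl.SSLContext` with `check_hostname` and certificate verification left on, which is what `chain_validated=True` stands for here.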
