Dear list,
I wrote an add-on as a PoC for idea 3 of the blog post in [0]. The idea was to extend the Tor Browser with a means of reading out the C/O/S/L fields of the SSL certificate and, if a website contains an onion address in one of those fields, to automatically redirect users to it.
As the web-extensions API doesn't contain a means of reading out certificate information [1], I implemented it as an add-on. You can find it here: [2].
As stated in the blog post, all fields mentioned above could theoretically be filled with an onion address. Unfortunately, I found a large drawback: a certificate from Let's Encrypt doesn't contain the C/O/S/L fields, as Let's Encrypt performs a validation of required fields only, and the subject fields aren't required. All unvalidated fields are by default not included in the certificate [3]. It is therefore not possible to include an onion address in the proposed fields using Let's Encrypt; these are only filled when extended validation is performed (during which the correctness of the entries seems to be validated as well). Non-organisational suppliers of websites will therefore not be able to include their onion addresses in their normal certificate, which will most likely limit the number of certificates containing onion addresses to a few larger organisations (if any).
To make this idea actually usable for a large number of people, one would either have to use another field, the content of which is neither checked nor deleted from a certificate, or introduce a new field =)
Kind regards,
heddha
[0]: https://blog.torproject.org/cooking-onions-names-your-onions
[1]: https://bugzilla.mozilla.org/show_bug.cgi?id=1322748
[2]: https://github.com/heddha/sslOnions
[3]: https://community.letsencrypt.org/t/maintain-subject-records-country-etc-in-...
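The following is an added example of the field scan and redirect logic the message describes; it is not code from heddha's sslOnions add-on or from the Tor Project. It assumes the add-on has already obtained the certificate subject as an RFC 2253-style string (e.g. "CN=www.example.org,O=Example Org,L=Berlin,ST=Berlin,C=DE"), which is the form Firefox exposes for a certificate's subject name; the field names CHECKED_FIELDS, the helper names and the sample subjects are all constructed for this example. It also shows the Let's Encrypt case from the message: a subject that carries only a CN yields no redirect.

```javascript
// Added example: scan a certificate subject's C/O/ST/L fields for an onion
// address and build the redirect URL. Not part of the sslOnions add-on.

// The DN attribute types that correspond to the "C/O/S/L" fields in the
// message. "S" (state) is spelled "ST" in subject strings; both are checked.
const CHECKED_FIELDS = ["C", "O", "ST", "S", "L"];

// v2 onion addresses are 16 base32 characters, v3 addresses are 56.
// The leading group rejects longer base32 runs that merely end in ".onion".
const ONION_RE = /(?:^|[^a-z2-7])([a-z2-7]{16}|[a-z2-7]{56})\.onion(?![a-z0-9-])/i;

// Parse "CN=a,O=b\, Inc.,C=US" into { CN: ["a"], O: ["b, Inc."], C: ["US"] }.
// Assumption: comma-separated RDNs with backslash-escaped commas, no quoting.
function parseSubject(subject) {
  const fields = Object.create(null);
  for (const rdn of subject.split(/(?<!\\),/)) {
    const eq = rdn.indexOf("=");
    if (eq < 0) continue;
    const key = rdn.slice(0, eq).trim().toUpperCase();
    const value = rdn.slice(eq + 1).trim().replace(/\\,/g, ",");
    (fields[key] || (fields[key] = [])).push(value);
  }
  return fields;
}

// Return the first onion address found in a checked field, or null.
// A Let's Encrypt subject ("CN=example.org") has none of these fields.
function findOnionAddress(subject) {
  const fields = parseSubject(subject);
  for (const key of CHECKED_FIELDS) {
    for (const value of fields[key] || []) {
      const m = ONION_RE.exec(value);
      if (m) return m[1].toLowerCase() + ".onion";
    }
  }
  return null;
}

// Build the redirect target: same scheme, path and query, onion host.
// Only an HTTPS origin is trusted, since the hint comes from its certificate.
function onionRedirectUrl(originalUrl, subject) {
  const onion = findOnionAddress(subject);
  if (!onion) return null;
  const u = new URL(originalUrl);
  if (u.protocol !== "https:") return null;
  u.hostname = onion;
  return u.toString();
}

if (typeof require !== "undefined" && require.main === module) {
  // Constructed sample subjects, not real certificates.
  const withOnion = "CN=www.example.org,O=Example Org,L=abcdefghijklmnop.onion,ST=Berlin,C=DE";
  const letsEncrypt = "CN=www.example.org";
  console.log(onionRedirectUrl("https://www.example.org/path?q=1", withOnion));
  console.log(onionRedirectUrl("https://www.example.org/", letsEncrypt));
}

module.exports = { parseSubject, findOnionAddress, onionRedirectUrl };
```

The regex deliberately requires exactly 16 or 56 base32 characters so that an arbitrary string ending in ".onion" in a free-text field does not trigger a redirect; whether the onion service is reachable over the same scheme and port as the clearnet site is left to the add-on's own policy.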