[tbb-bugs] #13410 [Tor Browser]: Disable self-signed certificate warnings when visiting .onion sites
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Oct 14 18:40:20 UTC 2014
#13410: Disable self-signed certificate warnings when visiting .onion sites
-------------------------+--------------------------
Reporter: tom | Owner: tbb-team
Type: defect | Status: new
Priority: normal | Milestone:
Component: Tor Browser | Version:
Keywords: | Actual Points:
Parent ID: | Points:
-------------------------+--------------------------
I suspect it's fairly common (or at least, we hope it's common) for users
to type https:// instead of http://.
If an onion site doesn't support HTTPS, the user gets an error page
because it can't connect. If it does, the user gets an invalid certificate
or mismatched certificate warning. CAs do not (yet?) issue certificates
for .onion domains, so there are no valid certificates.
But the security of the .onion URL ensures we're talking to the valid so,
so ignoring SSL mis-configurations _should_ be safe, as we already have
authenticity, integrity, and confidentiality. Right? Or am I missing
something?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13410>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list