[tbb-bugs] #13410 [Tor Browser]: Disable self-signed certificate warnings when visiting .onion sites

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Oct 14 18:40:20 UTC 2014


#13410: Disable self-signed certificate warnings when visiting .onion sites
-------------------------+--------------------------
 Reporter:  tom          |          Owner:  tbb-team
     Type:  defect       |         Status:  new
 Priority:  normal       |      Milestone:
Component:  Tor Browser  |        Version:
 Keywords:               |  Actual Points:
Parent ID:               |         Points:
-------------------------+--------------------------
 I suspect it's fairly common (or at least, we hope it's common) for users
 to type https:// instead of http://.

 If an onion site doesn't support HTTPS, the user gets an error page
 because it can't connect. If it does, the user gets an invalid certificate
 or mismatched certificate warning.  CAs do not (yet?) issue certificates
 for .onion domains, so there are no valid certificates.

 But the security of the .onion URL ensures we're talking to the valid so,
 so ignoring SSL mis-configurations _should_ be safe, as we already have
 authenticity, integrity, and confidentiality.  Right?  Or am I missing
 something?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13410>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

