[tbb-bugs] #13410 [Tor Browser]: Disable self-signed certificate warnings when visiting .onion sites

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon May 18 12:00:31 UTC 2015

#13410: Disable self-signed certificate warnings when visiting .onion sites
     Reporter:  tom          |      Owner:  tbb-team
         Type:  defect       |     Status:  new
     Priority:  normal       |  Milestone:
    Component:  Tor Browser  |    Version:
   Resolution:               |   Keywords:
Actual Points:               |  Parent ID:
       Points:               |

Comment (by yawning):

 > CAs do not (yet?) issue certificates for .onion domains, so there are no
 valid certificates.

 They do now.  As much as I have deep seated hatred for the CA mafia,
 closely matched by my burning hatred for spacebook and bitcoin (which IIRC
 are the 2 places that do have CA certs for .onions currently), something
 like this seems dangerous because without careful design it would allow me
 to throw an obnoxious amount of CUDA at getting "facebookcorewwii.onion",
 creating a self-signed cert, and mounting a fishing attack on user

 (Yes, I am aware that I shouldn't click on the bad, and if I pay the CA
 people enough I can probably get a CA cert for my site of evil anyway, but
 implementing this lowers the bar for entry considerably).

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13410#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list