[tbb-bugs] #24192 [Applications/Tor Browser]: When I visit a V3 onion that supplies a invalid certificate, torbrowser will lookup the onion when the get certifice button is clicked

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Nov 14 11:54:09 UTC 2017


#24192: When I visit a V3 onion that supplies a invalid certificate, torbrowser
will lookup the onion when the get certifice button is clicked
--------------------------------------+--------------------------
 Reporter:  Dbryrtfbcbhgf             |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  High                      |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Major                     |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by asn):

 Replying to [comment:2 cypherpunks]:
 > You guys need to add an exception to all FQDN which ends with ".onion".
 >
 > \.onion$
 >
 > That's because if you code "V2 and V3 only .onion", you might need to
 update the code again when Tor-V4, TorDNS starts in the future.

 But that means that onions won't be able to revoke SSL certs anymore.
 Since we consider SSL  certs something that onions might need (and in the
 case of your onion, it's even trying to use it), we should probably also
 support its various functionalities, including revocation?

 Alternatively, we could add a scary message saying that the onion will get
 leaked, but I doubt most users understand the trade offs here...

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24192#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tbb-bugs mailing list