[tbb-bugs] #13410 [Applications/Tor Browser]: Disable self-signed certificate warnings when visiting .onion sites

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Nov 16 12:53:50 UTC 2017

#13410: Disable self-signed certificate warnings when visiting .onion sites
 Reporter:  tom                       |          Owner:  tbb-team
     Type:  defect                    |         Status:  reopened
 Priority:  Very High                 |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  ux-team                   |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:

Comment (by pastly):

 If people want certificates for their onion services, they should go
 through the process of getting a valid one. Hopefully someday there will
 be an easy way to do so like Let's Encrypt. Until then, by removing the
 warning we're appeasing the users in this ticket but potentially hurting
 many more.

 Assumption: effectively no one checks the certificates they are served,
 even if they are self-signed.

 Scenario 1: the connection is MiTM'ed somehow (there's a bad guy between
 the user and his Tor process or there's a bad guy between the web server
 and the webmaster's Tor process). The bad guy can replace the cert without
 detection because either (1) the onion service was using a self-signed
 cert and no one checks that they continue to get the **same** self-signed
 cert, or (2) because the browser has disabled cert errors. **BAD**.

 Scenario 2: the onion service has a valid cert, but the connection is
 MiTM'ed somehow. Again, the bad guy can replace the cert without
 detection. **BAD**. With current behavior, there's at least a chance that
 the user will realize something is wrong and do something about it.

 Replying to [comment:1 vynX]
 > Don't let legacy crap impede us from fully enjoying end-to-end TLS
 (which is relevant when your Tor router isn't the same machine as your Tor

 No, let's keep the legacy ~~crap~~ security assumptions so that users know
 their transport layer has been confirmed secure by a chain of trust. Tor
 secures between Tor processes. TLS secures between browser and web server.
 Let's not lie to users about the latter.

 Yes: boooooo CAs suck. Down with the system. Etc. Etc. But this is silly.
 What is more intelligent is encouraging users and onion service operators
 to run Tor as close as possible to the end software (AKA "just use Tor
 Browser" to users and "run Tor on the same machine as the webserver in
 most cases, or on a very secure access-controlled network if you're a big
 corporate machine" to onion service operators).

 Replying to [ticket:13410 tom]
 > I suspect it's fairly common (or at least, we hope it's common) for
 users to type ​https:// instead of ​http://.

 I suspect users don't type either one.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13410#comment:20>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list