[tbb-dev] Tor Messenger and Certificates

Mike Perry mikeperry at torproject.org
Sat Nov 1 03:36:38 UTC 2014


Sukhbir Singh:
> Hi list,
> 
> We are thinking of including certificates for OFTC, CCC, etc. with Tor
> Messenger, since some of these popular chat servers use self-signed
> certificates. Quick questions about this:
> 
> - Is this a good idea -- including these certificates by default? Or
>   should we let the users click on "add exception" and then add the
>   certificates themselves?
> 
> - What is a good way of achieving this (adding these certificates) as
>   part of the build process? I can't seem to find a "proper" way and
>   documentation seems to be lacking. I think we have to update cert8.db
>   as part of the default profile, but I was wondering if there is some
>   documentation or a preferred way of doing this.

So far, we have avoided mucking with the cert store in TBB, mostly
because we did not want to invite a slough of discussion and requests
relating to this, because we're not equipped to make these sorts of
policy decisions organizationally at this point.

However, the use cases you describe seem like decent ones. I think you
might be hard-pressed to find an official way to add a self-signed leaf
cert -- most of what you'll find will be about adding certs into the
source code as a proper CA, which is something you definitely don't want
to do (but the constraints on the self-signed cert *should* make this
impossible).

For this reason, the cert8.db might be the most direct way of
accomplishing what you want, but you might also have a look at doing
this from an addon. For example, Moritz maintains a ca-cert enabling
addon: https://github.com/moba/cacert-firefox-addon

Again, that is an addon specifically designed for adding CAs. I am not
sure if the same mechanism can be used to add self-signed certs.
Probably, but be careful?

-- 
Mike Perry
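As an added example (not code from this thread or from Tor Messenger), the cert8.db route the question and reply discuss, done with NSS's own certutil: a self-signed server cert is imported into a legacy dbm-format profile database with peer trust only ("P,,"), and the recorded flags are checked so the cert can never be trusted as a CA. The hostname irc.example.test, the nickname oftc-test and the scratch profile path are constructed; the script assumes certutil and openssl are installed.

```shell
# Added example, not from the thread: import a self-signed server cert into an
# NSS cert8.db profile as a trusted *peer* (never a CA) and verify the flags.
set -eu

# Build a throwaway self-signed leaf cert for hostname $2 in work dir $1.
# basicConstraints CA:FALSE is what stops it from ever vouching for others.
make_leaf_cert() {
  cat > "$1/leaf.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $2
[leaf]
basicConstraints = critical, CA:FALSE
subjectAltName = DNS:$2
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/leaf.cnf" \
    -extensions leaf -keyout "$1/leaf.key" -out "$1/leaf.pem" 2>/dev/null
}

# Create a legacy dbm-format database (cert8.db, as 2014-era profiles used) in
# $1 and add PEM file $3 as nickname $2 with "P,,": SSL peer trust only, no C/T.
add_peer_cert() {
  mkdir -p "$1"
  certutil -N -d "dbm:$1" --empty-password
  certutil -A -d "dbm:$1" -n "$2" -t "P,," -a -i "$3"
}

# Print the trust string certutil recorded for nickname $2 in profile $1.
trust_flags() {
  certutil -L -d "dbm:$1" | awk -v n="$2" '$1 == n { print $NF }'
}

# Fail if the SSL trust column for nickname $2 carries any CA flag (C or T).
reject_if_ca() {
  case "$(trust_flags "$1" "$2" | cut -d, -f1)" in
    *C*|*T*) echo "refusing: $2 would be trusted as a CA" >&2; return 1 ;;
  esac
}

# End to end in a scratch directory; prints "P,," on success.
demo() {
  d=$(mktemp -d)
  make_leaf_cert "$d" irc.example.test
  add_peer_cert "$d/profile" oftc-test "$d/leaf.pem"
  reject_if_ca "$d/profile" oftc-test
  trust_flags "$d/profile" oftc-test
  rm -rf "$d"
}
```

Run `demo` to see the flags; the same three certutil calls against the default profile directory in the build tree are what "update cert8.db as part of the default profile" comes down to.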