[tbb-dev] Tor Messenger and Certificates
mikeperry at torproject.org
Sat Nov 1 03:36:38 UTC 2014
> Hi list,
> We are thinking of including certificates for OFTC, CCC, etc. with Tor
> Messenger, since some of these popular chat servers use self-signed
> certificates. Quick questions about this:
> - Is this a good idea -- including these certificates by default? Or
> should we let the users click on "add exception" and then add the
> certificates themselves?
> - What is a good way of achieving this (adding these certificates) as
> part of the build process? I can't seem to find a "proper" way and
> documentation seems to be lacking. I think we have to update cert8.db
> as part of the default profile, but I was wondering if there is some
> documentation or a preferred way of doing this.

So far, we have avoided mucking with the cert store in TBB, mostly
because we did not want to invite a slew of discussion and requests
relating to this, because we're not equipped to make these sorts of
policy decisions organizationally at this point.

However, the use cases you describe seem like decent ones. I think you
might be hard-pressed to find an official way to add a self-signed leaf
cert -- most of what you'll find will be about adding certs into the
source code as a proper CA, which is something you definitely don't want
to do (but the constraints on the self-signed cert *should* make this

For this reason, the cert8.db might be the most direct way of
accomplishing what you want, but you might also have a look at doing
this from an addon. For example, Moritz maintains a ca-cert enabling

Again, that is an addon specifically designed for adding CAs. I am not
sure if the same mechanism can be used to add self-signed certs.
Probably, but be careful?