[tor-bugs] #13607 [TorBirdy]: TorBirdy should have an option to distrust all certificate authorities

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Nov 14 11:00:23 UTC 2014


#13607: TorBirdy should have an option to distrust all certificate authorities
-----------------------------+---------------------
     Reporter:  sajolida     |      Owner:  ioerror
         Type:  enhancement  |     Status:  new
     Priority:  normal       |  Milestone:
    Component:  TorBirdy     |    Version:
   Resolution:               |   Keywords:
Actual Points:               |  Parent ID:
       Points:               |
-----------------------------+---------------------

Comment (by sajolida):

 Note that I'm not suggesting to make this the default option, but have it
 opt-in. You already have other options like this I think.

 Regarding TOFU and usability. I can think of similar processes in other
 software that work pretty well:

 - In OTR you do TOFU without even noticing it. Then you have the option
 to further identify people if you wish (and you are recommended to do so).
 - In Claws Mail in Tails, there's currently no CA verification and people
 have to do TOFU: they are prompted with the fingerprint of the server they
 connect to and are proposed to trust it for future uses. I know that Claws
 is not very fancy and has many UX issues, but I don't remember people
 complaining about this particular step.

 So TOFU can work without having to lead people through scary warnings and
 exceptions like Firefox does, because the certificate scenario in the case
 of email is very different, as I explained earlier. It resembles more the
 scenario of OTR than the scenario of browsing a random HTTPS website
 because it's a long-term usage with a single entity.

 On top of such a simplistic TOFU mechanism, in the case of TorBirdy it would
 actually be possible to do a first sanity check of the certificate against
 its CA before proposing the TOFU. Right now you are doing "trust on each
 use" by verifying the same certificate from scratch each time through any
 available CA. I think that trusting it only once would definitely be
 better.

 So we could reuse that information in the UX as well, and say something
 like: "Hey, this certificate is new. Do you want to store it and trust it
 permanently from now on? Note that we managed to verify it successfully
 against its CA NameOfTheCA so everything looks good."

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13607#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
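The "CA sanity check, then pin" flow described in the comment above, as an added example that is not TorBirdy's or Thunderbird's own code. It assumes the caller already has the server's DER certificate, the handshake's chain-validation result and the issuer name (in a real client these would come from the TLS layer, e.g. Python's ssl module); the pin store keyed by host:port and the four decisions are constructed for illustration. Once a certificate is pinned, later connections are judged by the pinned fingerprint alone, which is the "trust only once" behaviour the comment asks for.

```python
import hashlib
import json
import os
from enum import Enum

class Decision(Enum):
    FIRST_USE_VERIFIED = "new certificate, chain verified by a CA"
    FIRST_USE_UNVERIFIED = "new certificate, no CA could verify it"
    MATCH = "certificate matches the pinned fingerprint"
    MISMATCH = "certificate differs from the pinned fingerprint"

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding: the value a user would compare out of band."""
    return hashlib.sha256(der_cert).hexdigest()

class TofuStore:
    """Pins one server certificate per host:port; path=None keeps pins in memory only."""
    def __init__(self, path=None):
        self.path = path
        self.pins = {}
        if path and os.path.exists(path):
            with open(path) as f:
                self.pins = json.load(f)

    def evaluate(self, host, port, der_cert, ca_verified, issuer):
        """Return (Decision, message). ca_verified is the TLS chain-validation result."""
        key, fp = f"{host}:{port}", fingerprint(der_cert)
        pinned = self.pins.get(key)
        if pinned is None:
            if ca_verified:  # first use, and a CA vouches for it: propose pinning
                return Decision.FIRST_USE_VERIFIED, (
                    f"This certificate for {key} is new. Store and trust it permanently? "
                    f"It verified successfully against its CA {issuer}.")
            return Decision.FIRST_USE_UNVERIFIED, (  # first use, unverified: show fingerprint
                f"This certificate for {key} is new and no CA vouches for it. "
                f"Confirm fingerprint {fp} with the server operator before trusting it.")
        if pinned["fingerprint"] == fp:  # later use: the pin decides, no CA re-check needed
            return Decision.MATCH, ""
        return Decision.MISMATCH, (  # a changed certificate is the case worth alarming on
            f"Certificate for {key} changed: pinned {pinned['fingerprint']}, "
            f"presented {fp}. Refusing to connect until you confirm the change.")

    def pin(self, host, port, der_cert, issuer):
        """Record the user's 'trust permanently' answer so later uses are MATCH/MISMATCH."""
        self.pins[f"{host}:{port}"] = {"fingerprint": fingerprint(der_cert), "issuer": issuer}
        if self.path:
            with open(self.path, "w") as f:
                json.dump(self.pins, f)
```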

