[tor-talk] facebookcorewwwi on brief hiatus

Jeremy Rand jeremyrand at airmail.cc
Fri Dec 13 12:19:00 UTC 2019


carlo von lynX:
> On Fri, Dec 13, 2019 at 11:29:34AM +0000, Alec Muffett wrote:
>> tldr: new TLS certificate is stuck in the pipeline for a few days, because
>> onion certificates are special and weird:
> 
> Onion certificates are an oxymoron. The onion address
> is self-validating. It is a bug that web browsers apply
> the logic of X.509 to Tor addresses - they shouldn't
> check certificates at all, or at best pin down the
> public key contained in the certificate.

This is not necessarily the case.  There exist threat models (e.g.
Whonix-style situations) where the Tor daemon and the application are in
separate trust domains, and in those threat models, there is an
advantage to using TLS combined with onion (compared to only onion),
because TLS is terminated in the application rather than the Tor daemon.

Cheers,
-- 
-Jeremy Rand
Lead Application Engineer at Namecoin
Mobile email: jeremyrandmobile at airmail.cc
Mobile OpenPGP: 2158 0643 C13B B40F B0FD 5854 B007 A32D AB44 3D9C
Send non-security-critical things to my Mobile with OpenPGP.
Please don't send me unencrypted messages.
My business email jeremy at veclabs.net is having technical issues at the
moment.
