Open
Bug 1250696
Opened 9 years ago
Updated 2 years ago
.onion names contain their own validator, we should use that
Categories
(Core :: Security: PSM, defect, P5)
NEW
People
(Reporter: huseby, Unassigned)
Details
(Whiteboard: [psm-backlog][tor])
Because .onion names are the hash of the 1024-bit RSA key for the Tor onion service, we could short-circuit the cert validation by checking the hash of the public key in the cert served by a web server onion service. This would require the web server to use a self-signed cert that is signed by the RSA key for the Tor onion service. This will allow us to take the cert sent by the server, grab the public key, hash it, and if that matches the .onion name, then we can treat it like a valid DV cert.
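The check proposed in the description, sketched as an added example (not Firefox/PSM code and not part of the original report). It assumes the v2 onion name format, which the report does not spell out: base32 of the first 80 bits of SHA-1 over the DER-encoded PKCS#1 RSAPublicKey. Extracting `n` and `e` from the served certificate is left to an X.509 parser, all function names are hypothetical, and the sample key is constructed.

```python
import base64
import hashlib
import hmac

def _der_len(length: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if length < 0x80:
        return bytes([length])
    body = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_int(value: int) -> bytes:
    """DER INTEGER for a non-negative int (0x00 pad keeps the sign bit clear)."""
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return b"\x02" + _der_len(len(body)) + body

def rsa_public_key_der(n: int, e: int) -> bytes:
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus, publicExponent }."""
    body = der_int(n) + der_int(e)
    return b"\x30" + _der_len(len(body)) + body

def onion_v2_label(n: int, e: int) -> str:
    """Assumed v2 derivation: base32(SHA-1(DER key)[:10]) gives 16 characters."""
    digest = hashlib.sha1(rsa_public_key_der(n, e)).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower()

def cert_key_matches_onion(hostname: str, n: int, e: int, min_bits: int = 1024) -> bool:
    """True only if hostname is under .onion and its onion label is the hash
    of the certificate's RSA key (n, e). Any other TLD is rejected, so the
    shortcut cannot apply outside Tor names."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] != "onion":
        return False
    claimed = labels[-2]  # subdomains such as www.<label>.onion are allowed
    if len(claimed) != 16 or n.bit_length() < min_bits:
        return False
    expected = onion_v2_label(n, e)
    return hmac.compare_digest(claimed.encode("utf-8"), expected.encode("ascii"))

# Constructed stand-in for a 1024-bit modulus (not a real key).
SAMPLE_N = (1 << 1023) | 0x10001
SAMPLE_E = 65537

if __name__ == "__main__":
    host = onion_v2_label(SAMPLE_N, SAMPLE_E) + ".onion"
    print(host, cert_key_matches_onion(host, SAMPLE_N, SAMPLE_E))
```

This covers only the direct key-to-name match; the key-length policy raised in comment 1 appears here just as the `min_bits` floor.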
Comment 1 (Reporter) • 9 years ago
NOTE: the cert using the Tor RSA keypair may not be long enough to meet our other requirements for valid certs.
Updated • 9 years ago
Summary: .onion names contain their own validator, we should us that → .onion names contain their own validator, we should use that
Comment 2 (Reporter) • 8 years ago
I think the correct way here is to allow Firefox to recognize trust roots that are validated by the .onion. That way a web site can generate a more modern, stronger TLS cert that is signed by a self-signed root cert with the .onion key in it. This should mitigate the relative weakness of the keypair and hashing algorithms used by Tor nodes.
Comment 3 (Reporter) • 8 years ago
Companion Tor Trac: https://trac.torproject.org/projects/tor/ticket/18696
Comment 4 (Reporter) • 8 years ago
This might also somewhat mitigate the problem outlined here: https://blog.cloudflare.com/the-trouble-with-tor/ in the section labeled "Long Term Solutions"
Comment 5 (Reporter) • 8 years ago
We wouldn't have to wait for the CA/B Forum to change the rules about adding .onion addresses to DV certs.
Comment 6 • 8 years ago
I'm not entirely sold on this. This would require a fair amount of effort to implement on top of taking particular care to ensure that this can't be abused in non-Tor contexts.
Whiteboard: [psm-backlog]
Updated • 7 years ago
Whiteboard: [psm-backlog] → [psm-backlog][tor]
Updated • 7 years ago
Priority: -- → P5
See Also: → 1618382
Updated • 2 years ago
Severity: normal → S3