Opened 5 years ago

Closed 4 years ago

Last modified 13 months ago

#13795 closed task (fixed)

Bundle SPI and jabber.ccc.de root certificates

Reported by: sukhbir Owned by:
Priority: Medium Milestone:
Component: Archived/Tor Messenger Version:
Severity: Normal Keywords:
Cc: arlolra, tom Actual Points:
Parent ID: #10946 Points:
Reviewer: Sponsor:

Description

We should ship the SPI root certificate (spi-inc.org) for OFTC, and the jabber.ccc.de certificate with Tor Messenger since both of these services are widely used.

This was discussed on tbb-dev. We should do this by updating the certificate store as part of the build process. This should be done transparently and we should make it clear that we are shipping these two root certificates.

Change History (6)

comment:1 Changed 5 years ago by tom

Cc: tom added

comment:2 Changed 5 years ago by sukhbir

Resolution: fixed
Status: new → closed

(Some more discussion on tbb-dev.)

Short version: We are bundling the SPI root cert and a cert_override.txt for jabber.ccc.de.

Long version:

Since OFTC is a widely used IRC network, we want users to be able to connect to it without certificate warnings. So we are bundling the SPI root cert which signs the OFTC certificates. (This cert is also shipped with Debian and is part of the ca-certificates package.)

The jabber.ccc.de cert is signed by CAcert and we did not want to ship the CAcert root as part of Tor Messenger. Since jabber.ccc.de is also a widely used Jabber service, we are shipping a cert_override.txt populated with the jabber.ccc.de fingerprint. This file is copied to every profile that is created and users will be able to connect to jabber.ccc.de without the certificate warning and without us shipping the CAcert root.

(We can't ship a cert_override.txt for OFTC since there can be only one entry per domain and if you connect to irc.oftc.net, you can be connected to any of their servers.)
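An audit of a shipped cert_override.txt along the lines described in comment:2, as an added example that is not part of the ticket or of Tor Messenger's build. It assumes the tab-separated Mozilla PSM line layout shown in the comment; the port, the certificate bytes and the db key are constructed sample values.

```python
import hashlib

# Assumed layout of one cert_override.txt line (tab-separated), not taken from the ticket:
#   host:port <TAB> fingerprint-algorithm OID <TAB> fingerprint <TAB> override flags <TAB> db key
SHA256_OID = "OID.2.16.840.1.101.3.4.2.1"

def fingerprint(der: bytes) -> str:
    """Colon-separated upper-case SHA-256 fingerprint of a DER certificate."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def parse_overrides(text):
    """Return ({host:port: (oid, fingerprint, flags)}, [problems])."""
    pins, problems = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 4:
            problems.append(f"line {n}: malformed entry")
            continue
        host, oid, fp, flags = fields[:4]
        if host in pins:
            # Only one entry per host:port can be honoured, so a second one is an error.
            problems.append(f"line {n}: duplicate entry for {host}")
            continue
        if oid != SHA256_OID:
            problems.append(f"line {n}: {host} pinned with non-SHA-256 {oid}")
        pins[host] = (oid, fp.upper(), flags)
    return pins, problems

def check(pins, host_port, der):
    """Compare the certificate a server presented against the shipped pin."""
    if host_port not in pins:
        return "no-pin"  # normal CA validation applies to this host
    return "match" if pins[host_port][1] == fingerprint(der) else "mismatch"

# Constructed sample input: placeholder bytes stand in for real DER certificates.
CERT_A = b"constructed-der-bytes-A"
CERT_B = b"constructed-der-bytes-B"
SAMPLE = (
    "# constructed sample override file\n"
    f"jabber.ccc.de:5222\t{SHA256_OID}\t{fingerprint(CERT_A)}\tU\tconstructed-db-key\n"
    "\n"
    f"jabber.ccc.de:5222\t{SHA256_OID}\t{fingerprint(CERT_B)}\tU\tconstructed-db-key\n"
)
```

A "mismatch" result is the case to alert on: the pin only removes the warning for the exact certificate that was shipped, so a rotated or substituted server certificate falls back to a warning.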

comment:3 Changed 4 years ago by arlolra

Resolution: fixed
Severity: Normal
Status: closed → reopened

Debian is removing SPI CA, which was the justification for including it:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=796208

comment:4 in reply to:  3 Changed 4 years ago by sukhbir

Replying to arlolra:

> Debian is removing SPI CA, which was the justification for including it:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=796208

Thanks for reporting. The SPI cert is no longer part of the build and we won't be shipping it with the next release.

This means that OFTC users will get a certificate warning but given their blocking of Tor recently, we should be fine.

comment:5 Changed 4 years ago by arlolra

Resolution: fixed
Status: reopened → closed

comment:6 Changed 13 months ago by traumschule

<+sukhe> hello. yes, I think it's fine to close the tickets. thanks for doing what we should have done earlier :)

sad but true:
https://blog.torproject.org/sunsetting-tor-messenger

luckily there are alternatives:
https://blog.torproject.org/tor-heart-onion-messaging

.. and maybe someday
