Opened 21 months ago

Closed 10 months ago

Last modified 10 months ago

#18252 closed defect (worksforme)

Ask DuckDuckGo to add its .onion into HTTPS certificate and change schema in the search plugin to HTTPS

Reported by: cypherpunks Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Because .onions are not self-authenticating (it can be a backdoor by Tor developers), anyone with enough computational power can make MiTM. The temporary solution is to use HTTPS even on .onions.

DDG allows you to connect via HTTPS to their .onion, though they don't have .onion name in their HTTPS certificate, which causes ssl_error_bad_cert_domain errors.

Child Tickets

Change History (8)

comment:1 Changed 21 months ago by cypherpunks

Component: - Select a componentTor Browser
Owner: set to tbb-team

comment:2 Changed 17 months ago by cypherpunks

See #19367 for the suggestion to add an certificate exception for DuckDuckGo which IMO isn't the way to go.

comment:3 Changed 17 months ago by cypherpunks

Totally agreed, .onion addresses are already verified by the address itself. So adding an exception is a good idea.
EDIT: Not sure if possible, but also cache the public key?

Last edited 17 months ago by cypherpunks (previous) (diff)

comment:4 Changed 10 months ago by cypherpunks

DuckDuckGo now has a valid certificate on its hidden service. See https://3g2upl4pq6kufc4m.onion/.

Users are automatically redirected to the HTTPS version which breaks searches through the location bar and search bar.

comment:5 in reply to:  4 ; Changed 10 months ago by gk

Resolution: fixed
Status: newclosed

Replying to cypherpunks:

DuckDuckGo now has a valid certificate on its hidden service. See https://3g2upl4pq6kufc4m.onion/.

Neat. Seems we are done in this ticket. For the other issue please file a report for the DuckDuckGo team or if you think this is a Tor Browser issue, a new trac ticket would be good. Thanks.

comment:6 Changed 10 months ago by gk

Resolution: fixed
Status: closedreopened

comment:7 Changed 10 months ago by gk

Resolution: worksforme
Status: reopenedclosed

comment:8 in reply to:  5 Changed 10 months ago by cypherpunks

Replying to gk:

Neat. Seems we are done in this ticket. For the other issue please file a report for the DuckDuckGo team or if you think this is a Tor Browser issue, a new trac ticket would be good. Thanks.

FWIW the ticket about searches through the location bar and search bar breaking is #21042.

Note: See TracTickets for help on using tickets.