Opened 4 years ago

Last modified 17 months ago

#18696 new enhancement

.onion names contain their own validator, we should use that

Reported by: huseby
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords:
Cc: asn
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor: Sponsor27


Companion bug to

I'd like to get feedback on this proposal.

The idea is to allow TBB to accept a self-signed trust root cert if the hash of the public key matches the .onion address. This will allow servers running as .onion sites to generate strong/modern TLS certs that are signed by a self-signed root cert containing the .onion public key.

This should allow us to get around the DV cert problem and allow valid .onion TLS certs to be validated by the .onion name and have strong/modern TLS certs.
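As an added illustration of the check the ticket proposes (example code written for this page, not Tor Browser's or the reporter's code), the block below derives the .onion name from a public key and compares it with the name the client is connecting to. It assumes the published Tor address rules: a v2 name is the base32 of the first 80 bits of SHA-1 over the DER-encoded RSAPublicKey, and a v3 name is the base32 of the ed25519 key followed by a two-byte SHA3-256 checksum and a version byte. The key material used is constructed sample bytes, not real keys; `cert_key_matches_onion` is a hypothetical name for the decision a browser would make before trusting a self-signed root.

```python
"""Check that a self-signed root certificate's public key is the key a .onion
name was derived from.  Derivation rules follow Tor's rend-spec; sample keys
below are constructed placeholders, not real keys."""
import base64
import hashlib
import hmac

V3_VERSION = b"\x03"

# Constructed sample inputs (labelled as such): not real key material.
SAMPLE_RSA_DER = bytes(range(140))                                  # stands in for a DER RSAPublicKey
SAMPLE_ED25519_PUB = hashlib.sha256(b"constructed sample v3 key").digest()  # 32 bytes


def onion_v2_address(rsa_public_key_der: bytes) -> str:
    """v2: first 80 bits of SHA-1 over the DER RSAPublicKey, base32, lowercase."""
    digest = hashlib.sha1(rsa_public_key_der).digest()[:10]
    return base64.b32encode(digest).decode("ascii").lower() + ".onion"


def v3_checksum(ed25519_public_key: bytes) -> bytes:
    """v3 checksum: first two bytes of SHA3-256(".onion checksum" || key || version)."""
    return hashlib.sha3_256(b".onion checksum" + ed25519_public_key + V3_VERSION).digest()[:2]


def onion_v3_address(ed25519_public_key: bytes) -> str:
    """v3: base32(key || checksum || version), lowercase, 56 characters."""
    if len(ed25519_public_key) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    body = ed25519_public_key + v3_checksum(ed25519_public_key) + V3_VERSION
    return base64.b32encode(body).decode("ascii").lower() + ".onion"


def onion_label(hostname: str) -> str:
    """Return the service label of a .onion hostname, dropping any subdomains."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] != "onion":
        raise ValueError("not a .onion hostname")
    return labels[-2]


def parse_v3_address(hostname: str) -> bytes:
    """Decode a v3 name, verify checksum and version, and return the embedded key."""
    label = onion_label(hostname)
    if len(label) != 56:
        raise ValueError("v3 .onion label must be 56 characters")
    raw = base64.b32decode(label.upper())          # 56 chars -> 35 bytes, no padding needed
    key, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != V3_VERSION or not hmac.compare_digest(checksum, v3_checksum(key)):
        raise ValueError("bad v3 .onion checksum or version")
    return key


def cert_key_matches_onion(hostname: str, cert_public_key: bytes) -> bool:
    """Hypothetical browser-side decision: accept the self-signed root only if the
    public key it carries reproduces the .onion name being visited.  Any failure
    (unknown label length, malformed key) is a refusal, never an exception."""
    try:
        label = onion_label(hostname)
        if len(label) == 16:        # v2 name: compare the derived key hash
            expected = onion_v2_address(cert_public_key)
        elif len(label) == 56:      # v3 name: the name embeds the whole key
            expected = onion_v3_address(cert_public_key)
        else:
            return False
    except ValueError:
        return False
    # Constant-time comparison of two ASCII strings.
    return hmac.compare_digest(expected, label + ".onion")


if __name__ == "__main__":
    v3 = onion_v3_address(SAMPLE_ED25519_PUB)
    v2 = onion_v2_address(SAMPLE_RSA_DER)
    print("v3 name:", v3, "match:", cert_key_matches_onion(v3, SAMPLE_ED25519_PUB))
    print("v2 name:", v2, "match:", cert_key_matches_onion("www." + v2, SAMPLE_RSA_DER))
    print("wrong key accepted?", cert_key_matches_onion(v3, bytes(32)))
```

The v2 branch is the hash comparison the ticket describes; the v3 branch shows that newer names carry the key itself, so the same decision reduces to re-deriving the name and comparing. The check deliberately accepts nothing it cannot derive: a label of unexpected length or a key of the wrong size is a refusal rather than a fallback to ordinary CA validation.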

Child Tickets

Change History (5)

comment:1 Changed 4 years ago by cypherpunks

Component: - Select a component → Tor Browser
Owner: set to tbb-team

comment:2 Changed 3 years ago by tokotoko

Cc: fdsfgs@… added

comment:3 Changed 3 years ago by tokotoko

Cc: fdsfgs@… removed

comment:4 Changed 17 months ago by gk

Cc: asn added
Sponsor: Sponsor27

asn: What do you think?

comment:5 Changed 17 months ago by asn

Hm. This seems plausible in terms of design and use cases. Not sure how it interacts with all the other onion DV proposals that have been proposed. e.g.
