Opened 17 months ago

Closed 17 months ago

Last modified 14 months ago

#21767 closed project (wontfix)

Tor CA - .onion SSL system

Reported by: ikurua22
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords:
Cc: guido@…
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

While Tor hidden services are secure by default, many websites are shifting
to HTTPS. Some .onion websites provide HTTPS access with a self-signed
certificate. A .onion website can be viewed only from the Tor network, especially
from "Tor Browser" by the Tor Project and "Orfox" by GuardianProject.

Thus, I suggest this project: ".onion Certificate Authority"(TorOCA).

It's like "LetsEncrypt" - "clearnet" + ".onion".
TorOCA gives a pair of certificate files (you know, pem and key) to the .onion holder.

1) "Tor Browser" has the TorOCA root certificate as an acceptable authority.
2) User visits an https .onion website.
3) The server sends a TLS certificate, which is signed by TorOCA.
4) User can visit the website without a warning.

Consider:
1) Pricing. Free is good, but how about ".onion cert/$10/one-time"? This will help Tor project income.
2) Sub-domain. Some .onion websites use subdomain instead of their main domain.
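The four-step flow and the sub-domain point above, worked through with the openssl command line as an added example (not part of the ticket): a constructed private root stands in for the proposed TorOCA root, issues a leaf certificate for a placeholder .onion name and its subdomains, and a client that trusts only that root checks chain and hostname. The .onion address is a constructed placeholder, and an installed openssl binary is assumed.

```shell
#!/bin/sh
# Added example, not from the ticket: a private root stands in for the proposed
# TorOCA root, issues a certificate for a .onion name and its subdomains, and a
# client that trusts only that root verifies chain and hostname.
set -eu

ONION="xxxxxxxxxxxxxxxx.onion"    # constructed placeholder, not a real service
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Step 1: the root CA a browser would have to ship (constructed, self-signed).
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
  -days 3650 -subj "/CN=Constructed Onion CA" >/dev/null 2>&1

# The hidden service's key and certificate signing request.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/site.key" \
  -out "$WORK/site.csr" -subj "/CN=$ONION" >/dev/null 2>&1

# Leaf extensions: the bare name plus a wildcard for its subdomains
# (the "Sub-domain" point from the description).
cat >"$WORK/ext.cnf" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$ONION,DNS:*.$ONION
EOF

# Step 3 (issuer side): the CA signs the leaf certificate the server will present.
openssl x509 -req -in "$WORK/site.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 90 -extfile "$WORK/ext.cnf" -out "$WORK/site.pem" >/dev/null 2>&1

# trusted_check NAME: a client holding the root checks chain and hostname (step 4).
trusted_check() {
  openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$1" "$WORK/site.pem" >/dev/null 2>&1
}
# untrusted_check NAME: same certificate, but the root is not in the client's store
# (today's situation with a self-signed .onion cert: the browser warns).
untrusted_check() {
  openssl verify -verify_hostname "$1" "$WORK/site.pem" >/dev/null 2>&1
}

for name in "$ONION" "repo.$ONION" "other.onion"; do
  if trusted_check "$name"; then echo "root trusted, $name: accepted"
  else echo "root trusted, $name: rejected"; fi
done
if untrusted_check "$ONION"; then echo "root absent: accepted"
else echo "root absent: rejected"; fi
```

The exact name and a subdomain are accepted only when the root is trusted; a certificate for a different name, or the same certificate without the root in the store, is rejected.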

Child Tickets

Change History (6)

comment:1 Changed 17 months ago by ikurua22

.onion http is secure
.onion https is secure = can allow self-signed cert from ".onion"

Current temporary solution is using this addon:
addons.mozilla.org/fr/firefox/addon/skip-cert-error/

Settings:
bypass error when --- uncheck all.
whitelist --- add your .onion (e.g., '.xxxxxx.onion' to allow it and subdomains)

comment:2 Changed 17 months ago by cypherpunks

Some live examples which use HTTPS - add "https://"

www.facebookcorewwwi.onion/
qtt2yl5jocgrk7nu.onion/
repo.a2af37vnxe44tcgo.onion/
kpdqsslspgfwfjpw.onion/

comment:3 Changed 17 months ago by gk

Resolution: wontfix
Status: new → closed

I don't think we want to get into the certificate business, definitely not the Tor Browser folks.

comment:4 Changed 17 months ago by cypherpunks

Resolution: wontfix
Status: closed → reopened

comment:5 in reply to: 4 Changed 17 months ago by gk

Resolution: wontfix
Status: reopened → closed

Replying to cypherpunks:

Read Part 4 and part 5 aloud, gk.

https://blog.torproject.org/blog/facebook-hidden-services-and-https-certs

I did, and not only aloud. There are interesting thoughts in this post, for sure. But no mention of a *centralized* Tor CA that has a root cert included in Tor Browser and us signing all the .onion certs.

Apart from that, the post shows a bunch of possible ways to move further but does not decide which to choose. That would be a good topic for one of our mailing lists (tor-dev maybe). Once we reach a conclusion on how to proceed, let's file bugs for implementing that one.

comment:6 Changed 14 months ago by guido

Cc: guido@… added