When I visit a V3 onion that supplies an invalid certificate, Tor Browser will look up the onion when the get certificate button is clicked. This may leak the secret onion address. I attached a photo showing the issue.
Trac: Username: Dbryrtfbcbhgf
You guys need to add an exception to all FQDNs which end with ".onion".
.onion$
That's because if you code "V2 and V3 only .onion", you might need to update the code again when Tor-V4, TorDNS start in the future.
But that means that onions won't be able to revoke SSL certs anymore. Since we consider SSL certs something that onions might need (and in the case of your onion, it's even trying to use it), we should probably also support its various functionalities, including revocation?
Alternatively, we could add a scary message saying that the onion will get leaked, but I doubt most users understand the trade-offs here...
In general, if you are an onion operator and you want your onion address to be secret, you shouldn't configure SSL with an OCSP provider. Do self-signed certs use OCSP?
I think handling this on the onion side and not on the client-side makes sense here.
After talking with ahf a bit I think we can do something smarter. We could require OCSP-must-stapling for .onions and otherwise just prevent it. Firefox is supporting it since ESR 45 at least:
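The following is an added example, not part of the thread and not Tor Browser code: a sketch of one reading of the policy proposed in the last comment (for `.onion` hosts never contact the OCSP responder, and rely on a stapled response only when the certificate carries the Must-Staple TLS Feature extension from RFC 7633). All function names, the policy labels and the sample host are assumptions made for illustration.

```javascript
// Added illustration; every name here is hypothetical.
const STATUS_REQUEST = 5; // TLS extension number for status_request (OCSP stapling)

// Constructed sample: DER value of a TLS Feature extension
// (OID 1.3.6.1.5.5.7.1.24) listing only status_request.
const MUST_STAPLE_DER = [0x30, 0x03, 0x02, 0x01, 0x05];

// The ".onion$" rule from the thread, tolerant of case and a trailing root dot.
function isOnionHost(host) {
  return /\.onion\.?$/i.test(host);
}

// Parse the extension value: SEQUENCE OF INTEGER, short-form lengths only.
function parseTlsFeatures(der) {
  if (der.length < 2 || der[0] !== 0x30 || der[1] !== der.length - 2) {
    throw new Error("not a short-form DER SEQUENCE");
  }
  const features = [];
  let i = 2;
  while (i < der.length) {
    const len = der[i + 1];
    if (der[i] !== 0x02 || len === undefined || len === 0 ||
        len >= 0x80 || i + 2 + len > der.length) {
      throw new Error("malformed INTEGER");
    }
    let value = 0;
    for (let j = 0; j < len; j++) value = value * 256 + der[i + 2 + j];
    features.push(value);
    i += 2 + len;
  }
  return features;
}

// Decide how revocation is handled. tlsFeatureDer is null when the
// certificate has no TLS Feature extension.
function revocationPolicy(host, tlsFeatureDer, hasStapledResponse) {
  if (!isOnionHost(host)) return "normal";
  const mustStaple = tlsFeatureDer !== null &&
    parseTlsFeatures(tlsFeatureDer).includes(STATUS_REQUEST);
  // No Must-Staple: skip OCSP entirely, since a live query would
  // disclose the onion certificate to the responder.
  if (!mustStaple) return "skip-ocsp";
  // Must-Staple: the server has to supply the response itself.
  return hasStapledResponse ? "use-staple" : "reject";
}
```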