trick or SSL
joeyh at
So it seems that CAs will happily issue SSL certs for any .onion address at all, without checking if you own it, since it's not an official TLD. Here's someone getting a duplicate cert for facebook's new .onion address. https://news.ycombinator.com/item?id=8538388
Wonder if someone could sneak a *.onion cert past one of the many fine CAs we all trust so much. Nah, they all do such a good job, surely not.
And, what about all those new TLDs? What was to stop someone getting a bogus louvre.museum cert before that was a valid TLD? Is there a multi-year waiting period to ensure any such bogus certs expire before rolling out a new TLD? (I assume that CAs do a good job of setting expiries, because it lets them make more $$.)
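A defender-side check that the two questions above point at, written as an added example (not code from this thread or from any CA): flag certificate SANs that sit under a special-use name like .onion, under a TLD that is not delegated at all, or that were issued before their TLD existed and are still valid after its delegation. The TLD snapshot, delegation dates and sample certificates are constructed assumptions, not an authoritative root-zone list.

```python
from datetime import date
from typing import Dict, List, Tuple

# Constructed snapshot of delegated TLDs and their delegation dates. The dates are
# placeholders for illustration, not a copy of the real root zone history.
DELEGATED_TLDS: Dict[str, date] = {
    "com": date(1985, 1, 1),
    "org": date(1985, 1, 1),
    "museum": date(2001, 10, 1),
}
# Special-use names a publicly trusted CA can never validate control of
# (.onion is reserved by RFC 7686; the others by RFC 2606 / RFC 6762).
SPECIAL_USE_TLDS = {"onion", "local", "localhost", "test", "invalid", "example"}


def check_san(name: str, issued: str, not_after: str) -> List[str]:
    """Policy findings for one dNSName SAN (ISO dates); an empty list means it passed."""
    issued_d, expires_d = date.fromisoformat(issued), date.fromisoformat(not_after)
    findings: List[str] = []
    labels = name.lower().rstrip(".").split(".")
    tld = labels[-1]
    if labels[0] == "*" and len(labels) == 2:
        findings.append(f"{name}: wildcard directly under a TLD")
    if tld in SPECIAL_USE_TLDS:
        findings.append(f"{name}: .{tld} is a special-use name; ownership cannot be validated")
    elif tld not in DELEGATED_TLDS:
        findings.append(f"{name}: .{tld} is not a delegated TLD (internal name)")
    elif issued_d < DELEGATED_TLDS[tld] <= expires_d:
        # The louvre.museum case: issued while the TLD did not exist, still valid once it did.
        findings.append(f"{name}: issued before .{tld} was delegated and still valid afterwards")
    return findings


def audit_certificate(sans: List[str], issued: str, not_after: str) -> List[str]:
    """Run check_san over every SAN of one certificate and collect all findings."""
    return [f for san in sans for f in check_san(san, issued, not_after)]


# Constructed sample certificates (SANs, notBefore, notAfter); none are real issuances.
SAMPLES: List[Tuple[List[str], str, str]] = [
    (["www.example-site.com"], "2014-10-01", "2015-10-01"),
    (["*.onion"], "2014-10-01", "2015-10-01"),
    (["louvre.museum"], "2000-06-01", "2003-06-01"),
    (["intranet.corp"], "2014-10-01", "2015-10-01"),
]

if __name__ == "__main__":
    for sans, issued, not_after in SAMPLES:
        for finding in audit_certificate(sans, issued, not_after) or ["clean: " + ", ".join(sans)]:
            print(finding)
```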
I've long been frustrated with this 'web of trust' that's controlled by a handful of commercial entities. Profit over security.
cmhobbs at 2014-11-01T01:31:50Z
I'd say that "profit over security" implies a comparison that's never made. It's just "profit". The sales pitch is "security".
Douglas Perkins at 2014-11-01T02:16:25Z
Are SSL certs even *needed* (from a user's POV) when you use a .onion link, though?
I thought Tor's wrapping meant that your traffic wouldn't be going over plaintext. And the usual warning about Bad Exit Nodes Sniffing Your Passwords doesn't apply because you aren't leaving the Tor network.
SombreKnave at 2014-11-01T15:32:18Z
Looks like Tor have already thought about this (well, they would have!). This blog post covers the pros and cons of .onion SSLs:
https://blog.torproject.org/blog/facebook-hidden-services-and-https-certs
SombreKnave at 2014-11-02T11:12:57Z