[liberationtech] FYI: Making Connections to Facebook more Secure
Tom Ritter
tom at ritter.vg
Sat Nov 1 17:54:03 PDT 2014
On 31 October 2014 08:05, AntiTree <antitree at gmail.com> wrote:
> I find the interesting part the fact that they got a CA to sign a .onion
> domain certificate. Is that normal?
No, this is the first time it's ever happened.
On 31 October 2014 09:20, AntiTree <antitree at gmail.com> wrote:
> I'm still wondering how one verifies ownership of a .onion domain?
Oh it'd be pretty easily, technically. an onion domain is a
fingerprint of the public key - sign a statement with the private key,
and you can verify ownership pretty easily. I don't know if that's
what DigiCert did, but I find the 'How do you even verify that?!'
argument to be fairly uninteresting.
> You
> aren't going to look at the WHOIS record and send an email to the
> technical contact on file or send an email to postmaster at xxx.onion. Do
> large companies like FB have a fast track for getting odd requests?
Of course - companies that pay 5 figures or more to CAs per year can
certainly call them up and ask after odd things. Don't view it as
conspiracy, it's how business works - pay more, get better service.
It doesn't mean you can get anything you ask, but you can make them
say no to you. :) For example, when you ship a hardware device with
one root CA, you need to make sure that when you buy your next
certificate from the company, it's signed by an intermediate chained
up to that root CA. That's a reasonable request. Request a 512-bit
certificate - they're going to say no.
If one is interested in the CA-aspect of this, I encourage you to read
the CABForum thread:
https://cabforum.org/pipermail/public/2014-October/thread.html#4210
and Tor's thoughts: (Part 4)
https://blog.torproject.org/blog/facebook-hidden-services-and-https-certs
-tom
More information about the liberationtech
mailing list