Hi list,
We are thinking of including certificates for OFTC, CCC, etc. with Tor Messenger, since some of these popular chat servers use self-signed certificates. Quick questions about this:
- Is this a good idea -- including these certificates by default? Or should we let the users click on "add exception" and then add the certificates themselves?
- What is a good way of achieving this (adding these certificates) as part of the build process? I can't seem to find a "proper" way and documentation seems to be lacking. I think we have to update cert8.db as part of the default profile, but I was wondering if there is some documentation or a preferred way of doing this.
Thanks,
Sukhbir Singh:
> Hi list,
> We are thinking of including certificates for OFTC, CCC, etc. with Tor Messenger, since some of these popular chat servers use self-signed certificates. Quick questions about this:
> - Is this a good idea -- including these certificates by default? Or should we let the users click on "add exception" and then add the certificates themselves?
> - What is a good way of achieving this (adding these certificates) as part of the build process? I can't seem to find a "proper" way and documentation seems to be lacking. I think we have to update cert8.db as part of the default profile, but I was wondering if there is some documentation or a preferred way of doing this.
So far, we have avoided mucking with the cert store in TBB, mostly because we did not want to invite a slew of discussion and requests relating to this, because we're not equipped to make these sorts of policy decisions organizationally at this point.
However, the use cases you describe seem like decent ones. I think you might be hard-pressed to find an official way to add a self-signed leaf cert -- most of what you'll find will be about adding certs into the source code as a proper CA, which is something you definitely don't want to do (but the constraints on the self-signed cert *should* make this impossible).
For this reason, the cert8.db might be the most direct way of accomplishing what you want, but you might also have a look at doing this from an addon. For example, Moritz maintains a ca-cert enabling addon: https://github.com/moba/cacert-firefox-addon
Again, that is an addon specifically designed for adding CAs. I am not sure if the same mechanism can be used to add self-signed certs. Probably, but be careful?
Hi,
Here is an update about shipping certificates with Tor Messenger:
We are now shipping the SPI (spi-inc.org) root cert for OFTC. Since this root certificate is also bundled with Debian, we are not worried about this. (We are being transparent in the build system that we are bundling this cert and will be more so in the documentation and public announcement.)
Coming to the jabber.ccc.de, it is signed by CAcert. Which brings me to the question -- should we be bundling the CAcert root certificate? I base this question on the fact that it is not shipped with Debian (or Ubuntu) or Mozilla, and there seems to be a lot of discussion (one example: http://lwn.net/Articles/590879/) about this topic. Should we ship this with Tor Messenger then?
Another alternative solution is to add the jabber.ccc.de certificate itself and not the CAcert root (which is currently what is in the repository). But I think that's probably even worse given that I am adding the CCC cert itself as a root cert.
Thoughts?
(For the record, we are adding certificates during the build process by updating certdata.txt.)
Hi,
Sukhbir Singh:
> Hi,
> Here is an update about shipping certificates with Tor Messenger:
> We are now shipping the SPI (spi-inc.org) root cert for OFTC. Since this root certificate is also bundled with Debian, we are not worried about this. (We are being transparent in the build system that we are bundling this cert and will be more so in the documentation and public announcement.)
Why is that one not in Mozilla's trust store? Do they have documentation on how their internal processes wrt issuing certificates work? Do they have audits of that process?
> Coming to the jabber.ccc.de, it is signed by CAcert. Which brings me to the question -- should we be bundling the CAcert root certificate? I base this question on the fact that it is not shipped with Debian (or Ubuntu) or Mozilla, and there seems to be a lot of discussion (one example: http://lwn.net/Articles/590879/) about this topic. Should we ship this with Tor Messenger then?
Messing with CAs is always a tricky business. And, personally, I am not a strong fan of adding root certificates of organizations that can't make sure their processes can handle issuing certificates properly, quite the contrary. (Btw. I am not claiming that all the other CAs *can* make that sure; that's a separate discussion though)
Instead of adding additional root certificates I'd explore ways of getting the necessary certificates installed in the user-friendliest way possible when the user is *actually needing* them. (There is no need to expose all those users that are neither using OFTC nor jabber.ccc.de to the additional risk that comes with shipping these root CAs when using Tor Messenger)
Georg
Hi,
* Georg Koppen:
> Why is that one not in Mozilla's trust store? Do they have documentation on how their internal processes wrt issuing certificates work? Do they have audits of that process?
There is a standardized process but I am not aware of that other than the fact that it exists.
https://wiki.mozilla.org/CA:How_to_apply
The SPI root cert on the other hand comes bundled with Debian and is part of ca-certificates.
> Messing with CAs is always a tricky business. And, personally, I am not a strong fan of adding root certificates of organizations that can't make sure their processes can handle issuing certificates properly, quite the contrary. (Btw. I am not claiming that all the other CAs *can* make that sure; that's a separate discussion though)
> Instead of adding additional root certificates I'd explore ways of getting the necessary certificates installed in the user-friendliest way possible when the user is *actually needing* them. (There is no need to expose all those users that are neither using OFTC nor jabber.ccc.de to the additional risk that comes with shipping these root CAs when using Tor Messenger)
This is a good point though I am not sure how the UI can be made better. My concern is not the UI but the fact that we don't want that the users have to deal with certificates, especially if they don't know anything about them. An ideal solution will be to not expose the SPI cert to users not using OFTC, but that is not possible.
I think we need to discuss this a bit more before we actually bundle the certs in our public builds (or not.)
>> Here is an update about shipping certificates with Tor Messenger:
>> We are now shipping the SPI (spi-inc.org) root cert for OFTC. Since this root certificate is also bundled with Debian, we are not worried about this. (We are being transparent in the build system that we are bundling this cert and will be more so in the documentation and public announcement.)
> Why is that one not in Mozilla's trust store? Do they have documentation on how their internal processes wrt issuing certificates work? Do they have audits of that process?
I can't find any indication SPI ever wanted to be included in Mozilla's trust store, but I could be wrong. If http://www.spi-inc.org/ca/ is all the documentation they have (no issuance policy documents, no audits, no nothing) they're not going to make it in.
>> Coming to the jabber.ccc.de, it is signed by CAcert. Which brings me to the question -- should we be bundling the CAcert root certificate? I base this question on the fact that it is not shipped with Debian (or Ubuntu) or Mozilla, and there seems to be a lot of discussion (one example: http://lwn.net/Articles/590879/) about this topic. Should we ship this with Tor Messenger then?
> Messing with CAs is always a tricky business. And, personally, I am not a strong fan of adding root certificates of organizations that can't make sure their processes can handle issuing certificates properly, quite the contrary. (Btw. I am not claiming that all the other CAs *can* make that sure; that's a separate discussion though)
> Instead of adding additional root certificates I'd explore ways of getting the necessary certificates installed in the user-friendliest way possible when the user is *actually needing* them. (There is no need to expose all those users that are neither using OFTC nor jabber.ccc.de to the additional risk that comes with shipping these root CAs when using Tor Messenger)
I'm opposed to adding root CA certificates (CACert, SPI) until such a time Tor Browser/Messenger is ready to maintain its own root store. I don't think doing that is a bad idea though, and would be interested in thinking through what it would take as a pie-in-the-sky type discussion.
But I'm also strongly opposed to requiring users to click through self-signed or invalid root certificate warnings for extremely popular services. So I think services like jabber.ccc.de and OFTC should have their leaf certs included and trusted by default after confirming their validity.
-tom
Thank you everyone for your comments.
Based on the feedback and our own discussions, we are going with this for now:
Instead of adding the root certificates, we have decided to ship a cert_override.txt [0] populated with the services we care about (OFTC, jabber.ccc.de). This will allow users to connect to these services without the scary certificate warnings, and without us adding the root certificates to Tor Messenger. (When you add a certificate exception, it gets saved to the cert_override.txt in the profile directory.)
[0] - https://developer.mozilla.org/en-US/docs/Cert_override.txt
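As an added illustration (written for this thread, not code from Tor Messenger's build system or from any poster), the following Python shows what a shipped cert_override.txt entry looks like and why it is narrower than bundling a root CA: an override is keyed to one host:port and one certificate fingerprint, so the same certificate presented for a different host, or a different certificate for the pinned host, is not trusted. The column layout follows the MDN page linked above; the dbkey encoding in the fifth column is an assumption about NSS's layout (the first three columns are what the match depends on), and the certificate bytes, serials, issuer blobs and the irc.example.net host are constructed placeholders.

```python
import base64
import hashlib
import struct

# Algorithm tag PSM writes for SHA-256 fingerprints in cert_override.txt
SHA256_OID = "OID.2.16.840.1.101.3.4.2.1"


def fingerprint(cert_der: bytes) -> str:
    """Upper-case, colon-separated SHA-256 fingerprint of the DER certificate."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def db_key(serial: bytes, issuer_der: bytes) -> str:
    """Fifth column of an override line.

    ASSUMPTION: NSS's dbkey is two zero uint32s, the serial length and the
    issuer length (all big-endian), followed by the raw serial and the issuer
    DER, then base64-encoded. Matching uses the fingerprint, not this column.
    """
    raw = struct.pack(">IIII", 0, 0, len(serial), len(issuer_der)) + serial + issuer_der
    return base64.b64encode(raw).decode("ascii")


def override_line(host: str, port: int, cert_der: bytes, serial: bytes,
                  issuer_der: bytes, flags: str = "U") -> str:
    """One tab-separated entry. Flags: U = untrusted issuer (self-signed or
    unknown CA), M = hostname mismatch, T = expired / not yet valid."""
    return "\t".join([f"{host}:{port}", SHA256_OID, fingerprint(cert_der),
                      flags, db_key(serial, issuer_der)])


def parse_overrides(text: str) -> dict:
    """Map 'host:port' -> (fingerprint, flags); comment and blank lines are skipped."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        hostport, oid, fp, flags, _dbkey = line.split("\t")
        if oid == SHA256_OID:
            table[hostport] = (fp, flags)
    return table


def is_overridden(table: dict, host: str, port: int, cert_der: bytes) -> bool:
    """True only if this exact certificate was pinned for this exact host:port."""
    entry = table.get(f"{host}:{port}")
    return entry is not None and entry[0] == fingerprint(cert_der)


# Constructed stand-ins for DER-encoded certificates; real entries would be
# built from the servers' actual certificates after verifying them out of band.
CCC_CERT_DER = b"constructed: jabber.ccc.de leaf certificate"
OFTC_CERT_DER = b"constructed: OFTC leaf certificate"

SAMPLE_OVERRIDES = "\n".join([
    "# PSM Certificate Override Settings file",
    override_line("jabber.ccc.de", 5222, CCC_CERT_DER, b"\x01", b"\x30\x00"),
    # irc.example.net is a placeholder hostname, not OFTC's real server name
    override_line("irc.example.net", 6697, OFTC_CERT_DER, b"\x02", b"\x30\x00"),
])


def demo() -> dict:
    """Show the scoping: only the pinned (host:port, certificate) pair passes."""
    table = parse_overrides(SAMPLE_OVERRIDES)
    return {
        "pinned_host_ok": is_overridden(table, "jabber.ccc.de", 5222, CCC_CERT_DER),
        "other_host_same_cert": is_overridden(table, "example.org", 5222, CCC_CERT_DER),
        "pinned_host_other_cert": is_overridden(table, "jabber.ccc.de", 5222, OFTC_CERT_DER),
    }


if __name__ == "__main__":
    print(SAMPLE_OVERRIDES)
    print(demo())
```

Run it directly to see the generated file and the three checks; the design point is that an override file can only ever whitelist the exact (host:port, certificate) pairs it lists, whereas a bundled root vouches for any certificate that root later signs for any host.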
Sukhbir Singh transcribed 0.9K bytes:
> Hi list,
> We are thinking of including certificates for OFTC, CCC, etc. with Tor Messenger, since some of these popular chat servers use self-signed certificates. Quick questions about this:
> - Is this a good idea -- including these certificates by default? Or should we let the users click on "add exception" and then add the certificates themselves?
It's probably friendlier to package them in, since they are frequently used by a large number of people.
I can't think of any messaging programs off the top of my head which explicitly bundle in commonly used self-signed certificates. Somewhat similarly, however, Adam Langley's xmpp-client does hardcode a list of .onion addresses for commonly used XMPP servers. [0] As such, it's probably acceptable to add certificates in a transparent manner.
[0]: https://github.com/agl/xmpp-client/blob/master/config.go#L187