
Tor Browser User Manual - cheiVia0
https://blog.torproject.org/blog/announcing-tor-browser-user-manual
======
sun_n_surf
Lol, it's a trap. I get an untrusted certificate.

~~~
overlordalex
It's because they're using a stricter form of https, which fails if your
company messes with the certs (I'm guessing proxy problems).

This is what it looks like for me:

> Certificate Error There are issues with the site's certificate chain
> (net::ERR_CERT_AUTHORITY_INVALID).
    
    
        Issued To
    
        Common Name (CN)	blog.torproject.org
        Organisation (O)	<Not Part Of Certificate>
        Organisational Unit (OU)	<Not Part Of Certificate>
    
        Issued By
    
        Common Name (CN)	$my_company Web Gateway
        Organisation (O)	$my_company
        Organisational Unit (OU)	$my_company_infrastructure_unit

~~~
noja
How do you generate a stricter cert like this?

~~~
tucif
Using HSTS ([https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security)). From RFC 6797
([https://tools.ietf.org/html/rfc6797#page-27](https://tools.ietf.org/html/rfc6797#page-27)):

11.3. Using HSTS in Conjunction with Self-Signed Public-Key Certificates

    
    
       If all four of the following conditions are true...
    
       o  a web site/organization/enterprise is generating its own secure
          transport public-key certificates for web sites, and
    
       o  that organization's root certification authority (CA) certificate
          is not typically embedded by default in browser and/or operating
          system CA certificate stores, and
    
       o  HSTS Policy is enabled on a host identifying itself using a
          certificate signed by the organization's CA (i.e., a "self-signed
          certificate"), and
    
       o  this certificate does not match a usable TLS certificate
          association (as defined by Section 4 of the TLSA protocol
          specification [RFC6698]),
    
       ...then secure connections to that site will fail, per the HSTS
       design.  This is to protect against various active attacks, as
       discussed above.
    
       However, if said organization wishes to employ its own CA, and self-
       signed certificates, in concert with HSTS, it can do so by deploying
       its root CA certificate to its users' browsers or operating system CA
       root certificate stores.  It can also, in addition or instead,
       distribute to its users' browsers the end-entity certificate(s) for
       specific hosts.  There are various ways in which this can be
       accomplished (details are out of scope for this specification).  Once
       its root CA certificate is installed in the browsers, it may employ
       HSTS Policy on its site(s).
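
Added example, not part of the thread or of the RFC text: a minimal model of why a browser that has already learned a host's HSTS policy refuses a gateway-issued certificate outright, while a host without a policy only gets the usual overridable warning. `HstsStore`, `note_header` and `on_cert_error` are hypothetical names; section numbers refer to RFC 6797.

```python
# Added example (not from the thread): HSTS handling per RFC 6797.
import time

def parse_hsts(header):
    """Parse a Strict-Transport-Security value (section 6.1); None if invalid."""
    seen = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in seen:                       # each directive may appear only once
            return None
        seen[name] = value.strip().strip('"')
    age = seen.get("max-age", "")
    if not (age.isascii() and age.isdigit()):  # max-age is required
        return None
    return {"max_age": int(age), "include_subdomains": "includesubdomains" in seen}

class HstsStore:
    """Hypothetical in-memory stand-in for a browser's Known HSTS Host list."""
    def __init__(self):
        self._hosts = {}                       # host -> (expiry, include_subdomains)

    def note_header(self, host, header, tls_ok, now=None):
        """Section 8.1: honour the header only over TLS with no certificate errors."""
        now = time.time() if now is None else now
        policy = parse_hsts(header)
        if not tls_ok or policy is None:
            return False
        if policy["max_age"] == 0:             # max-age=0 forgets the host
            self._hosts.pop(host.lower(), None)
        else:
            self._hosts[host.lower()] = (now + policy["max_age"],
                                         policy["include_subdomains"])
        return True

    def is_known(self, host, now=None):
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):           # exact match, then each parent domain
            entry = self._hosts.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

def on_cert_error(store, host, now=None):
    """Sections 8.4 and 12.1: a Known HSTS Host gets no click-through."""
    return "hard-fail" if store.is_known(host, now) else "warn-with-override"
```

A header that arrives over a connection with a certificate error is ignored, so an intercepting gateway cannot set or clear the policy itself; the hard failure only happens for hosts whose policy was learned earlier over a clean connection.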

------
secfirstmd
_Blatant Plug_

For loads more digital and physical security manuals and advice (from using
TOR to dealing with physical surveillance) that work offline on your phone, we
launched an open source app called Umbrella to make it a bit easier.

-[https://play.google.com/store/apps/details?id=org.secfirst.u...](https://play.google.com/store/apps/details?id=org.secfirst.umbrella)

-[https://www.amazon.com/Security-First-Umbrella-made-easy/dp/...](https://www.amazon.com/Security-First-Umbrella-made-easy/dp/B01AKN9M1Y)

-[https://secfirst.org/fdroid/repo](https://secfirst.org/fdroid/repo)

-Code and Content - [https://github.com/securityfirst/](https://github.com/securityfirst/)

-Code audit - [https://secfirst.org/blog.html](https://secfirst.org/blog.html)

-More info - [https://secfirst.org](https://secfirst.org)

_Ends blatant plug_ :)

~~~
01Michael10
How many more posts are you going to plug this app on? How about you make this
the last one...

~~~
secfirstmd
Point taken!

~~~
ComodoHacker
And please fix your main page.

~~~
secfirstmd
Thanks for the heads up!

------
SticksAndBreaks
[UK-Edition] Install Instructions: Click the Executable. Wait for the Police
to arrive.

