Hacker News

No. It's a fully valid certificate issued by DigiCert to

    CN = *.facebook.com
    O = "Facebook, Inc."
    L = Menlo Park
    ST = CA
    C = US
with a bunch of altnames

    DNS Name: *.facebook.com
    DNS Name: facebook.com
    DNS Name: *.fb.com
    DNS Name: *.fbsbx.com
    DNS Name: *.fbcdn.net
    DNS Name: *.xx.fbcdn.net
    DNS Name: *.xy.fbcdn.net
    DNS Name: fb.com
    DNS Name: facebookcorewwwi.onion
    DNS Name: fbcdn23dssr3jqnq.onion
    DNS Name: fbsbx2q4mvcl63pw.onion



Thanks - learned something: that you can put anything in the alt names list. So DigiCert is not checking those to be valid domains and controlled by the cert requester?


You can't put anything in the SubjectAltName field, you can put anything that isn't a valid TLD (and not have to validate it).


So Eve could also get a cert for facebookcorewwwi.onion?


Yes. I submitted a request for one just now, actually. Hopefully the CA doesn't flag it for containing Facebook.


Just had it issued. Probably going to write a blog post now.


Did you get it from DigiCert? Or from another CA?


GlobalSign.

edit: They've revoked the cert. :(


But does TBB check for revocations? I bet the answer is no because otherwise it'd be sending the sites you visit to CAs via OCSP and Tor would never want that. So I think you still win.


You could still get a full revocation list (via Tor or not). In fact using OCSP over Tor should be safe? FB sees some-exit-node, sends you a cert, CA sees some-other-or-same-but-not-provably-you requesting status of FB's cert. Unless FB sent you a specially crafted, session-specific cert, CA would only see that "someone" checked the status of FB's cert. And with no immediate link between "you" and "someone"? Much as DNS over Tor is safe (but DNS over UDP isn't)?


What a shame I didn't put a bunch of likely new TLDs into a cert before they became valid TLDs... ;-)


Do note CAs have to revoke all certs within 30 days of ICANN signing a contract with a new TLD provider.


I would assume that DigiCert checked each and every one of those.


They got their money; I doubt they cared.


No - each name is checked before issuance. .onion is an interesting one though since there isn't WHOIS info. The only check there is to download Tor and check that FB controls the service.


Or to give the CA a copy of the private key to establish ownership of the onion. This would be more trustworthy IMO since there would be no chance of phishing lookalikes or something akin to the "onion cloner" MITM attack.

EDIT: Or simply redirecting myownfacebook420.onion to facebook.com, because that can VERY easily be done. Just add a HiddenServicePort 80 facebook.com:80 to the torrc.


That's frankly a horrible idea. What you should do is simply have them generate a CSR using the key - CSRs are signed by the key.


You can drop the Hacker-News trademark "fuck your comment" so I could actually agree with you without first telling you you're rude.


Then the CA also has a copy of the private key and a malicious person could use that key.


Hey, CAs shouldn't be trusted in the first place.


And there's been another article now showing that someone else was able to successfully obtain a certificate for that same .onion address.


How much would a certificate like this actually cost, to someone browsing for ssl certs?


Depends, multidomain certs aren't horribly expensive. Non-EV multidomain certs usually start around $100 and cover 3-5 domains in the "base" certificate and you can pay $10-20/year for more domains. EV multidomain certs start around $300 and usually cover 3 domains and additional domains are +80/year.


oo a wildcard CN? I thought that was considered bad form. Well this makes me feel less guilty now!


There are security considerations if you run multiple services on subdomains with the same certificate, but it's frequently done for convenience.
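As an added example (not code from any commenter in this thread), here is how a TLS client matches a hostname against the dNSName SAN entries quoted at the top of the thread, using the one-label wildcard rule of RFC 6125: a `*` covers exactly one leftmost label, which is why `*.fbcdn.net` does not cover `scontent.xx.fbcdn.net` and the certificate carries separate `*.xx.fbcdn.net` and `*.xy.fbcdn.net` entries, and why a wildcard CN alone is not the risk people assume (the CN is ignored when a SAN extension is present). The rejection of bare `*.com`-style patterns is a simplification of the public-suffix check real validators do, and the .onion classification follows RFC 7686; both are assumptions of this example.

```python
"""Hostname matching against a certificate's dNSName SAN entries.

Added example, not from the thread. SAN_DNS_NAMES is copied from the
certificate quoted above; the matching rule is RFC 6125's one-label
wildcard rule. Modern validators only consult the SAN extension when it
is present, so the wildcard CN never enters into the decision.
"""

SAN_DNS_NAMES = [
    "*.facebook.com", "facebook.com", "*.fb.com", "*.fbsbx.com",
    "*.fbcdn.net", "*.xx.fbcdn.net", "*.xy.fbcdn.net", "fb.com",
    "facebookcorewwwi.onion", "fbcdn23dssr3jqnq.onion", "fbsbx2q4mvcl63pw.onion",
]


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a single SAN dNSName pattern covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    # Only a whole leftmost label may be a wildcard: no 'f*.com', no '*.*.com'.
    first, _, rest = pattern.partition(".")
    if first != "*" or "*" in rest or not rest:
        return False
    # Simplified public-suffix guard (assumption): refuse '*.com', '*.onion'.
    if "." not in rest:
        return False
    # The '*' consumes exactly one label; the remainder must match exactly,
    # so 'a.b.fbcdn.net' is NOT covered by '*.fbcdn.net'.
    hfirst, _, hrest = hostname.partition(".")
    return bool(hfirst) and hrest == rest


def matching_san(hostname: str, san_names=SAN_DNS_NAMES):
    """Return the first SAN entry covering hostname, or None if the cert is not valid for it."""
    for name in san_names:
        if dns_name_matches(name, hostname):
            return name
    return None


def is_special_use_name(name: str) -> bool:
    """True for names a CA cannot validate via public DNS or WHOIS (RFC 7686 .onion)."""
    return name.lower().rstrip(".").rsplit(".", 1)[-1] == "onion"
```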
