> > The name tor.facebook.com is not self-authenticating, which is the main practically useful function of .onion names.
Well ... but this thread starts by observing that attackers are exploiting the fact that Onion names are opaque random strings, meaning people do (at best) prefix matches of a few characters. So isn't the issue that Onion names are *not*, in practice, self-authenticating?

There are not thousands of CAs; even Firefox only trusts a hundred or so in total and EV certs are issued by only about 25-30. And Google is forcing them into certificate transparency, so if someone did issue a bogus EV cert under your name you'd be able to locate it immediately with something as basic as a cron job.

Chrome already shows visually if a page is bookmarked or not (the star on the right hand side). So there's nothing to do there.
_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
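
An added example, not part of the original message: a sketch of the certificate-transparency check a cron job could run, comparing logged certificates for a domain against an inventory of certificates the owner actually requested. The entry field names (modelled on crt.sh JSON output), the issuer names and the sample entries are constructed assumptions; fetching entries from a log or search service is left out so the block runs offline.

```python
"""Flag CT-logged certificates for our domain that we never requested."""

ISSUER_A = "C=US, O=Constructed CA A, CN=EV Issuing CA"  # constructed names
ISSUER_B = "C=XX, O=Constructed CA B, CN=EV Issuing CA"

# Constructed entries; field names are an assumption modelled on crt.sh JSON.
SAMPLE = [
    {"id": 101, "issuer_name": ISSUER_A, "serial_number": "0A1B2C",
     "name_value": "example.org\nwww.example.org"},
    {"id": 202, "issuer_name": ISSUER_B, "serial_number": "ff01",
     "name_value": "example.org"},            # precertificate
    {"id": 203, "issuer_name": ISSUER_B, "serial_number": "ff01",
     "name_value": "example.org"},            # matching final certificate
    {"id": 304, "issuer_name": ISSUER_A, "serial_number": "beef",
     "name_value": "example.org.evil.test"},  # lookalike, not our name
    {"id": 405, "issuer_name": ISSUER_B, "serial_number": "0a1b2c",
     "name_value": "*.example.org"},          # our serial, wrong issuer
]

# Certificates the domain owner actually requested: (issuer, serial) pairs,
# because a serial number is only unique per issuer.
INVENTORY = {(ISSUER_A, "0a1b2c")}


def covers(name, domain):
    """True if a logged DNS name is `domain`, a subdomain, or a wildcard for it."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name == domain or name.endswith("." + domain)


def unexpected_certs(entries, domain, inventory):
    """One record per (issuer, serial) naming `domain` that is not in `inventory`."""
    flagged = {}
    for e in entries:
        names = {n.strip().lower() for n in e["name_value"].splitlines() if covers(n, domain)}
        if not names:
            continue
        key = (e["issuer_name"], e["serial_number"].lower())
        if key in inventory:
            continue
        # A precertificate and its final certificate share issuer and serial.
        rec = flagged.setdefault(key, {"issuer": key[0], "serial": key[1], "names": set(), "log_ids": []})
        rec["names"] |= names
        rec["log_ids"].append(e["id"])
    return sorted(flagged.values(), key=lambda r: min(r["log_ids"]))


if __name__ == "__main__":
    for rec in unexpected_certs(SAMPLE, "example.org", INVENTORY):
        print("UNEXPECTED", rec["serial"], rec["issuer"], sorted(rec["names"]), rec["log_ids"])
```

The check is only as good as the inventory: a certificate the owner requested but forgot to record is reported the same way as a mis-issued one.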
