|
|
|
|
|
|
by 0x0
4255 days ago
|
|
|
Someone else said getting SSL certs for .onion in the SNI doesn't require ANY kind of validation. So someone bruteforcing the .onion key could easily get their own valid SSL cert and have full access to the plaintext for anyone browsing the .onion site over SSL. The security of facebook over onion is now only protected by the hash power required to brute force the vanity address, instead of the integrity of the SSL CA system or the power required in factoring an SSL key. Even the requirement to spoof DNS or perform actual man-in-the-middle-of-the-wire hijacks has vanished. |
|
|
https://news.ycombinator.com/item?id=8539066