Hey there programming heroes! I have a question regarding that onion address for Crabgrass (7lvd7fa5yfbdqaii.onion) it seems to always show a wrong certificate while trying to connect to it. it is saying that no domain name fits to the certificate. i'm wondering how big of an issue it is. to use it this way, or how to set the right certificate?
or how to recognize when that would be fake?
sorry if the question sounds naive.. but it always bothers me to click add exception.
thanx!
When you get the security exception, click on advanced and you'll see:
"7lvd7fa5yfbdqaii.onion uses an invalid security certificate. The certificate is only valid for the following names: *.riseup.net, riseup.net Error code: SSL_ERROR_BAD_CERT_DOMAIN "
So what that means it that the onion addresses are not covered under the riseup certificate. This is actually true with all of the onion services and is to be expected.
What you can do is confirm the certificate is indeed a Riseup certificate:
https://riseup.net/en/security/network-security/certificates
Let me know if you need anything else!
"7lvd7fa5yfbdqaii.onion uses an invalid security certificate. The certificate is only valid for the following names: *.riseup.net, riseup.net Error code: SSL_ERROR_BAD_CERT_DOMAIN "
So what that means it that the onion addresses are not covered under the riseup certificate. This is actually true with all of the onion services and is to be expected.
What you can do is confirm the certificate is indeed a Riseup certificate:
https://riseup.net/en/security/network-security/certificates
Let me know if you need anything else!
One other thing: Tor is end to end encrypted by default (even over standard HTTP). In order for us to get SSL certificates for our onions costs a lot right now. There's proposals on the table through the powers that be to allow .onion TLDs to be on less expensive DV certificates (https://cabforum.org/pipermail/public/2017-November/012451.html) but right now that's not possible because the only way to do it is with EV certificates which are very expensive due to all the certification required. So there's no reason why you need SSL like you do over a clearnet connection.