Tor Browser User Manual (torproject.org)
134 points by cheiVia0 on Nov 2, 2016 | hide | past | favorite | 18 comments



Lol, it's a trap. I get an untrusted certificate.


It's because they're using a stricter form of https, which fails if your company messes with the certs (I'm guessing proxy problems).

This is what it looks like for me:

> Certificate Error There are issues with the site's certificate chain (net::ERR_CERT_AUTHORITY_INVALID).

    Issued To

    Common Name (CN)	blog.torproject.org
    Organisation (O)	<Not Part Of Certificate>
    Organisational Unit (OU)	<Not Part Of Certificate>

    Issued By

    Common Name (CN)	$my_company Web Gateway
    Organisation (O)	$my_company
    Organisational Unit (OU)	$my_company_infrastructure_unit


How do you generate a stricter cert like this?


Using HSTS (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/St...). From RFC 6797 (https://tools.ietf.org/html/rfc6797#page-27):

11.3. Using HSTS in Conjunction with Self-Signed Public-Key Certificates

   If all four of the following conditions are true...

   o  a web site/organization/enterprise is generating its own secure
      transport public-key certificates for web sites, and

   o  that organization's root certification authority (CA) certificate
      is not typically embedded by default in browser and/or operating
      system CA certificate stores, and

   o  HSTS Policy is enabled on a host identifying itself using a
      certificate signed by the organization's CA (i.e., a "self-signed
      certificate"), and

   o  this certificate does not match a usable TLS certificate
      association (as defined by Section 4 of the TLSA protocol
      specification [RFC6698]),

   ...then secure connections to that site will fail, per the HSTS
   design.  This is to protect against various active attacks, as
   discussed above.

   However, if said organization wishes to employ its own CA, and self-
   signed certificates, in concert with HSTS, it can do so by deploying
   its root CA certificate to its users' browsers or operating system CA
   root certificate stores.  It can also, in addition or instead,
   distribute to its users' browsers the end-entity certificate(s) for
   specific hosts.  There are various ways in which this can be
   accomplished (details are out of scope for this specification).  Once
   its root CA certificate is installed in the browsers, it may employ
   HSTS Policy on its site(s).
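The mechanism the RFC excerpt and the parent comment describe, as an added illustration that is not code from the thread, the RFC or the Tor Project: a toy HSTS store plus a deliberately simplified chain check, showing why a chain re-signed by a corporate gateway CA is a hard failure on an HSTS host but only an overridable warning elsewhere, and why installing that root (the section 11.3 remedy) makes it succeed. The `Cert` class, `HstsStore`, `chain_is_trusted`, `connection_outcome` and the sample chain are all constructed for this example; real X.509 validation checks far more than issuer names.

```python
import time
from dataclasses import dataclass


@dataclass
class Cert:
    """Minimal stand-in for an X.509 certificate: only the names we compare (constructed)."""
    subject_cn: str
    issuer_cn: str


def parse_hsts(header: str) -> dict:
    """Parse a Strict-Transport-Security header value into a directive dict.

    Directive names are case-insensitive and max-age is mandatory (RFC 6797,
    section 6.1); a valueless directive such as includeSubDomains maps to True.
    """
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if sep else True
    if "max-age" not in directives:
        raise ValueError("HSTS header missing required max-age directive")
    directives["max-age"] = int(directives["max-age"])
    return directives


class HstsStore:
    """A browser-side HSTS cache keyed by host (hypothetical, for this example)."""

    def __init__(self):
        self._entries = {}  # host -> (expires_at, include_subdomains)

    def remember(self, host, header, now=None):
        d = parse_hsts(header)
        now = time.time() if now is None else now
        if d["max-age"] == 0:  # max-age=0 tells the client to forget the host
            self._entries.pop(host.lower(), None)
            return
        self._entries[host.lower()] = (now + d["max-age"], "includesubdomains" in d)

    def is_known(self, host, now=None):
        """True if host, or a parent domain with includeSubDomains, has a live policy."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if expires_at <= now:
                continue
            if i == 0 or include_subdomains:
                return True
        return False


def chain_is_trusted(chain, trusted_root_cns):
    """Toy chain check: each cert must be issued by the next one, and the last
    cert's issuer must be a root the client trusts. It reproduces only the
    'issuer not in my trust store' failure from the thread (ERR_CERT_AUTHORITY_INVALID);
    signatures, validity dates, name constraints and revocation are not modelled.
    """
    for leaf, issuer in zip(chain, chain[1:]):
        if leaf.issuer_cn != issuer.subject_cn:
            return False
    return chain[-1].issuer_cn in trusted_root_cns


def connection_outcome(host, chain, store, trusted_root_cns, now=None):
    """'ok', 'hard-fail' (HSTS host: no click-through), or
    'warn-override-allowed' (non-HSTS host: browser shows an interstitial)."""
    if chain_is_trusted(chain, trusted_root_cns):
        return "ok"
    return "hard-fail" if store.is_known(host, now) else "warn-override-allowed"


# Constructed sample: the chain from the thread, re-signed by a corporate
# gateway CA that is not in the browser's default root store.
PUBLIC_ROOTS = {"Example Public Root CA"}  # placeholder public root name
GATEWAY_ROOT = "$my_company Web Gateway"
INTERCEPTED_CHAIN = [
    Cert(subject_cn="blog.torproject.org", issuer_cn=GATEWAY_ROOT),
    Cert(subject_cn=GATEWAY_ROOT, issuer_cn=GATEWAY_ROOT),  # self-signed root
]


def demo():
    store = HstsStore()
    now = 1_000_000.0
    store.remember("torproject.org", "max-age=31536000; includeSubDomains", now=now)
    before = connection_outcome("blog.torproject.org", INTERCEPTED_CHAIN, store, PUBLIC_ROOTS, now)
    # RFC 6797 section 11.3 remedy: deploy the private root to the client's trust store.
    after = connection_outcome("blog.torproject.org", INTERCEPTED_CHAIN, store,
                               PUBLIC_ROOTS | {GATEWAY_ROOT}, now)
    return before, after


if __name__ == "__main__":
    print(demo())  # ('hard-fail', 'ok')
```

The outcome for a host with no HSTS entry is the familiar overridable warning, which is what distinguishes the commenter's "stricter https" from an ordinary untrusted-certificate page; the only fix that keeps HSTS intact is the one the RFC names, trusting the gateway's root on the client.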


I get a valid cert, with the S/N: 05:CA:2A:A9:A5:D6:ED:44:C7:2D:88:1A:18:B0:E7:DC



I don't, I get a valid DigiCert cert.


Which company is your organization using for web filtering?


How do I view the link?


> https://webcache.googleusercontent.com/search?q=cache%3Ahttp...

Tip: in Google search you can type cache:<URL> to see Google's cached version of a page.


Blatant Plug

For loads more digital and physical security manuals and advice (from using TOR to dealing with physical surveillance) that work offline on your phone, we launched an open source app called Umbrella to make it a bit easier.

-https://play.google.com/store/apps/details?id=org.secfirst.u...

-https://www.amazon.com/Security-First-Umbrella-made-easy/dp/...

-https://secfirst.org/fdroid/repo

-Code and Content - https://github.com/securityfirst/

-Code audit - https://secfirst.org/blog.html

-More info - https://secfirst.org

Ends blatant plug :)


How many more posts are you going to plug this app on? How about you make this the last one...


Point taken!


And please fix your main page.


Thanks for the heads up!


I don't mind your plug, but two of those links are broken.


Just do a Show HN on this.


[UK-Edition] Install Instructions: Click the Executable. Wait for the Police to arrive.



