How insecure are self-signed certificates?
Why does Tor still use them?
To answer this question, we first have to think about why our instinct is to not trust self-signed certificates. For example, on the world wide web, browsers inherently do not trust self-signed certificates for good reason. When we connect to https://www.paypal.com/, we want to be sure that the certificate that our browser sees for www.paypal.com does in fact belong to PayPal. We rely on certificate authorities (CAs) for this verification, and our browser warns us if the certificate served by a site is not signed by a trusted CA. Through this process, we feel assured that we are truly connecting to www.paypal.com, and not a MITM attacker running a server using a self-signed certificate to impersonate www.paypal.com. Then, we feel safe in proceeding with entering our login credentials and banking information into the site.
But, connections to Tor relay nodes are different. We don't enter login credentials into Tor relay nodes, nor do we enter banking or other sensitive information into Tor relay nodes. Tor relay nodes simply strip off one layer of encryption from the Tor onion, then pass the rest on to the next node. In most cases, Tor relay nodes cannot see the plaintext requests and responses to/from the end server, because they are encrypted with at least one more layer of encryption (unless the node is an exit node, and the user is connecting to a server through Tor using an insecure protocol such as http).
Notwithstanding, every Tor relay node has a long term identity signing key. The node's certificate is self-signed using its identity key, and the identity key appears in the directory listing for the node. Then, when the Tor client builds a circuit, it uses this identity key to authenticate the node. For more information, see https://support.torproject.org/ca/about/key-management/ and https://gitweb.torproject.org/torspec.git/tree/tor-spec.txt (section 2).
So, an attempt by an attacker to impersonate a relay using a MITM attack would be unlikely to succeed. And, even if it did succeed, it would not bear any more fruit for the attacker than he would reap by simply running his own Tor node. But, bear in mind that anyone can run a Tor node, including bad actors. This is why the Tor protocol ensures that the user's circuit will consist of at least three relay nodes (so that no single node can see both the user's IP and the IP of the server that they are connecting to), and the user hopes that these three nodes do not collude.
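The point of the answer above is that a self-signed certificate is only as weak as the way its key is trusted: a browser has nothing but a CA chain to go on, whereas a Tor client already knows the relay's identity key from the directory listing and pins the certificate to it. The following Go program is an added example, not part of the original answer and not Tor's own handshake code (Tor uses its own certificate formats and key types, and the real link handshake is more involved than this). It models the idea with a simplified pinning check: an honest relay and an impostor both present self-signed certificates for the same nickname, and only the one whose key matches the fingerprint "published in the directory" is accepted. The use of Ed25519, the SHA-256 fingerprint format and the nickname `ExampleRelay` are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// identityFingerprint returns the hex SHA-256 of the DER-encoded public key.
// In this model it stands in for the identity-key entry a client fetches from
// the directory listing, i.e. the out-of-band trust anchor (assumed format).
func identityFingerprint(pub ed25519.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:]), nil
}

// newSelfSignedCert builds a self-signed X.509 certificate for a relay
// nickname, signed with the relay's own identity key. No CA is involved.
func newSelfSignedCert(nickname string, priv ed25519.PrivateKey) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: nickname},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyRelayCert is the client-side check: the certificate's signature must
// verify under the certificate's own key (it really is self-signed, not
// tampered), AND that key must match the identity fingerprint the client
// obtained from the directory. No CA chain is consulted at all.
func verifyRelayCert(cert *x509.Certificate, pinnedFingerprint string) error {
	if err := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature); err != nil {
		return fmt.Errorf("self-signature invalid: %w", err)
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok {
		return fmt.Errorf("unexpected key type %T", cert.PublicKey)
	}
	fp, err := identityFingerprint(pub)
	if err != nil {
		return err
	}
	if fp != pinnedFingerprint {
		return fmt.Errorf("identity mismatch: certificate key %s..., directory key %s...", fp[:16], pinnedFingerprint[:16])
	}
	return nil
}

// runScenario models the flow: the honest relay publishes its identity
// fingerprint; later a client checks the honest relay's certificate and an
// impostor's certificate that carries the same nickname but a different key.
// It returns whether each one was accepted.
func runScenario() (honestAccepted, impostorAccepted bool, err error) {
	relayPub, relayPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	pinned, err := identityFingerprint(relayPub) // "directory listing" entry
	if err != nil {
		return false, false, err
	}
	honestCert, err := newSelfSignedCert("ExampleRelay", relayPriv)
	if err != nil {
		return false, false, err
	}
	_, mitmPriv, err := ed25519.GenerateKey(rand.Reader) // impostor's own key
	if err != nil {
		return false, false, err
	}
	mitmCert, err := newSelfSignedCert("ExampleRelay", mitmPriv)
	if err != nil {
		return false, false, err
	}
	honestAccepted = verifyRelayCert(honestCert, pinned) == nil
	impostorAccepted = verifyRelayCert(mitmCert, pinned) == nil
	return honestAccepted, impostorAccepted, nil
}

func main() {
	honest, impostor, err := runScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("honest relay accepted: %v\nimpostor accepted: %v\n", honest, impostor)
}
```

Both certificates are equally "self-signed" and a browser would reject both; the check here accepts exactly one because the trust anchor is the pinned key, not a signer. That is also why the fingerprint must come from a source the client already trusts (the directory, in Tor's case): if the attacker could swap the fingerprint too, pinning would buy nothing.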