Comment by charcircuit
1 day ago
Next, I hope they focus on issuing certificates for .onion addresses. On the modern web many features and protocols are locked behind HTTPS. The owner of a .onion has a key pair for it, so proving ownership is more trustworthy than even DNS.
'Automated Certificate Management Environment (ACME) Extensions for ".onion" Special-Use Domain Names'
* https://datatracker.ietf.org/doc/html/rfc9799
* https://acmeforonions.org
* https://onionservices.torproject.org/research/appendixes/acm...
But isn't it unnecessary to use https, since Tor itself encrypts and verifies the identity of the endpoint?
For example HTTP/2 and HTTP/3 require HTTPS. While technically HTTPS is redundant, .onion sites should avoid requiring browsers to add special casing for them due to their low popularity compared to regular web sites.
What are the benefits of HTTP/2 and HTTP/3 for Tor hidden service traffic?
Yes, but browsers moan if you connect to a website without https, no matter if it's on localhost or an onion service.
Tor Browser handles this; it treats `.onion` as a secure context.
Well, you're not supposed to use Tor from browsers that don't explicitly support it. Tor Browser, Brave, and I'm sure some others really wouldn't mind HTTP hidden service traffic.
It would give you a certificate chain which may authenticate the onion service as being operated by who it purports to. Of course, depending on context, a certificate that is useful for that purpose might itself be too much of an information leak
DV certificates (that Let's Encrypt provides) offer no verification of the owner. EV certificates for .onion could actually be useful though, but one generally has to pay for an EV cert.