
Comment by londons_explore

1 day ago

But isn't it unnecessary to use https, since tor itself encrypts and verifies the identity of the endpoint?

For example HTTP/2 and HTTP/3 require HTTPS. While technically HTTPS is redundant, .onion sites should avoid requiring browsers to add special casing for them due to their low popularity compared to regular web sites.

  • What are benefits of HTTP/2 and HTTP/3 for Tor hidden service traffic?

    • Considerably faster page load times due to being able to continue to use the same connection for each request.

Yes, but browsers moan if you connect to a website without https, no matter if it's on localhost or an onion service.

  • Well, you're not supposed to use Tor from browsers that don't explicitly support it. Tor Browser, Brave, and I'm sure some others really wouldn't mind HTTP hidden service traffic.

It would give you a certificate chain which may authenticate the onion service as being operated as who it purports to. Of course, depending on context, a certificate that is useful for that purpose might itself be too much of an information leak.

  • DV certificates (which Let's Encrypt provides) offer no verification of the owner. EV certificates for .onion could actually be useful though, but one generally has to pay for an EV cert.

    • A certificate that's valid for both a regular domain and an onion domain gives you a degree of confidence of common ownership.