On 10/13/2018 08:18 PM, ronqonions@risley.net wrote:
If your site exists as both a hidden service and on the clear web, then it can be problematic to maintain both TLS and unencrypted access.
One problem with hidden services is the potential for copycat sites. Particularly if you have created a vanity .onion address, others can create similar-looking addresses and post them to try to lead people to their site instead of yours. Some folks believe that an EV TLS certificate can mitigate this risk. Facebook, for example, uses an EV certificate for their .onion site. Others question the value of EV certs for most any use cases:
https://scotthelme.co.uk/are-ev-certificates-worth-the-paper-theyre-written-...
I didn't realize Certificates for .onion domains [1] were possible. Thanks for the news!
[1]: https://en.wikipedia.org/wiki/Extended_Validation_Certificate#cite_ref-7
Could the same certificate be used for both the clear web HTTPS URL and the Tor onion address or would it be necessary to maintain two separate certificates?
Facebook seems to use two different certificates:
https://www.facebook.com/ BD:25:8C:1F:62:A4:A6:D9:CF:7D:98:12:D2:2E:2F:F5:7E:84:FB:36
https://www.facebookcorewwwi.onion/ A8:24:85:A1:5C:10:A7:F5:48:3E:BE:FA:B9:53:B8:8D:6E:0D:EE:F7
AFAIK, the only folks that issues TLS certificates for .onion addresses is Digicert. They're EV only.
It's not really important but my site [2] has a digicert certificate and if it is Extended Validation then they verified my legal identity in a very indirect way :)