I beg to differ. One of the very good points made in the talk was that by tying the "vanilla" DNS name of the website and its .onion address as alternate names, you can offer proof to your users that the .onion URL they entered is indeed the website they were trying to reach.
Barring that, you have to trust on good faith that the random string you found on Google is not bringing you to a malicious copy of your destination which performs a man-in-the-middle to steal your credentials (and/or rewrites Bitcoin addresses, since apparently that's a thing).
As for the original question, I think that you cannot get a DV certificate for the .onion TLD at the moment. I assume that you could go the Facebook way and try your luck with Verisign or DigiCert, but it's probably going to cost you a few hundred dollars. Since you're at 32c3, you should get in touch with the EFF / Let's Encrypt people to see if they have made plans for this issue.
-- Ivan
On 12/29/2015 08:38 PM, Jesse V wrote:
> On 12/29/2015 10:25 AM, Benoit Chesneau wrote:
>> I was at the talk this afternoon at the 32c3 and I am wondering where I can get a certificate for a .onion. Any service to suggest? Also, where should I look to configure it correctly?
>> - benoit
> You don't need one. Hidden services automatically get end-to-end authentication and encryption. Since that is handled by Tor and not by the browser, hidden service addresses use "http" rather than "https", but in this case the connection is nevertheless encrypted. It's technically redundant to add HTTPS. A few hidden services have added an HTTPS cert, but I think that's more of a publicity stunt than anything else.
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
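The point Ivan makes about listing the clearnet hostname and the .onion hostname together as subject alternative names can be checked directly against a certificate. The script below is an added example and is not code from the thread or from any of the services mentioned: it builds a throwaway self-signed certificate with the openssl CLI (so it runs offline; a real deployment would use a CA-issued certificate), using placeholder names for the clearnet site and the .onion address, and then tests whether a given certificate actually binds both names. A certificate that names only the clearnet site gives the user no proof that the .onion address belongs to the same operator.

```shell
#!/bin/sh
# Added example, not from the original thread. Creates a self-signed test
# certificate whose subjectAltName lists both a clearnet hostname and a .onion
# hostname (both placeholders), then checks whether a certificate binds the two
# names, which is what a browser validating HTTPS on the .onion address relies on.
# Requires the openssl CLI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Placeholder names; the .onion address is made up and not a real service.
CLEARNET=www.example.com
ONION=abcdefghijklmnop.onion

# make_cert OUTFILE "DNS:a,DNS:b" -> self-signed cert carrying those SAN entries
make_cert() {
    cat > "$WORK/san.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = $CLEARNET
[v3]
subjectAltName = $2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/key.pem" -out "$1" -config "$WORK/san.cnf" \
        >/dev/null 2>&1
}

# san_names CERTFILE -> one "DNS:name" entry per line from the SAN extension
san_names() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tail -n 1 | tr ',' '\n' | sed 's/^[[:space:]]*//'
}

# san_has CERTFILE NAME -> exit 0 iff NAME is a DNS SAN of the certificate
san_has() {
    san_names "$1" | grep -qx "DNS:$2"
}

# binds_onion CERTFILE CLEARNET ONION -> exit 0 iff the cert names both, i.e.
# the issuer vouched that one key holder controls the clearnet and onion names
binds_onion() {
    san_has "$1" "$2" && san_has "$1" "$3"
}

# Demo: one cert that binds both names, one that only names the clearnet site.
make_cert "$WORK/bound.pem" "DNS:$CLEARNET,DNS:$ONION"
make_cert "$WORK/clearnet_only.pem" "DNS:$CLEARNET"

if binds_onion "$WORK/bound.pem" "$CLEARNET" "$ONION"; then
    echo "bound.pem: $ONION is bound to $CLEARNET"
fi
if ! binds_onion "$WORK/clearnet_only.pem" "$CLEARNET" "$ONION"; then
    echo "clearnet_only.pem: no proof that $ONION belongs to $CLEARNET"
fi
```

To run the same check against a live site, replace the self-signed certificate with the one the server presents (for example the output of `openssl s_client -connect host:443 -showcerts`, fetched over Tor for the .onion side) and pass it to `binds_onion` with the two names the user expects. The SAN listing only proves what the issuing CA validated at issuance; it says nothing about how the browser reached the server, so the Tor-side authentication of the .onion address still matters.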