There should be a way to auth via letsencrypt.org, anonymously.
To: tor-relays@lists.torproject.org
From: kernelcorn@riseup.net
Date: Tue, 29 Dec 2015 12:27:06 -0900
Subject: Re: [tor-relays] tor hidden services & SSL EV certificate
On 12/29/2015 11:18 AM, Aeris wrote:
>> A few hidden services have added an HTTPS cert but I think that's mostly for a publicity stunt than anything else.
> As indicated in Roger's lecture, HTTPS is useful for HS:
> - browsers handle cookies or other stuff more securely in HTTPS mode, avoiding some possible leaks
> - because anybody can create an HS and proxify any content, X.509 certs allow users to verify the authenticity of the HS (you are on the official Facebook HS if you have a cert with facebook.com *AND* facebookcorewwwi.onion inside)
I've downloaded the .webm of Roger's lecture but haven't had the time today to listen to it. My point was that HSs already have an authentication mechanism and it's assumed that you can verify the address through some trusted out-of-band method, so in that case you don't need an SSL cert. This can sometimes be superior to trusting the centralized CA model, but I agree that the points you've listed are useful applications as well.