[tbb-bugs] #21767 [Applications/Tor Browser]: Tor CA - .onion SSL system

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Mar 17 11:16:57 UTC 2017

#21767: Tor CA - .onion SSL system
     Reporter:  ikurua22                  |      Owner:  tbb-team
         Type:  project                   |     Status:  new
     Priority:  Medium                    |  Milestone:
    Component:  Applications/Tor Browser  |    Version:
     Severity:  Normal                    |   Keywords:
Actual Points:                            |  Parent ID:
       Points:                            |   Reviewer:
      Sponsor:                            |
 While a Tor hidden service is secure by default, many websites are shifting
 to HTTPS. Some .onion websites provide HTTPS access with a self-signed
 certificate. A .onion website can be viewed only from the Tor network,
 especially from "Tor Browser" by the Tor Project, and "Orfox" by
 GuardianProject.

 Thus, I suggest this project: ".onion Certificate Authority" (TorOCA).

 It's like "LetsEncrypt" - "clearnet" + ".onion".
 TorOCA gives a pair of certificate (you know, pem and key) to .onion

 1) "Tor Browser" has the TorOCA root certificate as an acceptable authority.
 2) The user visits an https .onion website.
 3) The server sends a TLS certificate, which is signed by TorOCA.
 4) The user can visit the website without a warning.

 1) Pricing. Free is good, but how about ".onion cert/$10/one-time"? This
 will help the Tor Project's income.
 2) Sub-domain. Some .onion websites use a subdomain instead of their main

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21767>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online