[tor-dev] HTTPS and Tor Onion v3 Services

grarpamp grarpamp at gmail.com
Fri Dec 28 19:06:27 UTC 2018

> sign a
> self-signed tls certificate with your Onion Service's hs_ed25519_secret_key
> and Tor Browser trusting the tls certificate based on this signature

- In the unlikely case that tor crypto fails or breaks, e2e TLS
is good there.
- An admin might terminate onions on one box, and
forward the plaintext off to other places, e2e TLS
is good there.
- Onionland does have some PKI, CA, pinning, and
tor signing infrastructures.
- Admins might want to play, learn, and do it just
because they can.

The browser either has options to import and trust an
onion sig over a cert, or you need to add it, or skip it
and use today's typical cert methods.

The concepts apply to both v2 and v3 onions.

> Would this approach work?

Manually for you, and by users, loading and configuring things, yes.
Automagically, the browser would need to fetch pubkeys from
controller hsdir consensus, observatories, or other methods.

> Would it be worth the effort?

For whatever ca / pki structures are already good for, or not.
And might help against the rewriting onion proxies...

