[tor-onions] SSL certificates for hidden services/.onion domains

Alec Muffett alecm at fb.com
Thu Feb 25 16:17:25 UTC 2016


> On Feb 25, 2016, at 15:33, shadow <shadow at systemli.org> wrote:
> 
> Can anyone explain the advantages of .onion certs?

Having SSL Certificates for Onion addresses can help answer questions like:

1) "how do I know that this onion address is run by the *real* <insert-company-name>?"

2) "how do I know that <www-onion-address> and <cdn-onion-address> are run by the same <organisation>?"

3) "what can I do about <bad people> who set up a look-alike phishing onion site and try fooling people into thinking it's mine?"

4) "my existing website codebase relies heavily upon 'secure cookies' which can only go over HTTPS; how can I launch an onion site without doing a lot of expensive refactoring of my code merely to support an experiment with Tor?"

5) "new features in upcoming browsers are going to be locked to HTTPS access - some already are, e.g. webcam access - how can I futureproof?"

And because Ballot-144 was thought about by a bunch of sensible people:

6) "Onion SSL Certificates are EV-only. But I need a wildcard certificate! Oh, wait, Onion-EV certificates are wildcard-enabled? Cool!"

    -a


