[tor-relays] tor hidden services & SSL EV certificate

Ivan Kwiatkowski justicerage at manalyzer.org
Tue Dec 29 20:05:11 UTC 2015


I beg to differ. One of the very good points made in the talk was that
by tying the "vanilla" DNS name of the website and its .onion address
as alternate names, you can offer proof to your users that the .onion
URL they entered is indeed the website they were trying to reach.

Barring that, you have to trust on good faith that the random string
you found on Google is not bringing you to a malicious copy of your
destination which performs a man-in-the-middle attack to steal your credentials
(and/or rewrites Bitcoin addresses, since apparently that's a thing).

As for the original question, I think that you cannot get a DV
certificate for the .onion TLD at the moment. I assume that you could
go the Facebook way and try your luck with Verisign or DigiCert, but
it's probably going to cost you a few hundred dollars.
Since you're at 32c3, you should get in touch with the EFF / Let's
Encrypt people to see if they have made plans for this issue.

--
Ivan

On 12/29/2015 08:38 PM, Jesse V wrote:
> On 12/29/2015 10:25 AM, Benoit Chesneau wrote:
>> I was at the talk this afternoon at the 32c3 and I am wondering
>> where I can get a certificate for a .onion. Any service to suggest?
>> Also, where should I look to configure it correctly?
>> 
>> - benoit
>> 
> 
> You don't need one. Hidden services automatically get end-to-end
> authentication and encryption. Since that is handled by Tor and not
> by the browser, hidden service addresses use "http" rather than
> "https", but in this case the connection is nevertheless encrypted.
> It's technically redundant to add HTTPS. A few hidden services have
> added an HTTPS cert, but I think that's more of a publicity stunt
> than anything else.
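Ivan's argument is that the certificate is not there to encrypt the hidden-service connection (Tor already does that, as Jesse says) but to let a client confirm that a given .onion address is operated by the same party as a known clearnet hostname, by having both names appear as Subject Alternative Names in one certificate. The check below, added here as an illustration and not taken from the thread or from any Tor or CA code, performs that verification on the dictionary shape Python's `ssl.SSLSocket.getpeercert()` returns. The two sample certificates are hand-constructed dicts with no real key material, `example.com` and the 16-character `.onion` string are placeholders, and the function names are this example's own. It also shows the failure mode Ivan warns about: a certificate that covers only the clearnet name proves nothing about the .onion address you typed in.

```python
"""Check whether an X.509 certificate binds a clearnet hostname to a .onion
address via its Subject Alternative Names.

Added example, not code from the thread. It works on the dictionary shape
Python's ssl.SSLSocket.getpeercert() returns, so the two sample certificates
below are hand-constructed dicts, not real certificates.
"""
import re

# .onion names are base32 (a-z, 2-7): 16 characters for the v2 addresses in
# use when this thread was written, 56 for the later v3 addresses.
_ONION_NAME = re.compile(r"^[a-z2-7]{16}\.onion$|^[a-z2-7]{56}\.onion$")


def is_onion_name(name: str) -> bool:
    """True if `name` is syntactically a v2 or v3 .onion hostname."""
    return bool(_ONION_NAME.match(name.lower().rstrip(".")))


def san_dns_names(cert: dict) -> list:
    """Extract the dNSName entries from a getpeercert()-style dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: exact match, or a single wildcard in the
    leftmost label that covers exactly one label of the hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        suffix = pattern[2:]
        labels = hostname.split(".")
        # The wildcard must stand in for one non-empty label, and the
        # remaining suffix must be at least two labels long.
        return len(labels) >= 3 and labels[0] != "" and ".".join(labels[1:]) == suffix
    return False


def check_onion_binding(cert: dict, clearnet_host: str, onion_host: str) -> dict:
    """Report which of the two names the certificate vouches for.

    `bound` is True only when the same certificate covers both the clearnet
    name and the exact .onion name. Wildcards are never accepted for the
    .onion side, because the point of the check is to pin one address."""
    names = san_dns_names(cert)
    clearnet_ok = any(dns_name_matches(n, clearnet_host) for n in names)
    onion_ok = is_onion_name(onion_host) and any(
        n.lower().rstrip(".") == onion_host.lower().rstrip(".") for n in names
    )
    return {
        "clearnet_covered": clearnet_ok,
        "onion_covered": onion_ok,
        "bound": clearnet_ok and onion_ok,
    }


# Constructed sample certificates (dict shape only, no real key material).
CERT_WITH_ONION = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (
        ("DNS", "www.example.com"),
        ("DNS", "example.com"),
        ("DNS", "abcdefghijklmnop.onion"),  # placeholder 16-char address
    ),
}

CERT_CLEARNET_ONLY = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}


if __name__ == "__main__":
    for label, cert in (("with onion", CERT_WITH_ONION),
                        ("clearnet only", CERT_CLEARNET_ONLY)):
        print(label, check_onion_binding(cert, "www.example.com",
                                         "abcdefghijklmnop.onion"))
```

Against a live service you would feed `check_onion_binding` the dict from `getpeercert()` after a normal TLS handshake to the clearnet name; the useful outcome is `bound`, which is only True when the certificate the CA issued for the clearnet site also lists the exact .onion address the user typed. The wildcard handling matters because a `*.example.com` certificate covers `www.example.com` yet says nothing about any .onion name, and the example refuses to treat a wildcard as evidence for one.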