[tor-talk] Motivations for certificate issues for onion services

Alec Muffett alec.muffett at gmail.com
Wed Aug 9 23:07:53 UTC 2017


(2) What reasons do people have for wanting certificates that cover
onion names?  I think I know of at least three or four reasons, but I'm
interested in creating a list that's as thorough as possible.


Six to start with:

- not having to rewrite CMS code which assumes HTTPS, e.g. for secure
cookies; the Onion acts as a straight deployment on a new domain name

- corollary: not having to lobby browser manufacturers to pollute their
code to understand that http under this magical "onion" TLD is somehow
almost but not entirely treatable like https.

- access to secure-locked protocols like WebRTC

- protection of traffic for the link between Tor daemon (basically a
reverse-proxy) and the site load-balancer fanout in enterprise deployment

- user expectation for padlocks, consistency rather than special-snowflake
creeping featurism

- EV: attestation.

-alec

