What’s the latest news on this topic?
Tor has launched Hidden Services v3 which (as far as I can tell) has resolved the concerns about the onion addresses.
Is there a CA/B ballot in progress? Where can one learn more?
1 Like
Hi @candrews,
I’m working on this but haven’t made much progress recently. I would suggest following the GitHub issue or this very forum thread. You can also subscribe to cabfpub (or the new server certificate working group list).
We have a draft ballot but it hasn’t been introduced or even circulated to the list yet.
4 Likes
Looks like there’s some new movement towards allowing DV for v3 onion addresses and discussion about how it would work in ACME:
- https://cabforum.org/pipermail/validation/2019-December/001385.html
- https://github.com/letsencrypt/boulder/issues/4620
I wonder if it’s planned to make the server available as a hidden service. Either way, the requester IP is either going to be an exit node or a rendezvous point … which is going to make equitable rate limits a struggle.
4 Likes
Definitely no plans to make the ACME API available as a hidden service.
2 Likes
https://twitter.com/AlecMuffett/status/1230524385884360712
Looks like the vote in favour of DV "Version 3 Onion" TLS certificates, passed!
https://cabforum.org/pipermail/servercert-wg/2020-February/001663.html
5 Likes
Great news!
What is the next step?
2 Likes
make a acme-onion rfc draft so have a protocol extension for acme?
currently it has no defined way to implement callenge for onion address.
2 Likes
@schoen what does Ballot SC27v3 mean for Let’s Encrypt? Are you now free to issue certificates for v3 onions as soon as it’s implemented in ACME and/or Boulder, or are there other hurdles in the way of implementing this?
4 Likes
while web endpoint have a way to attach payload at challenge list, it doesn’t really carried to VA and database doesn’t save it, so It will need to add column to current database,
and in boulder it doesn’t able to handle other then DNS name parameter.
1 Like
@JonahAragon, it has to pass its IP review period (during which CA/B Forum members can declare if they have patents that they believe would be infringed by implementing the procedures in the ballot). After that, Let’s Encrypt could issue these certificates at any time—though in practice both ACME and Boulder would need some work, and also the validation infrastructure because it would probably need to be able to access Tor as part of validations.
3 Likes
Sounds like I shouldn’t hold my breath then… Would the normal HTTP test work for domain validation, so all that needs to happen is Tor access on the validation infrastructure (and adding .onion as a valid TLD), or is it more complex than that?
That could definitely work, although there is a more complex method available, and it’s possible that Let’s Encrypt or other CAs might prefer to adopt the more complex method instead.
3 Likes
Domain control
From an operational perspective adding a tor daemon adjacent to each of our VA instances to allow outbound
torcommunication to.onionsites to verify an agreed upon change to a website (via HTTP-01) is a substantial burden. It's a complex daemon in a memory unsafe language and we would need new monitoring and a lot of general SRE work to deploy it.We would probably prefer to implement proof of domain control support based on the "CSR validation" method described in Wayne's draft ballot since there would be no requirement to make an outbound connection to the
.onionFQDN. Probably implementing the CSR validation properly would require the definition of a new ACME challenge type since there is a need to relay and verify additional information in the CSR (thecaSigningNonceand theapplicantSigningNonce).
5 Likes
Not sure that a Tor client must run adjacent to VA instances. With the distributed nature of the Tor network, topological locality isn't really a thing (in Tor, each packet is travelling 2-6 times around the globe already).
Why can't the Tor client be isolated? There are other services with high security demands (e.g. cloudflare's hidden resolver) that do connect to Tor already.
I don't see how a Tor service can maintain anonymity without the ACME server speaking Tor, as communicating with it via any other means would leak the requestor's IP address, which can (and often will) be related to the service's location.
1 Like
I don't see how a Tor service can maintain anonymity without the ACME server speaking Tor
To ACME's rate limit have any meaning Clients can't keep anonymity, as both .onion name and acme account can printed like paper, because they are just crypto key. only real point account generation can be throttled is accounts generated per IP address.
as onion routing is by itself secure, I guess most thing LE needed for is linking surfacenet identity to onion page, by having both name in same certificate.
3 Likes
I guess there are two distinct needs for HTTPS .onion: DV with full anonymity, and OV/EV with no anonymity.
Many people I know are interested in the first option. The need to have a DV SSL for an .onion domain is purely technical - it is to establish secure context in the browser and to get rid of the broken lock icon. I see this as a shortcoming of the Tor browser itself, since Tor is already end-to-end encrypted on par with that of TLS (including PFS).
To address the issue of rate limiting, an Acme .onion service could charge a small fee, e.g. 1 XRP for each certificate issued (1 XRP is ~$0.65). I think XRP is a good fit because it's a non-PoW (i.e. "green") and a relatively stable coin with a low TX fee.
The validation of an .onion domain can indeed take place without communicating with the .onion service at all, as the CSR can be simply signed by the private key that corresponds to the .onion address.
1 Like
I made a pebble request for this: but I'm not sure if I interperate draft right (like where the hack it get client nonce or jws payload structure of update-challenge (should I decode json twice?
2 Likes