.onion domain support

nsuchy · June 12, 2017, 7:07pm

Add in support to get certificates issued for .onion tor hidden services. This could possibly be done with a little bit of ease. Thoughts?

schoen · June 12, 2017, 7:17pm

Hi @nsuchy,

There have been a number of previous threads about this:

https://community.letsencrypt.org/search?q=onion

I have been following this issue for some time so I can give you my current understanding:

There was previously uncertainty about whether certificates should be issued for .onion names at all because of the possibility that a colliding TLD might be registered giving a potentially confusingly different meaning to these names. RFC 7686 has settled this issue.

DigiCert was the first CA that wanted to issue these certificates, for example for the facebookcorewwwi.onion site, and it pursued special permission from the CA/Browser Forum. This permission was granted and DigiCert has made a practice of issuing these certs. These are paid EV certificates which involve verifying the legal identity of an organization that runs a particular hidden service site.

The exception that was sought from the CA/B Forum, which has since been updated a bit, applied only to EV certificates, not to DV certificates like those issued by Let’s Encrypt.

Some people thought these certificates were superfluous because connections to .onion sites are already encrypted using encryption features within the Tor network itself. However, there are several arguments for why a certificate and explicit use of HTTPS could be useful.

Another concern about DV issue for .onion was that the hidden services protocol was using somewhat obsolete cryptography and some people thought it was not a very good idea to verify identity on the basis of weak cryptography. (I’ve argued against this view because the typical interactive DV that we and other CAs do for clearnet DV issuance is also weak in comparison to modern cryptographic assurances, and is probably easier to attack than the hidden service crypto.) Some people said that when Tor had upgraded to its next-generation hidden service technology, with more modern crypto, this issue might be revisited. At least, the “authentication using obsolete cryptographic techniques” issue would no longer exist then.

Still, DV issuance for .onion will require further action by the CA/B Forum, in response to a discussion and ballot there, which will be quite a bit of work.

Do you know the status of the migration to next-generation hidden services in Tor?

system · July 12, 2017, 7:17pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Letsencrypt for .onion? Issuance Policy	30	19244	July 6, 2022
Let's Encrypt Shouldn't be expected to support onion Addresses - but it might surprise us! Site Feedback	4	148	November 3, 2024
When will Let's Encrypt let .onion owners encrypt? Feature Requests	20	325	July 30, 2024
If/when will LE support .onion addresses? Feature Requests	96	28890	January 3, 2021
Namecoin/DNSChain/.bit support Feature Requests	7	5495	December 11, 2015

.onion domain support

Related Topics