.onion domain support

Add in support to get certificates issued for .onion tor hidden services. This could possibly be done with a little bit of ease. Thoughts?

Hi @nsuchy,

There have been a number of previous threads about this:


I have been following this issue for some time so I can give you my current understanding:

There was previously uncertainty about whether certificates should be issued for .onion names at all because of the possibility that a colliding TLD might be registered giving a potentially confusingly different meaning to these names. RFC 7686 has settled this issue.

DigiCert was the first CA that wanted to issue these certificates, for example for the facebookcorewwwi.onion site, and it pursued special permission from the CA/Browser Forum. This permission was granted and DigiCert has made a practice of issuing these certs. These are paid EV certificates which involve verifying the legal identity of an organization that runs a particular hidden service site.

The exception that was sought from the CA/B Forum, which has since been updated a bit, applied only to EV certificates, not to DV certificates like those issued by Let’s Encrypt.

Some people thought these certificates were superfluous because connections to .onion sites are already encrypted using encryption features within the Tor network itself. However, there are several arguments for why a certificate and explicit use of HTTPS could be useful.

Another concern about DV issue for .onion was that the hidden services protocol was using somewhat obsolete cryptography and some people thought it was not a very good idea to verify identity on the basis of weak cryptography. (I’ve argued against this view because the typical interactive DV that we and other CAs do for clearnet DV issuance is also weak in comparison to modern cryptographic assurances, and is probably easier to attack than the hidden service crypto.) Some people said that when Tor had upgraded to its next-generation hidden service technology, with more modern crypto, this issue might be revisited. At least, the “authentication using obsolete cryptographic techniques” issue would no longer exist then.

Still, DV issuance for .onion will require further action by the CA/B Forum, in response to a discussion and ballot there, which will be quite a bit of work.

Do you know the status of the migration to next-generation hidden services in Tor?
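As an added example (not part of the original posts, and not code from Let’s Encrypt or Tor), here is what “next-generation hidden services” changes for the identity question discussed above: a v3 .onion name is derived directly from the service’s ed25519 public key, with a SHA3-256 checksum and version byte packed into the base32 label, so a client can check that a name is well-formed and self-consistent before it ever connects. The old 16-character v2 names carried only a truncated SHA-1 of an RSA-1024 key. The layout below follows Tor’s rend-spec-v3 (`PUBKEY | CHECKSUM | VERSION`, checksum = `SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]`); the sample key is constructed for illustration and does not belong to any real service.

```python
import base64
import hashlib

B32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")

# Constructed ed25519 public key for illustration only (not a real service's key).
SAMPLE_PUBKEY = bytes(range(32))


def v3_checksum(pubkey: bytes, version: int = 3) -> bytes:
    """Two-byte checksum per rend-spec-v3: SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]."""
    digest = hashlib.sha3_256(b".onion checksum" + pubkey + bytes([version])).digest()
    return digest[:2]


def v3_address_from_pubkey(pubkey: bytes) -> str:
    """Build the 56-character v3 onion label from a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + v3_checksum(pubkey) + b"\x03"          # 32 + 2 + 1 = 35 bytes = 56 base32 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def classify_onion(name: str) -> str:
    """Return 'v2', 'v3' or 'invalid' for a hostname under the reserved .onion TLD (RFC 7686).

    Only the label immediately before '.onion' is the service identifier; Tor allows
    arbitrary subdomain labels in front of it, which are ignored here.
    """
    host = name.strip().lower().rstrip(".")
    if not host.endswith(".onion"):
        return "invalid"
    label = host[: -len(".onion")].split(".")[-1]
    if not label or any(c not in B32_ALPHABET for c in label):
        return "invalid"

    # v2: 16 base32 chars = 80 bits of SHA-1 over the RSA-1024 key. Format-only check;
    # nothing in the name lets us verify a checksum or version.
    if len(label) == 16:
        return "v2"

    # v3: 56 base32 chars decode to exactly 35 bytes, no padding needed.
    if len(label) == 56:
        raw = base64.b32decode(label.upper())
        pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
        if version == 3 and checksum == v3_checksum(pubkey, version):
            return "v3"
    return "invalid"


if __name__ == "__main__":
    addr = v3_address_from_pubkey(SAMPLE_PUBKEY)
    print(addr, classify_onion(addr))
    print("facebookcorewwwi.onion", classify_onion("facebookcorewwwi.onion"))
    print("b" + addr[1:], classify_onion("b" + addr[1:]))  # one flipped char: checksum no longer matches
```

The checksum is only two bytes, so it catches typos and truncation rather than forgery; the real binding is that the 32 bytes in the name are the key the service must prove possession of during the rendezvous handshake, which is the “modern crypto” the reply above refers to.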
