[tor-dev] HTTPS and Tor Onion v3 Services
grarpamp
grarpamp at gmail.com
Fri Dec 28 19:06:27 UTC 2018
> sign a
> self-signed tls certificate with your Onion Service's hs_ed25519_secret_key
> and Tor Browser trusting the tls certificate based on this signature
- In unlikely case tor crypto fails or breaks, e2e TLS
is good there.
- An admin might terminate onions on one box, and
forward the plaintext off to other places, e2e TLS
is good there.
- Onionland does have some PKI, CA, pinning, and
tor signing infrastructures.
- Admins might want to play, learn, and do it just
because they can.
The browser either has options to import and trust an
onion sig over a cert, or you need to add it, or skip it
and use today's typical cert methods.
The concepts apply to both v2 and v3 onions.
> Would this approach work?
Manually for you, and by users, loading and configuring things, yes.
Automagically, browser would need to fetch pubkeys from
controller hsdir consensus, observatories, or other methods.
> Would it be worth the effort?
For whatever ca / pki structures are already good for, or not.
And might help against the rewriting onion proxies...
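Added example, not code from this thread: the hostname-to-key binding check a browser would need for the scheme quoted above. For v3 the address itself commits to the 32-byte ed25519 public key, so the check below encodes and decodes v3 addresses per Tor's rend-spec-v3 using only Python's standard library; verifying the ed25519 signature over the certificate is a separate step that needs an ed25519 implementation and is not included here.

```python
# Added example (not from the thread): v3 onion address <-> ed25519 public key
# per Tor's rend-spec-v3, and the hostname/key binding check a browser would run.
import base64
import hashlib

ONION_V3_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"
SUFFIX = ".onion"

def v3_checksum(pubkey: bytes) -> bytes:
    # CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_V3_VERSION).digest()[:2]

def encode_v3_address(pubkey: bytes, checksum: bytes, version: bytes) -> str:
    # onion_address = base32(PUBKEY || CHECKSUM || VERSION) + ".onion" (lowercase)
    return base64.b32encode(pubkey + checksum + version).decode("ascii").lower() + SUFFIX

def onion_address_from_pubkey(pubkey: bytes) -> str:
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    return encode_v3_address(pubkey, v3_checksum(pubkey), ONION_V3_VERSION)

def pubkey_from_onion_address(hostname: str) -> bytes:
    """Recover the ed25519 key from a v3 address; reject bad version or checksum."""
    name = hostname.strip().lower()
    if name.endswith(SUFFIX):
        name = name[:-len(SUFFIX)]
    if len(name) != 56:  # 35 bytes -> 56 base32 characters, no padding
        raise ValueError("not a v3 onion address")
    try:
        raw = base64.b32decode(name.upper())
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("invalid base32 in onion address") from exc
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_V3_VERSION:
        raise ValueError("unsupported onion address version")
    if checksum != v3_checksum(pubkey):
        raise ValueError("onion address checksum mismatch")
    return pubkey

def signing_key_matches_hostname(hostname: str, signing_pubkey: bytes) -> bool:
    """Binding check: the key that signed the TLS cert must be the key the
    typed .onion hostname commits to. Any malformed address is a mismatch."""
    try:
        return pubkey_from_onion_address(hostname) == signing_pubkey
    except ValueError:
        return False
```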