[tor-onions] Debugging an ubuntu / apache2 / tor / ssl setup

ronqonions at risley.net ronqonions at risley.net
Sun Oct 14 00:18:50 UTC 2018


> On Oct 13, 2018, at 09:55, Adam Jensen <hanzer at riseup.net> wrote:
> 
> This might be a goofy question but why would SSL ever be used with a Tor
> Hidden Service?

If your site exists as both a hidden service and on the clear web, then it can be problematic to maintain both TLS and unencrypted access.

One problem with hidden services is the potential for copycat sites. Particularly if you have created a vanity .onion address, others can create similar-looking addresses and post them to try to lead people to their site instead of yours. Some folks believe that an EV TLS certificate can mitigate this risk. Facebook, for example, uses an EV certificate for their .onion site. Others question the value of EV certs for most any use cases:

https://scotthelme.co.uk/are-ev-certificates-worth-the-paper-theyre-written-on/

AFAIK, the only folks that issues TLS certificates for .onion addresses is Digicert. They're EV only.

--2p


More information about the tor-onions mailing list