[tor-onions] Debugging an ubuntu / apache2 / tor / ssl setup

Adam Jensen hanzer at riseup.net
Sun Oct 14 01:00:03 UTC 2018


On 10/13/2018 08:18 PM, ronqonions at risley.net wrote:
> If your site exists as both a hidden service and on the clear web, then it can be problematic to maintain both TLS and unencrypted access.
> 
> One problem with hidden services is the potential for copycat sites. Particularly if you have created a vanity .onion address, others can create similar-looking addresses and post them to try to lead people to their site instead of yours. Some folks believe that an EV TLS certificate can mitigate this risk. Facebook, for example, uses an EV certificate for their .onion site. Others question the value of EV certs for most any use cases:
> 
> https://scotthelme.co.uk/are-ev-certificates-worth-the-paper-theyre-written-on/
> 

I didn't realize Certificates for .onion domains [1] were possible.
Thanks for the news!

[1]:
https://en.wikipedia.org/wiki/Extended_Validation_Certificate#cite_ref-7

Could the same certificate be used for both the clear web HTTPS URL and
the Tor onion address or would it be necessary to maintain two separate
certificates?

Facebook seems to use two different certificates:

https://www.facebook.com/
BD:25:8C:1F:62:A4:A6:D9:CF:7D:98:12:D2:2E:2F:F5:7E:84:FB:36

https://www.facebookcorewwwi.onion/
A8:24:85:A1:5C:10:A7:F5:48:3E:BE:FA:B9:53:B8:8D:6E:0D:EE:F7


> AFAIK, the only folks that issues TLS certificates for .onion addresses is Digicert. They're EV only.

It's not really important but my site [2] has a digicert certificate and
if it is Extended Validation then they verified my legal identity in a
very indirect way :)

[2]: https://www.metadatalibrary.org/


More information about the tor-onions mailing list