[tor-relays] tor hidden services & SSL EV certificate

Mirimir mirimir at riseup.net
Tue Dec 29 20:55:24 UTC 2015


On 12/29/2015 01:16 PM, bernard wrote:
> 
> On 29/12/2015 19:38, Jesse V wrote:
>> A few hidden services have added an
>> HTTPS cert but I think that's mostly for a publicity stunt than anything
>> else.
> 
> (I am not commenting on the technical necessity of a cert.)
> 
> No, I think the point that was made at today's talk (and correct me if I
> got it wrong) was that if I am the operator of, for example,
> www.bigclearwebwebsite.com (who, by default of big known to the
> Internet, I am not worried about the anonymity of my site or those who
> operate it).
> 
> I want to create a www.bigclearwebwebsite.onion site (which of course
> would be more like www.xhsjeflflajdfyeysksldpfiejcc.onion), I can do
> this by getting an HTTPS cert for my .onion address.
> 
> The objective of it (from a user's point of view) would be tying the
> identity of the *clear web* site and the *.onion site* together to give
> the user some trust that bigclearwebwebsite.onion is in fact the same as
> the .com site.
> 
> (Replace bigclearwebwebsite. with DuckDuckGo, Facebook, etc)

True. But I don't see that it helps much for onion sites that aren't
tied to well-known clearweb sites. Spoofers could also get HTTPS certs.
And users couldn't tell them apart.

I've been playing with GnuPG-signed pages, with the public key available
from multiple independent sources. But of course, it's a bit much to
expect users to verify signatures.

