DigiCert is considering SSL certificates for more Tor hidden services

The company has received requests for .onion SSL certificates after issuing one to Facebook

Certificate authority DigiCert is considering issuing SSL certificates to more Tor .onion address owners after recently providing Facebook with one.

However, SSL certificates for pseudo-top-level domains like .onion that don't actually exist on the Internet are in the process of being phased out and the Tor Project has not yet decided if Tor websites getting SSL certificates is a good thing.

Last week, Facebook made its website accessible inside the Tor anonymity network by setting up a so-called Tor hidden service with the facebookcorewwwi.onion address. The company described it as an experiment that will provide Tor users with end-to-end communication, from their browsers directly into a Facebook data center, avoiding third-party exit nodes.

Tor hidden services use URL addresses that end in .onion, a suffix that does not exist in the Internet's DNS root zone and is not a TLD recognized by the Internet Corporation for Assigned Names and Numbers. As such, these addresses never touch the public DNS: a Tor client resolves them itself, by looking up the service's descriptor in Tor's hidden service directory system.

The internal use of made-up TLDs like .onion is not something specific to Tor. Organizations have used pseudo-TLDs like .local, .lan, .corp, .priv and others on their internal networks for a long time, even though it is not a recommended practice.

Over the years certificate authorities have issued valid digital certificates for such internal domain names, as they helped organizations deploy SSL in their enterprise environments without having to install a self-generated root certificate on end-point systems.

This practice is being discontinued because TLDs used internally today might conflict with future TLDs approved by ICANN. According to the baseline requirements for the issuance and management of publicly trusted certificates adopted by the CA/Browser Forum, certificate authorities are no longer allowed to issue new certificates that are valid for "internal names" and have an expiration date past Nov. 1, 2015. All such certificates that already exist have to be revoked by October 2016.

DigiCert has provided Facebook with an SSL certificate for its facebookcorewwwi.onion address that works for now, but will need to find a longer-term solution that will work past Nov. 1, 2015.

"As a company that has long supported the Tor Project in its efforts to provide a secure internet where people can freely express their ideas, DigiCert is continuing to work with Tor and Facebook on how best to support this project moving forward," said Jeremy Rowley, DigiCert's vice president of business development and legal, in a blog post.

"We've had other folks contact us about getting a .onion certificate," Rowley said. "We think there is value in any efforts to provide SSL/TLS security for Tor, but only if the right security controls can be put in place. Right now, we are in the process of evaluating how best to implement strong validation policies before possibly offering such certificates beyond the one for Facebook. We're also exploring some possibilities with standards bodies. We'll report more about these efforts in the future."

A discussion about the possibility of making an exception for .onion took place on the CA/Browser Forum mailing list in October and the sentiment was that if this is to be considered, the Tor Project should be the one requesting it.

Meanwhile, the Tor Project has not decided if it wants to encourage SSL certificates for Tor hidden services.

"If one site gets a cert, it will further reinforce to users that it's 'needed,' and then the users will start asking other sites why they don't have one," Tor Project Leader Roger Dingledine said in a blog post Oct. 31. "I worry about starting a trend where you need to pay Digicert money to have a hidden service or your users think it's sketchy -- especially since hidden services that value their anonymity could have a hard time getting a certificate."

Using SSL over Tor is also somewhat redundant. SSL has two major benefits: it encrypts traffic and it authenticates servers to clients through digital certificates issued by trusted third parties -- the certificate authorities. Tor already encrypts the connection between a Tor client and a hidden service, and the service's 16-character .onion address is itself derived from its public key: it is the base32 encoding of the first 80 bits of a SHA-1 hash of that key.

This means Tor hidden service addresses "are self-authenticating: if you type in a given .onion address, your Tor client guarantees that it really is talking to the service that knows the private key that corresponds to the address," Dingledine said.
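The derivation behind that self-authenticating property, as an added example that is not part of the original article or of Tor's own code: the 16-character address format described above is the first 80 bits of SHA-1 over the DER-encoded PKCS#1 RSAPublicKey, base32-encoded and lower-cased. The block encodes the DER structure by hand so it runs with only the standard library; the modulus it uses is a constructed 1024-bit value for exercising the derivation, not a real RSA key.

```python
"""
Derive and verify a 16-character (version 2) Tor hidden-service address.

address = lower(base32(SHA-1(DER(RSAPublicKey))[:10]))

Added example; uses only the standard library, so the DER encoding of the
PKCS#1 RSAPublicKey structure is written out by hand below.
"""
import base64
import hashlib

BASE32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    """DER INTEGER (tag 0x02): minimal big-endian two's complement."""
    if value < 0:
        raise ValueError("RSA parameters are non-negative")
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:  # a set high bit would read as negative; prepend 0x00
        body = b"\x00" + body
    return b"\x02" + der_length(len(body)) + body


def rsa_public_key_der(n: int, e: int) -> bytes:
    """PKCS#1: RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    inner = der_integer(n) + der_integer(e)
    return b"\x30" + der_length(len(inner)) + inner


def onion_address(n: int, e: int) -> str:
    """Return the 16-character .onion label for the RSA public key (n, e)."""
    digest = hashlib.sha1(rsa_public_key_der(n, e)).digest()
    # 10 bytes = 80 bits = exactly 16 base32 characters, no padding
    return base64.b32encode(digest[:10]).decode("ascii").lower()


def verify_onion_address(address: str, n: int, e: int) -> bool:
    """The self-authentication check: does the presented key hash to this address?"""
    label = address.lower()
    if label.endswith(".onion"):
        label = label[:-len(".onion")]
    if len(label) != 16 or not set(label) <= BASE32_ALPHABET:
        return False
    return label == onion_address(n, e)


def sample_modulus(seed: bytes) -> int:
    """Constructed 1024-bit odd value for the demo: NOT a real RSA modulus
    (it is not a product of two primes); it only exercises the derivation."""
    raw = hashlib.sha512(seed).digest() + hashlib.sha512(seed + b"1").digest()
    return int.from_bytes(raw, "big") | (1 << 1023) | 1


if __name__ == "__main__":
    n, e = sample_modulus(b"demo"), 65537
    addr = onion_address(n, e) + ".onion"
    print("derived address:", addr)
    print("key matches address:", verify_onion_address(addr, n, e))
    print("other key matches address:",
          verify_onion_address(addr, sample_modulus(b"other"), e))
```

Because the address commits to the key, a client that reaches a service able to prove possession of the matching private key needs no third party to tell it which key belongs to that name; the `verify_onion_address` mismatch case is exactly what a Tor client refuses.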

SSL becomes valuable when the Tor daemon that terminates the hidden service and the Web server that actually serves the content run on different machines. In that case the user's connection is encrypted up to the Tor process, but the "last mile" between the Tor process and the Web server is plaintext unless the Web server itself speaks TLS.

Large websites like Facebook likely have such configurations. Their front-facing servers are actually proxies that pull content from different Web servers spread around the world.

Secret documents leaked by former U.S. National Security Agency contractor Edward Snowden showed that the NSA was snooping on unencrypted traffic that flowed through the infrastructures of Internet companies like Google. This prompted Google and others to start encrypting the private links between their own data centers.

Even if SSL is to be used by Tor hidden services, there might be alternatives to the CA-based model, Dingledine said. One approach could be to develop a way for a hidden service "to generate its own signed https cert using its onion private key, and teach Tor Browser how to verify them -- basically a decentralized CA for .onion addresses, since they are self-authenticating anyway."

"I haven't made up my mind yet about which direction I think this discussion should go," Dingledine said. "I'm sympathetic to 'we've taught the users to check for https, so let's not confuse them,' but I also worry about the slippery slope where getting a cert becomes a required step to having a reputable service."


Tags: security, DigiCert, TOR Project, encryption, privacy, pki, Facebook


Lucian Constantin

IDG News Service