Additional Onion Cert Validation

There was also someone that erroneously commented on the post, stating that there was no constructive purpose to having a TLS cert on an .onion domain.

This could not be further from the truth, and there are CAs that do offer them. None of the free CAs do, however, because this requires Extended Validation (i.e., 'EV Cert'). Those are the certs that light up green in your browser and have the organization's name directly in the 'omnibox' (search bar) as well.

Benefits of an .onion Cert

1. Users visiting your .onion will be assured that they are visiting your organization's .onion. Since .onion domains are merely composed of random alphanumeric strings (via ed25519 for v3; just like Bitcoin addresses), there are no other external validators that can be used to prove which .onion address is truly yours or not. However, with an .onion-capable certificate, you're able to list your .onion as an alternate domain on your main cert, which would allow individuals to cross-reference the .onion address they're visiting with the information on the cert on your main website.

2. This will enable users' Tor browsers to connect to your website using the .onion network over TLS 1.3 as well (yes, the security benefits do stack; this is why the Browser forum approved this measure in the first place). I was able to 'hack' up a setup for the Librehash App portal to allow proxy forwarding via .onion to the clearnet website. The issue with that in most setups is that they're configured incorrectly by the admin, which leads to the leakage of packet information (even as users are connecting via an .onion domain). However, by proxy forwarding the .onion domain connection over port 80 after having an Apache server listening on that same port (within a container) to forward those connections back through over https (443), I was able to sufficiently provide .onion + TLS strength protection for those .onion websites (visitors can double check on this by downloading Wireshark and inspecting their packets as they visit any one of those apps via their .onion domains).

^^^ A guide will be published on this relatively soon if anyone else is looking to do this.



tg-me.com/librecryptography/195
BY LibreCryptography
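
The cross-reference described in benefit 1, as an added example that is not part of the original post: it checks that a v3 .onion name is well-formed (the ed25519 key, checksum and version byte laid out as in Tor's v3 rendezvous spec) and that it appears among the DNS subject alternative names of the clearnet site's certificate. The function names, the sample key and the sample certificate dict are constructed for illustration.

```python
import base64
import hashlib

VERSION = b"\x03"  # v3 onion services

def _checksum(pubkey: bytes) -> bytes:
    # Tor rend-spec-v3: SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]
    return hashlib.sha3_256(b".onion checksum" + pubkey + VERSION).digest()[:2]

def onion_from_pubkey(pubkey: bytes) -> str:
    """Encode a 32-byte ed25519 public key as a v3 .onion hostname."""
    raw = pubkey + _checksum(pubkey) + VERSION
    return base64.b32encode(raw).decode().lower() + ".onion"

def parse_onion_v3(host: str) -> bytes:
    """Return the public key embedded in a v3 .onion name, else ValueError."""
    host = host.lower().rstrip(".")
    if not host.endswith(".onion"):
        raise ValueError("not an .onion hostname")
    label = host[: -len(".onion")].split(".")[-1]  # ignore any subdomain
    if len(label) != 56:
        raise ValueError("v3 onion label must be 56 base32 characters")
    raw = base64.b32decode(label.upper())  # binascii.Error is a ValueError
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != VERSION or checksum != _checksum(pubkey):
        raise ValueError("bad version byte or checksum")
    return pubkey

def onion_listed_in_cert(onion: str, peercert: dict) -> bool:
    """Check `onion` against the DNS SANs of a clearnet certificate.

    `peercert` is the dict form returned by ssl.SSLSocket.getpeercert().
    """
    parse_onion_v3(onion)  # reject typo'd or truncated addresses first
    sans = {v.lower() for k, v in peercert.get("subjectAltName", ()) if k == "DNS"}
    return onion.lower().rstrip(".") in sans

# Constructed sample data: the key is not a real service key.
SAMPLE_KEY = bytes(range(32))
SAMPLE_ONION = onion_from_pubkey(SAMPLE_KEY)
SAMPLE_CERT = {"subjectAltName": (("DNS", "example.org"), ("DNS", SAMPLE_ONION))}

if __name__ == "__main__":
    print(SAMPLE_ONION, onion_listed_in_cert(SAMPLE_ONION, SAMPLE_CERT))
```

Against a live site, `peercert` would come from a verified TLS connection to the clearnet hostname, so the SAN list is only as trustworthy as that certificate chain.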

