[cabfpub] .onion and .exit

Adam Langley agl at google.com
Thu Oct 16 17:34:30 UTC 2014

On Thu, Oct 16, 2014 at 10:01 AM, Jeremy Rowley
<jeremy.rowley at digicert.com> wrote:
> In this case, [customers] want the certificate to tie the service to the company so that users know exactly who is controlling the service. The cert is primarily to ensure that users are connecting to the correct service and that government actors aren't spoofing or MITM the service. The reason we want to add the .onion addresses to our certificate is that we believe the only way for us to truly secure the connection end-to-end is for us to present our service with a certified  .onion address and to rewrite all of our internal urls to be .onion addresses as well

Is this an EV certificate? If so, then I can see the argument. If not,
then this customer appears to misunderstand how .onion addresses work.
A .onion contains a key and Tor ensures the authenticity of the
connection internally. (There are reasonably questions about the
cryptographic strength of that authentication, but I think Tor are
working on that and this customer doesn't appear to be raising that

> Right now anyone could throw up a Tor hidden service that acted as a proxy to our service and claim it to either be official are a better/faster method than using a normal exit node and some people would believe them; once we start running our service we expect some to attempt this anyway.

This is a fair point but, again, only seems to make sense if it's an
EV certificate.



More information about the Public mailing list