DigiCert is considering SSL certificates for more Tor hidden services

The company has received requests for .onion SSL certificates after issuing one to Facebook

Certificate authority DigiCert is considering issuing SSL certificates to more Tor .onion address owners after recently providing Facebook with one.

However, SSL certificates for pseudo-top-level domains like .onion that don't actually exist on the Internet are in the process of being phased out and the Tor Project has not yet decided if Tor websites getting SSL certificates is a good thing.

Last week, Facebook made its website accessible inside the Tor anonymity network by setting up a so-called Tor hidden service with the facebookcorewwwi.onion address. The company described it as an experiment that will provide Tor users with end-to-end communication, from their browsers directly into a Facebook data center, avoiding third-party exit nodes.

Tor hidden services use URL addresses that end in .onion, a suffix that does not exist in the Internet's DNS root zone and is not a TLD recognized by the Internet Corporation for Assigned Names and Numbers. As such, these addresses only resolve within the Tor network through a private DNS-like system.

The internal use of made-up TLDs like .onion is not something specific to Tor. Organizations have used pseudo-TLDs like .local, .lan, .corp, .priv and others on their internal networks for a long time, even though it is not a recommended practice.

Over the years certificate authorities have issued valid digital certificates for such internal domain names, as they helped organizations deploy SSL in their enterprise environments without having to install a self-generated root certificate on end-point systems.

This practice is being discontinued because TLDs used internally today might conflict with future TLDs approved by ICANN. According to the baseline requirements for the issuance and management of publicly trusted certificates adopted by the CA/Browser Forum, certificate authorities are no longer allowed to issue new certificates that are valid for "internal names" and have an expiration date past Nov. 1, 2015. All such certificates that already exist have to be revoked by October 2016.

DigiCert has provided Facebook with an SSL certificate for its facebookcorewwwi.onion address that works for now, but the company will need to find a longer-term solution that will work past Nov. 1, 2015.

"As a company that has long supported the Tor Project in its efforts to provide a secure internet where people can freely express their ideas, DigiCert is continuing to work with Tor and Facebook on how best to support this project moving forward," said Jeremy Rowley, DigiCert's vice president of business development and legal, in a blog post.

"We've had other folks contact us about getting a .onion certificate," Rowley said. "We think there is value in any efforts to provide SSL/TLS security for Tor, but only if the right security controls can be put in place. Right now, we are in the process of evaluating how best to implement strong validation policies before possibly offering such certificates beyond the one for Facebook. We're also exploring some possibilities with standards bodies. We'll report more about these efforts in the future."

A discussion about the possibility of making an exception for .onion took place on the CA/Browser Forum mailing list in October and the sentiment was that if this is to be considered, the Tor Project should be the one requesting it.

Meanwhile, the Tor Project has not decided if it wants to encourage SSL certificates for Tor hidden services.

"If one site gets a cert, it will further reinforce to users that it's 'needed,' and then the users will start asking other sites why they don't have one," Tor Project Leader Roger Dingledine said in a blog post Oct. 31. "I worry about starting a trend where you need to pay Digicert money to have a hidden service or your users think it's sketchy -- especially since hidden services that value their anonymity could have a hard time getting a certificate."

Using SSL over Tor is also somewhat redundant. SSL has two major benefits: it encrypts traffic and authenticates servers to clients through digital certificates issued by trusted third parties -- the certificate authorities. Tor also encrypts connections between a Tor client and a hidden service and the service's 16-character .onion address is actually a hash of its cryptographic key.

This means Tor hidden service addresses "are self-authenticating: if you type in a given .onion address, your Tor client guarantees that it really is talking to the service that knows the private key that corresponds to the address," Dingledine said.
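As an added illustration that is not part of the original article, the following Python shows how the self-authentication Dingledine describes works for the 16-character v2 addresses: the address is derived from the service's DER-encoded RSA public key, so a Tor client can recompute it from the key a service presents and reject any key that does not match. The modulus used below is a constructed placeholder, not a real key.

```python
# Derive and verify a Tor v2 hidden-service address from its RSA public key.
# v2 addresses are the first 80 bits of SHA-1 over the PKCS#1 DER-encoded
# RSAPublicKey, base32-encoded and lower-cased (16 characters + ".onion").
import base64
import hashlib


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value; a leading 0x00 keeps it positive."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_length(len(body)) + body


def rsa_public_key_der(n: int, e: int) -> bytes:
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    content = der_integer(n) + der_integer(e)
    return b"\x30" + der_length(len(content)) + content


def onion_address(public_key_der: bytes) -> str:
    """Map a DER public key to its v2 .onion address (80 bits of SHA-1, base32)."""
    digest = hashlib.sha1(public_key_der).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower() + ".onion"


def verify_onion_address(address: str, public_key_der: bytes) -> bool:
    """The self-authentication check: the key the service presents must hash
    to the address the user typed, or the connection is rejected."""
    return onion_address(public_key_der) == address.lower()


# Constructed placeholder modulus (1024-bit, odd); NOT a real RSA key.
SAMPLE_MODULUS = (1 << 1023) | 0x10001
SAMPLE_EXPONENT = 65537

if __name__ == "__main__":
    key = rsa_public_key_der(SAMPLE_MODULUS, SAMPLE_EXPONENT)
    addr = onion_address(key)
    print("address:", addr)
    print("genuine key verifies:", verify_onion_address(addr, key))
    # A different key cannot claim the same address.
    other = rsa_public_key_der(SAMPLE_MODULUS + 2, SAMPLE_EXPONENT)
    print("substituted key verifies:", verify_onion_address(addr, other))
```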

SSL becomes valuable in situations where the Tor process and the Web server that make up a hidden service run on different machines. In this case the user's connection to the Tor hidden service will be encrypted, but the "last mile" between the Tor service and the actual Web server will not.

Large websites like Facebook likely have such configurations. Their front-facing servers are actually proxies that pull content from different Web servers spread around the world.

Secret documents leaked by former U.S. National Security Agency contractor Edward Snowden showed that the NSA is snooping on unencrypted traffic that flows through the infrastructures of Internet companies like Google. This prompted Google and others to start encrypting the private links between their own data centers.

Even if SSL is to be used by Tor hidden services, there might be alternatives to the CA-based model, Dingledine said. One approach could be to develop a way for a hidden service "to generate its own signed https cert using its onion private key, and teach Tor Browser how to verify them -- basically a decentralized CA for .onion addresses, since they are self-authenticating anyway."

"I haven't made up my mind yet about which direction I think this discussion should go," Dingledine said. "I'm sympathetic to 'we've taught the users to check for https, so let's not confuse them,' but I also worry about the slippery slope where getting a cert becomes a required step to having a reputable service."

Stories by Lucian Constantin