¶ºÒõ¹Ý

Browsers 03-25-2015

The Current State of .Onion Certificates and What Happens Next

Jeremy Rowley

Digital certificates allow users to verify they are connecting to a legitimate website and browse worry-free. Last year, and has since issued certificates to several other .onion addresses. These certificates allow Tor users to browse anonymously while still being able to identify that the website is operated by an official organization.

Internal Name Deprecation

Though these .onion certificates are currently valid, ¶ºÒõ¹Ý issued the certificates knowing they might need to be revoked this fall. This is because .onion does not exist in the Internet’s DNS root zone and is not recognized by the Internet Engineering Steering Group (IESG) as a top-level domain (TLD).

Because .onion is not recognized, these .onion certificates are considered internal name certificates. The CA/Browser Forum has deprecated the use of public SSL Certificates for internal names and they will no longer be allowed after November 1, 2015. Unless .onion is recognized as a reserved TLD, all .onion certificates will expire in October 2015.

What This Means for Tor Users

Without publicly-trusted SSL Certificates for .onion domains, Tor website operators will not be able to authenticate themselves to users by using public SSL Certificates. These certificates are essential to help combat phishing and MITM attacks for Tor users.

These certificates are also important for data encryption in Tor. Though Tor's internal PKI system provides encryption, it is only 1024-bit. The use of an SSL Certificate raises the encryption to 2048 bits, making the data more secure.

Getting .Onion Recognized

The CA/B Forum last month. This is a good first step to allow .onion websites to obtain SSL Certificates.

However, for .onion certificates to be live past October, .onion needs to be recognized as a reserved TLD by the IESG. Until then, ¶ºÒõ¹Ý will continue to issue .onion certificates with the intent to revoke them before the November deadline.

UP NEXT
PKI

3 Surprising Uses of PKI in Big Companies and How to Ensure They Are all Secure

5 Min

Featured Stories

07-03-2024

What is a CA’s Role in delivering digital trust?

11-11-2024

FIPS 140-3 certification unlocked for ¶ºÒõ¹Ý TrustCore SDK

10-31-2024

Announcing the GA release of ¶ºÒõ¹Ý Device Trust Manager