Certificate authority DigiCert is considering issuing SSL certificates to more Tor .onion address owners after recently providing Facebook with one.
However, publicly trusted SSL certificates for names under pseudo-top-level domains such as .onion, which do not exist in the public DNS, are being phased out under industry rules, and the Tor Project has not yet decided whether SSL certificates for Tor hidden services are a good thing.
Last week, Facebook made its website accessible inside the Tor anonymity network by setting up a so-called Tor hidden service with the facebookcorewwwi.onion address. The company described it as an experiment that will provide Tor users with end-to-end communication, from their browsers directly into a Facebook data center, avoiding third-party exit nodes.
Tor hidden services use addresses that end in .onion, a suffix that does not exist in the Internet's DNS root zone and is not a TLD recognized by the Internet Corporation for Assigned Names and Numbers. Such addresses resolve only inside the Tor network: the name is derived from the hidden service's own public key, and Tor clients look it up through the network's hidden service directory rather than through DNS, so no public resolver will ever answer for a .onion name.
The internal use of made-up TLDs like .onion is not something specific to Tor. Organizations have used pseudo-TLDs like .local, .lan, .corp, .priv and others on their internal networks for a long time, even though it is not a recommended practice.
Over the years certificate authorities have issued publicly trusted certificates for such internal names, because doing so let organizations deploy SSL on their internal systems without installing a private root certificate on every endpoint. The catch is that an internal name has no globally unique owner in the public DNS, so a CA has no authoritative way to verify who is entitled to it.
This practice is being discontinued because a name used internally today might collide with a TLD that ICANN later delegates, at which point the same certificate would validate a host on the public Internet that the certificate holder does not control. According to the baseline requirements for the issuance and management of publicly trusted certificates adopted by the CA/Browser Forum, certificate authorities are no longer allowed to issue new certificates that are valid for "internal names" and have an expiration date past Nov. 1, 2015. All such certificates that already exist have to be revoked by October 2016.
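A practitioner-side check for the rule above, added here as an example and not code from DigiCert, Facebook or the Tor Project: it audits certificate records in the dict shape Python's ssl.SSLSocket.getpeercert() returns, flags SAN and CN entries that are internal names under the Baseline Requirements definition (a name that does not end in a TLD from the IANA root zone), and tests each certificate's expiry against the two milestones. The IANA TLD subset and the sample certificate records, including their dates, are constructed for the example; a real audit would load the full TLD list from IANA first.

```python
"""Audit of certificate records for CA/Browser Forum "internal names".

Added example for this article; it is not code from DigiCert, Facebook or the
Tor Project.  Input records use the dict shape returned by Python's
ssl.SSLSocket.getpeercert(), so the functions can be pointed at live
connections as well as at the constructed samples below.
"""
import calendar
import ipaddress
import ssl

# Constructed subset of the IANA Root Zone Database, enough for the samples.
# A real audit should load the full list from
# https://data.iana.org/TLD/tlds-alpha-by-domain.txt before running.
IANA_TLDS = {"com", "net", "org", "edu", "gov", "uk", "de", "io", "info"}

# Baseline Requirements milestones described in the article (UTC epoch seconds).
NO_ISSUE_PAST = calendar.timegm((2015, 11, 1, 0, 0, 0))  # new certs must expire by here
REVOKE_BY = calendar.timegm((2016, 10, 1, 0, 0, 0))      # surviving certs revoked by here


def is_internal_name(name):
    """True if `name` cannot be globally unique in the public DNS because it
    does not end in an IANA root-zone TLD (the BR "Internal Name" test)."""
    host = name.strip().rstrip(".").lower()
    try:
        ipaddress.ip_address(host)
        return False  # IP addresses fall under a separate BR rule, not this one
    except ValueError:
        pass
    if "." not in host:
        return True   # single-label names such as "intranet" never resolve publicly
    return host.rsplit(".", 1)[1] not in IANA_TLDS


def cert_names(cert):
    """All DNS names a browser would accept for this cert: SAN entries first,
    then the subject commonName that older certificates still rely on."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                names.append(value)
    return names


def audit_cert(cert):
    """Classify one certificate record against the internal-name rules."""
    internal = sorted({n for n in cert_names(cert) if is_internal_name(n)})
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not internal:
        status = "ok"
    elif not_after > NO_ISSUE_PAST:
        status = "not-issuable"           # a CA may no longer issue this one
    else:
        status = "expires-before-cutoff"  # tolerated, it expires on its own first
    return {
        "internal_names": internal,
        "status": status,
        # revocation is only needed when natural expiry comes after the deadline
        "needs_revocation": bool(internal) and not_after > REVOKE_BY,
    }


# Constructed sample records in getpeercert() shape; names and dates are made up.
PUBLIC_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
    "notAfter": "Mar 15 12:00:00 2016 GMT",
}
MIXED_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (("DNS", "mail.example.com"), ("DNS", "mail.corp"),
                       ("DNS", "intranet"), ("IP Address", "10.0.0.5")),
    "notAfter": "Mar 15 12:00:00 2016 GMT",
}
ONION_CERT = {
    "subject": ((("commonName", "hiddenservice.onion"),),),
    "subjectAltName": (("DNS", "hiddenservice.onion"),),
    "notAfter": "Oct 31 23:59:59 2015 GMT",
}
LONG_LIVED_INTERNAL = {
    "subject": ((("commonName", "vpn.lan"),),),
    "subjectAltName": (("DNS", "vpn.lan"),),
    "notAfter": "Jun 30 00:00:00 2017 GMT",
}

if __name__ == "__main__":
    for label, cert in [("public", PUBLIC_CERT), ("mixed", MIXED_CERT),
                        ("onion", ONION_CERT), ("long-lived", LONG_LIVED_INTERNAL)]:
        print(label, audit_cert(cert))
```

The classification deliberately keys on the rightmost label only: a wildcard or deep subdomain under a real TLD is still publicly verifiable, while anything under .onion, .local, .lan or .corp fails the test no matter how it is spelled, which is exactly why the certificate the article describes can only be a short-term fix under the current rules.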
DigiCert has provided Facebook with an SSL certificate for its facebookcorewwwi.onion address that works for now, but will need to find a longer-term solution that will work past Nov. 1, 2015.
"As a company that has long supported the Tor Project in its efforts to provide a secure internet where people can freely express their ideas, DigiCert is continuing to work with Tor and Facebook on how best to support this project moving forward," said Jeremy Rowley, DigiCert's vice president of business development and legal, in a blog post.
"We've had other folks contact us about getting a .onion certificate," Rowley said. "We think there is value in any efforts to provide SSL/TLS security for Tor, but only if the right security controls can be put in place. Right now, we are in the process of evaluating how best to implement strong validation policies before possibly offering such certificates beyond the one for Facebook. We're also exploring some possibilities with standards bodies. We'll report more about these efforts in the future."