A discussion about the possibility of making an exception for .onion took place on the CA/Browser Forum mailing list in October and the sentiment was that if this is to be considered, the Tor Project should be the one requesting it.
Meanwhile, the Tor Project has not decided if it wants to encourage SSL certificates for Tor hidden services.
"If one site gets a cert, it will further reinforce to users that it's 'needed,' and then the users will start asking other sites why they don't have one," Tor Project Leader Roger Dingledine said in a blog post Oct. 31. "I worry about starting a trend where you need to pay Digicert money to have a hidden service or your users think it's sketchy — especially since hidden services that value their anonymity could have a hard time getting a certificate."
Using SSL over Tor is also somewhat redundant. SSL has two major benefits: it encrypts traffic and authenticates servers to clients through digital certificates issued by trusted third parties — the certificate authorities. Tor also encrypts connections between a Tor client and a hidden service, and the service's 16-character .onion address is actually a hash of its cryptographic key.
This means Tor hidden service addresses "are self-authenticating: if you type in a given .onion address, your Tor client guarantees that it really is talking to the service that knows the private key that corresponds to the address," Dingledine said.
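The hash binding behind that guarantee can be sketched in a few lines. This is an added example, not code from the Tor Project or from the article: for 16-character addresses, the label is the base32 encoding of the first 80 bits of the SHA-1 digest of the service's DER-encoded RSA public key. The key bytes below are constructed stand-ins and the function names are hypothetical. The sketch covers only the address-to-key check, not the service's proof that it holds the private key.

```python
import base64
import hashlib
import hmac

# Constructed stand-ins for DER-encoded RSA public keys (not real keys).
SERVICE_KEY_DER = bytes.fromhex("3081890281") + b"constructed-service-key" * 5
IMPOSTOR_KEY_DER = bytes.fromhex("3081890281") + b"constructed-impostor-key" * 5

BASE32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")


def onion_address(public_key_der: bytes) -> str:
    """16-character address: base32 of the first 80 bits of SHA-1(key)."""
    digest = hashlib.sha1(public_key_der).digest()
    label = base64.b32encode(digest[:10]).decode("ascii").lower()
    return label + ".onion"


def parse_label(address: str) -> str:
    """Return the 16-character label, or raise ValueError if malformed."""
    host = address.strip().lower().rstrip(".")
    if not host.endswith(".onion"):
        raise ValueError("not a .onion name")
    # Any subdomain prefix is ignored; the service label sits next to .onion.
    label = host[: -len(".onion")].split(".")[-1]
    if len(label) != 16 or not set(label) <= BASE32_ALPHABET:
        raise ValueError("label is not 16 base32 characters")
    return label


def key_matches_address(address: str, presented_key_der: bytes) -> bool:
    """Client-side check: does the presented key hash to the typed address?"""
    try:
        expected = parse_label(address)
    except ValueError:
        return False
    actual = onion_address(presented_key_der)[:16]
    return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    addr = onion_address(SERVICE_KEY_DER)
    print(addr, key_matches_address(addr, SERVICE_KEY_DER))
    print(addr, key_matches_address(addr, IMPOSTOR_KEY_DER))
```

A key that does not hash to the typed address is rejected without consulting any third party, which is why a CA-issued certificate adds no authentication on this hop.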
SSL becomes valuable in situations where the Tor process and the Web server that make up a hidden service run on different machines. In this case the user's connection to the Tor hidden service will be encrypted, but the "last mile" between the Tor service and the actual Web server will not.
Large websites like Facebook likely have such configurations. Their front-facing servers are actually proxies that pull content from different Web servers spread around the world.
Secret documents leaked by former U.S. National Security Agency contractor Edward Snowden showed that the NSA is snooping on unencrypted traffic that flows through the infrastructures of Internet companies like Google. This prompted Google and others to start encrypting the private links between their own data centers.
Even if SSL is to be used by Tor hidden services, there might be alternatives to the CA-based model, Dingledine said. One approach could be to develop a way for a hidden service "to generate its own signed https cert using its onion private key, and teach Tor Browser how to verify them — basically a decentralized CA for .onion addresses, since they are self-authenticating anyway."
"I haven't made up my mind yet about which direction I think this discussion should go," Dingledine said. "I'm sympathetic to 'we've taught the users to check for https, so let's not confuse them,' but I also worry about the slippery slope where getting a cert becomes a required step to having a reputable service."